Alert grouping types and creation methods

Release version: Australia

Updated March 12, 2026

2 minutes to read

Summarize

Summarized using AI

Summary of Alert grouping types and creation methods

This guide helps ServiceNow customers understand various alert grouping types in Event Management, their descriptions, and how they are created. Effective alert grouping enhances problem identification and streamlines alert management by organizing related alerts into groups for easier analysis and resolution.

Show full answer Show less

Viewing and Managing Alert Groups

Access all alert groups via Event Management > All Alerts.
The Group column icon indicates the alert group type; alerts without a group have no entry.
Double-clicking the Group column opens the Grouped Alerts dialog to view, add, or remove alerts from a group manually.
Note: Each alert can belong to only one alert group at a time.

Alert Grouping Types and Creation Methods

Alerts are grouped based on specific logic, enabling targeted issue tracking and resolution. The main grouping types include:

Log Analytics (Icon: L): Groups related Log Analytics alerts identified through event processing.
Rule-based (Icon: R): Groups alerts based on compliance with alert correlation rules via business rules on the emalert table.
Automated (Icon: A): Aggregates alerts sharing the same Configuration Item (CI) type and metric name, creating a virtual primary alert.
CMDB (Icon: C): Groups alerts based on CI relationships in the CMDB for alerts not included in rule-based or automated groups.
Network traffic based (Icon: N): Uses network traffic analysis and ML Service Mapping to group alerts related to network traffic issues.
Text (Icon: T): Groups alerts by similar text found in fields such as Description, Metric Name, and CI Class.
Tag Cluster (Icon: Tag): Groups alerts according to user-defined tag-based clustering definitions.
Shared Impacted Services: Automatically clusters alerts sharing the same Top Service, prioritizing Business Services linked to each alert's CI.
Manual (Icon: M): Alerts grouped manually by users for organizing related issues.

Creation Methods

Log Analytics groups are formed during log analytics event processing.
Rule-based groups are created via business rules (Calculate correlation rule) during alert creation or update.
Automated, CMDB, Network traffic, Text, and Tag Cluster groups are created through scheduled jobs.
Shared Impacted Services groups are generated automatically by the alert grouping job based on shared Top Service.
Manual groups are user-created.

Additional Guidance

For configuring scheduled jobs and parameters related to alert grouping, refer to the relevant documentation sections on Scheduled jobs and parameters for alert grouping.
To customize alert correlation logic order, consult the documentation on Configure alert correlation logic order.

Explore different alert grouping types, understand their descriptions, and learn about their creation methods to enhance problem identification and streamline alert management.

Viewing and managing alert groups

Navigate to Event Management > All Alerts to view all alert groups. The icon in the Group column denotes the alert group type, while alerts not associated with any group have no entry in the Group column. Double-click the Group column to open the Grouped Alerts dialog, where you can view all alerts in the group and manually add or remove alerts.

Note:

An alert can belong to only one alert group at a time.

Types of alert grouping

Table 1. Alert grouping types
Type	Icon	Description	Creation method	Additional information
Log Analytics	L	Log Analytics groups are formed when the system identifies multiple related Log Analytics alerts, grouping them based on their significant connections.	Created as part of log analytics event processing.	Kinds of Health Log Analytics alerts
Rule-based	R	Rule-based groups consist of related alerts that are organized based on compliance with alert correlation rules, which determine how alerts are grouped according to their relationships.	Created via business rule (Calculate correlation rule) on em_alert table when alert is created or updated.	Rule-based alert grouping Create an alert correlation rule
Automated	A	Automated groups are formed by alert aggregation and include a virtual alert as the primary alert of the group. An Aggregated automated group is created when two or more alerts share the same CI type and metric name.	Created via scheduled job.	Automated alert grouping
CMDB	C	CMDB groups are formed based on CI relationships in the CMDB, specifically for CIs that are not included in rule-based or automated groups.	Created via scheduled job.	CMDB based alert grouping
Network traffic based	N	Network traffic alert groups are formed by analyzing network traffic connections between processes across hosts. This method leverages service candidates identified through ML Service Mapping to group alerts related to network traffic issues.	Created via scheduled job.	Network traffic based alert grouping
Text	T	Text groups are formed by grouping alerts based on similar text from frequently used words in following fields. Description Metric Name CI Class	Created via scheduled job.	Text-based alert grouping
Tag Cluster	Tag	Tag Cluster groups are formed by grouping alerts according to user-defined tag-based alert clustering definitions.	Created via scheduled job.	Tag cluster alert grouping
Shared Impacted Services	Impacted Services	Shared Impacted Services groups consist of related alerts that are automatically clustered based on a shared Top Service — the highest-priority Business Service linked to each alert's configuration item.	Created automatically by the alert grouping job when alerts resolve to the same Top Service.	Shared impacted services alert grouping
Manual	M	Alerts grouped manually by users to organize related issues.	Created manually by the user.	Manual alert grouping

For information on scheduled jobs and parameters, refer to Scheduled jobs and parameters for alert grouping. For detailed information on configuring alert correlation logic order, see Configure alert correlation logic order.