Tag cluster alert grouping

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    Tag cluster alert grouping enables you to easily create groups of alerts. It is a non-code method of alert grouping that correlates alerts without having to use CMDB or model training. This simpler way of grouping similar alerts reduces the overall noise of a large quantity of alerts.

    Tag cluster alert grouping is enabled immediately after the activation of the Tag-Based Alert Clustering Engine application, available in the ServiceNow Store. This grouping is applied according to the correlation logic order specified in Configure alert correlation logic order. Alert grouping tags are attached to definitions on a many-to-many (M2M) basis. Multiple tags can be linked to a single definition, and a tag can be part of multiple definitions. Groups formed from tag cluster alert grouping definitions are classified as the Tag Cluster group type.

    Tag cluster alert grouping supports domain separation, allowing different domains to have their own distinct alert grouping configurations and logic.

    First, create alert grouping tags to define the criteria for grouping alerts. You can set the tags to require an exact match, an approximate ('fuzzy') match, or a character pattern match.

    You can also use preconfigured tags to speed up alert clustering. These predefined tags are mapped from alerts and are based on information from sources such as the Alert field, Alert tags, or Alert additional info. If the required data is missing and the selected tag source is Alert CI or Alert CI key, the tag is populated using the Configuration Item (CI) value from the Configuration Management Database (CMDB). Predefined tags are easily identified by their description, which includes the phrase "out of the box".

    You can attach one or more tags to an alert clustering definition, which specifies the conditions for alert correlation. You can either create your own alert clustering definition or use a predefined one provided by the application. Predefined definitions come with associated tags.

    Important:
    Make sure to activate predefined definitions before use. In new systems, several definitions are active by default. The remaining ones must be activated. For more information, see Activate a predefined alert clustering definition.

    Once one or more alert clustering tags are attached to a definition, the system collects alerts and checks if their tags match all the tag values specified in the definition. Alerts with matching or similar tag values are grouped together. New incoming alerts join an existing group if their tags match the tags in the definition used to create the group.

    For tag-cluster grouping, alerts are added to a group based on the timeframe defined in the alert clustering settings. The time between the initial alert (virtual alert) and subsequent alerts is evaluated. If two new alerts are received, and their time difference falls within the defined timeframe, they are added to the group. The initial event's generation time is used to determine the relevance of the timeframe.
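The matching and timeframe rules described above can be modeled in a few lines. This is an added illustration, not ServiceNow code: the `Tag`, `Group`, `tag_matches` and `cluster` names, the sample alerts, the comparison against the group's initial alert, and the use of a `difflib` similarity ratio with a 0.8 threshold for fuzzy matching are all assumptions, and character pattern matching is left out.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher

@dataclass
class Tag:
    name: str
    mode: str = "exact"          # "exact" or "fuzzy" (hypothetical labels)

@dataclass
class Group:
    first: dict                  # initial alert; its time anchors the timeframe
    members: list = field(default_factory=list)

def tag_matches(tag, a, b, threshold=0.8):
    """Compare one tag between two alerts; a missing value never matches."""
    va, vb = a["tags"].get(tag.name), b["tags"].get(tag.name)
    if va is None or vb is None:
        return False
    if tag.mode == "exact":
        return va == vb
    # Assumed fuzzy rule: similarity ratio at or above the threshold.
    return SequenceMatcher(None, va, vb).ratio() >= threshold

def cluster(alerts, definition, timeframe_s):
    """Return lists of alert ids; a single-id list is an alert left ungrouped."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        for g in groups:
            in_window = alert["time"] - g.first["time"] <= timeframe_s
            # Every tag attached to the definition must match, not just one.
            if in_window and all(tag_matches(t, g.first, alert) for t in definition):
                g.members.append(alert["id"])
                break
        else:
            groups.append(Group(first=alert, members=[alert["id"]]))
    return [g.members for g in groups]

# Constructed sample alerts (times in seconds since the first alert).
ALERTS = [
    {"id": "A1", "time": 0,   "tags": {"node": "db-prod-01", "metric": "disk_latency"}},
    {"id": "A2", "time": 120, "tags": {"node": "db-prod-02", "metric": "disk_latency"}},
    {"id": "A3", "time": 200, "tags": {"node": "web-07",     "metric": "disk_latency"}},
    {"id": "A4", "time": 900, "tags": {"node": "db-prod-01", "metric": "disk_latency"}},
    {"id": "A5", "time": 250, "tags": {"node": "db-prod-03"}},  # no metric tag
]
DEFINITION = [Tag("node", "fuzzy"), Tag("metric", "exact")]

if __name__ == "__main__":
    print(cluster(ALERTS, DEFINITION, timeframe_s=600))
```

With a 600-second timeframe, A4 carries the same tags as A1 but arrives too late to join its group; widening the timeframe to 1000 seconds pulls it in, which is the trade-off to weigh when tuning the setting.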

    To group alerts using tag-based grouping, you can also create a grouping automation in Service Operations Workspace. For more information, see Create Group automation.