Text-based alert grouping

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Text-based Alert Grouping

    Text-based alert grouping in ServiceNow organizes alerts by correlating them based on specific text patterns or keywords in the alert content. This method enables the flexible management of alerts by clustering similar alerts, such as error messages and event descriptions, which helps to streamline alert responses.

    Show full answer Show less

    Key Features

    • EM Alert Clustering Solution: Correlates alerts based on similarities in fields like Description, Metric name, and Configuration item. New alerts are dynamically assigned to clusters by the ML Predictor.
    • Asynchronous Processing: The ML Predictor assigns real-time alerts to clusters, which may introduce slight delays in grouping, as the alert grouping job runs every minute.
    • Predictive Intelligence Plugin: Requires the installation of the Predictive Intelligence plugin (com.glide.platformml) and activation of the EM Alert Clustering Solution definition to execute text-based logic.
    • Threshold Settings: Controls for cluster quality and alert rank thresholds ensure that only alerts of sufficient quality and similarity are grouped together.

    Key Outcomes

    By utilizing text-based alert grouping, customers can achieve:

    • A consolidated view of alerts, enhancing the ability to diagnose network issues quickly.
    • Improved alert management through the automatic grouping of alerts with similar textual characteristics.
    • Higher precision in alert groupings, reducing noise from irrelevant alerts by adhering to defined quality thresholds.

    For successful implementation, ensure that the required properties are created and configured properly, and check the activation status of the EM Alert Clustering Solution definition.

    In text-based alert grouping, alerts are organized and correlated based on specific text patterns or keywords within the alert content. This approach dynamically groups alerts that share similar textual characteristics, such as error messages or event descriptions, allowing for more flexible and adaptive management of alerts.

    The EM Alert Clustering Solution is a method used to correlate alerts based on similarities in specific fields and form clusters or groups. In ServiceNow Event Management, it creates clusters based on the Description, Metric name, and Configuration item.Class fields. This solution organizes alerts into text-based groups, and when a new alert arrives, the ML Predictor identifies the appropriate cluster, grouping alerts within the same cluster.
    Note:
    The ML Predictor job is asynchronous and assigns real-time alerts to clusters, which may result in slight delays. This delay can cause text-based groups to be created several minutes later, as the alert grouping job runs once per minute. If prediction results are not available during a run, they are rechecked in the next grouping job.

    For text-based logic to execute, you must have the Predictive Intelligence plugin (com.glide.platform_ml) installed and the EM Alert Clustering Solution definition activated.

    There are specific settings or limits used to control the behavior of text-based alert grouping. These thresholds define the criteria for how alerts are grouped based on text patterns or attributes. The text-based thresholds are:
    • Cluster quality threshold: The Cluster quality threshold (sa_analytics.alert_grouping_tb_cluster_quality_threshold) determines the minimum quality required for an alert cluster to be considered valid. This threshold ensures that only clusters with a minimum level of similarity and reliability are used. Clusters that meet this threshold are considered valid, improving the precision of the groupings and reducing noise from irrelevant or low-quality clusters. The range of the threshold is from 1 to 100 and the default value is 70.
    • Alert rank threshold: The Alert rank threshold (sa_analytics.alert_grouping_tb_alert_rank_threshold) defines the minimum rank required for an alert to be included in a group. This threshold ensures that only alerts with a certain level of similarity are grouped together, filtering out lower-ranked alerts to maintain the quality of the alert group. The default value is 0.3, where smaller values indicate better similarity.
    Note:
    To use these properties, you need to create properties with the same names and assign the required values to them. For more information on how to create a property, see Add a system property.

    The EM Alert Clustering Solution definition is located in the [ml_capability_definition_clustering] table. To access it, navigate to Predictive Intelligence > Clustering > Solution Definitions.

    To verify if the solution definition is active, see Verify text-based clustering solution. To disable the EM Alert Clustering Solution definition, disable text-based alert grouping by setting the property sa_analytics.text_based_group_enabled to false and clearing the Active check box in the EM Alert Clustering Solution definition.

    Example of text-based alert grouping

    Scenario Example
    Network Connectivity Problems: There are widespread network connectivity issues affecting multiple departments.

    Alerts from various network monitoring tools might report issues like Network segment down, High packet loss, or Connectivity issues in subnet. Text-based alert grouping uses the EM Alert Clustering Solution and ML Predictor to streamline alert management. The EM Alert Clustering Solution employs Natural Language Processing (NLP) algorithms to analyze and identify common text patterns in alerts such as Network segment down or High packet loss. It then clusters these alerts based on their text similarity, grouping related issues together. The ML Predictor further enhances this process by evaluating new alerts in real time and assigning them to the appropriate existing clusters based on their text patterns.

    This dynamic grouping provides a consolidated view of the connectivity problems, allowing network engineers to quickly diagnose and address the root cause of the issues more efficiently.