Exploring Health Log Analytics
ServiceNow Health Log Analytics (HLA) predicts IT issues before they affect your users by collecting, analyzing, and correlating machine-generated log data in real time. It discovers anomalies and alerts you to potential issues.
Health Log Analytics overview
Health Log Analytics typically receives and processes log data and sends events to ServiceNow Event Management. The application discovers anomalies as they happen and helps you identify the root cause of an issue by enabling you to triage related logs and analyze the raw data.
Health Log Analytics can handle any kind of machine-generated textual log data. It can process application, infrastructure, and network logs, as well as other types of textual log data. Although a Configuration Management Database (CMDB) can be helpful to generate high-quality events and alerts, it is not necessary.
- Health Log Analytics supports only UTF-8 logs. It does not support binary logs.
- If you are sending logs in a language other than English, additional configuration may be required.
For a brief explanation of key terms and concepts used in HLA, see the Health Log Analytics terminology.
Health Log Analytics users
| User | Description | Role |
|---|---|---|
| Administrator | Configures the Health Log Analytics application to make it ready for use by Operators. Performs administration tasks to keep the system running efficiently. | evt_mgmt_admin, admin |
| Operator | Analyzes Log Analytics alerts and takes action to help resolve the underlying issue. | evt_mgmt_operator |
Health Log Analytics workflow
Health Log Analytics collects and processes log data automatically. It structures the data logically for operators to analyze, and generates meaningful alerts and suggestions that display in Event Management.
The diagram shows the Health Log Analytics workflow from collecting the data through sending an event or alert to Event Management.
- Ingestion
- This layer connects your environment to Health Log Analytics. You can stream your logs directly from servers and endpoints or from log repositories. The optional guided setup helps you create data input connectors for common data sources, such as Rsyslog, Beats, Splunk, Elasticsearch, the MID Server, or TCP streams.
- Structuring
- This layer deals with structuring log data and auto-mapping it to logical silos, called Components. Data structuring can be done automatically or manually.
- Enrichment
- This layer handles identifying the variable parts of a log message.
- Analysis
- In this layer, each log line is indexed. Health Log Analytics extracts properties from the inner log message that contribute to models of behavior that the system learns to expect. Anomalous behavior departs from this expected behavior. You can search for an event and its most significant properties for manual triaging.
- Machine Learning (ML) and Artificial Intelligence (AI)
- Health Log Analytics uses advanced unsupervised machine-learning algorithms to discover patterns within logs and learn their unique data behavior. It then sets dynamic thresholds based on the data signature in real time to detect issues when they first occur. When the system detects a deviation from the typical pattern, it sends an event to Event Management.
- Alert in Event Management
- Health Log Analytics sends events to Event Management. In Event Management, Health Log Analytics alerts appear in the All alerts list. This list enables operators to see alerts from the event and the Health Log Analytics alert type in a single location.
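The structuring, enrichment and analysis layers described above, as an added Python sketch that is not ServiceNow code and does not reflect HLA's real models: it parses constructed syslog-style lines into fields, masks their variable parts (IPs, user ids, numbers) into message templates, and flags a per-minute template count that breaks out of a baseline learned from earlier windows. The line format, the user-id pattern and the mean-plus-k-stdev threshold rule are assumptions made for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample (not real data): "<timestamp> <host> <severity> <message>" lines.
# Minutes 10:00-10:04 are steady state; minute 10:05 also carries a burst of failed logins.
SAMPLE_LOGS = []
for minute in range(6):
    SAMPLE_LOGS += [f"2024-01-01T10:0{minute}:1{i} web01 INFO user u{i} logged in from 10.0.0.{i}" for i in range(3)]
    SAMPLE_LOGS.append(f"2024-01-01T10:0{minute}:30 web01 WARN auth failed for user u9 from 10.0.0.9")
SAMPLE_LOGS += [f"2024-01-01T10:05:4{i % 10} web01 WARN auth failed for user u{i} from 198.51.100.{i}" for i in range(20)]

LINE_RE = re.compile(r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<severity>[A-Z]+) (?P<message>.*)$")
KEYWORDS = {"WARN", "ERROR", "FAILED"}  # lexical keywords that raise a line's significance

def structure(line):
    """Structuring: extract timestamp, host, severity and message from a raw line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def enrich(record):
    """Enrichment: mask the variable parts (IPs, user ids, numbers) into a message template
    and collect the keywords the line contains."""
    template = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", record["message"])
    template = re.sub(r"\bu\d+\b", "<user>", template)  # assumption: user ids look like u<n>
    template = re.sub(r"\d+", "<num>", template)
    words = set(re.findall(r"[A-Za-z]+", record["severity"] + " " + record["message"]))
    return {**record, "template": template, "keywords": {w.upper() for w in words} & KEYWORDS}

def detect_anomalies(lines, k=3.0):
    """Analysis: count each template per minute; a window is anomalous when its count exceeds
    a threshold learned from earlier windows (mean + k * stdev, with stdev floored at 1)."""
    counts = defaultdict(Counter)  # template -> {minute window: count}
    for line in lines:
        rec = structure(line)
        if rec:
            rec = enrich(rec)
            counts[rec["template"]][rec["timestamp"][:16]] += 1
    anomalies = []
    for template, per_window in counts.items():
        history = []  # counts from earlier windows form the learned baseline
        for window in sorted(per_window):
            count = per_window[window]
            if len(history) >= 2:
                threshold = statistics.mean(history) + k * max(statistics.pstdev(history), 1.0)
                if count > threshold:
                    anomalies.append((window, template, count, round(threshold, 1)))
            history.append(count)
    return anomalies
```

Running `detect_anomalies(SAMPLE_LOGS)` reports only the 10:05 window of the "auth failed" template; the steady login traffic stays under its learned threshold.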
Health Log Analytics benefits
| Benefit | Feature | User |
|---|---|---|
| Use predictive Log Analytics alerts to handle emerging IT issues before they escalate and impact users. | Analyzing and resolving Log Analytics alerts | Operator |
| Set up log data connector integrations quickly and conveniently from the Integrations Launchpad. | Log data connector integrations | Administrator |
| Shorten onboarding time by installing content packs. | Content packs | Administrator |
| Save time and reduce errors by migrating data input configurations between instances. | Data input migration | Administrator |
| Identify the root cause of an alert by analyzing the logs that surround the anomaly. | Analyzing the logs around an anomaly to help find the alert's root cause in Health Log Analytics | Operator |
| Visualize anomalous log data. | Reviewing the logs for an alert on the Log Viewer in Health Log Analytics | Operator |
| Detect relationships in log data. | Log correlators | Operator |
| Assign higher or lower significance to alerts. | Mute alert metrics | Operator |
| Reduce noise by creating log filters. | Log alert filters | Operator |
| Influence how Health Log Analytics finds anomalies by managing keywords it looks for in the log data. | Lexical keywords | Operator |
| Create alerts for specified metrics by adding, changing, or deleting rules. | Custom alert rules | Operator |