Understanding Event Management

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read

    Monitor the health of services and infrastructure using a single management console and respond appropriately to any issues that come up. Event Management provides intelligent event and alert analysis to ensure continuity of your services' performance. Event Management receives and processes events via the MID Server.

    What Event Management can manage

    Event Management can manage:

    Discovered services
    A service is a definition of interrelated CIs from the CMDB. A discovered service is one whose information has been discovered by Service Mapping; it includes a service map with mapping relationships, an impact tree showing outage severity, active alerts, related alerts, and CI properties. The mapping information appears on dashboards, the Alerts list, and the Events list.
    Application services
    An application service is a service created by selecting CIs to include in the service. Application service information appears on dashboards with drill-down capability to a map view. For more information about application services, see Application services.
    Dynamic CI groups
    A dynamic CI group is a dynamic grouping of CIs, based on some common criteria. For example, you can create a dynamic CI group based on location for all web servers or all databases in Ireland. For more information about Dynamic CI Group, see Populate an application service using the Dynamic CI Group method.
    Alert groups
    Alert groups show sets of alerts for ease of maintenance.

    Architecture

    As events occur on various systems, the MID Server connector instance sends the events to the instance. Event Management generates alerts, applies alert management rules, and prioritizes alerts for remediation and root cause analysis. View this information on dashboards, the alert list in Alert Intelligence, or from a service map.
    Figure 1. Event Management architecture

    Workflow

    Event Management receives external events and generates alerts based on event and alert management rules. Events are sent directly to your instance using an email server, script, SNMP trap, or a web service API. The corresponding alerts appear on dashboards for tracking and remediation purposes.

    As the computer, software, or service generates events, the MID Server polls the external event tracking tool. The MID Server, which maintains a connection to Event Management, sends the information to your instance for storage, processing, and remediation.

    The instance stores events in the Event [em_event] table and attempts to generate alerts based on pre-defined rules and event mappings. Regardless of whether an alert generates, the original event is available for review and remediation. Alerts generate according to the following process flow:

    1. Find the best matching event rule for an event. If the source of the event matches the source specified in an existing rule, then a rule is matched. A rule is also matched if the event matches the optional rule Filter and the event additional_info value matches the rule Additional Information filter. A rule without any filter is ignored, for example when the source filter is missing or the Additional Information filter is missing. If multiple rules are defined for the same type of event, use the rule Order to determine the order of rule application.
      • If the rule Ignore check box is selected, no alert generates. However, the event is still available for review and remediation.
      • If transforms have been defined, apply them. If compose parameters are set, apply the additional content to display to the user in the alert.
      • If Active in the threshold section is selected, accumulate all events until the threshold is met. Generate a single alert for the events.
    2. Search for an event field mapping even if there was no event rule. If an event field mapping is found, apply the mapping information. If the event has no severity after the event transformations, retain the event for reference purposes and do not generate an alert.
    3. Search the Alert [em_alert] table for a matching message key. If a matching message key exists, update the alert according to the event information. If a matching message key does not exist, create an alert. If another event has the same matching key, associate the events under a single alert. For root cause analysis purposes, bind the alert to a specific CI.
    Figure 2. Event Management event workflow
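    The three-step flow above (rule matching, field mapping, message-key deduplication into alerts), as an added illustration in JavaScript that is not ServiceNow code. The rule, mapping and event objects are constructed stand-ins for the Event Rule, Event Field Mapping, em_event and em_alert records named on the page, and the matching logic is a simplified assumption of the documented behaviour (severity uses 1 = Critical through 5 = Info; a missing severity is undefined).

```javascript
const eventRules = [            // stands in for Event Rules; lowest Order wins
  { name: 'ignore-heartbeat', order: 100, source: 'Nagios', ignore: true,
    filter: e => /heartbeat/i.test(e.description) },
  { name: 'disk-burst', order: 200, source: 'Nagios', threshold: 3,
    filter: e => /disk/i.test(e.description) },
  { name: 'catch-all', order: 900, source: 'Nagios' },
];
const fieldMappings = [         // stands in for Event Field Mappings (assumed shape)
  { source: 'Nagios', map: e => ({ ...e,
      severity: e.severity ?? (/CRITICAL/.test(e.description) ? 1 : undefined) }) },
];
function matchRule(ev) {        // step 1: a rule needs a source; Filter is optional
  return eventRules
    .filter(r => r.source && r.source === ev.source && (!r.filter || r.filter(ev)))
    .sort((a, b) => a.order - b.order)[0];
}
function processEvents(events) {
  const alerts = new Map();     // em_alert rows keyed by message_key
  const pending = new Map();    // events accumulated per threshold rule
  const retained = [];          // events kept for review without an alert
  for (const ev of events) {
    const rule = matchRule(ev); let batch = [ev];
    if (rule && rule.ignore) { retained.push(ev); continue; }   // Ignore check box
    if (rule && rule.threshold) {
      batch = [...(pending.get(rule.name) || []), ev];
      if (batch.length < rule.threshold) { pending.set(rule.name, batch); continue; }
      pending.delete(rule.name);  // threshold met: one alert for the whole batch
    }
    const fm = fieldMappings.find(m => m.source === ev.source);  // step 2, rule or not
    const mapped = fm ? fm.map(ev) : ev;
    if (mapped.severity == null) { retained.push(...batch); continue; }
    const key = mapped.message_key || `${mapped.source}:${mapped.node}:${mapped.type}`;
    const existing = alerts.get(key);                             // step 3
    if (existing) { existing.severity = mapped.severity; existing.events.push(...batch); }
    else alerts.set(key, { message_key: key, ci: mapped.node,     // bind alert to CI
                           severity: mapped.severity, events: batch });
  }
  return { alerts: [...alerts.values()], retained };
}
const sampleEvents = [          // constructed em_event rows, not real data
  { source: 'Nagios', node: 'web01', type: 'heartbeat', description: 'heartbeat ok' },
  { source: 'Nagios', node: 'web01', type: 'disk', severity: 3, description: 'Disk /var 91%' },
  { source: 'Nagios', node: 'web01', type: 'disk', severity: 3, description: 'Disk /var 93%' },
  { source: 'Nagios', node: 'web01', type: 'disk', severity: 3, description: 'Disk /var 95%' },
  { source: 'Nagios', node: 'db01', type: 'cpu', description: 'CPU CRITICAL 99%' },
  { source: 'Nagios', node: 'db01', type: 'cpu', description: 'CPU CRITICAL 100%' },
  { source: 'Nagios', node: 'db01', type: 'note', description: 'maintenance window' },
  { source: 'Zabbix', node: 'db01', type: 'cpu', description: 'CPU CRITICAL' },
];
```

Running `processEvents(sampleEvents)` yields two alerts (one disk alert holding three accumulated events, one CPU alert updated by a second event) and three retained events: the ignored heartbeat, the note that has no severity after mapping, and the Zabbix event that matches no rule and no mapping.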

    Event Management and Service Mapping

    Event Management uses discovered services from Service Mapping and automated alert groups with root cause analysis (RCA) to expedite alert resolution.

    When an event from an external source arrives from the MID Server, script, or web service API (not pictured), Event Management locates CI information for alert generation and CI remediation. CI information is stored in the CMDB from sources such as Service Mapping, Discovery, third-party sources, and manual population. You can use correlated alert group and root cause analysis information to resolve the issue.

    Figure 3. Event Management interoperability