Understanding pattern identifiers
Summary of Understanding pattern identifiers
Pattern identifiers in ServiceNow are criteria or attributes—such as alert type or affected system—used to group similar alerts. This grouping helps teams quickly identify recurring issues and respond effectively, improving incident management and operational efficiency.
How Pattern Identifiers Group Alerts
Alerts are grouped based on shared attributes defined in the pattern identifier. For example, alerts with the same Metric Name and Configuration Item (CI) will be grouped together, indicating a recurring issue on a specific system. This enables targeted investigation and remediation by isolating related alerts while excluding unrelated ones.
Configuring Effective Pattern Identifiers
- Create an event rule: Define rules that populate alert fields relevant for pattern identification.
- Manage pattern identifier: Add relevant alert fields as attributes for the pattern identifier and deploy the configuration.
- Choose relevant identifiers: Select alert fields that clearly indicate the problem, avoiding overly unique fields (like timestamps) or overly common fields that dilute grouping accuracy.
By default, the Metric Name field is included as a pattern identifier, but you can customize this to fit your alerting scenario.
Alert Grouping and Learned Patterns
When alerts share the same set of fields, they form a "Learned Pattern," which is reported under Event Management > Administration > Learned Patterns. These patterns help visualize and analyze recurring issues across your environment.
Managing Pattern Attributes and Time Frame
- Single active attribute set: Only one set of pattern identifier attributes can be active at a time; deploying a new set replaces the previous one.
- Time frame: Grouping analyzes alerts from the past 30 days, governed by a system property.
- Issue identification: Two alerts are considered similar if they share the same CI and pattern identifier, even if other fields differ.
- Customization options: You can configure grouping based on different CI fields (e.g., location) or enable grouping of alerts without a CI by treating nodes as CIs.
Including both node and metric name in the pattern identifier is recommended for precise CI-based grouping.
A pattern identifier is a set of criteria or attributes (such as alert type, affected system, etc.) used to group similar alerts. It helps to identify recurring issues, making it easier for teams to respond and address ongoing problems.
How pattern identifiers group alerts
Consider a network monitoring system that generates alerts for various issues, such as high CPU usage, memory leaks, or connection timeouts.
- Alert 1: High CPU usage on Server A at 10:00 AM
- Alert 2: High CPU usage on Server A at 10:05 AM
- Alert 3: Memory leak on Server B at 10:10 AM
- Alert 4: High CPU usage on Server A at 10:15 AM
With the default pattern identifier (Metric Name) combined with the CI, Alerts 1, 2, and 4 share the same metric (High CPU usage) and the same CI (Server A), so they are grouped into one pattern that points to a recurring issue on that server. Alert 3 has a different metric and a different CI, so it is not included in that group.
How to configure effective pattern identifiers
To configure effective pattern identifiers for alert grouping, follow these three key steps to ensure accurate and meaningful analysis of alerts.
| Step | Action | Description |
|---|---|---|
| Create an event rule | Define an event rule. To know how to create an event rule, see Create or edit an event rule. | Set up an event rule to populate the relevant alert fields for the pattern identifier. |
| Manage pattern identifier | Add the relevant alert fields to the pattern identifier. To know how to add fields to the pattern identifier, see Specify and manage pattern identifier attributes for alert grouping. | After adding the relevant alert fields, select Deploy to activate the pattern identifier. |
| Choose relevant identifiers | Select alert fields that clearly identify the problem. For example, if the issue is that a service is offline or there is no connection to the database, look for specific values in the alert that indicate this. Add these types of fields to the pattern identifier. By default, we provide the Metric Name field as a pattern identifier. | Avoid fields that are unique to every alert (such as timestamps) or shared by nearly all alerts, since both reduce the accuracy of grouping. |
Alert grouping and Learned Patterns
| Concept | Description |
|---|---|
| Pattern discovery | When a set of alert fields matches, the alerts are grouped into a "Learned Pattern." For example, alerts with the same Priority Group and Resource are grouped into a pattern. |
| Pattern reporting | These patterns are displayed on the Learned Patterns report found under Event Management > Administration > Learned Patterns. |
Managing Pattern Attributes and Time Frame
| Concept | Description |
|---|---|
| Active pattern identifier attributes | Only one set of attributes can be active at a time. Note: The new set replaces the current one after deployment. |
| Purpose and time frame | Pattern grouping identifies issues within the last 30 days, controlled by the sa_analytics.agg.learner_period_days property. |
| Issue identification | To identify an issue, the system uses a combination of Configuration Items (CIs) and Pattern Identifiers (sometimes referred to as Feature Identifiers). By default, a Pattern Identifier is defined as the Metric Name, but this can be modified. Two alerts are considered similar if they share the same CI and Pattern Identifier, although fields such as Source, Severity, Description, and others may differ. For more information, see Specify and manage pattern identifier attributes for alert grouping. |
| Manual alert groups | Note: The Alert Aggregation Learner also identifies patterns of alerts within manual alert groups. |
| Grouping by a CI field | In some cases, you can create patterns from alerts where the CIs share the same value in a specified field. For example, to build patterns from alerts with the same CI Location field, enter location in the sa_analytics.agg.learner_group_by_property property. For more information, see Configure scheduled job-based alert grouping. |
| CI-based groups | When working with CI-based groups, ensure that the pattern identifier includes both the node and the metric name. For details on configuring the Feature Identifier, see Learned patterns report. |
| Alerts without a CI | Note: Alerts that lack a CI can still be grouped together as Text-based or CI-based alert groups, treating a node as a CI. To enable this functionality, set the sa_analytics.enable_no_ci_grouping property to true. |
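To make the grouping rules on this page concrete, here is an added Python sketch (not ServiceNow's own code) that groups the Server A / Server B alerts from the example above by CI plus the configured pattern identifier fields, limited to the learner period, and shows the effect of the group-by-CI-field, node-as-CI, and over-unique-identifier choices. The alert field names and the rule that a learned pattern needs at least two alerts are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts mirroring the page's Server A / Server B example; field names are assumptions.
SAMPLE_ALERTS = [
    {"number": "Alert 1", "cmdb_ci": "Server A", "node": "srv-a", "ci_location": "DC1",
     "metric_name": "High CPU usage", "severity": "Major", "time": "2024-05-01T10:00"},
    {"number": "Alert 2", "cmdb_ci": "Server A", "node": "srv-a", "ci_location": "DC1",
     "metric_name": "High CPU usage", "severity": "Critical", "time": "2024-05-01T10:05"},
    {"number": "Alert 3", "cmdb_ci": "Server B", "node": "srv-b", "ci_location": "DC1",
     "metric_name": "Memory leak", "severity": "Major", "time": "2024-05-01T10:10"},
    {"number": "Alert 4", "cmdb_ci": "Server A", "node": "srv-a", "ci_location": "DC1",
     "metric_name": "High CPU usage", "severity": "Major", "time": "2024-05-01T10:15"},
    # Older than the 30-day learner period: must be ignored by default.
    {"number": "Alert 5", "cmdb_ci": "Server A", "node": "srv-a", "ci_location": "DC1",
     "metric_name": "High CPU usage", "severity": "Major", "time": "2024-03-01T09:00"},
    # No CI bound: only groupable when node-as-CI grouping is enabled.
    {"number": "Alert 6", "cmdb_ci": None, "node": "srv-c", "ci_location": None,
     "metric_name": "High CPU usage", "severity": "Major", "time": "2024-05-01T11:00"},
    {"number": "Alert 7", "cmdb_ci": None, "node": "srv-c", "ci_location": None,
     "metric_name": "High CPU usage", "severity": "Minor", "time": "2024-05-01T11:30"},
]

def pattern_key(alert, identifiers, group_by=None, no_ci_grouping=False):
    """Return the (CI, identifier values...) tuple an alert is grouped by, or None."""
    ci = alert.get("cmdb_ci")
    if not ci and no_ci_grouping:          # like sa_analytics.enable_no_ci_grouping=true
        ci = alert.get("node")
    if ci and group_by:                    # like sa_analytics.agg.learner_group_by_property
        ci = alert.get(group_by)
    if not ci:
        return None
    return (ci,) + tuple(alert.get(f) for f in identifiers)

def learn_patterns(alerts, identifiers=("metric_name",), now=None,
                   period_days=30, group_by=None, no_ci_grouping=False):
    """Group alerts from the last period_days by CI + pattern identifier fields.
    Returns {key: [alert numbers]}; keys seen only once are dropped (assumed: a pattern recurs)."""
    now = datetime.fromisoformat(now) if now else datetime.now()
    cutoff = now - timedelta(days=period_days)  # like sa_analytics.agg.learner_period_days
    groups = defaultdict(list)
    for alert in alerts:
        if datetime.fromisoformat(alert["time"]) < cutoff:
            continue
        key = pattern_key(alert, identifiers, group_by, no_ci_grouping)
        if key is not None:
            groups[key].append(alert["number"])
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Passing `identifiers=("metric_name", "time")` yields no patterns at all, which is the dilution effect of an overly unique field that the configuration guidance warns about.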