Viewing links between alerts in alert groups in Express List

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Viewing links between alerts in alert groups in Express List

    Link View in Express List helps ServiceNow customers visually understand relationships between alerts within alert groups generated by Event Management. It displays how alert attributes are connected, using colored tags to represent Configuration Items (CIs) and other environment elements related to the alerts. This visualization aids in quickly identifying alert correlations and impacted services, improving triage efficiency.

    Show full answer Show less

    Key Features

    • Visual Representation: Link View provides a graphical view of the relationships between alerts, showing connections based on shared attributes and correlations.
    • CI and Service Impact Display: When the CMDB is populated, Link View highlights the probable cause of alerts and the services impacted by alert groups, offering deeper insights.
    • Interactive Node Management: Users can drag nodes to focus on specific areas, although manual refresh is required to reset node positions.
    • Stacked Nodes and Badges: Nodes with badges indicate multiple alerts sharing the same key-value pair. For example, a badge with a number shows how many alerts share that attribute.
    • Change Badges: Alerts with active change requests—potential causes—are marked distinctly for quick identification.
    • Legend and Filtering: A legend explains symbols, colors, and line types, with options to toggle tag visibility to reduce visual noise.
    • Tooltip Details: Hovering over nodes reveals tag name, class, severity, alert count, and alert role (primary, secondary, or probable cause).
    • Supported Alert Group Types: Link View supports tag-based, rule-based, CMDB-based, and network traffic-based alert groups.

    Key Outcomes

    • Gain immediate, visual insight into alert group relationships without requiring a fully populated CMDB.
    • Enhance operational triage by quickly identifying impacted services and probable alert causes.
    • Reduce alert noise and complexity through filtering and visual grouping, enabling focused investigation.
    • Improve understanding of alert correlations across multiple alerts and varied alert group types.

    Gain a better understanding of the relationships between alerts in alert groups in the Express List by using Link View. Link View offers a visual representation of the relationships between the alerts in a group.

    When Event Management generates an alert group, Link View shows how the attributes of the alerts in the group are linked. The colored tags represent Configuration Items (CIs) and other environment items in relation to the alerts. The information shown in Link View is available without the need for a populated Configuration Management Database (CMDB). However, when the CMDB is populated, Link View offers additional value by providing the probable cause of the alerts and the service that the alert group impacts.

    Figure 1. Sample alert group in Link View
    Sample alert group in Link View.

    You can focus on your areas of interest by dragging the nodes in Link View to different positions. When you refresh an alert group, rearranged nodes appear in their original position again. Therefore, Link View is not refreshed automatically, but waits for you to do so manually. If an alert on a CI impacts a service in the Configuration Management Database (CMDB), Link View shows the impacted service, enabling you to view it at a glance for quick triage.

    A stacked node indicates that multiple nodes were mapped for the same tag. When the same key-value pair appears in more than one alert, the corresponding node is shown with a badge. For example, when the same key-value pair appears in two alerts, the badge on the node shows the number 2, as seen on the Payment tracker node in the sample alert group figure. When a node has no badge, the key-value pair appeared in only one alert. An active change request, a probable cause of the alert, is marked by a Change badge.

    Figure 2. Node with a change badge
    Node with change badge.

    The Link View legend lists the meaning of the symbols and colors used and allows you to toggle between hiding and showing types of tags to reduce noise. In addition, the legend describes the meaning of the various lines linking the alert attributes. Attributes linked by a solid line share one or more alerts, whereas attributes linked by a dotted line are correlated by grouping criteria. For a description of each tag, see Attributes in Express List Link View. Hovering over a node displays a tooltip that includes the name of the tag, its class, its severity, the number of alerts in which it appeared, and whether the alert is primary or secondary or the probable cause of the alert, if applicable.

    Figure 3. Node tooltip
    Node tooltip with probable cause.
    Currently, Link View is supported for tag-based, rule-based, CMDB-based, and network traffic-based alert groups. For more information, see: