Tag cluster alert grouping
Summary of Tag cluster alert grouping
Tag cluster alert grouping is a no-code alert correlation method in ServiceNow that groups similar alerts based on tags, reducing alert noise without relying on CMDB or model training. It activates immediately upon enabling the Tag-Based Alert Clustering Engine application from the ServiceNow Store. This functionality groups alerts according to a configurable correlation logic order, creating groups classified as Tag Cluster group types. It supports domain separation, allowing different domains to maintain unique alert grouping configurations.
Key Features
- Tag-Based Grouping: Alerts are grouped by tags attached to alert clustering definitions on a many-to-many basis, allowing multiple tags per definition and tags shared across definitions.
- Tag Matching Types: Tags can require exact matches, approximate (“fuzzy”) matches, or character pattern matches to define grouping criteria.
- Predefined Tags and Definitions: The system provides predefined tags mapped from alert fields or additional info, and predefined alert clustering definitions with associated tags. Predefined definitions require activation before use.
- Timeframe-Based Grouping: Incoming alerts are grouped if their tags match the definition’s tags and their occurrence falls within a configurable timeframe relative to the initial alert in the group.
- CMDB Integration: For tags sourced from Alert CI or Alert CI key, missing data is populated from the CMDB.
Practical Use for ServiceNow Customers
Customers can leverage tag cluster alert grouping to efficiently reduce alert noise by grouping related alerts without complex configurations or dependency on CMDB models. By creating or activating alert clustering definitions and attaching relevant tags, customers ensure alerts are correlated based on meaningful criteria such as exact or fuzzy tag matches within a set timeframe. This leads to clearer alert management and faster incident response.
Next Steps
- Create or activate predefined alert clustering definitions.
- Create and attach alert clustering tags that define grouping criteria.
- Configure alert correlation logic order and alert clustering timeframes.
- Optionally, customize alert content using event rules for enhanced grouping accuracy.
Tag cluster alert grouping enables you to easily create groups of alerts. It is a no-code method of alert grouping that correlates alerts without using the CMDB or model training. This simpler way of grouping similar alerts reduces the overall noise of a large quantity of alerts.
Tag cluster alert grouping is enabled immediately after the activation of the Tag-Based Alert Clustering Engine application, available in the ServiceNow Store. This grouping is applied according to the order specified in Configure alert correlation logic order. Alert grouping tags are attached to definitions on a many-to-many (M2M) basis: multiple tags can be linked to a single definition, and a tag can be part of multiple definitions. Groups formed from tag cluster alert grouping definitions are classified as the Tag Cluster group type.
Tag cluster alert grouping supports domain separation, allowing different domains to have their own distinct alert grouping configurations and logic.
First, create alert grouping tags to define the criteria for grouping alerts. You can set the tags to require an exact match, an approximate ('fuzzy') match, or a character pattern match.
You can also use preconfigured tags to speed up alert clustering. These predefined tags are mapped from alerts and are based on information from sources such as the Alert field, Alert tags, or Alert additional info. If the required data is missing and the selected tag source is Alert CI or Alert CI key, the tag is populated using the Configuration Item (CI) value from the Configuration Management Database (CMDB). Predefined tags are easily identified by their description, which includes the phrase "out of the box".
You can attach one or more tags to an alert clustering definition, which specifies the conditions for alert correlation. You can either create your own alert clustering definition or use a predefined one provided by the application. Predefined definitions come with associated tags.
Once one or more alert clustering tags are attached to a definition, the system collects alerts and checks whether their tags match all the tag values specified in the definition. Alerts with matching or similar tag values are grouped together. New incoming alerts join an existing group if their tags match the tags in the definition used to create the group.
For tag-cluster grouping, alerts are added to a group based on the timeframe defined in the alert clustering settings. The time between the initial alert of the group (the virtual alert) and each subsequent alert is evaluated: a new alert is added to the group if the difference between its generation time and the initial alert's generation time falls within the defined timeframe. The initial event's generation time, not the time the group was created or last updated, is the reference point for the timeframe.
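The following Python model, added here as an illustration and not ServiceNow code, shows the grouping behaviour the sections above describe: definitions are tried in correlation-logic order, an alert qualifies for a definition only if it carries every tag of that definition, it joins an existing group of that definition when each tag matches the group's initial alert (exact, fuzzy, or pattern) and its generation time is within the timeframe measured from the initial alert, and it seeds a new group otherwise. The fuzzy similarity ratio (difflib, threshold 0.8), the regex representation of a pattern tag, and the sample alerts are all constructed assumptions; ServiceNow's own matching internals are not documented on this page.

```python
"""Model of tag-cluster alert grouping: exact/fuzzy/pattern tags, M2M tags
to definitions, correlation order, and a timeframe measured from the
initial alert. Constructed example; not ServiceNow code."""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Tag:
    name: str                    # alert field the tag value is mapped from
    match: str                   # "exact", "fuzzy" or "pattern"
    fuzzy_threshold: float = 0.8  # assumed similarity ratio for fuzzy tags
    pattern: str = ""            # assumed regex representation of a pattern tag


@dataclass(frozen=True)
class Definition:
    name: str
    tags: tuple        # M2M: the same Tag object may be reused by other definitions
    timeframe_s: int   # grouping window, measured from the group's initial alert


@dataclass(frozen=True)
class Alert:
    alert_id: str
    generated_at: int  # event generation time, epoch seconds
    tags: dict         # tag name -> value, as mapped from the alert


@dataclass
class Group:
    definition: str
    initial: Alert     # the "virtual alert" the timeframe is measured from
    members: list = field(default_factory=list)


def tag_matches(tag: Tag, value: str, reference: str) -> bool:
    """Compare an alert's tag value with the group's initial value per match type."""
    if tag.match == "exact":
        return value == reference
    if tag.match == "fuzzy":
        return SequenceMatcher(None, value, reference).ratio() >= tag.fuzzy_threshold
    if tag.match == "pattern":
        # Pattern tags group values that satisfy the same pattern; they need not be equal.
        return (re.fullmatch(tag.pattern, value) is not None
                and re.fullmatch(tag.pattern, reference) is not None)
    raise ValueError(f"unknown match type {tag.match!r}")


def alert_qualifies(definition: Definition, alert: Alert) -> bool:
    """An alert can seed or join a group only if it carries every definition tag."""
    for tag in definition.tags:
        value = alert.tags.get(tag.name)
        if value is None:
            return False
        if tag.match == "pattern" and re.fullmatch(tag.pattern, value) is None:
            return False
    return True


def group_alerts(definitions, alerts):
    """Return (groups, ungrouped); definitions are tried in correlation-logic order."""
    groups, ungrouped = [], []
    for alert in sorted(alerts, key=lambda a: a.generated_at):
        placed = False
        for definition in definitions:
            if not alert_qualifies(definition, alert):
                continue  # try the next definition in correlation order
            for group in groups:
                if group.definition != definition.name:
                    continue
                # Timeframe check against the initial alert's generation time.
                age = alert.generated_at - group.initial.generated_at
                if not 0 <= age <= definition.timeframe_s:
                    continue
                if all(tag_matches(t, alert.tags[t.name], group.initial.tags[t.name])
                       for t in definition.tags):
                    group.members.append(alert)
                    placed = True
                    break
            if not placed:  # qualifies for this definition but fits no open group
                groups.append(Group(definition.name, alert, [alert]))
                placed = True
            break  # first matching definition wins
        if not placed:
            ungrouped.append(alert)
    return groups, ungrouped


# Constructed sample: one exact+fuzzy definition and one pattern definition.
HOST = Tag("host", "exact")
MESSAGE = Tag("message", "fuzzy")
METRIC = Tag("metric", "pattern", pattern=r"disk_.*")
DEFINITIONS = (
    Definition("same-host DB errors", (HOST, MESSAGE), timeframe_s=600),
    Definition("disk alerts", (METRIC,), timeframe_s=600),
)
ALERTS = [
    Alert("a1", 0,   {"host": "db01", "message": "Connection refused on port 5432"}),
    Alert("a2", 120, {"host": "db01", "message": "Connection refused on port 5433"}),
    Alert("a3", 200, {"host": "db02", "message": "Connection refused on port 5432"}),
    Alert("a4", 900, {"host": "db01", "message": "Connection refused on port 5432"}),
    Alert("a5", 300, {"host": "db01"}),  # no "message" tag: qualifies for nothing
    Alert("a6", 50,  {"host": "web01", "metric": "disk_usage"}),
    Alert("a7", 100, {"host": "web02", "metric": "disk_io"}),
]


def run():
    groups, ungrouped = group_alerts(DEFINITIONS, ALERTS)
    return ([(g.definition, [a.alert_id for a in g.members]) for g in groups],
            [a.alert_id for a in ungrouped])


if __name__ == "__main__":
    for line in run():
        print(line)
```

Running it shows a2 joining a1's group (same host, fuzzy-similar message), a3 seeding its own group because the exact host tag differs, a4 seeding a third group because it arrives 900 s after a1, outside the 600 s window, a6 and a7 grouped by the pattern tag although their metric values differ, and a5 left ungrouped because it lacks a tag required by every definition.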