Scheduled jobs and parameters for alert grouping

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read

    Automate alert organization by configuring jobs to group alerts based on predefined criteria and parameters.

    To group alerts in Automated, CMDB, Text-based, Tag Cluster, and Network Traffic Correlation groups, the scheduled job named Service Analytics group alerts using RCA/Alert Aggregation is typically run once per minute. This job handles the grouping of alerts based on the specified method. Additionally, you can run multiple scheduled jobs in parallel to manage alert grouping more efficiently. For further details, see Run multiple scheduled jobs for alert grouping.

    To define which alerts are grouped, the following parameters are used:
    • sa_analytics.aggregation_enabled: This parameter enables the alert grouping performed by the scheduled job. Set the property Enable alert aggregation for Automated, CMDB, and Text-Based groups to true to activate this feature.
      Note:
      This property also applies to Tag Cluster and Network Traffic Correlation grouping.
    • sa_analytics.agg.query_dynamic_window: By default, this is set to 10 minutes (600 seconds). It defines the maximum time difference allowed between the last event generation times of two alerts that can be grouped together.
    • sa_analytics.agg.query_max_group_lifetime: This parameter specifies the maximum time period from the generation of the first alert to the last alert in a group, with a default of 30 minutes (1800 seconds). If events arrive with a delay exceeding this period, the sa_analytics.agg.group_expiration_time parameter can be used to extend the grouping time beyond 30 minutes.
    Note:
    Some parameters, such as sa_analytics.agg.query_dynamic_window, sa_analytics.agg.query_max_group_lifetime, and sa_analytics.agg.group_expiration_time, are not provided out of the box. To use these properties, you need to create properties with the same names and assign the required values to them. For more information on how to create a property, see Add a system property.

    Example: How alerts are grouped

    For tag-cluster grouping, alerts are added to a group based on the timeframe parameter defined in the alert tag clustering settings. For automated, CMDB, text-based, and network traffic grouping, alerts are aggregated as follows.

    Consider the following alerts with the same CI. (All of them may be added to the same CMDB group).
    • Alert1: Initial event generation at 01:00:00 AM
    • Alert2: Initial event generation at 01:11:00 AM
    • Alert3: Initial event generation at 01:13:00 AM
    • Alert4: Initial event generation at 01:16:00 AM
    • Alert5: Initial event generation at 01:25:00 AM
    • Alert6: Initial event generation at 01:34:00 AM
    • Alert7: Initial event generation at 01:43:00 AM
    Alert1 and Alert2 are not grouped because the time gap between them exceeds the 10-minute dynamic window. Alert2 and Alert3 create a group at 01:13:00 AM. The 10-minute dynamic window starts at 01:13:00 AM, and the remaining alerts are handled as follows:
    • Alert4 is added to the group at 01:16:00 AM, restarting the 10-minute window.
    • Alert5 and Alert6 are added to the group as their event times are within the 10-minute window.
    • Alert7 is not added to the group because, although it arrives only 9 minutes after Alert6, it falls outside the 30-minute maximum group lifetime set by sa_analytics.agg.query_max_group_lifetime, measured from the initial group creation (01:13:00 AM + 30 minutes = 01:43:00 AM).
    Note:
    After an alert is created, correlation logic is applied only once. Changes to the alert after its creation are not re-evaluated for correlation. If correlation is not established initially, the alert may still be added to a group later, but only if a new incoming alert matches and triggers the grouping logic.
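    The grouping rules described above, as an added Python simulation that is not part of the ServiceNow documentation or product: the data model, the CI names and the extra alert on a second CI are constructed, and the lifetime is measured from the first alert's event time as the parameter definition states (the walkthrough counts from 01:13:00 AM, when the group formed, which gives the same result here).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Defaults stated on the page: dynamic window 600 s, max group lifetime 1800 s.
QUERY_DYNAMIC_WINDOW = timedelta(seconds=600)       # sa_analytics.agg.query_dynamic_window
QUERY_MAX_GROUP_LIFETIME = timedelta(seconds=1800)  # sa_analytics.agg.query_max_group_lifetime

@dataclass
class Alert:
    name: str
    ci: str               # Configuration Item the alert belongs to
    event_time: datetime  # initial event generation time

@dataclass
class Group:
    ci: str
    alerts: list = field(default_factory=list)

def can_join(group, alert, window=QUERY_DYNAMIC_WINDOW, lifetime=QUERY_MAX_GROUP_LIFETIME):
    """Same CI, within the dynamic window of the group's latest alert (the window
    restarts on every addition), and within the lifetime measured from its first alert."""
    if alert.ci != group.ci:
        return False
    since_last = alert.event_time - group.alerts[-1].event_time
    since_first = alert.event_time - group.alerts[0].event_time
    return since_last <= window and since_first <= lifetime

def group_alerts(alerts, window=QUERY_DYNAMIC_WINDOW, lifetime=QUERY_MAX_GROUP_LIFETIME):
    """Simulate the scheduled job: each alert is correlated exactly once, in event-time
    order, against the latest group for its CI; later changes are never re-evaluated.
    A returned group holding a single name is an alert that was not grouped."""
    groups, latest_by_ci = [], {}
    for alert in sorted(alerts, key=lambda a: a.event_time):
        current = latest_by_ci.get(alert.ci)
        if current is not None and can_join(current, alert, window, lifetime):
            current.alerts.append(alert)
        else:
            current = Group(alert.ci, [alert])
            groups.append(current)
            latest_by_ci[alert.ci] = current
    return [[a.name for a in g.alerts] for g in groups]

def page_example():
    """The seven alerts from the page on one constructed CI, plus one constructed alert
    on another CI to show that the CI check comes before any timing rule."""
    base = datetime(2025, 7, 31, 1, 0, 0)
    offsets = {"Alert1": 0, "Alert2": 11, "Alert3": 13, "Alert4": 16, "Alert5": 25, "Alert6": 34, "Alert7": 43}
    alerts = [Alert(n, "ci-web-01", base + timedelta(minutes=m)) for n, m in offsets.items()]
    alerts.append(Alert("OtherCI", "ci-db-01", base + timedelta(minutes=14)))
    return group_alerts(alerts)
```

    Running page_example() reproduces the walkthrough: Alert1 stays alone, Alert2 through Alert6 form one group, Alert7 starts a new group, and the alert on the other CI is never considered for the CMDB group.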