Rule-based alert grouping

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Rule-based alert grouping

    Rule-based alert grouping in ServiceNow is managed through alert correlation rules that classify alerts as primary or secondary and establish their relationships. This grouping helps in organizing related alerts, reducing noise, and focusing on the root cause of issues by designating one alert as primary and the others as secondary.

    Show full answer Show less

    The rules apply only to new alerts or alerts that have reopened, enabling dynamic and relevant grouping. For example, secondary alerts for virtual machines or applications affected by a server outage are grouped under the primary alert representing the offline server.

    Primary and Secondary Alerts

    • Primary alert: Represents the root cause of an alert group and serves as the parent for secondary alerts.
    • Secondary alerts: Related alerts that are grouped under the primary alert to reduce noise and allow focus on the main issue.

    Both primary and secondary alerts remain visible, but secondary alerts are nested under the primary alert. A system property controls whether secondary alerts remain open or closed when the primary alert is closed, enabling flexibility in alert lifecycle management.

    Alert Hierarchy and Behavior

    Only one level of secondary alerts is allowed. If a secondary alert has its own secondary alert, the hierarchy is flattened so all secondary alerts become siblings under the primary alert. This ensures a simple two-level structure for clarity.

    In complex scenarios with multiple correlation rules, the system enforces a single primary alert per secondary alert, maintaining clear parent-child relationships and preventing multiple parents.

    Practical Use for ServiceNow Customers

    • Create alert correlation rules to define which alerts act as primary (root cause) and which act as secondary (related issues).
    • Use grouping to reduce alert noise, improve incident investigation efficiency, and provide a clearer view of related alert relationships in Service Operations Workspace.
    • Manage alert closure behavior through system properties to align with operational preferences for alert lifecycle handling.

    By leveraging rule-based alert grouping, customers can streamline alert management in Event Management, focusing on root causes and minimizing distractions from secondary alerts.

    Rule-based alert grouping is created by alert correlation rules. These rules allow you to manually classify alerts as primary or secondary and establish a relationship between them. Use alert correlation rules to group related alerts. The rule runs only for new alerts or alerts whose status changed from close/flapping to open/reopen.

    Example: If rule-based alert grouping is applied, secondary alerts indicating that virtual machines or applications on the offline server are also down and are grouped under the primary alert, which is the root alert for the server that is offline. You can view rule-based alert grouping in Express List of Service Operations Workspace (ITOM). For more information, see Viewing links between alerts in rules-based alert groups.

    Primary and secondary alerts

    • Primary alert: Identifies the root cause of an alert group and represents its secondary alerts.
    • Secondary alert: Related to the same issue, they are grouped under the primary alert. The purpose of secondary alerts is to determine which alerts to suppress, reducing alert noise and allowing you to focus on the primary alert.

    How primary and secondary alerts interact

    In rule-based alert grouping, one of the real alerts is designated as the primary alert. Primary and secondary alert filter conditions specify which alerts are classified as primary and which as secondary. The filter criteria are applied to the Alert [em_alert] table.

    In this alert grouping, both primary and secondary alerts are visible but secondary alerts are grouped under the primary alert. The property Keep the secondary alert open even when primary closed. for manual or rule based (evt_mgmt.rule_based_manual_closure) controls whether secondary alerts remain open or are closed when the primary alert is closed.

    If the property is not selected (i.e., set to No), after the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), and the secondary alerts are closed and become stand-alone. If you select the checkbox for the property (i.e., set it to Yes) and the primary alert is closed, the parent reference is removed from the secondary alerts (the grouping is dissolved), causing them to become stand-alone open alerts.

    Alert hierarchy

    Only one level of secondary alerts is permitted. In situations where a secondary alert has its own secondary alert, the Event Management application flattens the hierarchy to preserve only two levels.

    For example, assume alert A is the primary alert and alert B is the secondary alert. If alert C becomes a secondary alert for alert B, the application flattens the hierarchy so that A remains the primary and B and C become sibling secondary alerts, one level below A.

    As another example, assume that there are three correlation rules that produce the following results:
    • Rule 1 (with an Order value of 1): B becomes a primary alert for A.
    • Rule 2 (with an Order value of 2): A becomes a primary alert for C and D.
    • Rule 3 (with an Order value of 3): E becomes a primary alert for A.

    When alerts B, C, D, and E are triggered, they all appear in the alert list separately because there are no correlations between them.

    When alert A is triggered:
    1. Rule 1 makes A a secondary alert under alert B.
    2. Rule 2 makes both C and D secondary alerts under alert A, and the hierarchy is flattened so that A, C, and D become secondary alerts to the primary alert B.
    3. Rule 3 is not applied because multiple parents are not allowed—A already has B as its primary.

    Therefore, if all alerts are triggered, only B appears as the primary alert for A, D, and C, while E remains a standalone alert.