Understanding pattern identifiers
A pattern identifier is a set of criteria or attributes (such as alert type, affected system, etc.) used to group similar alerts. It helps to identify recurring issues, making it easier for teams to respond and address ongoing problems.
How pattern identifiers group alerts
Consider a network monitoring system that generates alerts for various issues, such as high CPU usage, memory leaks, or connection timeouts.
- Alert 1: High CPU usage on Server A at 10:00 AM
- Alert 2: High CPU usage on Server A at 10:05 AM
- Alert 3: Memory leak on Server B at 10:10 AM
- Alert 4: High CPU usage on Server A at 10:15 AM
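Grouping on the default identifier (Metric Name) together with the CI puts Alerts 1, 2 and 4 into one pattern and leaves Alert 3 on its own. The script below is an added example, not ServiceNow code, that models this grouping and also shows the two ways an identifier choice goes wrong (too unique, too generic). The alert records are constructed; the `source` field and the fifth "Connection timeout" alert are assumptions added to illustrate the over-generic case.

```javascript
// Added example (not ServiceNow code): how a pattern identifier attribute set
// turns a list of alerts into learned patterns. Sample alerts are constructed;
// "source" and Alert 5 are assumptions added for the over-generic case.
const SAMPLE_ALERTS = [
  { number: "Alert 1", ci: "Server A", metric_name: "High CPU usage",     source: "monitor", time: "10:00" },
  { number: "Alert 2", ci: "Server A", metric_name: "High CPU usage",     source: "monitor", time: "10:05" },
  { number: "Alert 3", ci: "Server B", metric_name: "Memory leak",        source: "monitor", time: "10:10" },
  { number: "Alert 4", ci: "Server A", metric_name: "High CPU usage",     source: "monitor", time: "10:15" },
  { number: "Alert 5", ci: "Server A", metric_name: "Connection timeout", source: "monitor", time: "10:20" },
];

// Grouping key: the CI plus the value of every attribute in the pattern identifier.
function patternKey(alert, attributes) {
  return [`ci=${alert.ci}`]
    .concat(attributes.map((attr) => `${attr}=${alert[attr]}`))
    .join("|");
}

// Put alerts with an identical key into the same learned pattern.
// Returns { key: [alert numbers] }; a key with one member is a pattern nobody learns from.
function learnPatterns(alerts, attributes) {
  const patterns = {};
  for (const alert of alerts) {
    const key = patternKey(alert, attributes);
    (patterns[key] = patterns[key] || []).push(alert.number);
  }
  return patterns;
}

// Default identifier (Metric Name): Alerts 1, 2 and 4 share one pattern.
const byMetric = learnPatterns(SAMPLE_ALERTS, ["metric_name"]);
// Too unique: adding the timestamp means no two alerts ever match (five singletons).
const byMetricAndTime = learnPatterns(SAMPLE_ALERTS, ["metric_name", "time"]);
// Too generic: "source" alone lumps the CPU and connection-timeout alerts on Server A together.
const bySource = learnPatterns(SAMPLE_ALERTS, ["source"]);

console.log(byMetric);
console.log(byMetricAndTime);
console.log(bySource);
```

The check to run against a real attribute set is the same: if nearly every key has one member, the identifier is too specific; if one key absorbs alerts with unrelated metric names, it is too generic.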
How to configure effective pattern identifiers
To configure effective pattern identifiers for alert grouping, follow these three key steps so that alerts are analyzed accurately and meaningfully.
| Step | Action | Description |
|---|---|---|
| Create an event rule | Define an event rule. To learn how, see Create or edit an event rule. | Set up an event rule to populate the alert fields that the pattern identifier will use. |
| Manage pattern identifier | Add the relevant alert fields to the pattern identifier. To learn how, see Specify and manage pattern identifier attributes for alert grouping. | After adding the relevant alert fields, select Deploy to activate the pattern identifier. |
| Choose relevant identifiers | Select alert fields that clearly identify the problem. For example, if the issue is that a service is offline or there is no connection to the database, look for specific values in the alert that indicate this and add those fields to the pattern identifier. | By default, the Metric Name field is provided as the pattern identifier. |
Alert grouping and Learned Patterns
| Concept | Description |
|---|---|
| Pattern discovery | When a set of alert fields matches, the alerts are grouped into a "Learned Pattern." For example, alerts with the same Priority Group and Resource are grouped into a pattern. |
| Pattern reporting | These patterns are displayed on the Learned Patterns report found under . |
Managing pattern attributes and time frame
| Concept | Description |
|---|---|
| Active pattern identifier attributes | Only one set of attributes can be active at a time. Note: The new set replaces the current one after deployment. |
| Purpose and time frame | Pattern grouping identifies issues within the last 30 days, controlled by the sa_analytics.agg.learner_period_days property. |
| Issue identification | To identify an issue, the system combines Configuration Items (CIs) with Pattern Identifiers (sometimes referred to as Feature Identifiers). By default, the Pattern Identifier is the Metric Name, but this can be modified. Two alerts are considered similar if they share the same CI and Pattern Identifier, even though fields such as Source, Severity, and Description may differ. For more information, see Specify and manage pattern identifier attributes for alert grouping. Note: The Alert Aggregation Learner also identifies patterns of alerts within manual alert groups. |
| Grouping by a CI field | In some cases, you can create patterns from alerts whose CIs share the same value in a specified field. For example, to build patterns from alerts whose CIs have the same Location field, enter location in the sa_analytics.agg.learner_group_by_property property. For more information, see Configure scheduled job-based alert grouping. |
| CI-based groups | When working with CI-based groups, ensure that the pattern identifier includes both the node and the metric name. For details on configuring the Feature Identifier, see Learned patterns report. |
| Alerts without a CI | Alerts that lack a CI can still be grouped as Text-based or CI-based alert groups, treating a node as a CI. To enable this, set the sa_analytics.enable_no_ci_grouping property to true. |
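The three system properties in the table change which alerts are eligible for grouping and what the "CI part" of the grouping key is. The script below is an added example, not ServiceNow code, that models those rules side by side: the 30-day learner window, grouping by a CI field such as location, and treating the node as the CI when an alert has none. The property names are the ones the page gives; the CI record shape, the `node` and `location` fields, the alert timestamps and the fixed "now" are constructed assumptions.

```javascript
// Added example (not ServiceNow code): a model of how the learner period,
// the group-by CI field and no-CI grouping affect the grouping key.
// Property names are from the documentation; everything else is constructed.
const DEFAULT_PROPERTIES = {
  "sa_analytics.agg.learner_period_days": 30,
  "sa_analytics.agg.learner_group_by_property": "", // e.g. "location"
  "sa_analytics.enable_no_ci_grouping": false,
};

// Constructed CI records: only a location field is modelled.
const CI_RECORDS = {
  "Server A": { location: "London" },
  "Server B": { location: "London" },
  "Server C": { location: "Paris" },
};

// Fixed "now" so the 30-day window is reproducible.
const NOW = new Date("2024-06-30T00:00:00Z");

// Constructed alerts; A5 and A6 have no CI, A4 is older than the learner period.
const ALERTS = [
  { number: "A1", ci: "Server A", node: "srv-a", metric_name: "High CPU usage", created: "2024-06-29T10:00:00Z" },
  { number: "A2", ci: "Server B", node: "srv-b", metric_name: "High CPU usage", created: "2024-06-28T10:00:00Z" },
  { number: "A3", ci: "Server C", node: "srv-c", metric_name: "High CPU usage", created: "2024-06-27T10:00:00Z" },
  { number: "A4", ci: "Server A", node: "srv-a", metric_name: "High CPU usage", created: "2024-04-01T10:00:00Z" },
  { number: "A5", ci: "",         node: "srv-x", metric_name: "Disk full",      created: "2024-06-29T12:00:00Z" },
  { number: "A6", ci: "",         node: "srv-x", metric_name: "Disk full",      created: "2024-06-29T13:00:00Z" },
];

// Only alerts created within learner_period_days of "now" are analyzed.
function withinLearnerPeriod(alert, props, now) {
  const ageDays = (now - new Date(alert.created)) / 86400000;
  return ageDays <= props["sa_analytics.agg.learner_period_days"];
}

// Resolve the CI part of the grouping key:
//   - normally the CI itself;
//   - when learner_group_by_property names a CI field, that field's value instead;
//   - with no CI, the node if no-CI grouping is enabled, otherwise null (not groupable).
function ciPart(alert, props, ciRecords) {
  if (alert.ci) {
    const field = props["sa_analytics.agg.learner_group_by_property"];
    if (field) {
      const record = ciRecords[alert.ci] || {};
      return `${field}=${record[field]}`;
    }
    return `ci=${alert.ci}`;
  }
  return props["sa_analytics.enable_no_ci_grouping"] ? `node=${alert.node}` : null;
}

// Group eligible alerts on CI part + Metric Name (the default pattern identifier).
function learnPatternsWithProperties(alerts, props, ciRecords, now) {
  const patterns = {};
  for (const alert of alerts) {
    if (!withinLearnerPeriod(alert, props, now)) continue;
    const part = ciPart(alert, props, ciRecords);
    if (part === null) continue;
    const key = `${part}|metric_name=${alert.metric_name}`;
    (patterns[key] = patterns[key] || []).push(alert.number);
  }
  return patterns;
}

// Defaults: three separate Server A/B/C patterns; A4 is outside the window, A5/A6 are skipped.
const withDefaults = learnPatternsWithProperties(ALERTS, DEFAULT_PROPERTIES, CI_RECORDS, NOW);
// Group by location: A1 and A2 (both London) now share one pattern.
const byLocation = learnPatternsWithProperties(
  ALERTS, { ...DEFAULT_PROPERTIES, "sa_analytics.agg.learner_group_by_property": "location" }, CI_RECORDS, NOW);
// No-CI grouping enabled: A5 and A6 group on their node.
const withNoCi = learnPatternsWithProperties(
  ALERTS, { ...DEFAULT_PROPERTIES, "sa_analytics.enable_no_ci_grouping": true }, CI_RECORDS, NOW);

console.log(withDefaults);
console.log(byLocation);
console.log(withNoCi);
```

Reading the three outputs together makes the trade-off visible: a wider window or a coarser CI part surfaces more recurring issues, but it also merges alerts from different hosts into one pattern, so the metric name has to stay in the identifier to keep those patterns meaningful.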