Exploring Health Log Analytics
Summary of Exploring Health Log Analytics
ServiceNow Health Log Analytics proactively predicts IT issues by collecting, analyzing, and correlating machine-generated log data in real time. It detects anomalies and alerts IT teams before problems impact users. The application processes various types of textual log data, including application, infrastructure, and network logs, and integrates seamlessly with ServiceNow Event Management to send meaningful alerts and events.
Health Log Analytics supports only UTF-8 encoded text logs (binary logs are not supported) and may require additional configuration for logs in languages other than English. Integration with a Configuration Management Database (CMDB) can improve event quality but is not mandatory.
Health Log Analytics Users
- Administrator: Configures the application, manages integrations, and maintains system efficiency (roles: evt_mgmt_admin, admin).
- Operator: Analyzes alerts, investigates root causes using log data, and takes corrective actions (role: evt_mgmt_operator).
Health Log Analytics Workflow
The workflow consists of several layers to transform raw logs into actionable insights:
- Ingestion: Connects data sources such as servers, endpoints, and log repositories via connectors (e.g., Rsyslog, Beats, Splunk, Elasticsearch, MID Server, TCP). Guided setup simplifies connector creation.
- Structuring: Automatically or manually extracts key properties (Message, Timestamp, Host, Severity, External-IDs) and organizes logs into logical components, enhancing searchability and correlation.
- Enrichment: Identifies variable parts of log messages including keywords (e.g., WARN, Failed) and contextual properties (e.g., User, source IP, port) to improve anomaly detection.
- Analysis: Indexes log lines and applies machine learning models to learn typical behavior patterns, enabling detection of anomalies as deviations from expected patterns.
- Machine Learning and AI: Uses unsupervised algorithms to dynamically set thresholds and detect issues in real time, triggering alerts to Event Management when anomalies occur.
Integration with Event Management
Health Log Analytics sends detected anomalies as events to ServiceNow Event Management, where alerts appear in a consolidated All alerts list. This integration allows operators to view and manage Health Log Analytics alerts alongside other event types efficiently.
Key Benefits
- For Administrators:
- Guided setup and the Integrations Launchpad accelerate data input connector configuration.
- Content packs reduce onboarding time by delivering preconfigured analytics.
- Data input migration tools save time and minimize errors when moving configurations between instances.
- For Operators:
- Analyze root causes by examining logs surrounding anomalies.
- Visualize anomalous data with the Log viewer for deeper insight.
- Detect relationships in log data using correlators.
- Manage alert significance and reduce noise via muting, filtering, and customizing alert rules and keywords.
Next Steps
To deepen understanding and optimize usage, explore the Health Log Analytics architecture and learn how alerts are generated to fully leverage this predictive analytics capability in your ServiceNow environment.
ServiceNow Health Log Analytics predicts IT issues before they affect your users by collecting, analyzing, and correlating machine-generated log data in real time. It discovers anomalies and alerts you to potential issues.
Health Log Analytics overview
Health Log Analytics typically receives and processes log data and sends events to ServiceNow Event Management. The application discovers anomalies as they happen and helps you identify the root cause of an issue by enabling you to triage related logs and analyze the raw data.
- Health Log Analytics supports only UTF-8 logs. It does not support binary logs.
- If you are sending logs in a language other than English, additional configuration may be required.
Health Log Analytics users
| User | Description | Role |
|---|---|---|
| Administrator | Configures the Health Log Analytics application to make it ready for use by Operators. Performs administration tasks to keep the system running efficiently. | evt_mgmt_admin, admin |
| Operator | Analyzes Log Analytics alerts and takes action to help resolve the underlying issue. | evt_mgmt_operator |
Health Log Analytics workflow
Health Log Analytics collects and processes log data automatically. It structures the data logically for operators to analyze, and generates meaningful alerts and suggestions that display in Event Management.
The diagram shows the Health Log Analytics workflow from collecting the data through sending an event or alert to Event Management.
- Ingestion
- This layer connects your environment to Health Log Analytics. You can stream your logs directly from servers and endpoints or from log repositories. The optional guided setup helps you create data input connectors for common data sources, such as Rsyslog, Beats, Splunk, Elasticsearch, MID Server, and TCP.
- Structuring
- This layer deals with structuring log data and auto-mapping it to logical silos, called Components. Data structuring can be done automatically or manually.
- Enrichment
- This layer identifies the variable parts of a log message: keywords such as WARN or Failed, and contextual properties such as the user, source IP address, and port. Separating these variables from the constant text of the message is what lets the Analysis layer group messages of the same shape and learn their behavior.
- Analysis
- In this layer, each log line is indexed. Health Log Analytics extracts properties from the inner log message that contribute to models of behavior that the system learns to expect. Anomalous behavior departs from this expected behavior. You can search for an event and its most significant properties for manual triaging.
- Machine Learning (ML) and Artificial Intelligence (AI)
- Health Log Analytics uses advanced unsupervised machine-learning algorithms to discover patterns within logs and learn their unique data behavior. It then sets dynamic thresholds based on the data signature in real time to detect issues when they first occur. When the system detects a deviation from the typical pattern, it sends an event to Event Management.
- Alert in Event Management
- Health Log Analytics sends events to Event Management. In Event Management, Health Log Analytics alerts appear in the All alerts list, so operators can see alerts of the Event alert type and the Health Log Analytics alert type in a single location.
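The workflow layers above (Ingestion, Structuring, Enrichment, Analysis and the threshold-based detection that feeds Event Management), and the same layers as listed in the summary's workflow section, as an added Python illustration. This is not ServiceNow code and does not reproduce the product's models: the log lines, field names, regular expressions, one-minute windows and the mean-plus-k-sigma threshold are all constructed for the example, and the "event" it produces is a plain dictionary rather than an Event Management record. It does show what each layer contributes: raw text becomes typed fields, variables are pulled out so messages collapse into templates, a per-template baseline is learned from earlier windows, and the lines behind the one anomaly are kept for root-cause triage.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample input (not real data): UTF-8 text lines in a syslog-like layout.
# Minutes 10:00-10:04 show a steady one-failure-per-minute baseline; 10:05 holds a burst.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z web01 INFO User alice logged in from 10.0.0.5:51234",
    "2024-03-01T10:00:30Z web01 WARN Failed login for user carol from 198.51.100.7:40001",
    "2024-03-01T10:01:02Z web01 INFO User bob logged in from 10.0.0.9:51240",
    "2024-03-01T10:01:40Z web01 WARN Failed login for user dave from 198.51.100.7:40002",
    "2024-03-01T10:02:05Z web01 INFO User alice logged in from 10.0.0.5:51300",
    "2024-03-01T10:02:50Z web01 WARN Failed login for user erin from 198.51.100.8:40003",
    "2024-03-01T10:03:11Z web01 INFO User bob logged in from 10.0.0.9:51310",
    "2024-03-01T10:03:45Z web01 WARN Failed login for user frank from 198.51.100.9:40004",
    "2024-03-01T10:04:01Z web01 INFO User alice logged in from 10.0.0.5:51400",
    "2024-03-01T10:04:33Z web01 WARN Failed login for user grace from 198.51.100.7:40005",
    "2024-03-01T10:05:01Z web01 WARN Failed login for user root from 203.0.113.4:41000",
    "2024-03-01T10:05:02Z web01 WARN Failed login for user admin from 203.0.113.4:41001",
    "2024-03-01T10:05:03Z web01 WARN Failed login for user test from 203.0.113.4:41002",
    "2024-03-01T10:05:04Z web01 WARN Failed login for user guest from 203.0.113.4:41003",
    "2024-03-01T10:05:05Z web01 WARN Failed login for user oracle from 203.0.113.4:41004",
    "2024-03-01T10:05:07Z web01 INFO User bob logged in from 10.0.0.9:51500",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<severity>[A-Z]+)\s+(?P<message>.*)$")
IP_PORT_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})")
USER_RE = re.compile(r"\b(?P<kw>user)\s+(?P<user>\w+)", re.IGNORECASE)
KEYWORDS = ("WARN", "ERROR", "Failed")  # lexical keywords of the kind the page mentions


def structure(line):
    """Structuring: split a raw line into Timestamp, Host, Severity and Message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable line; a real pipeline would route it to a catch-all component
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"timestamp": ts, "host": m["host"], "severity": m["severity"],
            "message": m["message"], "raw": line}


def enrich(record):
    """Enrichment: pull out the variable parts (user, source IP, port) and the keywords,
    leaving a constant template that groups messages of the same shape together."""
    msg, variables = record["message"], {}
    m = IP_PORT_RE.search(msg)
    if m:
        variables["src_ip"], variables["src_port"] = m["ip"], int(m["port"])
        msg = IP_PORT_RE.sub("<IP>:<PORT>", msg)
    m = USER_RE.search(msg)
    if m:
        variables["user"] = m["user"]
        msg = USER_RE.sub(lambda mm: f"{mm['kw']} <USER>", msg)
    tokens = set(re.findall(r"\w+", record["severity"] + " " + record["message"]))
    record.update(template=msg, variables=variables,
                  keywords=[k for k in KEYWORDS if k in tokens])
    return record


def detect_anomalies(records, k=3.0, min_delta=2.0, min_history=3):
    """Analysis: count each template per one-minute window and flag a window whose count
    exceeds a threshold learned from that template's own earlier windows (mean plus
    k standard deviations, never closer than min_delta above the mean)."""
    counts, windows = defaultdict(Counter), set()
    for r in records:
        w = r["timestamp"].replace(second=0, microsecond=0)
        counts[r["template"]][w] += 1
        windows.add(w)
    anomalies = []
    for template, per_window in counts.items():
        history = []
        for w in sorted(windows):
            n = per_window.get(w, 0)  # a template absent from a window counts as zero
            if len(history) >= min_history:
                threshold = statistics.fmean(history) + max(k * statistics.pstdev(history), min_delta)
                if n > threshold:
                    anomalies.append({"template": template, "window": w,
                                      "count": n, "threshold": round(threshold, 2)})
            history.append(n)
    return anomalies


def triage(records, anomaly):
    """Operator view: the raw lines behind an anomaly plus the source and users involved."""
    hits = [r for r in records if r["template"] == anomaly["template"]
            and r["timestamp"].replace(second=0, microsecond=0) == anomaly["window"]]
    top = Counter(r["variables"].get("src_ip") for r in hits).most_common(1)
    return {"lines": [r["raw"] for r in hits], "top_src_ip": top[0][0] if top else None,
            "users": sorted(u for u in {r["variables"].get("user") for r in hits} if u)}


def run(lines=SAMPLE_LOGS):
    """Whole pipeline: ingest -> structure -> enrich -> detect -> attach triage context."""
    records = [enrich(r) for r in map(structure, lines) if r is not None]
    return [dict(a, triage=triage(records, a)) for a in detect_anomalies(records)]


if __name__ == "__main__":
    for a in run():
        print(f"{a['window'].isoformat()} {a['template']!r}: {a['count']} > {a['threshold']}")
        print("  dominant source:", a["triage"]["top_src_ip"], "users:", a["triage"]["users"])
```

Running it on the constructed lines flags only the 10:05 window of the "Failed login" template (five events against a learned threshold of three) and attaches the five raw lines, the single source address behind them and the list of targeted accounts, which is the context an operator needs to decide whether this is a credential-guessing attempt or a misconfigured client. The `min_delta` floor matters on quiet baselines: a template that has appeared exactly once per minute has zero variance, and without a floor a second occurrence would be flagged.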
Health Log Analytics benefits
| Benefit | Feature | User |
|---|---|---|
| Simplify data input setup using the guided setup. | Guided setup | Administrator |
| Set up log data connector integrations quickly and conveniently from the Integrations Launchpad. | Log data connector integrations | Administrator |
| Shorten onboarding time by installing content packs. | Content packs | Administrator |
| Save time and reduce errors by migrating data input configurations between instances. | Data input migration | Administrator |
| Identify the root cause of an alert by analyzing the logs that surround the anomaly. | Surrounding logs | Operator |
| Visualize anomalous log data on the Log viewer. | Log viewer | Operator |
| Detect relationships in log data. | Log correlators | Operator |
| Assign higher or lower significance to alerts. | Mute alert metrics | Operator |
| Reduce noise by creating log filters. | Log alert filters | Operator |
| Influence how Health Log Analytics finds anomalies by managing keywords it looks for in the log data. | Lexical keywords | Operator |
| Create alerts for specified metrics by adding, changing, or deleting rules. | Custom alert rules | Operator |