Extracting and composing alert fields

  • Release version: Zurich
  • Updated July 31, 2025

Extracting and composing are ways to manage what you see in the alert output, making it simpler to filter, group, and read. Extracting pulls a value out of an event payload field, using a regular expression, and places it in an alert output field. Composing merges multiple alert fields, tags, and free text into a single output field.

    Extracting alert fields

    Alert notifications often contain relevant context buried within event payloads. By enriching alert outputs with values from the existing payload, you can better understand the significance of alerts and determine the appropriate steps for resolution. For example, a host name typically includes crucial information such as service, node, cluster, datacenter, and domain. To automatically add the value for a cluster tag based on incoming host data, you can extract just the cluster data.

    When extracting alert fields, use regular expressions (regex) to build value formulas. Regex allows you to precisely identify and capture the relevant portions of the payload, enabling the creation of meaningful and actionable alert notifications.
    Note:
    You write the value formula in regular expression (regex) syntax. Use one or more capture groups, in parentheses, to extract parts of the input. Capture groups are assigned to alert outputs in the order in which they appear in the regex. The regex must match the entire input, not just a substring of it, so consider surrounding your regex with .* on each end. For example, (\w+)\.acme\.com.* captures the host name from a fully qualified domain name such as web01.acme.com; the dots are escaped because an unescaped . matches any single character, not only a literal dot. The regex engine is Perl Compatible Regular Expressions (PCRE) compatible.
    Figure 1. Extract alert fields
    If you use multiple capture groups with parentheses, each extracted value appears in a separate output field.
    Figure 2. Extract field for multiple alert outputs
    Preview the alert output across example events to verify that the values are extracted as expected by selecting Preview multiple events.
    Note:
    This option is available only when example source events are available and matched with the regex filter.

    Example: Extracting alert fields

    Suppose you need to extract only the first nine characters from a specific field of an event and display them in a new alert field named mynewfield. You also want to tag this new alert field for later use in alert grouping. Here's how you can achieve this:
    • Source input field: Select the event field from which you want to extract data. In this case, the field is Metric Name.
    • Regular expression: Use a regular expression to extract the specific part you need from the selected field's value. For example, if the Metric Name field value is "Free swap space in %" and you want to extract "Free swap", your regular expression must be (.........).* (nine dots inside the capture group, one per character including the space; (.{9}).* is equivalent). The trailing .* is required because the regex must match the entire field value, not only the first nine characters.
    • Alert output:
      • Choose an existing alert field, an existing alert tag, or manually enter a new field name. In this case, let's enter a new field name mynewfield.
      • Set mynewfield as a tag for later use in tag-based grouping. Notice the tag displayed before the field name.

      After applying the regular expression to the selected field's value (in this case the Metric Name field value), verify the extracted value displayed below the Alert output field. It should show "Free swap" if the regular expression matches correctly.

    • Preview multiple events: Previewing multiple events allows you to verify if the regular expression accurately extracts data from a range of example events. This helps determine if any adjustments to the regular expression are needed.
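The extraction rules above (whole-input match, one output per capture group in order of appearance, preview across several example events) can be checked offline before you save a formula. The following Python script is an added example, not ServiceNow code: it emulates those rules with Python's re module, which handles the PCRE constructs used here (capture groups, \w, ., .*) identically. The event records, field names and the host name patterns are constructed for the illustration; only the "Free swap" pattern comes from the page. The script also shows the caveat that the page's unescaped (\w+).acme.com.* accepts non-dot characters where dots were intended, and that a trailing .* admits anything after the matched suffix.

```python
import re

# Constructed sample events, not from the page. The field names mirror the
# page's examples (host name, Metric Name).
EVENTS = [
    {"host": "web01.acme.com", "metric": "Free swap space in %"},
    {"host": "db3.east.acme.com", "metric": "Free disk space in %"},
    {"host": "web01.acme.com.attacker.example", "metric": "CPU"},
]


def extract(pattern: str, value: str):
    """Apply the page's rules: the regex must match the ENTIRE input, and each
    capture group becomes one output value, in order of appearance.
    Returns None when the whole input does not match (no output is produced)."""
    m = re.fullmatch(pattern, value)
    return None if m is None else list(m.groups())


def extract_to_outputs(pattern: str, value: str, output_names):
    """Map capture groups to alert output fields by position: group 1 feeds the
    first output name, group 2 the second, and so on."""
    groups = extract(pattern, value)
    if groups is None:
        return {}
    if len(groups) != len(output_names):
        raise ValueError(f"regex has {len(groups)} capture groups but "
                         f"{len(output_names)} outputs were named")
    return dict(zip(output_names, groups))


def preview(pattern: str, field: str, events=EVENTS):
    """Emulate 'Preview multiple events': run the formula over every example
    event so an over- or under-matching regex is caught before it is saved."""
    return [extract(pattern, ev[field]) for ev in events]


if __name__ == "__main__":
    # The page's example: the first nine characters of "Free swap space in %".
    print(extract(r"(.........).*", "Free swap space in %"))
    # Escaped dots: host name from an FQDN. db3.east.acme.com does not match
    # at all, because \w+ cannot cross a dot and the whole value must match.
    print(preview(r"(\w+)\.acme\.com.*", "host"))
    # Unescaped dots (as in the page's text) also accept "web01xacmexcom".
    print(extract(r"(\w+).acme.com.*", "web01xacmexcom"))
    # Two groups, two outputs: node and cluster from host.cluster.acme.com.
    print(extract_to_outputs(r"(\w+)\.(\w+)\.acme\.com.*", "db3.east.acme.com",
                             ["node", "cluster"]))
```

Two things the preview makes visible: the third constructed host, web01.acme.com.attacker.example, still yields web01 under (\w+)\.acme\.com.* because the trailing .* accepts any suffix, so if you tag or group on the extracted value, decide deliberately whether the formula should end in .* or in an anchored literal; and a sub-domained host such as db3.east.acme.com produces no output at all rather than a partial one, which is easy to miss without previewing more than one event.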

    Composing alert fields

    When creating an alert output, you can select or manually enter fields, tags, or free text to include. This data can be easily read, filtered, and grouped for better management and understanding of the alerts.

    Figure 3. Compose alert fields

    Example: Composing alert fields

    Suppose you want two input formulas that compose data and display it in two different alert output fields. In one scenario, the source value combines two existing alert fields, and the composed value is written to a new alert output field, which you also tag for later use in tag-based grouping. In the other scenario, you combine existing fields with free text and write the result to an existing alert field. Here's how you can achieve this:
    • Scenario 1:
      1. Source input field: Select an existing alert field, add the free text "and", then enter another field, u_eventid. For example: ${classification} and ${u_eventid}.

        Note that alert fields are displayed in the ${field} syntax format. You can also select the field name from the drop-down list, and the syntax will be added automatically.

      2. Alert output: Enter the name of the new alert field where you want to display the values from the input fields. For example, let's name it mynewfield.

        Set mynewfield as a tag for later use in tag-based grouping. Notice the tag displayed before the field name.

    • Scenario 2:
      1. Source input field: Select existing alert fields and include any desired free text for how you want them to appear in the alert output field. For example: Problem type: ${type} with severity ${severity}.

        Alert fields are displayed in the ${field} syntax format. You can also select the field name from the drop-down box, and the syntax will be added automatically.

      2. Alert output: Select an existing alert field where you want to display the values from the input fields. For instance, select Description.
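The two scenarios above, worked through in Python as an added example (not ServiceNow code): a small substitution routine that expands ${fieldname} references against an alert record and writes the result either to a new, tagged output field (Scenario 1) or to an existing field such as Description (Scenario 2). The alert values and the exact ${...} naming rule are constructed assumptions; the page only states the ${field} syntax. Evaluating each output against the original alert values, rather than against earlier outputs, is also an assumption.

```python
import re

# Constructed sample alert, not from the page. The field names are the ones
# the page's scenarios reference.
ALERT = {
    "classification": "Disk",
    "u_eventid": "EV-1042",
    "type": "Capacity",
    "severity": "Major",
    "description": "",
}

# An alert field reference in a formula: ${fieldname}. Field names are assumed
# to be identifiers (letters, digits, underscore); the page does not say.
FIELD_REF = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def referenced_fields(formula: str):
    """Return the field names a formula references, in order (duplicates kept)."""
    return FIELD_REF.findall(formula)


def compose(formula: str, alert: dict) -> str:
    """Replace every ${field} in the formula with the alert's value for it.
    Substitution is a single pass over the formula text, so a field VALUE that
    happens to contain ${...} (for example, copied from an untrusted event
    payload) is inserted literally and never expanded a second time."""
    missing = [n for n in referenced_fields(formula) if n not in alert]
    if missing:
        raise KeyError(f"formula references unknown alert fields: {missing}")
    return FIELD_REF.sub(lambda m: str(alert[m.group(1)]), formula)


def apply_outputs(alert: dict, outputs):
    """Apply a list of (formula, target_field, tagged) alert outputs.
    Each formula is evaluated against the original alert values (assumption:
    outputs do not see each other's results). Returns the updated alert and
    the set of output fields that were marked as tags."""
    updated = dict(alert)
    tags = set()
    for formula, target, tagged in outputs:
        updated[target] = compose(formula, alert)
        if tagged:
            tags.add(target)
    return updated, tags


if __name__ == "__main__":
    updated, tags = apply_outputs(ALERT, [
        # Scenario 1: two fields joined by free text into a new, tagged field.
        ("${classification} and ${u_eventid}", "mynewfield", True),
        # Scenario 2: free text plus fields, written to an existing field.
        ("Problem type: ${type} with severity ${severity}", "description", False),
    ])
    print(updated["mynewfield"], "|", updated["description"], "|", sorted(tags))
```

The single-pass property is the point to check in any composition engine: an alert field fed from an event payload can contain the literal text ${severity}, and a formula that references that field must copy the text through unchanged rather than resolve it, otherwise an event source can influence which values land in your grouped or notified fields.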