Real-time proactive resolution

  • Release version: Zurich
  • Updated May 13, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Real-time proactive resolution

    Real-time proactive resolution in ServiceNow Zurich enables customers to detect and remediate device and application issues within minutes, preventing user impact. Using DEX (Digital Experience), metric data is collected at configurable intervals and evaluated against defined thresholds. When a threshold breach occurs, events and alerts are generated to trigger remediation actions automatically or with user engagement.

    Show full answer Show less

    Key Features

    • Metric-based detection: Utilizes metric rules to analyze time-series data and generate alerts for conditions like disk usage or crash frequency.
    • Auto-correction scripts: Employs check definitions within policies to detect and correct common issues (e.g., VPN reconnection, Wi-Fi connection, service restart) at specified frequencies, even offline.
    • Alert generation and correlation: Alerts are created per device or application-metric combination, with device alerts grouped via correlation rules over a configurable time window (default one hour).
    • Impact tracking: Records impacted users and devices, maintaining detailed metadata for alerts and experience issues.
    • Remediation actions: Support multiple types including executing CI actions or scripts, creating ServiceNow incidents, delivering self-help instructions, or directing users to resource URLs.
    • Execution modes:
      • Silent: Automatic remediation without user interaction.
      • Notify and engage: Users receive notifications and must provide consent before action execution, with options to confirm resolution or escalate.
      • Notify only: Users are informed without prompting or action initiation.
    • Fallback configurations: If users do not respond or issues persist, fallback actions can include no action, incident creation, or live agent connection.
    • Automatic alert and issue closure: Alerts and experience issues close automatically when impacted devices are resolved or removed.

    Practical Application for ServiceNow Customers

    This capability enables IT teams to proactively maintain device and application health by defining metric thresholds and remediation policies. It reduces downtime and user disruption by automating detection and resolution workflows. Customers can customize alert correlation timing, remediation engagement levels, and fallback responses to fit their operational needs. Auto-correction scripts extend remediation to offline scenarios, ensuring continuous issue resolution even without connectivity.

    By leveraging these features, customers can expect faster problem identification, automated remediation workflows, improved end-user experience, and streamlined incident management within the ServiceNow platform.

    Use metric rules, alerts, and auto-correction scripts to detect and remediate device and application issues within minutes, before users are affected.

    DEX collects metric data at configurable intervals (every 5, 10, or 15 minutes depending on the metric configuration) and evaluates conditions that indicate a device or application issue. When a threshold is breached, DEX generates events and alerts that trigger remediation actions.

    DEX supports two real-time detection and remediation approaches:

    • Metric-based: Uses metric rules to evaluate time-series data and generate alerts. Suitable for conditions that can be expressed as a threshold on collected metrics, such as disk usage or crash frequency.
    • Auto-correction scripts: Uses check definitions wrapped in policies to detect and correct conditions at a defined frequency. Suitable for common detect-correct scenarios that don't require additional analysis or correlation, and that must work even when the device is offline.

    Alert generation

    When a metric rule detects that a device or application metric has breached a threshold, DEX generates events and alerts in the following sequence:

    DEX alert generation flow
    1. DEX evaluates metric rules against incoming metric data for each device.
    2. For each device that breaches a threshold, DEX creates one event in the em_event table.
    3. DEX generates one alert per device in the em_alert table (device alerts) or one alert per application and metric rule combination (application alerts).
    4. DEX groups device alerts using the alert correlation rule available with the base system, which consolidates all device alerts for the same metric rule combination within a configurable time window. The default window is one hour and is controlled by the system property sn_dex.alert.correlation_rule.device_period.
    5. For application alerts, subsequent evaluations for the same application and metric rule update the same dex_alert_metadata record with the new event ID and impacted devices. All new events for the same application and metric rule map to the same alert number until the alert is closed.
    6. Impacted users and devices are recorded in the dex_alert_impacted_users table. Additional details are recorded in dex_alert_metadata.

    Alert remediation

    When a resolution is defined in the metric rule, DEX generates an experience issue per impacted user in the sn_pren_experience_issue table. Remediation can be silent (executed automatically without user interaction) or can engage the end user through a notification.

    DEX alert remediation flow
    Remediation action types
    • Remedial action: Executes a CI action (command or script on the endpoint), catalog item, flow, or Virtual Agent (VA) topic.
    • Create incident: Opens an incident record in ServiceNow.
    • Self-help instructions: Delivers instructions to the end user.
    • URL: Directs the end user to a resource URL.
    Silent execution
    The remediation action runs automatically on the device without notifying the end user.
    Notify and engage
    DEX sends the end user a notification through a VA push notification, email, or desktop push notification, then requests consent before executing the action. After execution, the user confirms resolution or escalates.
    Notify only
    DEX notifies the end user without prompting for consent or executing an action.
    Fallback configuration
    If the user does not respond or confirms that the issue is not resolved, a fallback action runs. Fallback options include doing nothing, creating an incident, or connecting the user to a live agent.

    When all devices are removed from the impacted device list, DEX closes the alert automatically. For device alerts, the experience issue is also closed. For application alerts, the alert closes when no devices remain in the impacted list.

    Auto-correction scripts

    Auto-correction scripts use check definitions wrapped in policies to detect and correct issues at a configured frequency. This approach is suitable for common detect-correct scenarios, such as reconnecting a VPN, connecting to Wi-Fi, or restarting a service, that don't require correlation with metric data or other data collected with DEX.

    Auto-correction scripts run on the endpoint and work even when the device is not connected to the internet or to the ServiceNow instance.

    Tip:
    For guidance on authoring policies and check definitions, see the policy and check definition authoring documentation.