Alert priority group calculation explained

Contents
1. Overview
2. What is Alert Priority Group?
3. What is Alert Priority Score Calculation?
4. How is priority calculated for each Alert?

1. Overview

This article explains what Alert Priority is and how alert priority grouping is calculated, and describes the scheduled jobs that run as part of the process.

2. What is Alert Priority Group?

The alert priority group indicates which alerts should be attended to first. This is different from Alert Severity. The priority groups into which alerts fall are listed below.

Priority Group
Urgent
High
Moderate
Low

Priority is calculated for each open alert and then mapped into one of four priority categories based on the priority calculation score. Every alert that is created and is open has a priority score calculated and is mapped to the priority group it belongs to.

For example, an alert with a Severity of Major and a Priority Group of "Low" is unlikely to be resolved first, because the Priority Group is the main element considered for the resolution priority of the incident. If the Priority Group of the alert is "Low", the alert with Severity "Major" will not be attended to first.

3. What is Alert Priority Score Calculation?

As mentioned above, each "Open" alert has a priority score assigned to it. The scheduled job Event Management - Alert Priority Queue is responsible for calculating the priority score of a group of open alerts; it repeats every 19 seconds on the instance, in batches of 1000 open alerts. When the job runs, every open alert gets a score calculated and its corresponding priority group is assigned. Changes to open alerts also trigger recalculation of the priority, and the alert is then categorized again into the relevant priority group.

There is also another scheduled job, Event Management - Calculate Alert Priority, that is responsible for calculating the limits of the Priority Group categories. It runs every 30 minutes on the instance. The priority group division is based solely on the range of open alerts present at the time of this job's execution: it divides the priority groups based on the highest and lowest values of priority scores present on the instance and allocates the TOP and BOTTOM limits to the categories Urgent, High, Moderate and Low.

The Priority group table holds these limits, and its records are modified every 30 minutes when the above job runs. Use "Configure Form Layout" to see the upper and lower limits of the priority groups.

https://<instance_name>.service-now.com/em_alert_priority_group_list.do?sysparm_nostack=true

The TOP and BOTTOM limit values shown for each category are those from the time of job processing. They are calculated by our backend script when the scheduled job Event Management - Calculate Alert Priority runs and allocates the limits for each Alert Priority Group. These limits are used to allocate the open alerts to the corresponding groups.

Below are example limits:

Urgent limit: anything above 7306020.001
High TOP and BOTTOM limit: 4306020.001 to 7306020.001
Moderate TOP and BOTTOM limit: 1206020.003 to 4306020.001
Low limit: anything below 1206020.003

The Event Management - Alert Priority Queue job, which runs every 19 seconds, then calculates the priority of each new open alert and allocates the alert to the priority group. Note that alerts with State = Closed and Severity = OK are not considered.

Thresholds on the calculated priority determine which category the alert is mapped to. Alerts with a priority above the value of the evt_mgmt.top_priority_group_threshold property are categorized as Urgent, which is the highest priority.
The default value of this threshold is 1M. This default value of 1M is relevant only during the initial period, until the group thresholds are calculated.

The calculated priority values of all alerts are considered and are divided into groups according to percentage. Every percentile has a threshold, which is the calculated priority of the corresponding alert. For example, if there are 100 alerts and High priority is 10% of alerts, the 100 alerts are ordered by priority value and the priority of alert number 90 in the ordered list is the threshold for high priority alerts. The next incoming alert, if its calculated priority is bigger than this threshold, is placed in the High priority bucket. These threshold values are recalculated periodically.

When the priority calculation runs over the existing alerts as above and the items in the URGENT bucket are divided, the code logic ensures that the priority value exceeds the property (by default 1M). This means that in an environment where there are no alerts with priority above 1M, there will be only 3 groups: High, Moderate and Low (no Urgent).

4. How is priority calculated for each Alert?

As per the documentation, the score is calculated based on the information on the alerts:

https://docs.servicenow.com/bundle/paris-it-operations-management/page/product/event-management/concept/alert-priority.html#alert-priority__section_modify

For example, consider an alert with 3 Business Services impacted and a "Minor" Severity, having a CI type that belongs to the class "cmdb_ci_linux_server", with a correlation_group of 2, that is a secondary alert with state = "Open".

The measures below are considered and the Priority score is calculated:

1) Business Services:
There were 3 business services impacted by this alert. All of them have a business criticality of 4 - not critical.
The OOTB mapping of Business Criticality is 1, 2, 3, 4, where 4 - not critical has the value 1. This is present in the table below:

https://<instance_name>.service-now.com/em_alert_priority_category_mapping_list.do?sysparm_query=priority_category%3Df511d05f936732000238f179077ffb7a&sysparm_view=

Therefore, since there were 3 impacted services, the value of Business Services was calculated as 3*1*10000000.

2) Severity:
This is mapped based on the severity present on the alert itself. On this alert the severity is Minor. From the list below for severity, we see that this was mapped to 2:

https://<instance_name>.service-now.com/em_alert_priority_category_mapping_list.do?s

Hence the severity value is calculated as 2.0*1000000.

3) CI Type:
CI Type is calculated based on the table Alert Priority CI Types. On this alert the CI is a Linux server and belongs to the cmdb_ci_server class, whose value is 60 in the list below:

https://<instance_name>.service-now.com/em_alert_priority_ci_type_list.do

Hence the CI Type value is calculated as 60.0 * 100.

Note: The values mapped to CI Types can be changed to the values required for your environment.

4) Role:
Role is mapped to a field called correlation_group, and this term is calculated from the value of that field on the alert. The above alert has a correlation_group of 2. Hence we calculate 2.0 * 10.

5) Secondary:
This is the number of secondary alerts that belong to the alert.
We see that there are no secondary alerts here, which is why it is calculated as 0.

6) State:
The priority of the alert was calculated when the state was Open, which maps to 1. Hence the value is 1*0.001.

We add the above products together to obtain the total priority and divide it by 1000. Therefore the Priority score calculated was 3206020.001/1000 = 3206, which is allocated to the alert.

At the time, 3206020.001 belonged to the Priority Group with the limit "Moderate". Example: Moderate has TOP and BOTTOM limits spanning the range 1206020.003 to 4306020.001.

Hence we see that although the Alert Severity is Minor, the alert/incident would get resolved based on a Moderate priority.

5. FAQs

5.1 Can you change the priority of some of the above categories of the alert priority?

Ans: You can change the importance of some categories of the alert priority by modifying their order and/or their weight, as described below. For example, if the CI type is higher in importance than the number of impacted services, you can change their respective order. As a result, the number of services is now multiplied by 100, while CI type is now multiplied by 1000000. Navigate to the em_alert_priority_category_order table. In the Order column, you can change the order of the required category.

Note: The changes that you make using this advanced procedure change the default method of calculating the alert priority score. Changing these configurable values can raise the score of alerts that would otherwise not have a high score, which changes the order in which you handle alerts.

5.2 Can you remap the values of each category to a different value?

Ans: The em_alert_priority_category_mapping table shows the configuration value for each category choice. Each value in a drop-down list of categories can be remapped to a different value by configuring this table.
Please note that this would affect the priority calculation values.

5.3 Where can you find the Alert Priority score calculation?

Ans: Open the Alert record. Navigate to the tab in Related List > "More Information" > "Priority breakdown". Verify the values for each category at the time of priority calculation. These values are overwritten when the priority is recalculated for an alert.
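
The calculation from sections 3 and 4 and the order swap from FAQ 5.1, as an added JavaScript example that is not ServiceNow's code. The weights are assumptions (services x1000000 and CI type x100 from FAQ 5.1, the others chosen so the terms sum to the article's total of 3206020.001), and all function and field names are hypothetical.

```javascript
// Added example, not ServiceNow code. Weights are assumptions: services x1000000
// and CI type x100 come from FAQ 5.1; the rest are chosen so that the terms sum
// to the article's 3206020.001. Secondary x1 is a guess (the sample has none).
const DEFAULT_WEIGHTS = { services: 1e6, severity: 1e5, ciType: 1e2,
                          role: 1e1, secondary: 1, state: 1e-3 };
// Example limits quoted in the article; a real instance rewrites them every 30 min.
const EXAMPLE_LIMITS = { urgent: 7306020.001, high: 4306020.001, moderate: 1206020.003 };

// Mapped category values of one alert -> per-category terms, total and score.
function priorityBreakdown(alert, weights = DEFAULT_WEIGHTS) {
  const terms = {
    services: alert.serviceCount * alert.criticalityValue * weights.services,
    severity: alert.severityValue * weights.severity,
    ciType: alert.ciTypeValue * weights.ciType,
    role: alert.correlationGroup * weights.role,
    secondary: alert.secondaryCount * weights.secondary,
    state: alert.stateValue * weights.state,
  };
  const total = Object.values(terms).reduce((sum, term) => sum + term, 0);
  return { terms, total, score: Math.trunc(total / 1000) }; // truncation assumed
}

// Urgent additionally requires exceeding evt_mgmt.top_priority_group_threshold,
// so an instance with no alert above it ends up with three groups only.
function priorityGroup(total, limits = EXAMPLE_LIMITS, topThreshold = 1e6) {
  if (total > limits.urgent && total > topThreshold) return 'Urgent';
  if (total > limits.high) return 'High';
  return total > limits.moderate ? 'Moderate' : 'Low';
}

// Threshold for the top `fraction` of alerts: with 100 alerts and 10% this is
// the priority of alert number 90 in ascending order, as in the article.
function percentileThreshold(totals, fraction) {
  const sorted = [...totals].sort((a, b) => a - b);
  const position = sorted.length - Math.round(sorted.length * fraction); // 1-based
  return sorted[Math.max(position, 1) - 1];
}

// The article's sample alert, then the same alert after the FAQ 5.1 order swap.
const SAMPLE_ALERT = { serviceCount: 3, criticalityValue: 1, severityValue: 2,
  ciTypeValue: 60, correlationGroup: 2, secondaryCount: 0, stateValue: 1 };
const SWAPPED_WEIGHTS = { ...DEFAULT_WEIGHTS, services: 1e2, ciType: 1e6 };
for (const weights of [DEFAULT_WEIGHTS, SWAPPED_WEIGHTS]) {
  const { total, score } = priorityBreakdown(SAMPLE_ALERT, weights);
  console.log(total.toFixed(3), score, priorityGroup(total));
}
```

Against the same example limits, the order swap moves the sample alert from Moderate to Urgent.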