Tag cluster alert grouping

IT Operations Management > ITOM Health > <a class="link" href="../../../product/event-management/concept/c_EM.html" title="The ServiceNow Event Management application helps you to identify health issues across the datacenter on a single management console. It provides alert aggregation and root cause analysis (RCA) for discovered services, application services, and automated alert groups. Event Management is available as a separate subscription from the rest of the ServiceNow platform.">Event Management > Configuring Event Management > <a class="link" href="../../../product/event-management/concept/c_ServiceAnalyticsOverview.html" title="Alert grouping is the process of organizing and consolidating related alerts into sets based on common characteristics or criteria. This helps in simplifying alert management by reducing noise, making it easier to prioritize, track, and address issues efficiently. Grouped alerts provide a clearer overview of related incidents, facilitating quicker root cause analysis and remediation.">Alert grouping >

Tag cluster alert grouping enables you to easily create groups of alerts. It is a non-code method of alert grouping that correlates alerts without having to use CMDB or model training. This simpler way of grouping similar alerts reduces the overall noise of a large quantity of alerts.

Tag cluster alert grouping is enabled immediately after the activation of the Tag-Based Alert Clustering Engine application, available in the ServiceNow Store . This grouping is applied according to the correlation logic order specified in the Configure alert correlation logic order . Alert grouping tags are attached to definitions on a many-to-many (M2M) basis. Multiple tags can be linked to a single definition, and a tag can be part of multiple definitions. Groups formed from tag cluster alert grouping definitions are classified as the Tag Cluster group type.

Tag cluster alert grouping supports domain separation, allowing different domains to have their own distinct alert grouping configurations and logic.

First, create alert grouping tags to define the criteria for grouping alerts. You can set the tags to require an exact match, an approximate ('fuzzy') match, or a character pattern match.

You can also use preconfigured tags to speed up alert clustering. These predefined tags are mapped from alerts and are based on information from sources such as the Alert field, Alert tags, or Alert additional info. If the required data is missing and the selected tag source is Alert CI or Alert CI key, the tag is populated using the Configuration Item (CI) value from the Configuration Management Database (CMDB) . Predefined tags are easily identified by their description, which includes 'out of the box.'

You can attach one or more tags to an alert clustering definition, which specifies the conditions for alert correlation. You can either create your own alert clustering definition or use a predefined one provided by the application. Predefined definitions come with associated tags.

Important: Make sure to activate predefined definitions before use. In new systems, several definitions are active by default. The remaining ones must be activated. For more information, see Activate a predefined alert clustering definition .

Once one or more alert clustering tags are attached to a definition, the system collects alerts and checks if their tags match all the tag values specified in the definition. Alerts with matching or similar tag values are grouped together. New incoming alerts join an existing group if their tags match the tags in the definition used to create the group.

For tag-cluster grouping, alerts are added to a group based on the timeframe defined in the alert clustering settings. The time between the initial alert (virtual alert) and subsequent alerts is evaluated. If two new alerts are received, and their time difference falls within the defined timeframe, they are added to the group. The initial event's generation time is used to determine the relevance of the timeframe.

Create alert clustering tags Alert clustering tags represent an improved way to correlate alerts. Alerts with identical or similar tags (depending on the configured match method) are joined together to form a group. Create an alert clustering definition An alert clustering definition determines the conditions that must be met for invoking one or more alert clustering tags. Alert clustering tags enable you to create an alert group from fewer alerts. Create key values to cluster alerts Create key values to cluster CIs, using the Key Values table. Key values create an additional way to determine commonality between alerts and to combine them into groups. For example, you may want to group alerts on CIs that share the same supplier or location. Activate a predefined alert clustering definition Activate predefined alert clustering definitions provided with the Tag Based Alert Clustering Engine application before use. Using these preconfigured definitions minimizes setup time. Attach a predefined tag to a tag-based alert clustering definition Get started faster with alert clustering by attaching a predefined alert clustering tag to a tag-based alert clustering definition in Event Management .

Parent Topic: Alert grouping types

Related concepts Alert tags

Related tasks Create alert clustering tags Create an alert clustering definition Activate a predefined alert clustering definition Attach a predefined tag to a tag-based alert clustering definition Configure an event rule to customize alert content