Alert Grouping Failed - mismatch: Case sensitivity / Clustering timeframe / Metric name - Support and Troubleshooting

Alert Grouping Failed - mismatch: Case sensitivity / Clustering timeframe / Metric name Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Alert groups are failing despite having a configured grouping rule.

[1] alerts with uppercase node values (e.g., BOWSQL291, IDWSQL170) not matching lowercase node conditions (bow, idw, sjw) in the grouping rule.

[2] alerts with Initial event generation times spanning 9 days are not grouped due to a 10-minute clustering timeframe.

[3] alert had a metric name (system.memory.virtual.utilization) that did not match the rule's configured metrics.

Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } all

Cause .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } [1] Case sensitivity mismatch: The grouping rule's node conditions (bow, idw, sjw) were lowercase, while alert node values were uppercase, and filter parameters are case-sensitive by default

[2] Clustering timeframe mismatch: Alerts with Initial event generation times spanning 9 days fell outside the 10-minute window

[3] Metric name mismatch: One alert had a metric name (system.memory.virtual.utilization) not matching the rule's configured metrics

Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } [1] Case sensitivity mismatch:

According to the ServiceNow documentation for the Tag Based Alert Clustering definition form ( https://www.servicenow.com/docs/r/it-operations-management/event-management/tag-based-alert-clustering-definition-form.html) , filter parameters are case sensitive by default.

1. Navigate to sys_properties.do in your instance 2. Search for sa_analytics.correlation_case_sensitive 3. If the property exists, update the value to false and save 4. If the property does not exist, create a new system property with the following details: - Name: sa_analytics.correlation_case_sensitive - Type: true | false - Value: false 5. Save the property 6. Monitor the next set of matching alerts to confirm grouping is triggered correctly

[2] Clustering timeframe mismatch:

With Tag Based Alert Clustering Definition, from this we can see the Clustering timeframe in minutes is determined by the Initial event generation time on the alert.

The Clustering timeframe field on the grouping rule states the following:

"The alerts considered are only those that arrive within this time window (determined by the Initial event generation time field on the alert)."

This means the clustering engine uses the Initial event generation time field — not the Created time — to determine whether alerts fall within the grouping window.

When we reviewed the Initial event generation times of the four alerts, they span approximately 9 days:

- Alert1111111: 2026-04-28 07:27:37 - Alert2222222: 2026-04-26 08:12:28 (2 days apart) - Alert3333333: 2026-04-25 09:45:14 (3 days apart) - Alert4444444: 2026-04-19 04:36:22 (9 days apart)

As the Clustering timeframe is set to 10 minutes, alerts with Initial event generation times spanning 9 days will not be grouped together, regardless of the filter conditions.

To resolve this, set the expected behaviour — specifically, over what time period should alerts of this type be grouped together? Once you have confirmed this set the Clustering timeframe value accordingly.

7. Determine the appropriate Clustering timeframe for alerts and update the value accordingly in the grouping rule