View alert information

View a list of all alerts for business services and manual services, and then manage individual alerts as necessary.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

About this task

Multiple related events may correlate into a single alert. Event Management only creates alerts when one or more events meet the conditions defined in event rules, alert rules, and alert configuration settings.

Procedure

  1. Navigate to Event Management > All Alerts.
  2. To view or manage an alert, click the alert number.
  3. Review the information on the Alert form.
    You can click tabs on the form for additional information.
    • To view flapping information, click the Flapping tab.
    • To view alert history, click the History tab.
    • To view remediation information, click the Remediation Tasks tab.
    • To view corresponding events, click the Events tab.
    • To view related alerts, click the Alerts tab.
    • To show affected business services, click the Alert Services tab.
    Table 1. Alert form
    Field Description
    Number If an alert was created as a result of the event, this field contains the unique ID that Event Management generates to identify the alert.
    Source Event monitoring software that generated the event, such as SolarWinds or SCOM. This field has a maximum length of 100. It was formerly known as event_class.
    Node Node name, fully qualified domain name (FQDN), IP address, or MAC address that is associated with the event, such as IBM-ASSET. This field has a maximum length of 100.
    Type Pre-defined event type, such as high CPU, which is used to identify an event record. This field has a maximum length of 100.
    Resource Node resource that is relevant to the event. For example, Disk C, CPU-1, the name of a process, or service. This field has a maximum length of 100.
    Configuration Item JSON string that represents a configuration item. For example, {"name":"SAP ORA01","type":"Oracle"}. The identifier of the CI that generated the event appears in the Additional information field. This field has a maximum length of 1000.
    Task The corresponding task for the alert, such as an incident, change, or problem.
    Description The alert description.
    Severity The severity of the event. The value for this field is copied from the event unless the event closes the alert, in which case the previous severity is retained for reporting.
    • Critical: Immediate action is required. The resource is either not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Partial, non-critical loss of functionality or performance degradation occurred.
    • Warning: Attention is required, even though the resource is still functional.
    • Clear: No action is required. An alert is not created from this event. Existing alerts are closed.
    • Info: An alert is created. The resource is still functional.
    State The state of the alert.
    • Open: The alert requires user action.
    • Reopen: The previously closed alert requires additional user action.
    • Flapping: The alert is receiving a high frequency of identical events from the same source, which causes the alert to be reopened many times after it has been closed. User action is required.
    • Closed: The alert is closed and no further user action is required.
    Category Manner in which an alert derives from one or more events. If the alert was upgraded from Fuji, all alert updates have the Regular category.
    • Default: Alert that does not derive from any alert rule or event rule transform.
    • Threshold: Alert that derives from an event rule threshold.
    • Regular: Alert that derives from an alert rule.
    Acknowledged A check box that shows whether a user acknowledged an alert.
    Maintenance A check box that shows whether the resource affected by the alert is in maintenance.
    Updated The most recent time that the alert information was updated.
    Knowledge Article The knowledge article associated with the alert, if any.
    Description Reason for event generation. Shows extra details about an issue. For example, a server stack trace or details from a monitoring tool. This field has a maximum length of 4000.
    Source instance The name of the machine or software that generated the event. For example, SolarWinds on 10.22.33.44.
    Message key Event unique identifier to identify multiple events that relate to the same alert. If this value is empty, it is generated from the Source, Node, Type, and Resource field values. This field has a maximum length of 1024.
    Additional Information A JSON string that gives more information about the event. For example, {"evtComponent":"Microsoft-Windows-WindowsUpdateClient","evtMessage":"Installation Failure: Windows failed. Error 0x80070490"} This information can be used for third-party integration or other post-alert processing.
    User name and role The user and role of the person who made the most recent alert updates.
    Acknowledged The Acknowledged check box value after the most recent alert update.
    • True: The Acknowledged check box is selected.
    • False: The Acknowledged check box is cleared.
    Severity The Severity value of the most recent alert update.
    State The State value of the most recent alert update.
    Correlated Alerts section The secondary alerts that are correlated with this alert, where this alert is the primary alert. See Alert correlation rules for more information.
    Flapping tab
    Flap count The number of times the alert has flapped—that is, has fluctuated between a closed and a non-closed state—within the flap interval since the start time in the Flap start window.
    Flap start window The initial start time to measure the flapping occurrences.
    Flap last update time The last time flapping occurred. This time is the ServiceNow processing time, not the source system time.
    Flap last state The state before the alert entered the flapping state.
    History tab
    Initial event time The time the event that generated the alert first occurred. This time is the ServiceNow processing time, not the source system time.
    Last event time The last time the event that is linked to the alert occurred. This time is the ServiceNow processing time, not the source system time.
    Created The alert creation time.
    Parent The parent alert, if any—that is, any related alerts that have occurred earlier.
    Work notes The additional notes about the alert.
    Remediation Tasks tab
    Number The remediation task number.
    State The Orchestration workflow state.
    Workflow The Orchestration workflow name.
    Events tab
    Severity The severity of related events:
    • Critical: Immediate action is required. The resource is either not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Partial, non-critical loss of functionality or performance degradation occurred.
    • Warning: Attention is required, even though the resource is still functional.
    • Clear: No action is required. An alert is not created from this event. Existing alerts are closed.
    • Info: An alert is created. The resource is still functional.
    Time of event For related events. Time that the event occurred in the source system. This field is a GlideDateTime field in UTC or GMT format. This field has a maximum length of 40.
    Source For related events. Event monitoring software that generated the event, such as SolarWinds or SCOM. This field has a maximum length of 100. It was formerly known as event_class.
    Node For related events. Node name, fully qualified domain name (FQDN), IP address, or MAC address that is associated with the event, such as IBM-ASSET. This field has a maximum length of 100.
    Type For related events. Pre-defined event type, such as high CPU, which is used to identify an event record. This field has a maximum length of 100.
    Resource For related events. Node resource that is relevant to the event. For example, Disk C, CPU-1, the name of a process, or service. This field has a maximum length of 100.
    Alerts tab
    Number For related alerts. If an alert was created as a result of the event, this field contains the unique ID that Event Management generates to identify the alert.
    Severity For related alerts. The severity of the event. The value for this field is copied from the event unless the event closes the alert, in which case the previous severity is retained for reporting.
    • Critical: Immediate action is required. The resource is either not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Partial, non-critical loss of functionality or performance degradation occurred.
    • Warning: Attention is required, even though the resource is still functional.
    • Clear: No action is required. An alert is not created from this event. Existing alerts are closed.
    • Info: An alert is created. The resource is still functional.
    State For related alerts. The state of the alert.
    • Open: The alert requires user action.
    • Reopen: The previously closed alert requires additional user action.
    • Flapping: The alert is receiving a high frequency of identical events from the same source, which causes the alert to be reopened many times after it has been closed. User action is required.
    • Closed: The alert is closed and no further user action is required.
    Source For related alerts. Event monitoring software that generated the event, such as SolarWinds or SCOM. This field has a maximum length of 100. It was formerly known as event_class.
    Node For related alerts. Node name, fully qualified domain name (FQDN), IP address, or MAC address that is associated with the event, such as IBM-ASSET. This field has a maximum length of 100.
    Resource For related alerts. Node resource that is relevant to the event. For example, Disk C, CPU-1, the name of a process, or service. This field has a maximum length of 100.
    Type For related alerts. Pre-defined event type, such as high CPU, which is used to identify an event record. This field has a maximum length of 100.
    Category For related alerts. Manner in which an alert derives from one or more events. If the alert was upgraded from Fuji, all alert updates have the Regular category.
    • Default: Alert that does not derive from any alert rule or event rule transform.
    • Threshold: Alert that derives from an event rule threshold.
    • Regular: Alert that derives from an alert rule.
    Acknowledged For related alerts. A check box that shows whether a user acknowledged an alert.
    Configuration Item For related alerts. JSON string that represents a configuration item. For example, {"name":"SAP ORA01","type":"Oracle"}. The identifier of the CI that generated the event appears in the Additional information field. This field has a maximum length of 1000.
    Service The business service name.
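The table above describes how events correlate into alerts through the Message key, how a Clear severity closes an alert, and how repeated reopenings after a close produce the Flapping state and Flap count. The following Python model, added here as an illustration and not Event Management's own implementation, works through those rules on a constructed event stream: it derives the Message key from Source, Node, Type and Resource when an event supplies none, parses the Configuration Item JSON string, closes the alert on Clear while keeping its previous severity, and counts reopen-after-close cycles within a flap window. The flap threshold (3), flap interval (600 seconds), alert numbering and the sample events are assumptions for the example.

```python
"""Simplified model of event-to-alert correlation, flapping and severity
handling as described on this page. Added example; not ServiceNow code."""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

CLOSED, OPEN, REOPEN, FLAPPING = "Closed", "Open", "Reopen", "Flapping"
FLAP_THRESHOLD = 3    # assumed: reopen-after-close cycles before the alert is Flapping
FLAP_INTERVAL = 600   # assumed: length of the flap window in seconds


def message_key(event: dict) -> str:
    """Return the event's Message key; when it is empty, derive it from the
    Source, Node, Type and Resource values, as the Message key field describes."""
    if event.get("message_key"):
        return event["message_key"]
    return "/".join(event.get(k, "") for k in ("source", "node", "type", "resource"))


def parse_ci(text: str) -> dict:
    """Configuration Item is a JSON string such as {"name":"SAP ORA01","type":"Oracle"};
    anything unparseable is treated as no CI rather than raising."""
    try:
        ci = json.loads(text) if text else {}
    except json.JSONDecodeError:
        return {}
    return ci if isinstance(ci, dict) else {}


@dataclass
class Alert:
    number: str
    message_key: str
    severity: str
    state: str = OPEN
    flap_count: int = 0
    flap_start: Optional[float] = None   # "Flap start window" on the Flapping tab
    ci: dict = field(default_factory=dict)
    event_count: int = 0                 # events correlated into this alert


class AlertStore:
    def __init__(self) -> None:
        self.alerts: Dict[str, Alert] = {}   # Message key -> Alert
        self._seq = 0

    def _record_flap(self, alert: Alert, t: float) -> None:
        # Start a new flap window if none exists or the old one has expired.
        if alert.flap_start is None or t - alert.flap_start > FLAP_INTERVAL:
            alert.flap_start, alert.flap_count = t, 0
        alert.flap_count += 1

    def process(self, event: dict) -> Optional[Alert]:
        key = message_key(event)
        alert = self.alerts.get(key)
        sev, t = event["severity"], event["time"]
        if alert is None:
            if sev == "Clear":
                return None   # Clear never creates an alert
            self._seq += 1
            alert = Alert(f"Alert{self._seq:07d}", key, sev, ci=parse_ci(event.get("ci", "")))
            self.alerts[key] = alert
        alert.event_count += 1
        if sev == "Clear":
            alert.state = CLOSED          # previous severity is retained for reporting
        else:
            alert.severity = sev
            if alert.state == CLOSED:     # a non-Clear event after a close reopens the alert
                self._record_flap(alert, t)
                alert.state = FLAPPING if alert.flap_count >= FLAP_THRESHOLD else REOPEN
        return alert


def _disk_event(severity: str, t: int) -> dict:
    # Constructed sample event (not from the page): a disk check on one node.
    return {"source": "SolarWinds", "node": "IBM-ASSET", "type": "Disk space",
            "resource": "Disk C", "severity": severity, "time": t,
            "ci": '{"name":"SAP ORA01","type":"Oracle"}'}


# Constructed stream: the disk check clears and re-fires repeatedly, then an
# unrelated SCOM event arrives carrying its own Message key.
SAMPLE_EVENTS = [_disk_event(s, t) for s, t in
                 [("Major", 0), ("Clear", 60), ("Major", 120), ("Clear", 180),
                  ("Major", 240), ("Clear", 300), ("Major", 360)]] + [
    {"source": "SCOM", "node": "web01", "type": "High CPU", "resource": "CPU-1",
     "severity": "Warning", "time": 400, "message_key": "scom-cpu-web01"}]


def run(events=SAMPLE_EVENTS) -> AlertStore:
    """Feed the events through the store and return it for inspection."""
    store = AlertStore()
    for e in events:
        store.process(e)
    return store


if __name__ == "__main__":
    for a in run().alerts.values():
        print(a.number, a.message_key, a.state, a.severity, "flaps:", a.flap_count)
```

Seven disk events collapse into a single alert whose state ends as Flapping with a Flap count of 3, while the SCOM event, which carries its own Message key, becomes a separate Open alert. The model is deliberately simpler than the real rule engine (it has no event rules, alert rules or thresholds), but it makes the Message key, Clear and flapping semantics in the table concrete.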

What to do next

You can respond to the alert in the following ways:
Table 2. Alert response options
Option Description
Acknowledge the alert. Click Acknowledge. If the alert is reopened, this button reappears so you can reacknowledge the alert.
Create an incident. Click Create incident. For more information, see Create an incident from an alert.
Create a security incident response, if Security Incident Response is activated. Click Create Security Incident.
Designate that the alert is in maintenance. Select the Maintenance check box. For more information, see View all alerts by the maintenance status.
Close the alert. Click Close. For more information, see Close an alert.