Understanding Event Management

Event Management enables you to monitor the health of business services and infrastructure using a single management console and respond appropriately to any issues that come up. It provides intelligent event and alert analysis to ensure continuity of your business service performance.

What Event Management can manage

Event Management can manage external events and configure alerts for discovered business services, manual services, technical services, and alert groups.

Discovered business services
A discovered business service is a definition of interrelated CIs from the CMDB. The discovered service, from Service Mapping, includes a business service map with mapping relationships. It also includes an impact tree to show outage severity, active or related alerts, and CI properties. Business service information is discovered by Service Mapping. The mapping information appears on dashboards, the Alerts list, and the Events list.
Manual services
A manual service is a business service that you manually create by selecting CIs to include in the service. Manual service information appears on dashboards with drill-down capability to a map view.
Technical services
A technical service is a dynamic grouping of CIs based on some common criteria. For example, you can create a technical service based on location for all web servers or all Oracle databases in Boston.
Alert groups
Alert groups, not to be confused with automated alert groups in Service Analytics, show sets of alerts for ease of maintenance.


Event Management receives and processes events via the MID Server.

As events occur on various systems, the MID Server connector instance sends the events to the ServiceNow instance. Event Management generates alerts, applies alert rules, and prioritizes alerts for remediation and root cause analysis. You can use a browser to view this information on dashboards, the Alert Console, or from a service map.
Figure 1. Event Management architecture

Process flow

Event Management either pulls events from supported external event sources using a MID Server or pushes events from external event sources using JavaScript code.

Inbound events are collected in the Event [em_event] table and then processed in batches. For events that meet the defined criteria in alert rules, alerts are created or updated in the Alert [em_alert] table. If an alert does not exist for the event, a new alert is created. If the alert exists, the existing alert is updated appropriately.
As part of the alert life cycle, you can manage alerts in the following ways:
  • Acknowledge alerts.
  • Create a task such as an incident, problem, or change.
  • If automatic remediation tasks apply to the alert, begin automatic remediation to start a workflow.
  • Complete all tasks or remediation activities.
  • Close alerts for resolved issues.
  • Add additional information, such as a knowledge article for future reference.
Figure 2. Event Management process flow
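
The create-or-update step described in the process flow above, as an added JavaScript example that is not ServiceNow code: it models the Event and Alert tables in memory and processes one batch. The field names, the correlation key, the rule predicate, the severity scale and the sample events are assumptions constructed for illustration.

```javascript
// In-memory model of the flow: Event table -> alert rules -> Alert table.
// Not ServiceNow code; field names and the key below are assumptions.

// Assumed correlation key: events that describe the same condition on the
// same node and resource map to the same alert.
function alertKey(ev) {
  return [ev.source, ev.node, ev.type, ev.resource].join('|');
}

// Process one batch of events. `alerts` is a Map standing in for the Alert
// table; `rules` are predicates standing in for alert rule criteria.
function processBatch(events, alerts, rules) {
  const summary = { created: 0, updated: 0, skipped: 0 };
  for (const ev of events) {
    // Events that meet no rule criteria do not create or update an alert.
    if (!rules.some((rule) => rule(ev))) {
      summary.skipped++;
      continue;
    }
    const key = alertKey(ev);
    const existing = alerts.get(key);
    if (existing) {
      // Alert exists: update it instead of opening a duplicate.
      existing.severity = ev.severity;
      existing.lastEventTime = ev.time;
      existing.eventCount++;
      summary.updated++;
    } else {
      // No alert yet for this key: create one.
      alerts.set(key, { key, severity: ev.severity, firstEventTime: ev.time,
                        lastEventTime: ev.time, eventCount: 1 });
      summary.created++;
    }
  }
  return summary;
}

// Constructed sample batch: two events for the same disk, one unrelated
// low-severity event. Assumed scale: lower number means more severe.
function demo() {
  const alerts = new Map();
  const rules = [(ev) => ev.severity <= 3];
  const batch = [
    { source: 'monitor-a', node: 'web01', type: 'Disk', resource: '/var', severity: 3, time: 1 },
    { source: 'monitor-a', node: 'web01', type: 'Disk', resource: '/var', severity: 1, time: 2 },
    { source: 'monitor-a', node: 'db01', type: 'CPU', resource: 'cpu0', severity: 5, time: 3 },
  ];
  return { summary: processBatch(batch, alerts, rules), alerts };
}

console.log(demo().summary);
```

Because repeated events fold into one alert, the alert's event count and last event time show how long and how often a condition has been firing.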

Event Management and Service Mapping

Event Management uses discovered services from Service Mapping and automated alert groups with root cause analysis from Service Analytics to expedite alert resolution.

When an event from an external source arrives from the MID Server, script, or web service API (not pictured), Event Management locates CI information for alert generation and CI remediation. CI information is stored in the CMDB from sources such as Service Mapping, Discovery, third-party sources, and manual population. If Service Analytics is enabled, additional correlated alert group and root cause analysis information is available to resolve the issue.
Figure 3. Event Management interoperability

Supported browsers

  • Firefox version 31 ESR and version 38 or later
  • Chrome version 43 or later
  • Microsoft Internet Explorer (IE) 7 or later
  • Safari version 6.1 or later
For UI16:
  • Firefox version 31 ESR and version 38 or later
  • Chrome version 43 or later
  • Microsoft Internet Explorer (IE) 9 or later
  • Safari version 6.1 or later