Installed with Event Management

Activating the Event Management (com.glideapp.itom.snac) plugin adds several tables, properties, user roles, script includes, business rules, and scheduled jobs to the system.

Tables installed with Event Management

Event Management adds these tables.
Table Description
Alert

[em_alert]

Alerts that Event Management manage.
Alert Correlation Rule [em_alert_correlation_rule] Rules specifying primary and secondary correlated alerts.
Alert Aggregation Group Alerts

[em_agg_group_alert]

Relationships between secondary alerts and the correlation group they belong to.
Alert Aggregation Group

[em_agg_group]

Relationships between correlation groups and primary alerts.
Alerts History

[em_alert_history]

History of alerts. Used for impact calculation.
Alert Rule

[em_alert_rule]

Mappings of alert fields to the Incident [incident] table.
Alert Template

[em_alert_template]

Alert templates. This table extends the Template [sys_template] table.
Event Management SLA

[em_ci_severity_task]

Event management SLA tasks for CIs and business services.
Connector Definition

[em_connector_definition]

Settings for gathering events from external event sources.
Connector Instance

[em_connector_instance]

Connection details for external event sources.
MID Server to Connector Instance

[em_connector_instance_to_mid]

Mappings of MID Servers to connector instances.
Event

[em_event]

Events received by Event Management.
Event Filter

[em_event_filter]

Storage for defined event filters.
Event Match Rule

[em_match_rule]

Updated events for alert processing. Used by event rules.
Event Match Field

[em_match_field]

Mappings of event fields to alert fields. Simple mapping. Used by Event Rules.
Event Compose Field

[em_compose_field]

Mappings of event fields to alert fields. Composite mapping. Used by Event Rules.
Event Mapping Rule

[em_mapping_rule]

Updated event fields for alert processing.
Event Processing Statistics

[em_event_stats]

Statistics on Event Management performance.
Event Type

[em_event_type]

Event types.
Task Template

[em_incident_template]

Templates that define how to populate new tasks. For example, how fields of an incident that is being created from an alert, must be populated. This table extends the Template [sys_template] table.
Registered Nodes

[em_registered_nodes]

Registered nodes data.
Threshold Rule

[em_threshold_rule]

Alert threshold rules.
Binding Device Map

[Em_binding_device_map]

Event binding to network paths and storage paths.
Process to CI Type Mappings

[Em_binding_process_map]

Event binding to specific processes.
CI Remediation

[em_ci_remediation]

Remediation rule definitions.
Impact Graph

[em_impact_graph]

Impact tree of CIs containing CI hierarchy and impact rules to be used for impact calculation.
Impact Graph History

[em_impact_graph_history]

History of changes in impact tree.
Impact Rule Definitions

[em_impact_rule_definition]

Definition of rules used for impact calculation.
Impact Rule instance

[em_impact_rule]

Rules based on impact rule definitions.
Infrastructure Relations

[em_impact_infra_rel_def]

Child-parent pairs or CI types. CIs matching these definitions are added to impact trees.
Impact Maintenance CIs

[em_impact_maint_ci]

CIs that are in maintenance and therefore are excluded from impact calculation.
Impact Status

[em_impact_status]

Calculated status of CIs and services to be displayed in the dashboard and business service maps for technical services.
SLA Configuration

[em_sla_configuration]

SLA configuration records that identify the CIs that SLAs can run on.
Service Analytics Metric Type Registration

[sa_metric_registration]

Source registration details for processing raw data.
Manual Service

[cmdb_ci_service_manual]

Stores records that represent Business Services that were created manually using Event Management > Manual Services capabilities, or imported from the Business Service [cmdb_ci_service] table. The added functionality of the Business Service table [cmdb_ci_service_manual] is that it supports Business Service maps and impact calculations.

Event Management adds the following tables that are shared with Service Analytics.

Table Description
Alert Aggregation Group

[em_agg_group]

Stores alert aggregation query groups formed using co-relation rules and the groups generated using analytics.
Alert Aggregation Group Alerts

[em_agg_group_alert]

Stores alerts associated to alert aggregation group.

Properties installed with Event Management

Event Management adds these properties. Be cautious when changing Event Management property values, as these settings can greatly affect overall system performance.
Note: To open the System Property [sys_properties] table, enter sys_properties.list in the navigation filter.
Property Description
evt_mgmt.query_based_service_graph_handler.page_count Page size of CIs from the technical service to be fetched at once while calculating technical service Impact Tree Page size in a single fetch of CIs while calculating the Impact Tree for a technical service.
  • Type: integer
  • Default value: 100
  • Location: Event Management > Properties
evt_mgmt.event_processor_enable_multi_node Enable multi node event processing
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
  • Learn More: Alert binding procedures
evt_mgmt.event_processor_job_count Number of scheduled jobs processing events
evt_mgmt.max_events_processing_per_job Maximum events to be processed by every scheduled job
  • Type: integer
  • Default value: 5000
  • Location: Event Management > Settings > Properties
evt_mgmt.impact_calulation.alert_group_support Enable alert group support
  • Type: true | false
  • Default value: true
  • Location: Event Management > Settings > Properties
  • Learn More: Alert impact calculation
evt_mgmt.impact_maintenance.sleep_time_sec Minimum time in seconds for checking CI maintenance: checks both the Status field on the CI and any change request schedule for the CI.
  • Type: integer
  • Default value: 60
  • Location: Event Management > Settings > Properties
evt_mgmt.alert_auto_close_interval Auto close interval (in hours), within which open alerts will be automatically closed; Setting to 0 disables the feature

The number of hours the system waits until it automatically closes an expired alert.

evt_mgmt.active_interval Active interval (in seconds), within which a new event reopens a closed alert

Determines the time interval within which a new event that is identified as a recurrence of an existing issue updates the existing alert or, if the alert has been closed, reopens the alert.

evt_mgmt.connector_test.progress_timeout Test connector timeout interval

The number of seconds the Test Connector UI action waits for a response before timing out.

  • Type: integer
  • Default value: 120
  • Location: Event Management > Settings > Properties
evt_mgmt.log_debug Display logs for debugging

Determines whether Event Management logs event and alert processing.

  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
sa.impact.crash_interval Timeout for the impact calculation (in minutes)

If the calculation is not complete within the specified period, it is assumed as failed and any free calculation thread/node will attempt to re-calculate.

  • Type: integer
  • Default value: 10
  • Location: Event Management > Settings > Properties
  • Learn More: Alert impact calculation
evt_mgmt.flap_interval Flap interval (in seconds), within which an alert enters the flapping state

Determines the time interval within which an alert enters into the flapping state. An alert enters the flapping state if its flap count—that is, the number of times it has fluctuated between states—meets or exceeds the flap frequency value within the flap interval time period.

  • Type: integer
  • Default value: 120
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
evt_mgmt.flap_frequency Flap frequency, frequency an alert must reoccur to enter the flapping state. An alert enters the flapping state if its flap count meets or exceeds the specified value within the time period specified by the flap interval property.

Determines the number of times an event must reoccur within the flap interval time period for the alert to enter the flapping state. An alert enters into the flapping state if its flap count meets or exceeds the flap frequency within the flap interval.

  • Type: integer
  • Default value: 10
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
evt_mgmt.flap_quiet_interval Flap quiet interval (in seconds), quite time that must pass for an alert to exit the flapping state. An alert exits the flapping state if the difference between the alert's last flap time and the time of the new event exceeds the specified value.

Determines the time interval that determines whether an alert exits the flapping state. An alert exits the flapping state if the time between alert's last flap update and the time of the new event exceeds this property.

  • Type: integer
  • Default value: 300
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
evt_mgmt.max_alerts_to_display Maximum number of alerts to show on the Event Management alert panel on the dashboard and map

Specifies the upper limit of the number of alerts that are displayed in the alert panel under the Event Management dashboard and map. For example, if the value 5 is specified and there are 6 alerts, only 5 alerts are displayed. To see all the alerts without regard to this upper limit, open the Alert Console.

  • Type: integer
  • Default value: 500
  • Location: Event Management > Settings > Properties
evt_mgmt.fetch_limit Fetch limit, number of queued events to be fetched by the event processor in a single fetch

Determines the number of queued events to be fetched at a time by Event Management.

  • Type: integer
  • Default value: 500
  • Location: Event Management > Settings > Properties
evt_mgmt.alert_ack_on_close Acknowledge an alert when manually closing it

Determines if manually closing an alert acknowledges the alert.

evt_mgmt.alert_closes_incident Closing alerts determines the system action when an alert is closed
evt_mgmt.alert_reopens_incident Reopening alerts determines the system action when an incident is reopened
evt_mgmt.incident_closes_alert Resolving an incident closes the associated alerts.

Determines if associated alerts are closed when an incident is resolved.

evt_mgmt.import_service.levels Number of connected CI levels when importing a Fuji Event Management business service into a new manual service
  • Type: integer
  • Default value: 4
  • Range of possible values: 1-11
  • Location: Event Management > Settings > Properties
mid.server.connector_default Default MID Server for connectors

Determines the MID Server connectors to use when no MID Server is specified. Must match a MID Server name.

  • Type: string
  • Location: System Property [sys_properties] table
evt_mgmt.update_alert_restricted_fields_elapsed_time Minimum time in seconds to wait before updating an alert for identical events
evt_mgmt.event_rules.num_of_events_to_handle Number of events to handle for event rules processes.
  • Type: integer
  • Default value: 50000
  • Location: Event Management > Settings > Properties
evt_mgmt.max_alerts_to_display Maximum number of alerts to show on the dashboard
evt_mgmt.valid_processing_duration_of_event_rule Time (in seconds) of valid processing duration of event in event rules evaluating.
  • Type: integer
  • Default value: 60
  • Location: Event Management > Settings > Properties
evt_mgmt.enable_alert_correlation Enable alert correlation calculation
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
evt_mgmt.max_worknotes_on_alert Maximum alert work notes. When the maximum number is reached, further work notes are purged from the alert.
  • Type: integer
  • Default value: 50
  • Location: Event Management > Settings > Properties
evt_mgmt.remote_incident_url URL of the instance for incident management
  • Type: string
  • Location: Event Management > Settings > Properties
evt_mgmt.remote_incident_credentials Name from the credentials list that defines which credentials to use when accessing a remote incident management instance
  • Type: string
  • Location: Event Management > Settings > Properties
sa.map.LIMIT_MAX_GRAPH_SIZE Enable limitation of business service maps drawing by number of nodes and edges. ServiceNow recommends that this property be specified and not be disabled.
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
sa.map.MAX_NODES_FOR_LAYOUT Maximal number of displayable nodes on business service maps. Maps with larger values are not displayed. ServiceNow recommends that the value specified not to exceed 5000.
  • Type: integer
  • Default value: 5000
  • Location: Event Management > Settings > Properties
sa.map.MAX_EDGES_FOR_LAYOUT Maximal number of displayable edges on business service maps. Maps with larger values are not displayed. ServiceNow recommends that the value specified not to exceed 1000.
  • Type: integer
  • Default value: 1000
  • Location: Event Management > Settings > Properties
sa.map.LIMIT_GRAPH_DEGREE Maximal degree of node on business service map for large map modes. Maps with smaller degrees are displayed in regular mode. Maps with larger degrees apply more edge merging for a view that is more compact. ServiceNow recommends that the value specified not to exceed 1000.
  • Type: integer
  • Default value: 1000
  • Location: Event Management > Settings > Properties

Roles installed with Event Management

Event Management adds these roles.
Role title [name] Description Contains roles
Event Management Administrator

[evt_mgmt_admin]

Has read and write access to all Event Management features to configure Event Management.
  • evt_mgmt_user
  • template_editor_global
Event Management Integrator

[evt_mgmt_integration]

Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.
Event Management User

[evt_mgmt_user]

Has read access to all Event Management features. Has write access to alerts to manage the alert life . Has the itil role so they can manage incidents that are created from alerts.
  • itil
Event Management Operator

[evt_mgmt_operator]

In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, run remediations.
  • evt_mgmt_user

Script includes installed with Event Management

Event Management adds these script includes.
Script include Description
EvtMgmtIncidentHandler Creates an incident for an alert based on the incident template defined in the alert rule.
SaAlertsQuery Displays alerts information on the dashboard.
SaAlertsQueryByCI Displays alerts information for a selected CI.
EventRuleUtil Used in Event Rules form for upgrade from ServiceWatch to event rules.
EvtMgmtCustomIncidentPopulator Placeholder for a custom script used to populate incident fields from an alert.
EvtMgmtKBHandler Associates knowledge article to any alert and acknowledge alert based on the found alert rules.
ConnectorUtil Connector handler.

Business rules installed with Event Management

Event Management adds these business rules.
Business rule Table Description
Add message key if missing Alert

[em_alert]

Constructs a message key from the Source, Node, Type, and Resource field values.
After insert (async) Alert

[em_alert]

Updates the parent field of an alert, creates mapping between alerts and CMDB services, and automatically creates incidents based on the alert rules.
Alert Parent Validation Alert

[em_alert]

Check cycles in alerts.
After update (async) Alert

[em_alert]

Creates incidents automatically based on the alert rules.
Apply overwrite rule and validate Alert

[em_alert]

Applies and validates overwrite rules.
Change definition by Impact On Impact Rule

[em_impact_rule]

Synchronizes the impact rule with impact definition according to impact on field.
Close associated incident Alert

[em_alert]

Closes the incident associated with an alert as defined by the evt_mgmt.alert_closes_incident property.
Convert Clear severity to Info Event Management SLA [em_CI_severity_task] Sets the severity to Info.
Delete related Threshold Staging records Alert

[em_alert]

Removes closed alerts from the Threshold Staging [em_threshold_staging] table.
Disable default rule edit Impact Rule

[em_impact_rule]

Reverts changes in the default impact rule.
Event rule grouping calculation Event rule calculation

[em_event_rule_calculation]

Calculates suggested grouping for events.
Forward stats Event Processing Statistics

[em_event_stats]

Forwards event statistics to usage analytics instance.
Handle Classification Change Alert

[em_alert]

Removes alert from impact calculation if it is reclassified as a security alert.
Handle Delete alert Alert

[em_alert]

Removes deleted alert from impact calculation.
Handle deleted event rule Event Rule [em_match_rule] Removes deleted event rule.
Handle SLA configuration delete SLA Configuration [em_sla_configuration] When SLA configuration filters are deleted, deletes CIs in the em_ci_severity_task table.
Name and pattern cannot be empty Event Type

[em_event_type]

Verifies that the Name and Pattern fields have values.
Notify impact Impact Rule

[em_impact_rule]

Notifies impact calculation about modifications to impact rules, triggering an impact recalculation as needed.
Prevent duplicate records Impact Rule

[em_impact_rule]

Reverts a change to impact rules if the change causes duplication.
Rebuild Impact Tree on InfraDef change Infrastructure Relations

[em_impact_infra_rel_def]

Notifies impact calculation about changes to the definition of infrastructure relationships, triggering an impact recalculation as needed.
Reset service hashes Alert

[em_alert]

Notifies the dashboard that an alert has changed.
Reopen associated closed incident Alert

[em_alert]

Reopens the incident associated with an alert, as defined by the evt_mgmt.alert_reopens_incident property.
Run automatic remediation actions Alert

[em_alert]

Runs the remediation task defined for an alert.
Save type in userPreference Alert Rule

[em_alert_rule]

Passes parameters between alert rule update forms.
SLA Configuration Service Filter Updated SLA Configuration [em_sla_configuration] Updates the em_ci_severity_task table with the records that match the filter in the SLA configuration records.
Update Instance Parameters Connector Instance

[em_connector_instance]

Refreshes connector instance parameters in memory before connecting.
Validate BS Impact Rule

[em_impact_rule]

Verifies the business service in an impact rule.
Validate CI Impact Rule

[em_impact_rule]

Verifies the CI in an impact rule.
Validate contribution type Impact Rule

[em_impact_rule]

Verifies the contribution type in an impact rule.
Validate contribution value Impact Rule

[em_impact_rule]

Verifies the contribution value in an impact rule.
Validate impact definition Impact Rule

[em_impact_rule]

Verifies the impact definition in impact rule.
Validate Inputs Connector Definition

[em_connector_definition]

Validates entries in the Name and Schedule fields.
Validate Inputs Event Match Rule

[em_match_rule]

Validates entries in the Name field.
Validate Inputs Event Mapping Rule

[em_mapping_rule]

Validates entries in the Name, From field, and Field to fields.
Validate severity fields Impact Rule

[em_impact_rule]

Verifies severity fields of impact rule.
Verify overwrite template table Alert Rule

[em_alert_rule]

Verifies that the overwrite template of the alert rule is defined in the Alert table.
Verify template is on Incident Alert Rule

[em_alert_rule]

Verifies that the incident template of the alert rule is defined in the Incident table.

Scheduled jobs installed with Event Management

Event Management adds these scheduled jobs.
Scheduled job Description
Event Management - Connector execution job Compares current time with time when active connector instances were last run and sets relevant connectors to execute. Runs every 10 seconds.
Event Management - Delete Work Notes Trim content of alert work notes. When the maximum number of work notes (default is 50) is reached, further work notes are purged from the alert. Modify the default using the evt_mgmt.max_worknotes_on_alert property. Runs every hour.
Event Management - Impact Calculator Trigger Trigger the impact calculation. Runs every 19 seconds.
Event Management - Update stuck connectors

Release connector instances that are stuck. Runs every 2 minutes.

Event Management - auto close alerts Alerts that are idle longer than 7 days (default time period) are closed. Modify the default using the evt_mgmt.alert_auto_close_interval property. Runs every 10 minutes.
Event Management - close flapping alerts Close flapping alerts. Runs every 5 minutes.
Event Management - close threshold alerts Close threshold alerts. Runs every 2 minutes.
Event Management - create/resolved incidents by alerts Job to:
  • Create incidents for alerts according to alert action rules.
  • Update incidents according to alert state.
Runs every 11 seconds.
Event Management - Maintenance Calculator Calculate the maintenance for CIs. Runs every minute.
Event Management - Node Count Calculate license usage. Runs once every hour.
Event Management - Queue connector processor Bi-directional functionality. Processes all pending alerts in the Update Queue and sends them to the MID Server. By default, this dequeue process is performed in batches of 1,000 alerts. Runs every 30 seconds.
Update SLA Configuration Result Synchronizes the CIs that match the SLA configuration filter with the Event Management SLA [em_ci_severity_task] table.
Update Event Management SLA Updates Event Management SLA [em_ci_severity_task] table with the new severity.

Content packs for Event Management

Performance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.

Note: You can activate Performance Analytics content packs and in-form analytics on instances that have not licensed Performance Analytics Premium to evaluate the functionality. However, to start collecting data you must license Performance Analytics Premium.

Content packs

The Performance Analytics widgets on the dashboard visualize data over time. These visualizations allow you to analyze your business processes and identify areas of improvement. With content packs, you can get value from Performance Analytics for your application right away, with minimal setup.
Note: Content packs include some dashboards that are inactive by default. You can activate these dashboards to make them visible to end users according to your business needs.

To enable the content pack for Event Management, an admin can navigate to Performance Analytics > Guided Setup. Click Get Started then scroll to the section for Event Management. The guided setup takes you through the entire setup and configuration process.