Alert aggregation and RCA

The alert aggregation and root cause analysis (RCA) capability enhances Event Management with alert data analysis and alert aggregation for technical services, manual services, and alert groups. It also provides RCA for business services discovered by Service Mapping, manual services, automated alert groups, and CMDB alert groups.

Use alert aggregation and RCA to do the following:
  • Aggregate alerts to create automated alert groups.

    Correlate alerts according to timestamps and CI identification to create automated alert groups. Alert correlation helps organize incoming real-time alerts and reduce alert noise.

  • Apply RCA to automated alert groups and to CMDB alert groups.
  • Apply RCA to discovered business services and to manual services.
  • Correlate alerts based on CIs' relationships in the CMDB to create CMDB alert groups.
  • Generate a pattern for a manual alert group and then create an automated alert group according to that pattern.
  • Visualize the correlation between alerts, services, and root cause CIs for discovered business services and for manual services in a service map.

Alert aggregation

Alerts are grouped based on the CI associated with them. Event Management groups alerts that are similar but not necessarily identical, and also by how close in time the alerts were created.

Alert aggregation has these components:
  • Alert Aggregation Learner

    An offline job that runs once a day to process past alerts. The Alert Aggregation Learner identifies patterns of related alerts using a combination of pattern-based and probabilistic techniques. If the sa_analytics.agg.learner_group_by_property property is set, then before processing starts, the Alert Aggregation Learner groups alerts by the specified CMDB property.

  • Real-Time Query

    A scheduled job that runs every minute and updates alert aggregation groups. It tries to match real-time alerts with alert patterns stored in the alert knowledge base.
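To make the two grouping principles on this page concrete, the following is an added, simplified illustration (not ServiceNow code, and not the Learner's pattern-based or probabilistic logic): it correlates constructed sample alerts by CI and creation time into automated-style groups, and by CMDB dependency relationships into CMDB-style groups. The alert fields, the DEPENDS_ON map and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample alerts (not real ServiceNow records).
ALERTS = [
    {"id": "A1", "ci": "db01", "created": "2024-01-10T10:00:00", "desc": "CPU high"},
    {"id": "A2", "ci": "db01", "created": "2024-01-10T10:02:00", "desc": "CPU high"},
    {"id": "A3", "ci": "db01", "created": "2024-01-10T12:30:00", "desc": "CPU high"},
    {"id": "A4", "ci": "app01", "created": "2024-01-10T10:01:00", "desc": "Slow response"},
    {"id": "A5", "ci": "web01", "created": "2024-01-10T10:03:00", "desc": "HTTP 503"},
]

# Constructed CMDB relationships: dependent CI -> CI it depends on (assumed).
DEPENDS_ON = {"web01": "app01", "app01": "db01"}


def _group(alerts: List[dict], key_fn: Callable[[str], str],
           window: timedelta) -> Dict[str, List[List[dict]]]:
    """Bucket alerts by key_fn(ci); within a key, open a new group whenever an
    alert is created more than `window` after the group's first alert."""
    groups: Dict[str, List[List[dict]]] = {}
    for a in sorted(alerts, key=lambda x: x["created"]):  # ISO strings sort by time
        ts = datetime.fromisoformat(a["created"])
        buckets = groups.setdefault(key_fn(a["ci"]), [])
        if buckets and ts - datetime.fromisoformat(buckets[-1][0]["created"]) <= window:
            buckets[-1].append(a)
        else:
            buckets.append([a])
    return groups


def automated_groups(alerts: List[dict], window: timedelta = timedelta(minutes=10)):
    """Correlate by identical CI and time proximity (simplified automated alert groups)."""
    return _group(alerts, lambda ci: ci, window)


def cmdb_groups(alerts: List[dict], depends_on: Dict[str, str],
                window: timedelta = timedelta(minutes=10)):
    """Correlate across CIs linked in the CMDB: alerts on a CI and on everything that
    depends on it share one group, keyed by the top of the dependency chain."""
    def root_of(ci: str) -> str:
        seen = set()  # guard against a cyclic relationship in the input map
        while ci in depends_on and ci not in seen:
            seen.add(ci)
            ci = depends_on[ci]
        return ci
    return _group(alerts, root_of, window)
```

With the sample data, db01's alerts split into two automated groups (A3 arrives hours later), while the CMDB view pulls the app01 and web01 alerts into the same group as db01 because they depend on it.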

RCA for automated alert groups

If you set the Enable Alert Correlation RCA property to true, then Event Management applies RCA algorithms to automated alert groups. RCA identifies the root cause alert within the automated alert group. RCA helps to direct resources to the root cause CI of a problem. Root cause alerts are displayed in the Alert Console.

RCA for CMDB alert groups

If the Enable CMDB Correlation for Alert Aggregation property is set to true and CMDB alert groups are forming, then Event Management applies RCA algorithms to CMDB alert groups. RCA identifies the root cause alert within the CMDB alert group. RCA helps to direct resources to the root cause CI of a problem. Root cause alerts are displayed in the Alert Console.

RCA for discovered business services and manual services

Event Management applies RCA algorithms to discovered business services and to manual services to identify a root cause CI within the service. Event Management then aggregates similar alerts from the root cause CI and from its related CIs into an automated alert group. An operator can drill down and determine which CIs and alerts are affecting the health of discovered business services and manual services. This information makes it easier to identify related issues across the data center in the context of services.

Alerts for technical services and alert groups are not associated with a service model and do not undergo RCA. Other than being correlated by time and CI, these alerts are not necessarily related by the same underlying problem.