Installed with Event Management

Activating the Event Management (com.glideapp.itom.snac) plugin adds several tables, properties, user roles, script includes and other components.

Tables installed with Event Management

Tables that are provided when Event Management is activated.

Event Management adds these tables.
Table Description
Alert

[em_alert]

Alerts that Event Management manages.
Alert Correlation Rule

[em_alert_correlation_rule]

Rules specifying primary and secondary correlated alerts.
Alert Aggregation Group Alerts

[em_agg_group_alert]

Stores alerts associated with aggregated alert groups.
Alert Aggregation Group

[em_agg_group]

Relationships between aggregated groups and primary alerts.
Alerts History

[em_alert_history]

History of alerts. Used for impact calculation.
Alert Rule

[em_alert_rule]

Mappings of alert fields to the Incident [incident] table.
Alert Template

[em_alert_template]

Alert templates. This table extends the Template [sys_template] table.
Event Management SLA

[em_ci_severity_task]

Event Management SLA tasks for CIs and business services.
Connector Definition

[em_connector_definition]

Settings for gathering events from external event sources.
Connector Instance

[em_connector_instance]

Connection details for external event sources.
MID Server to Connector Instance

[em_connector_instance_to_mid]

Mappings of MID Servers to connector instances.
Event

[em_event]

Events received by Event Management.
Event Filter

[em_event_filter]

Storage for defined event filters.
Event Match Rule

[em_match_rule]

Updated events for alert processing. Used by event rules.
Event Match Field

[em_match_field]

Mappings of event fields to alert fields. Simple mapping. Used by Event Rules.
Event Compose Field

[em_compose_field]

Mappings of event fields to alert fields. Composite mapping. Used by Event Rules.
Event Mapping Rule

[em_mapping_rule]

Updated event fields for alert processing.
Event Processing Statistics

[em_event_stats]

Statistics on Event Management performance.
Event Type

[em_event_type]

Event types.
Task Template

[em_incident_template]

Templates that define how to populate new tasks. For example, how fields of an incident that is being created from an alert, must be populated. This table extends the Template [sys_template] table.
Registered Nodes

[em_registered_nodes]

Registered nodes data.
Threshold Rule

[em_threshold_rule]

Alert threshold rules.
Binding Device Map

[Em_binding_device_map]

Event binding to network paths and storage paths.
Process to CI Type Mappings

[Em_binding_process_map]

Event binding to specific processes.
CI Remediation

[em_ci_remediation]

Remediation rule definitions.
Impact Graph

[em_impact_graph]

Impact tree of CIs containing CI hierarchy and impact rules to be used for impact calculation.
Impact Graph History

[em_impact_graph_history]

History of changes in impact tree.
Impact Rule Definitions

[em_impact_rule_definition]

Definition of rules used for impact calculation.
Impact Rule instance

[em_impact_rule]

Rules based on impact rule definitions.
Infrastructure Relations

[em_impact_infra_rel_def]

Child-parent pairs or CI types. CIs matching these definitions are added to impact trees.
Impact Maintenance CIs

[em_impact_maint_ci]

CIs that are in maintenance and therefore are excluded from impact calculation.
Impact Status

[em_impact_status]

Calculated status of CIs and services to be displayed in the dashboard and business service maps for technical services.
SLA Configuration

[em_sla_configuration]

SLA configuration records that identify the CIs that SLAs can run on.
Service Analytics Metric Type Registration

[sa_metric_registration]

Source registration details for processing raw data.
Manual Service

[cmdb_ci_service_manual]

Stores records that represent Business Services that were created manually using Event Management > Manual Services capabilities, or imported from the Business Service [cmdb_ci_service] table. The added functionality of the Business Service table [cmdb_ci_service_manual] is that it supports Business Service maps and impact calculations.
Health monitor scripts

[em_monitor_scripts]

These scripts determine how to monitor or check, for example, when using the Connectors Monitor script. You can create a customized script to monitor a device or an entity. The scripts provided with the base instance are:
  • Check delay in event processing
  • Connectors Monitor
  • Get Event Processing state
  • MID Server Threshold Alerts
Monitoring configuration

[em_monitor_conf]

Use this table to configure what to monitor according to the scripts that are listed.

Configure how often to run each script. If a script has a threshold, it determines what alert severity to display. Threshold values are in units of minutes and specify the delay time. Navigate to Event Management > Settings > Self-Health configuration to see the list of Monitoring Configurations or to create a new one. Use this script to test Data Center Monitoring.

The scripts provided with the base instance are:
  • Connector's idle state monitoring: verifies whether any connector has been idle for longer than the configured threshold (in minutes).
  • Connectors Status: tracks the active status of the connectors.
  • Delay in event processing: tracks the duration (in minutes) that events remained in the 'ready' state without being processed.
  • Event Processing job: monitors the state of the event processing jobs.
  • MID Server Threshold Alert: monitors MID Server health.
Monitoring state

[em_monitor_state]

Use this table to set the threshold for each connector. When there is a value above the threshold, an alert is generated. A business service displays the status, for example, in the Event Management dashboard or Alert Console.

Event Management adds the following tables to support alert aggregation and RCA.

Table Description
SA RCA Status

[sa_rca_status]

Information (such as IDs) for the latest messages that were sent to the ECC Queue for a service during RCA.
SA RCA Output

[sa_rca_output]

RCA learner output data.
SA RCA Group

[sa_rca_group]

Automated alert groups for the RCA query.
SA Analytics Alert Staging

[sa_analytics_alert]

Staging table for alerts used for analytics.
SA RCA Input

[sa_rca_input]

Input data for the RCA learner.
SA Analytics Status

[sa_analytics_status]

Last run information to be used for alert aggregation and RCA.
SA RCA Group Alert

[sa_rca_group_alert]

Alerts associated with automated alert groups.
SA RCA Service Configuration Item Association

[sa_rca_svc_ci_assoc]

Associations between CIs and services.
SA RCA SMC Config Base

[sa_rca_smc_config_base]

State Model Configuration base.

User-defined RCA configurations. Each configuration is associated with one or more rules in the SA RCA SMC Rule Base [sa_rca_smc_rule_base] table, if applicable.

SA RCA SMC Rule Base

[sa_rca_smc_rule_base]

Service Analytics (SA) Root Cause Analysis (RCA) State Model.

Individual rules that are associated with RCA configuration in the SA RCA SMC Config Base [sa_rca_smc_config_base] table.

SA RCA SMC Config

[sa_rca_smc_config]

RCA Configuration revisions table.

Snapshots of RCA configurations generated during configuration comparisons.

SA RCA SMC Rule

[sa_rca_smc_rule]

Service Analytics (SA) Root Cause Analysis (RCA) State Model.

Snapshots of the rules associated with RCA configurations from the SA RCA SMC Config [sa_rca_smc_config] table.

SA RCA SMC Deployment

[sa_rca_smc_deployment]

Information about the current revision of the RCA configuration that is in effect, and the RCA configuration that is set to be deployed at the next daily run cycle of the Learner.
SA RCA SMC Run

[sa_rca_smc_run]

RCA SMC (State Model Configuration) Run table.

All comparisons between two RCA configurations that the user ran.

SA Alert Aggregation Learned Pattern

[sa_agg_pattern]

Learned patterns from alert aggregation.
SA Alert Aggregation Learned Pattern Elements

[sa_agg_pattern_element]

CI/Metric Name pairs associated with learned patterns.
SA Alert Aggregation Query Group Patterns

[sa_agg_group_pattern]

Relationships between groups discovered in alert aggregation queries and patterns found in learning.
SA Alert Aggregation Query -- Staged (Recent) Alerts

[sa_agg_group_alert_staging]

A staging table for alerts that have not yet been associated with any aggregated alert group.
SA Value Report

[sa_value_report table]

Details for the Value Report. Trending information about alert coverage rate, alert compression rate, and user feedback on alert groups.
SA Agg Pattern Attribute

[sa_agg_pattern_attribute table]

CI/alert attributes to be used for finding patterns for alert aggregation.
SA Alert Attribute Populator Status

[sa_alert_attribute_populator_status table]

State and statistics for attribute populator job.
SA Alert Aggregation Learned Pattern Elements Pair wise Mutual Information and Joint Probability

[sa_agg_pattern_element_pair]

Pairwise probabilities for pattern elements.
EM Agg Group Prediction

[em_agg_group_prediction]

Alert predictions for alert groups.

Properties installed with Event Management

Properties that are included when Event Management is activated. Changes to property values result in changes to default behavior.

Event Management adds these properties. Be cautious when changing Event Management property values, as these settings can greatly affect overall system performance.
Note: To open the system properties list, navigate to Event Management > Settings > Properties. After modifying the required properties, click Save.
Property Description
Number of events to handle for event rules processes

evt_mgmt.event_rules.num_of_events_to_handle

Number of events to check when calculating event grouping that is used for creating event rules.
  • Type: integer
  • Default value: 50000
  • Location: Event Management > Settings > Properties
Page size of CIs from the Technical Service to be fetched at once while calculating Technical Service Impact Tree

evt_mgmt.query_based_service_graph_handler.page_count

Page size of CIs from the technical service to be fetched at once while calculating the technical service Impact Tree. This is the page size in a single fetch of CIs while calculating the Impact Tree for a technical service.
  • Type: integer
  • Default value: 100
  • Location: Event Management > Settings > Properties
Enable multi node event processing

evt_mgmt.event_processor_enable_multi_node

Enable multi node event processing
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
  • Learn More: Alert binding procedures
Number of scheduled jobs processing events

evt_mgmt.event_processor_job_count

Number of scheduled jobs processing events
Maximum events to be processed by every scheduled job

evt_mgmt.max_events_processing_per_job

Maximum events to be processed by every scheduled job
  • Type: integer
  • Default value: 5000
  • Location: Event Management > Settings > Properties
Enable alert group support

evt_mgmt.impact_calulation.alert_group_support

Enable alert group support
  • Type: true | false
  • Default value: true
  • Location: Event Management > Settings > Properties
Include alerts with maintenance flag set in alert console

evt_mgmt.include_maint_alerts_in_console

Include alerts with maintenance flag set in alert console
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
Auto close interval (in hours), within which open alerts will be automatically closed; Setting to 0 disables the feature.

evt_mgmt.alert_auto_close_interval

Auto close interval (in hours), within which open alerts will be automatically closed. Do not set the property to 0 to disable this feature.

The number of hours the system waits until it automatically closes an expired alert.

Active interval (in seconds), within which a new event reopens a closed alert

evt_mgmt.active_interval

Active interval (in seconds), within which a new event reopens a closed alert

Determines the time interval within which a new event that is identified as a recurrence of an existing issue updates the existing alert or, if the alert has been closed, reopens the alert.

Test connector timeout interval

evt_mgmt.connector_test.progress_timeout

Test connector timeout interval

The number of seconds the Test Connector UI action waits for a response before timing out.

  • Type: integer
  • Default value: 120
  • Location: Event Management > Settings > Properties
Display logs for debugging

evt_mgmt.log_debug

Display logs for debugging

Determines whether Event Management logs event and alert processing.

  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
Timeout for the impact calculation (in minutes)

sa.impact.crash_interval

Timeout for the impact calculation (in minutes)

If the calculation is not complete within the specified period, it is assumed to have failed, and any free calculation thread or node attempts to recalculate.

  • Type: integer
  • Default value: 10
  • Location: Event Management > Settings > Properties
Flap interval (in seconds), within which an alert enters the flapping state

evt_mgmt.flap_interval

Flap interval (in seconds), within which an alert enters the flapping state

Determines the time interval within which an alert enters into the flapping state. An alert enters the flapping state if its flap count—that is, the number of times it has fluctuated between states—meets or exceeds the flap frequency value within the flap interval time period.

  • Type: integer
  • Default value: 120
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
Flap frequency, frequency an alert must reoccur to enter the flapping state. An alert enters the flapping state if its flap count meets or exceeds the specified value within the time period specified by the flap interval property

evt_mgmt.flap_frequency

Flap frequency, frequency an alert must reoccur to enter the flapping state. An alert enters the flapping state if its flap count meets or exceeds the specified value within the time period specified by the flap interval property.

Determines the number of times an event must reoccur within the flap interval time period for the alert to enter the flapping state. An alert enters into the flapping state if its flap count meets or exceeds the flap frequency within the flap interval.

  • Type: integer
  • Default value: 10
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
Flap quiet interval (in seconds), quiet time that must pass for an alert to exit the flapping state. An alert exits the flapping state if the difference between the alert's last flap time and the time of the new event exceeds the specified value

evt_mgmt.flap_quiet_interval

Flap quiet interval (in seconds), quiet time that must pass for an alert to exit the flapping state. An alert exits the flapping state if the difference between the alert's last flap time and the time of the new event exceeds the specified value.

Sets the time interval that determines whether an alert exits the flapping state. An alert exits the flapping state if the time between the alert's last flap update and the time of the new event exceeds this property.

  • Type: integer
  • Default value: 300
  • Location: Event Management > Settings > Properties
  • Learn More: Configure alert flapping
Maximum alerts to show on the dashboard and services bottom panel

evt_mgmt.max_alerts_to_display

Maximum number of alerts to show on the Event Management alert panel on the dashboard and map

Specifies the upper limit of the number of alerts that are displayed in the alert panel under the Event Management dashboard and map. For example, if the value 5 is specified and there are 6 alerts, only 5 alerts are displayed. To see all the alerts without regard to this upper limit, open the Alert Console.

  • Type: integer
  • Default value: 500
  • Location: Event Management > Settings > Properties
Fetch limit, number of queued events to be fetched by the event processor in a single fetch

evt_mgmt.fetch_limit

Fetch limit, number of queued events to be fetched by the event processor in a single fetch

Determines the number of queued events to be fetched at a time by Event Management.

  • Type: integer
  • Default value: 500
  • Location: Event Management > Settings > Properties
Time (in seconds) of valid processing duration of event in event rules evaluating.

evt_mgmt.valid_processing_duration_of_event_rule

Time (in seconds) of valid processing duration of event in event rules evaluating.
  • Type: integer
  • Default value: 60
  • Location: Event Management > Settings > Properties
Acknowledge an alert when manually closing it

evt_mgmt.alert_ack_on_close

Acknowledge an alert when manually closing it

Determines if manually closing an alert acknowledges the alert.

Enable alert correlation calculation

evt_mgmt.enable_alert_correlation

Enable alert correlation calculation
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
Closing alerts (action to take)

evt_mgmt.alert_closes_incident

Closing alerts determines the system action when an alert is closed
Reopening alerts (action to take)

evt_mgmt.alert_reopens_incident

Reopening alerts determines the system action when an incident is reopened
Resolving an incident closes the associated alerts

evt_mgmt.incident_closes_alert

Resolving an incident closes the associated alerts.

Determines if associated alerts are closed when an incident is resolved.

Number of connected CI levels when importing a legacy business service into a new manual service

evt_mgmt.import_service.levels

Number of connected CI levels when importing a Fuji Event Management business service into a new manual service
  • Type: integer
  • Default value: 4
  • Range of possible values: 1-11
  • Location: Event Management > Settings > Properties
Default MID server for connectors

mid.server.connector_default

Default MID Server for connectors

Determines the MID Server that connectors use when no MID Server is specified. Must match a MID Server name.

  • Type: select string from the list
  • Value: enter the name of an existing MID Server, for example, SNC MID Server
  • Location: System Property [sys_properties] table
Enable Event Management self-health monitoring

evt_mgmt.self_health_active

Enable Event Management self-health monitoring

Assists in monitoring and tracking many Event Management features.

  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
Minimum time in seconds before updating an alert for identical events

evt_mgmt.update_alert_restricted_fields_elapsed_time

Minimum time in seconds to wait before updating an alert for identical events
Maximum number of alerts to show on the dashboard

evt_mgmt.max_alerts_to_display

Maximum number of alerts to show on the dashboard
Max alert work notes

evt_mgmt.max_worknotes_on_alert

Maximum alert work notes. When the maximum number is reached, further work notes are purged from the alert.
  • Type: integer
  • Default value: 50
  • Location: Event Management > Settings > Properties
URL of the instance for incident management

evt_mgmt.remote_incident_url

URL of the instance for incident management
  • Type: string
  • Location: Event Management > Settings > Properties
Name from Credentials list defining what credentials to use in access to remote incident management instance

evt_mgmt.remote_incident_credentials

Name from the credentials list that defines which credentials to use when accessing a remote incident management instance
  • Type: string
  • Location: Event Management > Settings > Properties
Enable limitation of business service maps drawing by number of nodes and edges. Default: true, not recommended to disable.

sa.map.LIMIT_MAX_GRAPH_SIZE

Enable limitation of business service maps drawing by number of nodes and edges. Set a value for this property and do not disable it.
  • Type: true | false
  • Default value: false
  • Location: Event Management > Settings > Properties
Maximal number of displayable nodes on business service map. Maps with larger values will not be displayed. Default: 5000, not recommended to increase.

sa.map.MAX_NODES_FOR_LAYOUT

Maximal number of displayable nodes on business service maps. Maps with larger values are not displayed. Specify a value under 5000.
  • Type: integer
  • Default value: 5000
  • Location: Event Management > Settings > Properties
Global flag to allow or disable spanning tree view for maps. true (default) - allows but not forces spanning tree view on maps.

sa.map.ALLOW_SPANNING_TREE_VIEW

Global flag to allow or disable spanning tree view for maps.

true (default) - this allows, but does not force spanning tree view on maps.

  • Type: true | false
  • Default value: true
  • Location: Event Management > Settings > Properties
Maximal number of displayable edges on business service map before spanning tree view applied. Default: 1000.

sa.map.MAX_EDGES_FOR_FULL_LAYOUT

Maximal number of displayable edges on business service map before spanning tree view applied. Default: 1000.
  • Type: integer
  • Default value: 1000
  • Location: Event Management > Settings > Properties
Maximal number of displayable edges on business service map. Maps with larger values will not be displayed. Default: 100K. Do not specify a higher value.

sa.map.MAX_EDGES_FOR_LAYOUT

Maximal number of displayable edges on business service map. Maps with larger values will not be displayed. Default: 100K. Do not specify a value above 100K.
  • Type: integer
  • Default value: 100000
  • Location: Event Management > Settings > Properties
Maximal degree of node on business service map for large map mode. Maps with smaller degrees will be displayed in regular mode. Maps with larger degrees will apply more edges merging for more compact view. Default: 1000. Do not specify a higher value.

sa.map.LIMIT_GRAPH_DEGREE

Maximal degree of node on business service map for large map modes. Maps with smaller degrees are displayed in regular mode. Maps with larger degrees apply more edge merging for a view that is more compact. Do not specify a value above 1000.
  • Type: integer
  • Default value: 1000
  • Location: Event Management > Settings > Properties
Limit of amount of services that displayed on Services Tree on maps. Then this limit reached, Services Tree will be blocked. Default: 7000.

sa.service_tree.MAX_ITEMS_TO_DISPLAY

Limit on the number of services that are displayed in the Services Tree on maps. When this limit is reached, the Services Tree is blocked.
  • Type: integer
  • Default value: 7000
  • Location: Event Management > Settings > Properties
Expiration period (sec) for metrics mapping, for records without bound CI.

sa.metric.map.without.ci.expiration.sec

Expiration period (sec) for metrics mapping, for records without bound CI.
  • Type: integer
  • Default value: 86400
  • Location: Event Management > Settings > Properties
Expiration period (sec) for metrics mapping, for records with bound CI.

sa.metric.map.with.ci.expiration.sec

Expiration period (sec) for metrics mapping, for records with bound CI.
  • Type: integer
  • Default value: 432000
  • Location: Event Management > Settings > Properties
Activate binding fallback option. If Identification Engine fails to bind CI to metric try to bind it to host

sa.metric.binding.fallback.activated

Activate binding fallback option. If Identification Engine fails to bind CI to metric, try to bind it to host.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Settings > Properties
Delay (seconds) before processing events that arrive to the DB. The events processing job processes all events in "ready" state whose "created on" value is older than current time less this delay.

evt_mgmt.events_processing_delay_sec

Delay (seconds) before processing events that arrive to the DB. The events processing job processes all events in "ready" state whose "created on" value is older than current time less this delay.

  • Type: integer
  • Default value: 5
  • Location: Event Management > Settings > Properties
Use normalized text for event rule recommendation to group events

eventrule.group.usenormalizedtext

Use normalized text for event rule recommendation to group events.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Settings > Properties
Event Management adds the following properties to support alert aggregation and RCA.
Property Usage
Enable root cause analysis for business services

sa_analytics.rca_enabled

Enables RCA for alerts associated with business services and manual services, to identify root cause CIs.
  • Type: true | false
  • Default value: false
  • Location: Event Management > Alert Aggregation and RCA > Properties
Enable alert aggregation

sa_analytics.aggregation_enabled

Enables aggregation of correlated alerts for services and alert groups.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties
Include CIs associated with business services, in alert aggregation

sa_analytics.aggregation.include_service

  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties
Time interval (in seconds) criteria for grouping alerts

sa_analytics.rca.learner_group_interval_secs

Interval that alerts must be created in, to be included in a group.

  • Type: integer
  • Default value: 60
  • Range of possible values: 60–900
  • Location: Event Management > Alert Aggregation and RCA > Properties
Length of time period (in seconds) from which to include alerts for analysis

sa_analytics.rca.learner_query_interval_secs

The interval that the learner uses to chunk the alert data for processing.
  • Type: integer
  • Default value: 86400
  • Range of possible values: 43200–86400
  • Location: Event Management > Alert Aggregation and RCA > Properties
Confidence score % threshold, above which correlated alert groups will be displayed in the Event Management dashboard and Alert Console

sa_analytics.rca.query_probability_threshold

The confidence score that must be met by the identified root cause CI for the associated alerts to be displayed.
  • Type: integer
  • Default value: 0
  • Range of possible values: 0–100
  • Location: Event Management > Alert Aggregation and RCA > Properties
Purge staging tables (in days)

sa_analytics.rca.input_purge_days

Number of days that RCA input is kept before it is purged.
  • Type: integer
  • Default value: 90
  • Range of possible values: 30–180
  • Location: Event Management > Alert Aggregation and RCA > Properties
sa_analytics.rca.output_purge_days

Number of days that RCA output is kept before it is purged.
  • Type: integer
  • Default value: 3
  • Range of possible values: 3–5
  • Location: System Property [sys_properties] table
Generate event when MID Server file system usage space exceeds limit (0–100%)

sa_analytics.rca.mid_max_allowed_space

When the file system of the MID Server exceeds the percentage threshold, an event is generated.
  • Type: integer
  • Default value: 20
  • Range of possible values: 0–100
  • Location: Event Management > Alert Aggregation and RCA > Properties
CMDB property to be used for grouping the alerts used in alert aggregation

sa_analytics.agg.learner_group_by_property

A property from the [cmdb_ci] table that can be used to group alerts by. The Alert Aggregation Learner then learns those properties and uses them for grouping.

When left empty, the alerts are learned together without being grouped.

  • Type: string
  • Default value: none
  • Other possible values:
    • A column that is not a reference from the cmdb_ci table such as po_number.
    • A column that is a reference to another table such as location.name (the name field in the location table which is referenced from cmdb_ci)
  • Location: Event Management > Alert Aggregation and RCA > Properties
sa_analytics.agg.learner_domain_level

Sets the level of the domain to be used by the alert aggregation learner.

For optimal analysis, you should set the domain level such that:
  • All CIs that impact the services are contained within the domain
  • There are no shared infrastructures across domains
  • Type: integer
  • Default value: 2
  • Location: System Property [sys_properties] table
Enable CMDB Correlation for Alert Aggregation

sa_analytics.agg.query_cmdb_correlation_enabled

Enables alert correlation based on CMDB CIs and relationships.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties
CMDB Groups: Relationship level

sa_analytics.agg.query_cmdb_graph_walk_nodes

Number of levels of CMDB hosting rules, containment rules, and endpoints to walk and to be considered for CMDB group formation during alert aggregation.
  • Type: integer
  • Default value: 5
  • Location: Event Management > Alert Aggregation and RCA > Properties
Enable Suggested Relations for CMDB Correlation

sa_analytics.agg.query_cmdb_suggested_relationship_enabled

Use any manually defined suggested relationship when forming CMDB alert groups, in addition to using hosting and containment relationships.

Helpful when Discovery was not used for discovering relationships, and instead, users manually define them.

  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties
Use customer feedback in forming new Alert Aggregation Groups

sa_analytics.agg.query_customer_feedback_enabled

Incorporate customer feedback of manually adding/removing alerts while forming automated alert groups.
  • Type: true | false
  • Default value: false
  • Location: Event Management > Alert Aggregation and RCA > Properties
Enable Alert Prediction

sa_analytics.pred.cl_enabled

Enables alert prediction for automated alert groups.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties
sa_analytics.agg.mi_graph_enabled

Internal property that enables alert prediction for automated alert groups.
  • Type: true | false
  • Default value: true
  • Location: System Property [sys_properties] table
Alert Prediction Minimum Confidence Score (%) Threshold

sa_analytics.pred.cl_mon_conditional_probability

Predicted alerts probability threshold. The probability that a predicted alert is actually generated must meet this threshold for the alert to be displayed in the Alert Console.
  • Type: integer
  • Default value: 10
  • Location: Event Management > Alert Aggregation and RCA > Properties
Enable Alert Correlation RCA

sa_analytics.agg.learner_rca_detection

Enable RCA for automated alert groups.
  • Type: true | false
  • Default value: true
  • Location: Event Management > Alert Aggregation and RCA > Properties

Roles installed with Event Management

Roles used by the Event Management application.

Event Management adds these roles.
Role title [name] Description Contains roles
Event Management Administrator

[evt_mgmt_admin]

Has read and write access to all Event Management features to configure Event Management.
  • evt_mgmt_user
  • template_editor_global
Event Management Operator

[evt_mgmt_operator]

In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations.
  • evt_mgmt_user
Event Management User

[evt_mgmt_user]

Has read access to all Event Management features. Has write access to alerts to manage the alert life. Has the itil role to be able to manage incidents that are created from alerts.
  • itil
Event Management Integrator

[evt_mgmt_integration]

Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

Script includes installed with Event Management

Script includes that are provided when Event Management is activated. Advanced script includes are provided as placeholders and can be replaced with your custom code.

Script includes

These script includes are added in the base instance.

Script include Description
EvtMgmtIncidentHandler Creates an incident for an alert based on the incident template defined in the alert action rule.
SaAlertsQuery Displays alerts information on the dashboard.
SaAlertsQueryByCI Displays alerts information for a selected CI.
EventRuleUtil Used in the Event Rules form for upgrading from ServiceWatch to event rules.
EvtMgmtCustomIncidentPopulator Placeholder for a custom script used to populate incident fields from an alert.
EvtMgmtKBHandler Associates a knowledge article with an alert and acknowledges the alert based on the alert action rules that are found.
ConnectorUtil Connector handler.

Advanced script includes

The advanced script includes are located at Event Management > Settings > Advanced scripts.

The advanced custom script includes that are provided by the base system are placeholders and are used for example purposes. To enable the code, edit or replace it with your custom code, as required.

Advanced script include Description
EvtMgmtCustomIncidentPopulator Placeholder for a custom script that assigns additional fields from the alert to the task that is opened, which by default is an incident.
EvtMgmtCustom_PostTransformHandler Advanced script to manipulate the Event object after transform. This script can also be used to abort Event processing, effectively ignoring the event.
EvtMgmtCustom_PostBind_Update Advanced script to manipulate the Alert object after the related Configuration Item is identified, and before the Alert is updated in the database. This script can also be used to abort Alert update.
EvtMgmtCustom_PostBind_Create Advanced script to manipulate the Alert object after the related Configuration Item is identified, and before the Alert is created in the database. This script can also be used to abort Alert creation.

Business rules installed with Event Management

Business rules that are provided when Event Management is activated.

Event Management adds these business rules.
Business rule Table Description
Add message key if missing Alert

[em_alert]

Constructs a message key from the Source, Node, Type, and Resource field values.
After insert (async) Alert

[em_alert]

Updates the parent field of an alert, creates mapping between alerts and CMDB services, and automatically creates incidents based on the alert action rules.
Alert Parent Validation Alert

[em_alert]

Checks for cycles in alerts.
After update (async) Alert

[em_alert]

Creates incidents automatically based on the alert action rules.
Apply overwrite rule and validate Alert

[em_alert]

Applies and validates overwrite rules.
Change definition by Impact On Impact Rule

[em_impact_rule]

Synchronizes the impact rule with the impact definition according to the Impact On field.
Close associated incident Alert

[em_alert]

Closes the incident associated with an alert as defined by the evt_mgmt.alert_closes_incident property.
Convert Clear severity to Info Event Management SLA [em_ci_severity_task] Sets the severity to Info.
Delete related Threshold Staging records Alert

[em_alert]

Removes closed alerts from the Threshold Staging [em_threshold_staging] table.
Disable default rule edit Impact Rule

[em_impact_rule]

Reverts changes in the default impact rule.
Event rule grouping calculation Event rule calculation

[em_event_rule_calculation]

Calculates suggested grouping for events.
Forward stats Event Processing Statistics

[em_event_stats]

Forwards event statistics to the usage analytics instance.
Handle Classification Change Alert

[em_alert]

Removes alert from impact calculation if it is reclassified as a security alert.
Handle Delete alert Alert

[em_alert]

Removes deleted alert from impact calculation.
Handle deleted event rule Event Rule [em_match_rule] Removes deleted event rule.
Handle SLA configuration delete SLA Configuration [em_sla_configuration] When SLA configuration filters are deleted, deletes CIs in the em_ci_severity_task table.
Name and pattern cannot be empty Event Type

[em_event_type]

Verifies that the Name and Pattern fields have values.
Notify impact Impact Rule

[em_impact_rule]

Notifies impact calculation about modifications to impact rules, triggering an impact recalculation as needed.
Prevent duplicate records Impact Rule

[em_impact_rule]

Reverts a change to impact rules if the change causes duplication.
Rebuild Impact Tree on InfraDef change Infrastructure Relations

[em_impact_infra_rel_def]

Notifies impact calculation about changes to the definition of infrastructure relationships, triggering an impact recalculation as needed.
Reset service hashes Alert

[em_alert]

Notifies the dashboard that an alert has changed.
Reopen associated closed incident Alert

[em_alert]

Reopens the incident associated with an alert, as defined by the evt_mgmt.alert_reopens_incident property.
Run automatic remediation actions Alert

[em_alert]

Runs the remediation task defined for an alert.
Save type in userPreference Alert Rule

[em_alert_rule]

Passes parameters between alert action rule update forms.
SLA Configuration Service Filter Updated SLA Configuration [em_sla_configuration] Updates the em_ci_severity_task table with the records that match the filter in the SLA configuration records.
Update Instance Parameters Connector Instance

[em_connector_instance]

Refreshes connector instance parameters in memory before connecting.
Validate BS Impact Rule

[em_impact_rule]

Verifies the business service in an impact rule.
Validate CI Impact Rule

[em_impact_rule]

Verifies the CI in an impact rule.
Validate contribution type Impact Rule

[em_impact_rule]

Verifies the contribution type in an impact rule.
Validate contribution value Impact Rule

[em_impact_rule]

Verifies the contribution value in an impact rule.
Validate impact definition Impact Rule

[em_impact_rule]

Verifies the impact definition in an impact rule.
Validate Inputs Connector Definition

[em_connector_definition]

Validates entries in the Name and Schedule fields.
Validate Inputs Event Match Rule

[em_match_rule]

Validates entries in the Name field.
Validate Inputs Event Mapping Rule

[em_mapping_rule]

Validates entries in the Name, From field, and Field to fields.
Validate severity fields Impact Rule

[em_impact_rule]

Verifies the severity fields of an impact rule.
Verify overwrite template table Alert Rule

[em_alert_rule]

Verifies that the overwrite template of the alert action rule is defined in the Alert table.
Verify template is on Incident Alert Rule

[em_alert_rule]

Verifies that the incident template of the alert action rule is defined in the Incident table.

Scheduled jobs installed with Event Management

List of scheduled jobs that are provided with Event Management.

To review the list of scheduled jobs, navigate to System Scheduler > Scheduled Jobs. Event Management adds the following scheduled jobs.
Scheduled job Description
Event Management - Connector execution job Compares current time with time when active connector instances were last run and sets relevant connectors to execute. Runs every 10 seconds.
Event Management - Delete Work Notes Trim content of alert work notes. When the maximum number of work notes (default is 50) is reached, further work notes are purged from the alert. Modify the default using the evt_mgmt.max_worknotes_on_alert property. Runs every hour.
Event Management - Impact Calculator Trigger Trigger the impact calculation. Runs every 19 seconds.
Event Management - Update stuck connectors Release connector instances that are stuck. Runs every 2 minutes.
Event Management - Alert Priority Queue Calculate alert priority. Two Alert Priority Queue jobs are active and available, and they can run multi-threaded. Runs every minute.
Event Management - auto close alerts Alerts that are idle longer than 7 days (default time period) are closed. Modify the default using the evt_mgmt.alert_auto_close_interval property. Runs every 10 minutes.
Event Management - close flapping alerts Close flapping alerts. Runs every 5 minutes.
Event Management - close threshold alerts Close threshold alerts. Runs every 2 minutes.
Event Management - create/resolved incidents by alerts Job to:
  • Create incidents for alerts according to alert action rules.
  • Update incidents according to alert state.
Runs every 11 seconds.
Event Management - Insert Health Monitor Job to produce the ServiceNow Event Management manual service. Runs once every hour.
Event Management - Maintenance Calculator Calculate the maintenance for CIs. Runs every minute.
Event Management - Node Count Calculate license usage. Runs once every hour.
Event Management - Queue connector processor Bi-directional functionality. Processes all pending alerts in the Update Queue and sends them to the MID Server. By default, this dequeue process is performed in batches of 1,000 alerts. Runs every 30 seconds.
Event Management - Update Health Monitor Update the ServiceNow Event Management manual service. Runs once every hour.
Event Management - Update SLA Configuration Result Synchronizes the CIs that match the SLA configuration filter with the Event Management SLA [em_ci_severity_task] table. Runs every 10 minutes.
Event Management - Update SLA Severity Updates Event Management SLA [em_ci_severity_task] table with the new severity. Runs once every hour.

Event Management adds the following scheduled jobs to support alert aggregation and RCA.

Name Description
Service Analytics Purge Old Observation Data - Daily Cleans the staging data.
Service Analytics Prepare RCA Learner Input Data - Daily Prepares RCA input data. Stores and probes MID server to learn statistical information about alerts.
Service Analytics group alerts using RCA/Alert Aggregation Applies RCA and alert aggregation to open alerts and prepares automated alert groups.
Service Analytics Alert Aggregation Learner - Daily Learns information about existing alerts and groups new open alerts.
Service Analytics RCA Configuration Configures root cause analysis.
Service Analytics Check File System Space on Analytics MID -Daily Checks disk usage on the dedicated MID Server, and generates an event if it exceeds the threshold set in the sa_analytics.rca.mid_max_allowed_space property.
Service Analytics Gather Value Report Data - Daily Gathers data for the Value Report.
Service Analytics - Update virtual alerts for aggregation groups Update the virtual alerts that were created to represent alert aggregation groups, with any changes to alerts belonging to that group. Runs every minute.
Service Analytics Attribute Populator for Historical Alerts Populate attributes used in feature identifier for historical alert data using event rules. Runs on demand.