Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Components installed with Event Management

Log in to subscribe to topics and get notified when content changes.

Components installed with Event Management

Activating the Event Management (com.glideapp.itom.snac) plugin adds several roles, scheduled jobs, and tables.

Note: To view all other components installed with this plugin or application, see the Application Files table. For instructions, see Find components installed with an application.

Roles installed with Event Management

Roles used by the Event Management application.

Event Management adds these roles.
Role title [name] Description Contains roles
Event Management Administrator


Has read and write access to all Event Management features to configure Event Management.
  • evt_mgmt_user
  • template_editor_global
Event Management Operator


In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations.
  • evt_mgmt_user
Event Management User


Has read access to all Event Management features. Has write access to alerts to manage the alert life. Has the itil role to be able to manage incidents that are created from alerts.
  • itil
Event Management Integrator


Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

Scheduled jobs installed with Event Management

List of scheduled jobs that are provided with Event Management.

To review the list of scheduled jobs, navigate to System Scheduler > Scheduled Jobs. Event Management adds the following scheduled jobs.
Scheduled job Description
Event Management — Connector execution job Compares current time with time when active connector instances were last run and sets relevant connectors to execute. Runs every 10 seconds.
Event Management — Handle Impact Stuck Service Releases stuck services and marks them as requiring rebuilding in the Impact Changes table to rebuild the impact tree.

Runs every 2 minutes, 31 seconds.

Event Management — Impact Calculator Trigger Trigger the impact calculation. The Event Management dashboard and impact tree are refreshed using the calculated figures.

Runs every 19 seconds.

Event Management — Impact Topology Consumer Consumes topology changes and marks the related services as ‘require rebuilding’ in the Impact Changes table to rebuild their impact trees.

Runs every 19 seconds.

Event Management — Update stuck connectors Release connector instances that are stuck.

Runs every 2 minutes.

Event Management — Alert Priority Queue Calculate alert priority. Two Alert Priority Queue jobs are active and available and can be run multi-thread.

Runs every minute.

Event Management — auto close alerts Alerts that are idle longer than 7 days (default time period) are closed. Modify the default using the evt_mgmt.alert_auto_close_interval property.

Runs every 10 minutes.

Event Management — Calculate Alert Priority Grouping Runs and calculates the priority groups: urgent, high, moderate and low for the alerts according to the highest and lowest priority score in the system.

Runs every 30 minutes.

Event Management — close flapping alerts Close flapping alerts.

Runs every 5 minutes.

Event Management — close threshold alerts Close threshold alerts.

Runs every 2 minutes.

Event Management — Evaluate Alert Management Rules Execute alert management rules.

Runs every 11 seconds.

Event Management — create/resolved incidents by alerts Job to:
  • Create incidents for alerts according to alert action rules.
  • Update incidents according to alert state.

Runs every 11 seconds.

Event Management — Impact Tree Builder Handles all services with changes from the em_impact_changes table and rebuilds their impact trees.

Runs every 11 seconds.

Event Management — Insert Health Monitor Job to produce the ServiceNow Event Management application service.

Runs once every hour.

Event Management — Maintenance Calculator Calculate the maintenance for CIs.

Runs every minute.

Event Management — Node Count Calculate license usage.

Runs once every hour.

Event Management — process events Job that runs and processes each Ready event (apply event rule, mapping rule, and create or update alert)

Runs every 5 seconds.

Event Management — process metric binding Process metric binding.

Runs every 5 seconds.

Event Management — Queue connector processor Bi-directional functionality. Processes all pending alerts in the Update Queue and sends them to the MID Server. By default, this dequeue process is performed in batches of 1,000 alerts.

Runs every 30 seconds.

Event Management — Recalculate impact for groups By default, this job is not active. Can be run on demand to correct the impact on service groups.

Runs on demand.

Event Management — recover stuck events Handle all events that are in queued state and switch back to Ready to handle events from the beginning.

Runs at system startup.

Event Management — Update Health Monitor Update the ServiceNow Event Management application service.

Runs once every hour.

Event Management — Update SLA Configuration Result Synchronizes the CIs that match the SLA configuration filter with the Event Management SLA [em_ci_severity_task] table.

Runs every 10 minutes.

Event Management — Update SLA Severity Updates Event Management SLA [em_ci_severity_task] table with the new severity.

Runs once every hour.

Event Management — convert IT service Run this property on demand to convert manual services to application services.

Runs every 30 minutes.

Event Management — Collect xmlstats

Collect event processing statistics.

Runs once every minute.

Event Management adds the following scheduled jobs to support alert aggregation and RCA.

Name Description
Service Analytics Purge Old Observation Data — Daily Cleans the staging data.
Service Analytics Prepare RCA Learner Input Data -— Daily Prepares RCA input data. Stores and probes MID server to learn statistical information about alerts.
Service Analytics group alerts using RCA/Alert Aggregation Applies RCA and alert aggregation to open alerts and prepares automated alert groups.
Service Analytics Alert Aggregation Learner — Daily Learns information about existing alerts and groups new open alerts.
Service Analytics RCA Configuration Configures root cause analysis.
Service Analytics Check File System Space on Analytics MID -Daily Checks disk usage on the dedicated MID Server, and generates an event if it exceeds the threshold set in the sa_analytics.rca.mid_max_allowed_space property.
Service Analytics Gather Value Report Data — Daily Gathers data for the Value Report.
Service Analytics — Update virtual alerts for aggregation groups Update the virtual alerts that were created to represent alert aggregation groups, with any changes to alerts belonging to that group. Runs every minute.
Service Analytics Attribute Populator for Historical Alerts Populate attributes used in feature identifier for historical alert data using event rules. Runs on demand.

Tables installed with Event Management

Tables that are provided when Event Management is activated.

Event Management adds these tables.
Table Description


Alerts that Event Management manage.
Alert Correlation Rule [em_alert_correlation_rule] Rules specifying primary and secondary correlated alerts.
Alert Aggregation Group Alerts


Stores alerts associated with aggregated alert groups.
Alert Aggregation Group


Relationships between aggregated groups and primary alerts.
Alerts History


History of alerts. Used for impact calculation.
Alert Rule


Mappings of alert fields to the Incident [incident] table.
Alert Template


Alert templates. This table extends the Template [sys_template] table.
Event Management SLA


Event Management SLA tasks for CIs and business services.
Connector Definition


Settings for gathering events from external event sources.
Connector Instance


Connection details for external event sources.
MID Server to Connector Instance


Mappings of MID Servers to connector instances.


Events received by Event Management.
Event Filter


Storage for defined event filters.
Event Match Rule


Updated events for alert processing. Used by event rules.
Event Match Field


Mappings of event fields to alert fields. Simple mapping. Used by Event Rules.
Event Compose Field


Mappings of event fields to alert fields. Composite mapping. Used by Event Rules.
Event Mapping Rule


Updated event fields for alert processing.
Event Processing Statistics


Statistics on Event Management performance.
Event Type


Event types.
Task Template


Templates that define how to populate new tasks. For example, how fields of an incident that is being created from an alert, must be populated. This table extends the Template [sys_template] table.
Registered Nodes


Registered nodes data.
Threshold Rule


Alert threshold rules.
Binding Device Map


Event binding to network paths and storage paths.
Process to CI Type Mappings


Event binding to specific processes.
CI Remediation


Remediation rule definitions.
Impact Graph


Impact tree of CIs containing CI hierarchy and impact rules to be used for impact calculation.
Impact Graph History


History of changes in impact tree.
Impact Rule Definitions


Definition of rules used for impact calculation.
Impact Rule instance


Rules based on impact rule definitions.
Infrastructure Relations


Child-parent pairs or CI types. CIs matching these definitions are added to impact trees.
Impact Maintenance CIs


CIs that are in maintenance and therefore are excluded from impact calculation.
Impact Status


Calculated status of CIs and services to be displayed in the dashboard and business service maps for technical services.
SLA Configuration


SLA configuration records that identify the CIs that SLAs can run on.
Service Analytics Metric Type Registration


Source registration details for processing raw data.
Application service


Stores records that represent Business Services that were created manually using Event Management > Services > Application Services capabilities, or imported from the Business Service [cmdb_ci_service] table. The added functionality of the Business Service table [cmdb_ci_service_manual] is that it supports Business Service maps and impact calculations.
Health monitor scripts


These scripts determine how to monitor or check, for example, when using the Connectors Monitor script. You can create customized script to monitor a device or an entity. The scripts provided with the base instance are:
  • Check delay in event processing
  • Connectors Monitor
  • Get Event Processing state
  • MID Server Threshold Alerts
Monitoring configuration


Use this table to configure what to monitor according to the scripts that are listed.

Configure how often to run each script. If a script has a threshold, it determines what alert severity to display. Threshold values are in units of minutes and specify the delay time. Navigate to Event Management > Settings > Self-Health configuration to see the list of Monitoring Configurations or to create a new one. Use this script to test Data Center Monitoring.

The scripts provided with the base instance are:
  • Connector's idle state monitoring-monitor to verify whether any of the connectors was in idle state that surpassed the threshold [in minutes] that was configured.
  • Connectors Status- monitor to track the active status of the connectors.
  • Delay in event processing-monitor to track the duration [in minutes] of events that remained in 'ready' state and were not processed.
  • Event Processing job-monitors the state of the event processing jobs.
  • MID Server Threshold Alert-monitors MID Server health.
Monitoring state


Use this table to set the threshold for each connector. When there is a value above the threshold, an alert is generated. A business service displays the status, for example, in the Event Management dashboard or Alert Console.
EM XMLStats Data


Self-health statistics and diagnostic details for Operational Intelligence and Event Management, which are used to produce the XMLStats page.

Event Management adds the following tables to support alert aggregation and RCA.

Table Description
SA RCA Status


Information (such as IDs) for the latest messages that were sent to the ECC Queue for a service during RCA.
SA RCA Output

[sa_rca_output ]

RCA learner output data.
SA RCA Group


Automated alert groups for the RCA query.
SA Analytics Alert Staging

[sa_analytics_alert ]

Staging table for alerts used for analytics.
SA RCA Input


Input data for the RCA learner.
SA Analytics Status


Last run information to be used for alert aggregation and RCA.
SA RCA Group Alert

[sa_rca_group_alert ]

Alerts associated with automated alert groups.
SA RCA Service Configuration Item Association


Associations between CIs and services.
SA RCA SMC Config Base


State Model Configuration base.

User defined RCA configurations. Each configuration is associated with one or more rules in the SA RCA SMC Rule Base [sa_rca_smc_rule_base] table, if applies.

SA RCA SMC Rule Base


Service Analytics (SA) Root Cause Analysis (RCA) State Model.

Individual rules that are associated with RCA configuration in the SA RCA SMC Config Base [sa_rca_smc_config_base] table.



RCA Configuration revisions table.

Snapshots of RCA configurations generated during configuration comparisons.



Service Analytics (SA) Root Cause Analysis (RCA) State Model.

Snapshots of the rules associated with RCA configurations from the SA RCA SMC Config [sa_rca_smc_config] table.

SA RCA SMC Deployment


Information about the current revision of the RCA configuration that is in effect, and the RCA configuration that is set to be deployed at the next daily run cycle of the Learner.


RCA SMC (State Model Configuration) Run table.

All comparisons between two RCA configurations that the user ran.

SA Alert Aggregation Learned Pattern


Learned patterns from alert aggregation.
SA Alert Aggregation Learned Pattern Elements


CI/Metric Name pairs associated with learned patterns.
SA Alert Aggregation Query Group Patterns


Relationships between groups discovered in alert aggregation queries and patterns found in learning.
SA Alert Aggregation Query -- Staged (Recent) Alerts


A staging table for alerts that have not yet been associated with any aggregated alert group.
SA Value Report

[sa_value_report table]

Details for the Value Report. Trending information about alert coverage rate, alert compression rate, and user feedback on alert groups.
SA Agg Pattern Attribute

[sa_agg_pattern_attribute table]

CI/alert attributes to be used for finding patterns for alert aggregation.
SA Alert Attribute Populator Status

[sa_alert_attribute_populator_status table]

State and statistics for attribute populator job.
SA Alert Aggregation Learned Pattern Elements Pair wise Mutual Information and Joint Probability


Pairwise probabilities for pattern elements.
EM Agg Group Prediction


Alert predictions for alert groups.