
View alert information


View a list of all alerts for business services and application services, and then manage individual alerts as necessary.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

About this task

Multiple related events may correlate into a single alert. Event Management only creates alerts when one or more events meet the conditions defined in event rules, alert action rules, and alert configuration settings.


  1. Navigate to Event Management > All Alerts.
  2. To view or manage an alert, click the alert number.
  3. Review the information on the Alert form.
    You can click tabs on the form for further information.
    • To view flapping information, click the Flapping tab.
    • To view alert history, click the History tab.
    Table 1. Alert form
    Field Description
    Number If an alert was created as a result of the event, this field contains the unique ID that Event Management generates to identify the alert.
    Source Event monitoring software that generated the event, such as SolarWinds or SCOM. This field has a maximum length of 100 digits.
    Node Node name, fully qualified domain name (FQDN), IP address, or MAC address that is associated with the event, such as IBM-ASSET. This field has a maximum length of 100 digits.
    Type Pre-defined event type, such as high CPU, which is used to identify an event record. This field has a maximum length of 100 digits.
    Resource Node resource that is relevant to the event. For example, Disk C, CPU-1, the name of a process, or service. This field has a maximum length of 100 digits.
    Configuration item JSON string that represents a configuration item. For example, {"name":"SAP ORA01","type":"Oracle"}. The CI identifier that generated the event appears in the Additional information field. This field has a maximum length of 1000 digits.
    Note: Reference pop-ups and click-throughs are hidden by default for read-only fields. For Configuration item and other read-only fields, you can optionally change the read-only setting. For more information, see Configure pop-ups on read-only fields.
    Click the Dependency view icon to open the alert in dependency view.
    Task The corresponding task for the alert, such as an incident, change, or problem.
    Metric Name Unique name that describes which metric data is collected.
    Description The alert description.
    Message key Unique event identifier to identify multiple events that relate to the same alert. If this value is empty, it is generated from the Source, Node, Type, Resource, and Metric Name field values. This field has a maximum length of 1024 digits.
    Severity The severity of the event. The value for this field is copied from the event unless the event closes the alert, in which case the previous severity is retained for reporting.
    • Critical: Immediate action is required. The resource is either not functional or critical problems are imminent.
    • Major: Major functionality is severely impaired or performance has degraded.
    • Minor: Partial, non-critical loss of functionality or performance degradation occurred.
    • Warning: Attention is required, even though the resource is still functional.
    • Info: An alert is created. The resource is still functional.
    • Clear: No action is required. An alert is not created from this event. Existing alerts are closed.
    State The state of the alert.
    • Open: The alert requires user action.
    • Reopen: The previously closed alert requires additional user action.
    • Flapping: After the alert has been closed, it receives a high frequency of identical events from the same source that causes many alert reopenings. User action is required.
    • Closed: The alert is closed and no further user action is required.
    Acknowledged Select to show that a user has acknowledged the alert.
    Maintenance A check box that shows whether the resource that is affected by the alert is in maintenance.
    Updated The most recent time that the alert information was updated.
    • If this field is blank, you can specify an alert number. The current alert becomes a secondary alert to this parent alert.
    • If an alert number is displayed, then the current alert is already a secondary alert to this current alert, which is the parent alert.
    Feedback This field appears in alert forms only if the alert being modified is a parent alert. Your response provides feedback about the accuracy and usefulness of the group. Possible values are:
    • None - No value was selected.
    • No Feedback - There is no feedback for this alert.
    • Yes - The alert group is accurate and useful.
    • No - The alert group is not accurate and not useful.
    For more information, see Provide feedback for an alert group.
    Knowledge article The knowledge article associated with the alert, if any.
    Overall Event Count The counter is increased every time an event is bound to the alert. The count value is kept even after the actual event has been purged. Primary alerts (virtual alerts) are updated based on their secondary alerts. The actual number of events that affected the alert is displayed.
    Note: Do not create an Alert Group based on Event Count. Where an Alert Group is based on Event Count, the impact of the group does not calculate properly because the Event Count field is not copied to the em_alert_history table for impact calculation.
    Source instance The name of the machine or software that generated the event. For example, SolarWinds on
    User name and role The user and role of the person who made the most recent alert updates.
    Acknowledged The Acknowledged check box value after the most recent alert update.
    • True: The Acknowledged check box is selected.
    • False: The Acknowledged check box is cleared.
    Correlated Alerts section The secondary alerts that are correlated with this alert, where this alert is the primary alert. For more information, see Alert correlation rules.
    Primary Alerts section The primary alert that is correlated with this alert, where this alert is a secondary alert. For more information, see Alert correlation rules.

    Additional tabs.

    Field Description
    Impacted Services tab
    Impacted Services The impacted services that are related to this alert are listed. For more information, see View the impact tree.
    Flapping tab
    Flap count The number of times the alert has flapped—that is, has fluctuated between a closed and a non-closed state—within the flap interval since the start time in the Flap start window.
    Flap start window The initial start time to measure the flapping occurrences.
    Flap last update time The last time flapping occurred. This time is the ServiceNow processing time, not the source system time.
    Flap last state The state before the alert entered the flapping state.
    History tab
    Initial event generation time The time when the event that generated the alert first occurred. This time is the ServiceNow processing time, not the source system time.
    Last event generation time The last time the event that is linked to the alert occurred. This time is the ServiceNow processing time, not the source system time.
    Created The alert creation time.
    Work notes The additional notes about the alert.
    Activities tab
    Activity A record of the work that was performed. The text has a date and time stamp.
    More Information tab
    Priority Breakdown Displays the computation of the alert priority score.
    Additional information A JSON string that gives more information about the event. JSON data is supported for String values only; other value types are not supported. You must convert numbers to String values by enclosing them in double quotes. For example, this value is not supported: {"CPU":100}, while this value is supported: {"CPU":"100"}. Another example of a valid JSON string is: {"evtComponent":"Microsoft-Windows-WindowsUpdateClient","evtMessage":"Installation Failure: Windows failed. Error 0x80070490"}. This information can be used for third-party integration or other post-alert processing.
    Values in the Additional information field of an Event that are not in JSON key/value format are normalized to JSON key/value format when the event is processed. For example, assume that the Additional information field contains the plain text "Connection instance is successful". When the event is processed, all of this plain text becomes one JSON string and might not be useful within an alert. In the resultant alert, this string is in the Additional information field in JSON key/value format, containing the data: {"additional_content": "Connection instance is successful"}.
    For more information about the Calculate Related Tasks command and the alert insight tabs, see View alert insight information.
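
The Additional information and field-length rules in Table 1 can be checked on the sending side before an event is submitted. The sketch below is an added example, not ServiceNow code: the payload key names, the reading of "digits" as characters, and the handling of nested values are assumptions.

```javascript
// Added example: sender-side pre-flight check, not ServiceNow code.
// Limits come from Table 1; "digits" is read as characters (assumption).
// Key names below are assumed payload keys for illustration.
const MAX_LENGTH = { source: 100, node: 100, type: 100, resource: 100, message_key: 1024 };

// Return Additional information as an object whose values are all strings.
function normalizeAdditionalInfo(raw) {
  if (raw === undefined || raw === null) return {};
  let parsed = raw;
  if (typeof raw === 'string') {
    try {
      parsed = JSON.parse(raw);
    } catch (err) {
      parsed = undefined; // not JSON: handled as plain text below
    }
  }
  const isObject = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
  if (!isObject) {
    // Plain text or a bare scalar/array: wrap it in one key/value pair.
    const text = typeof raw === 'string' ? raw : JSON.stringify(raw);
    return { additional_content: text };
  }
  const out = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (typeof value === 'string') out[key] = value;
    // Assumption: nested objects/arrays are kept as their JSON text.
    else if (value !== null && typeof value === 'object') out[key] = JSON.stringify(value);
    else out[key] = String(value); // numbers, booleans, null
  }
  return out;
}

// List the fields whose values exceed the documented maximum length.
function findOversizedFields(event) {
  return Object.keys(MAX_LENGTH).filter(
    (f) => typeof event[f] === 'string' && event[f].length > MAX_LENGTH[f]
  );
}

// Constructed sample event (not from the page).
const sample = {
  source: 'SolarWinds', node: 'IBM-ASSET', type: 'high CPU', resource: 'CPU-1',
  additional_info: '{"CPU":100,"evtComponent":"Microsoft-Windows-WindowsUpdateClient"}',
};
const cleaned = JSON.stringify(normalizeAdditionalInfo(sample.additional_info));
console.log(cleaned, findOversizedFields(sample));
```

Sending string-only key/value pairs keeps each key separately addressable for post-alert processing instead of collapsing the payload into a single additional_content string.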

What to do next

You can respond to the alert in the following ways:
Table 2. Alert response options
Option Description
Submit Save the modifications that were made to the form and return to the Alerts list.
Acknowledge the alert. Click Acknowledge. If the alert is reopened, this button reappears so you can reacknowledge the alert.
Create an incident. Click Create incident. For more information, see Create an incident or security incident from an alert.
If Security Incident Response is activated, create a security incident response. Click Create Security Incident.
Designate that the alert is in maintenance. Select the Maintenance check box. For more information, see View all alerts by the maintenance status.
Close the alert. Click Close. For more information, see Close an Event Management alert.