Home Orlando IT Operations Management IT Operations Management ITOM Health Event Management Alert aggregation and RCA CMDB alert groups

CMDB alert groups

Alerts are grouped by Event Management alert aggregation and root cause analysis (RCA) using different methods of correlation. For CIs without historical data, alerts are correlated based on those CIs relationships in the CMDB. CMDB alert groups are displayed in the alert list in Alert Intelligence and in the Event Management dashboard (for instances upgraded from a release before Orlando).

To correlate alerts into groups, alert aggregation and RCA learns from historical alert data and then forms alert patterns. Alert aggregation and RCA then attempts to match new alerts with these patterns to correlate alerts and create alert groups. However, in some situations, such as, with a new implementation, or with a new set of CIs, there is no historical data to learn from. In these situations, alert aggregation and RCA can automatically correlate alerts based on CI relationships. This correlation is based on hosting rules, containment rules, and suggested relationships. For example, the alerts for the CIs in the following relationships can be correlated into a CMDB alert group:

A server hosting a computer
Processes that are running on a specific server

You can view all alert groups by navigating to Event Management > Alert Intelligence. The icon in the Group column denotes the alert group type. Alerts that do not have an entry in the Group column are not correlated with any group.

If your ServiceNow instance uses domain separation, domain names are considered when forming groups.

RCA for CMDB alert groups

Alert aggregation and RCA apply RCA to identify a root cause alert within the CMDB alert group if the following properties are set to true:

Enable CMDB Correlation for Alert Aggregation [sa_analytics.agg.query_cmdb_correlation_enabled]
Enable root cause analysis for CMDB groups [sa_analytics.agg.query_cmdb_rca_enabled]

When these properties are set to true, the RCA algorithm calculates the group's root cause alert. The identified root cause alerts appear with a star in the Alert Group Timeline view in Alert Intelligence.

Figure 1. RCA indicator on alerts timeline

If a root cause alert is identified for a CMDB alert group, that alert is designated as the primary alert of the group.

Configure automatic creation of CMDB alert groups

Use the properties listed in this table to control which alerts are automatically included in CMDB alert groups. For more information about Event Management properties, see Components installed with Event Management.

Table 1. Properties to control CMDB alert groups
Property	Setting
Enable CMDB Correlation for Alert Aggregation sa_analytics.agg.query_cmdb_correlation_enabled	Enable to allow alert aggregation and RCA to automatically use CI relationships to correlate alerts and form CMDB alert groups.
Enable Suggested Relations for CMDB Correlation evt_mgmt.related_cis_use_suggested_relations_rules	Enable to use any suggested relationship that is defined in the system when forming CMDB alert groups.
CMDB Groups: Relationship level sa_analytics.agg.query_cmdb_graph_walk_nodes	Set the number of levels for which a CI bound to an alert is grouped with other CIs bound to alerts. For example, if this property is set to 3, a CI bound to an alert is automatically grouped with any other CIs bound to alerts that are within 3 hops or less. The setting for this property impacts the application of CMDB hosting rules, containment rules, and endpoints to CMDB group formation during alert aggregation.
evt_mgmt.related_cis_use_containment_rules	Set to `false` to disable CMDB alert groups from forming when using hosting and containment relationships. To add this property to your instance, navigate to System Properties > All Properties and click New. Specify these details: Name: sa_analytics.agg.query_cmdb_containment_enabled Type: true \| false Value: true Click Submit.
sa_analytics.agg.ignore_cmdb_applicative_flow	Set to `true` to prevent CMDB groups from forming due to applicative flow relations. To add this property to your instance, navigate to System Properties > All Properties and click New. Specify these details: Name: sa_analytics.agg.ignore_cmdb_applicative_flow Type: true \| false Value: false Click Submit.
sa_analytics.agg.query_cmdb_rca_enabled	Enable root cause analysis for CMDB groups. This property is enalbed by default. To access this property, navigate to Event Management > Alert Aggregation and RCA > Properties. Then select the Enable root cause analysis for CMDB groups check box.

Previous topic

Next topic

Send feedback

Release version

CMDB alert groups

A server hosting a computer
Processes that are running on a specific server

If your ServiceNow instance uses domain separation, domain names are considered when forming groups.

RCA for CMDB alert groups

Alert aggregation and RCA apply RCA to identify a root cause alert within the CMDB alert group if the following properties are set to true:

Enable CMDB Correlation for Alert Aggregation [sa_analytics.agg.query_cmdb_correlation_enabled]
Enable root cause analysis for CMDB groups [sa_analytics.agg.query_cmdb_rca_enabled]

If a root cause alert is identified for a CMDB alert group, that alert is designated as the primary alert of the group.

Configure automatic creation of CMDB alert groups

Table 1. Properties to control CMDB alert groups
Property	Setting
Enable CMDB Correlation for Alert Aggregation sa_analytics.agg.query_cmdb_correlation_enabled	Enable to allow alert aggregation and RCA to automatically use CI relationships to correlate alerts and form CMDB alert groups.
Enable Suggested Relations for CMDB Correlation evt_mgmt.related_cis_use_suggested_relations_rules	Enable to use any suggested relationship that is defined in the system when forming CMDB alert groups.
CMDB Groups: Relationship level sa_analytics.agg.query_cmdb_graph_walk_nodes	Set the number of levels for which a CI bound to an alert is grouped with other CIs bound to alerts. For example, if this property is set to 3, a CI bound to an alert is automatically grouped with any other CIs bound to alerts that are within 3 hops or less. The setting for this property impacts the application of CMDB hosting rules, containment rules, and endpoints to CMDB group formation during alert aggregation.
evt_mgmt.related_cis_use_containment_rules	Set to `false` to disable CMDB alert groups from forming when using hosting and containment relationships. To add this property to your instance, navigate to System Properties > All Properties and click New. Specify these details: Name: sa_analytics.agg.query_cmdb_containment_enabled Type: true \| false Value: true Click Submit.
sa_analytics.agg.ignore_cmdb_applicative_flow	Set to `true` to prevent CMDB groups from forming due to applicative flow relations. To add this property to your instance, navigate to System Properties > All Properties and click New. Specify these details: Name: sa_analytics.agg.ignore_cmdb_applicative_flow Type: true \| false Value: false Click Submit.
sa_analytics.agg.query_cmdb_rca_enabled	Enable root cause analysis for CMDB groups. This property is enalbed by default. To access this property, navigate to Event Management > Alert Aggregation and RCA > Properties. Then select the Enable root cause analysis for CMDB groups check box.

How search works:

Topics are ranked in search results by how closely they match your search terms

CMDB alert groups

CMDB alert groups

RCA for CMDB alert groups

Configure automatic creation of CMDB alert groups

On this page

CMDB alert groups

CMDB alert groups

RCA for CMDB alert groups

Configure automatic creation of CMDB alert groups

Log in to personalize your search results and subscribe to topics