ServiceNow Incident Management - Reduce Events via Event Correlation - Evanios


Why is ServiceNow incident management, including reduction of events through correlation, becoming such a widely deployed solution?

Most enterprises have implemented multiple monitoring tools (system, database, network, security, application performance, virtual … ). While each of these point products provides a necessary function, the sheer volume of the events they produce has created many challenges, one of them being the excessive creation of service desk tickets.

A lot of these enterprises have also implemented discovery tools to discover the relationships between components in their environment. In most cases, the communication between the CMDB and their monitoring tools has been challenging because of the disparate technology used in each silo.

Evanios Operations is a powerful event management application that runs on the ServiceNow platform. Bridging the gap between the CMDB and the monitoring events is now possible with no coding or complexity. Large numbers of events can be associated, and the few events that are really important can be shown.

With the new release of Evanios Operations (Monaco), preconfigured logic allows events to be associated based on the relationships of the attached CIs in the CMDB. When events are correlated, an action can be taken and multiple events can be merged into a single incident. It’s an automated way to handle ServiceNow incident management.

Example Use Cases

  • Virtual Server to Physical Host: In a typical environment, if the ESX server is experiencing performance issues, the virtual machines it hosts will be experiencing availability or performance issues as well. If the ESX issue has already created an incident, alerts from the virtual servers hosted on this ESX need to be on the same incident.
  • Router to Servers: If a router is experiencing availability issues, servers reporting to this router will be experiencing availability issues as well. These should be downgraded or suppressed.
  • Server to Database Instances: If a server is experiencing performance or availability issues, more than likely the database running on that server will be experiencing issues as well. These should be linked.
  • Application to Servers: If multiple servers supporting an application are failing, correlate that the application is impacted.
  • Transactions to Application: If multiple transactions supporting an application are failing, determine the application impact.


  • Build associations between multiple events based on content similarities and/or relationships of the CIs
  • Take action on associated events as a group: run workflow, trigger orchestration, enrich events, close events, change event states, notify a person and much more…
  • Analyze upstream and downstream relationships to understand and visualize the impact, and drill into the root cause


By reducing multiple events to single incidents, we help the technician restore service faster!