Moogsoft Docs

Alert Builder Moolet

The Alert Builder Moolet assembles from Events, sent by the LAMs across the MooMS bus, the Alerts that are visible through the Alert View in the User Interface (UI). The Alert Builder Moolet is also responsible for:

  • Updating all the necessary data structures. For example, when a duplicate Alert arrives in the system with the same signature
  • Ensuring copies of the old Alert state are stored in the snapshot table in moogdb, relevant events are created and the old Alert record is updated to reflect the new events arriving into the system

Alert Builder Configuration Walk-through

The behaviour of the Alert Builder is defined in the moog_farmd configuration file in a section titled AlertBuilder.

{
    name:"AlertBuilder",
    classname:"CAlertBuilder",
    run_on_startup:true,
    moobot:"AlertBuilder.js",
    event_streams:[
        "AppA"
    ],
    threads:4,
    metric_path_moolet:true,
    events_analyser_config:"events_analyser.conf",
    priming_stream_name:null,
    priming_stream_from_topic:false
}

The AlertBuilder section contains only a few parameters; name, classname and run_on_startup are shared with other Moolets. See the table below for more information:

Parameter Description

name

name is hardcoded and should never be changed from AlertBuilder

classname

the classname, CAlertBuilder, is hardcoded and should never be changed

run_on_startup

by default, run_on_startup is set to true, so that when moog_farmd starts, it automatically creates an instance of the Alert Builder. In this case you can stop it using farmd_ctrl

events_analyser_config

allows configurations for tokeniser rules to be specified on a moolet-by-moolet basis. If no config is specified, the system default is used

priming_stream_name

the stream name under which the events_analyser was run in order to calculate alert entropies. If set to null, all alerts are factored into the entropy calculation

priming_stream_from_topic

if set to true, the priming_stream_name is extracted from the event's stream. If set to false, the stream to use is the value configured in priming_stream_name

moobot

moobot specifies a JavaScript file found in $MOOGSOFT_HOME/moobots, which defines the AlertBuilder Moobot, which creates Alerts

event_streams

a list of sub event streams which the Moolet in this instance of farmd will process. The LAMs can be configured to send events on different sub streams. farmd, as specified in the Alert Builder configuration, then decides whether or not to process them. If MOOG runs multiple farmds, you can have different event sub streams being processed by different Alert Builder Moolets

by default, you can comment out event_streams, or provide an empty list; the Alert Builder will then process every event that is published on the default /Events topic on the MooMS bus

you configure the Alert Builder Moolet by giving it a list of strings, for example, ["AppA","AppB"]. The result is that the Alert Builder will listen for events published on /Events/AppA as well as /Events/AppB and process that data. Importantly, in this example, events published to /Events or any other substream are ignored. You can have farmds that process completely separate event streams, or multiple farmds that process some different event streams and some common event streams. You would do this when some of the Alerts are common to all of the applications being processed, but some are specific only to a given application. In this way, you would cluster Alerts separately for each application, as the Sigaliser only processes alerts from its upstream Alert Builder Moolet

for example, if you have two separate applications that share the same network infrastructure: in farmd 1, you can have application A and networks as the event streams, and, in farmd 2, you can have application B and networks. So you can detect Alerts and then create Situations that are relevant for just application A; however, if there is common networking infrastructure and problems occur with network failures, you will get those clustered into Situations, and similarly for application B

threads

the number of threads in the Alert Builder is chosen to match the event rate experienced by the system, so that Alerts are created in time. By default, the Alert Builder is only run in single threaded mode
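The event_streams rules above are easy to get wrong in a multi-farmd layout: a non-empty list silently drops anything published to /Events or to an unlisted substream, and a changed name or classname breaks the Moolet. The following is an added example, not Moogsoft code and not part of this page; it models the topic mapping (/Events/<stream>, or /Events alone when the list is empty or omitted, as described above) and the hardcoded-field checks, then routes a constructed set of events through the two-farmd layout from the text. The function names and the event objects are assumptions made for the example.

```javascript
// Added example (not Moogsoft code): model of how event_streams selects the
// MooMS topics an Alert Builder Moolet consumes, with a check of the fields
// the configuration walk-through says are hardcoded.
// Assumption: a stream "X" maps to the topic "/Events/X" (as in the text).

const EVENTS_TOPIC = "/Events";

// Returns a list of problems for an AlertBuilder block; empty means the block
// respects the constraints described in the walk-through.
function validateAlertBuilder(cfg) {
  const problems = [];
  if (cfg.name !== "AlertBuilder") {
    problems.push(`name must be "AlertBuilder", got ${JSON.stringify(cfg.name)}`);
  }
  if (cfg.classname !== "CAlertBuilder") {
    problems.push(`classname must be "CAlertBuilder", got ${JSON.stringify(cfg.classname)}`);
  }
  if (cfg.threads !== undefined && (!Number.isInteger(cfg.threads) || cfg.threads < 1)) {
    problems.push(`threads must be a positive integer, got ${JSON.stringify(cfg.threads)}`);
  }
  if (cfg.event_streams != null && !Array.isArray(cfg.event_streams)) {
    problems.push("event_streams must be a list of strings or omitted");
  }
  return problems;
}

// Topics this Moolet listens on: an omitted or empty event_streams means the
// default /Events topic only; otherwise one /Events/<stream> topic per entry,
// and the bare /Events topic is NOT included.
function subscribedTopics(cfg) {
  const streams = cfg.event_streams;
  if (!streams || streams.length === 0) return [EVENTS_TOPIC];
  return streams.map((s) => `${EVENTS_TOPIC}/${s}`);
}

// Route events to the farmds whose Alert Builder would process them.
// Returns { processedBy: { topic: [farmdId, ...] }, dropped: [topic, ...] }.
function routeEvents(farmds, events) {
  const processedBy = {};
  const dropped = [];
  for (const ev of events) {
    const takers = Object.entries(farmds)
      .filter(([, cfg]) => subscribedTopics(cfg).includes(ev.topic))
      .map(([id]) => id);
    if (takers.length === 0) dropped.push(ev.topic);
    else processedBy[ev.topic] = takers;
  }
  return { processedBy, dropped };
}

// Constructed sample layout from the text: farmd 1 handles application A plus
// networks, farmd 2 handles application B plus networks (stream names assumed).
const FARMDS = {
  farmd1: { name: "AlertBuilder", classname: "CAlertBuilder", run_on_startup: true,
            moobot: "AlertBuilder.js", event_streams: ["AppA", "Networks"], threads: 4 },
  farmd2: { name: "AlertBuilder", classname: "CAlertBuilder", run_on_startup: true,
            moobot: "AlertBuilder.js", event_streams: ["AppB", "Networks"], threads: 4 },
};

// Constructed events: only the topic matters for routing.
const SAMPLE_EVENTS = [
  { topic: "/Events/AppA", description: "app A service restart" },
  { topic: "/Events/Networks", description: "core switch link down" },
  { topic: "/Events/AppB", description: "app B queue backlog" },
  { topic: "/Events", description: "published on the default topic" },
  { topic: "/Events/AppC", description: "stream nobody subscribed to" },
];

// Stand-alone run: print validation results and the routing table.
if (typeof require !== "undefined" && require.main === module) {
  for (const [id, cfg] of Object.entries(FARMDS)) {
    const problems = validateAlertBuilder(cfg);
    console.log(`${id}: ${problems.length === 0 ? "ok" : problems.join("; ")}`);
    console.log(`  listens on ${subscribedTopics(cfg).join(", ")}`);
  }
  console.log(JSON.stringify(routeEvents(FARMDS, SAMPLE_EVENTS), null, 2));
}
```

Running the block shows the Networks events reaching both farmds, the AppA and AppB events reaching exactly one, and the /Events and /Events/AppC events dropped by every Alert Builder. That last line of output is the one to check before a LAM goes live: an event that lands on a topic with no subscribed Alert Builder never becomes an Alert.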


AlertBuilder.js

Most of the activity of the Alert Builder is undertaken in the Moobot, AlertBuilder.js, associated with the Alert Builder Moolet. The JavaScript function, newEvent, is called when the Alert Builder Moolet processes an event:

events.onEvent("newEvent", constants.eventType("Event")).listen();

  • newEvent contains a call to create an Alert
  • The newly created Alert is broadcast on the MooMS bus

The Alert Builder Moobot is explained in full in the Moobot and Moobot Language documentation.