Moogsoft Docs

Alert Rules Engine

The Alert Rules Engine (ARE) applies business logic to event processing in Moogsoft AIOps. You can define rules in ARE to hold alerts for a period of time , identify missing events or change the state of events .

For example, common uses of ARE include:

  • Link Up-Link Down - delays an alert to see if a link recovers.
  • Heartbeat Monitor - detects any missing network health signals.
  • Closing Events - close events of a particular type or severity.

The ARE controls event processing by placing alerts in different virtual buckets called Action States . These determine the period of time an alert is held for or if it should be passed to the next Moolet or Sigaliser algorithm in the chain. You define when an alert moves from one Action State to another using transitions , a configurable set of conditions and filters. Transitions moving alerts from one state to another results in the following:

  • Alerts moving from one Moolet to the next moolet in the chain
  • Alerts being passed to a Sigaliser and clustered into Situations.

Configure the Alert Rules Engine

You can configure Alert Rules Engine in $MOOGSOFT_HOME/config/moog_farmd.conf using the following parameters :

run_on_startup

Determines whether Alert Rules Engine runs when AIOps starts up.

Type : Boolean
Default : false

persist_state

Enables Alert Rules Engine to save its state for High Availability systems. When a failover occurs, the standy moogfarmd continues processing events from where the primary stopped .

Type : Boolean
Default : false

metric_path_moolet

Determines whether or not AIOps factors ARE into the Event Processing metric for Self Monitoring .

Type : Boolean
Default : false

moobot

The name of the Alert Rules Engine JavaScript source. The file must reside at $MOOGSOFT_HOME/bots/moobots . The default, AlertRulesEngine.js , provides the standard modules. You can c ustomize it to meet your needs.

Type : String
Default : " AlertRulesEngine.js "

process_output_of

Defines the input source for the Alert Rules Engine. This determines the Alert Rules Engine's place in the event processing workflow.

Type : List
Default : "MaintenanceWindowManager"

The default Alert Rules Engine parameter values are as follows:

{
 name            : "AlertRulesEngine",
 classname       : "CAlertRulesEngine",
 run_on_startup  : false,
 persist_state   : false,
 metric_path_moolet : true,
 moobot          : "AlertRulesEngine.js",
 # Configuration for Netcool LAM
 # moobot          : "AlertRulesEngineNetcool.js",
 process_output_of : "MaintenanceWindowManager"
}

Note

The classname is hardcoded and should not be changed.

After you have configured ARE to meet your needs, save the changes and restart the moog_farmd service:

service moogfarmd restart

Define Action States and Transitions

After you have configured the Alert Rules Engine, set up Action States and transitions in the AIOps UI under Settings > Automation :

  • Action States - determine the length of time AIOps retains alerts before forwarding them to a Sigaliser or closing them.
  • Transitions - defines the set of conditions an alert must meet before it moves from one state to another in the Alert Rules Engine. Higher priority transitions take precedence over those with lower priorities.

For more information see Action States and Transitions .

T he initial state for all alerts is the 'Ground' state. After an alert enters 'Ground' state, AIOps transitions it to another state or forwards it to a Sigaliser. If the Action State has a 'Remember Alerts For' set to a positive number then AIOps retains an alert in that state for this period of time.

If you enable 'Cascade on Expiry' and nothing happens to an alert within that period, AIOps returns it to 'Ground' state before forwarding it to a Sigaliser. This is because the 'Ground' state has “Forward Alerts" enabled. If an alert does not match any transitions, AIOps does not return it to 'Ground' state and it is closed.

Note

Action States are not enabled until you have defined a transition.

Link up/Link Down Example

This example demonstrates how to configure Alert Rules Engine so that when a link-down event arrives at moog_farmd , AIOps holds it for a period of time to provide an opportunity for the link-up to arrive . If nothing arrives, AIOps forwards it to a Sigaliser.

If the link-up arrives, the system closes and discards both alerts without sending anything to the Sigaliser. This ensures neither the link-down or link-up events appear in Situation s .

To try out this example, set up the following:

  1. Create three Action States: 'Ground' (default), 'Link Up' and 'Link Down'.
  2. Create two transitions: 'LinkDown Transition' and 'LinkUp Transition'.

In this scenario, if a 'Link Down' alert arrives at the ARE and no 'Link Up' alert arrives within 120 seconds, then the 'Link Down' alert returns 'Ground State' and ARE passes it to a Sigaliser.

Heartbeat Monitor Example

For instructions on how to set this up see Heartbeat Monitor .