Moogsoft Docs

Cookbook Recipes

Introduction

This is where you can create and edit the Cookbook Recipes that are built using factors such as Event filtering, rate calculations and flexible similarity comparisons.

Factors can be the frequency and/or temporal proximity of Alerts or Events with specific characteristics, as well as triggers and other logical conditions.

Creating a new Recipe

Click the button to add a new Recipe. This opens the Cookbook Recipes edit screen:

Recipe Tab

Fill in the available fields on the Recipe Tab to configure the Recipe as required. See the table below:

| Field | Input | Description |
| --- | --- | --- |
| Name | String (Mandatory) | The name of the Recipe. |
| Situation Description | String | The Situation Description for the Recipe. Note: This text will appear in the Situation View. |
| Trigger Filter | Filter (Optional) | The Trigger Filter sets criteria to be met for Alerts to be included in cluster creation. |
| Exclusion Filter | Filter (Optional) | The Exclusion Filter sets criteria to be met for Alerts to be excluded from cluster creation. |
| Rate Filter | Boolean | If enabled, you can select further criteria for Events to be considered for cluster creation. |
| *Rate | Integer | The rate in Events per minute (between 0 and 1000000). |
| *Min Sample Size | Integer | The minimum sample size in Events (between 2 and 1000000). |
| *Max Sample Size | Integer | The maximum sample size in Events (between 2 and 1000000). Warning: The Max Sample Size cannot be less than the Min Sample Size. |
| Alert Threshold | Integer | The Alert threshold sets the minimum number of Alerts which are clustered before a Situation is created (between 1 and 1000000). |
| Cook For | Integer | The duration, in hours, minutes and/or seconds, for which Events are clustered before the Recipe forgets and begins Event analysis again. Note: This will override the Cookbook cook_for value. |
| Cluster By | One of: Default (From Cookbook), First Matching Cluster, Closest Matching Cluster | The default 'Cluster by' option is to use the Cookbook setting in the Cookbook the Recipe is added to. First Matching Cluster adds an Alert to the first cluster that matches the criteria from the Recipe. Closest Matching Cluster adds an Alert to the cluster that most closely matches the criteria from the Recipe. |

Note

* Please note: These fields are only enabled if the Rate Filter checkbox is checked.

Clustering Tab

Click Clustering to configure how the Recipe clusters the Alerts.

First click Add Field to add a new field which the Recipe can base its clustering on.

Select an attribute by clicking the drop-down arrow under Cluster by and fill the field entry below if required.

Move the Similarity Threshold slider to the desired percentage value to determine how similar the Events must be for them to be clustered.

Note

Please note: The Match List Items field is only enabled if 'custom_info' is selected as the Cluster by attribute. For more information, read the Matching List Items section below.

Click Save Changes to save and continue.

Editing a Recipe

Select the Recipe you want to edit from the list to the left of the window.

Alternatively type the name of the Recipe into the search box and press Enter.

Edit any fields as described in the Creating a new Recipe section above.

Note

Please note: You cannot edit the Recipe Name. If you need to do this, create a duplicate, give it a new name and then delete the original.

Click Save Changes. If you want to discard all changes, click Revert Changes.

Note

Please note: If you edit a Recipe which is in an active Cookbook (set in the Cookbook selector), you are warned that the Cookbooks will be restarted. Click Yes to save the changes and restart the Cookbooks, or No to return to the Recipe builder.

Duplicating a Recipe

1. Select the Recipe you want to copy and click Duplicate.

2. A new Recipe will be created with the same settings. By default, this is named "Copy of..." the original Recipe.

3. Edit the Recipe name and any of the other fields as required.

4. Click Save Changes to continue.

Deleting a Recipe

1. Select the Recipe you want to delete from the list on the left. If the list is long, type in the search box to narrow the list.

2. Click Delete to remove the Recipe.

3. Click Yes to confirm the deletion. The Recipe is removed from the list.

Note

Please note: If the Recipe is used in any Cookbooks, the Delete button is disabled and you will not be able to delete it.

Matching List Items (Custom_Info Only)

It is possible to create Recipes and configure clustering around the use of 'custom_info' list-based fields in Alert Custom Info.

You can also set whether list-based clustering of a custom_info field is applied. If not, the field is treated as a string.

1. Click on the Clustering tab and select the 'custom_info' attribute from the Cluster By list. Enter the custom_info field name in the box below.

2. Check the box next to Match List Items to match individual items in custom_info lists.

Note

You can also set list-based matching for Cookbook Recipes defined in moog_farmd.conf.
To do this, add the qualifier treat_as: "list" to any custom_info components in the matcher:

recipes : [
    {
        chef : "CValueRecipe",
        name : "ListParamCustomInfo",
        description : "List with custom info.",
        recipe_alert_threshold : 0,
        exclusion : null,
        trigger : null,
        rate : 0,
        rate_samples : 5,
        matcher : {
            components: [ { name: "custom_info.cities", similarity: 0.5, treat_as: "list" } ]
        }
    }
],

Example

The following Alerts arrive in the system. They all meet the conditions of a Recipe's trigger/exclusion filter, and arrive within the set cook_for period:


Alert 1: custom_info.offices = ["London"]
Alert 2: custom_info.offices = ["London", "San Francisco", "Venice", "Bangalore"]
Alert 3: custom_info.offices = ["Venice", "Bangalore"]
Alert 4: custom_info.offices = ["Bangalore"]


• No custom_info list matching:

If the Recipe has a matcher configuration of:

matcher : {
    components: [ { name: "custom_info.offices", similarity: 1.0 } ]
}

In this example, the custom_info field is not treated as a list. The Recipe treats each custom_info field as a single string and (if the recipe alert_threshold was 1) each Alert ends up in a separate Situation, with no clustering:

  1. Situation with Alert 1
  2. Situation with Alert 2
  3. Situation with Alert 3
  4. Situation with Alert 4

• custom_info list matching enabled:

If the Recipe has a matcher configuration of:

matcher : {
    components: [ { name: "custom_info.offices", similarity: 1.0, treat_as: "list" } ]
}

The custom_info field is treated as a list. The Recipe bases its clustering and similarity comparisons around the individual items in the lists, and four distinct clusters are produced:

  1. Cluster 1 with Alerts 1 & 2 (matched on London)
  2. Cluster 2 with Alert 2 (matched on San Francisco)
  3. Cluster 3 with Alerts 3 & 4 (matched on Venice)
  4. Cluster 4 with Alerts 2, 3 & 4 (matched on Bangalore)

This can produce four separate Situations, one for each of the four clusters above, or two Situations, because Cluster 4 contains all the Alerts in Clusters 2 and 3:

  1. Situation with Alerts 1 & 2
  2. Situation with Alerts 2, 3 & 4

Note

  • This feature is only available for custom_info fields and Event Value Recipes
  • The Single recipe matching option still works with lists of components, but an Alert may appear in multiple clusters generated by the same Recipe if this functionality is used
  • If treat_as is set to "list" for a custom_info field, ensure that the field is a JSON list containing strings or numbers
  • If the custom_info field list contains complex values, such as sub-lists, the sub-lists are treated as pure strings. For example:

    Alert 5: custom_info.offices = ["Venice", "Bangalore", ["New York","Munich"], "Tokyo"]

    In the above example the list items Venice, Bangalore and Tokyo are used for matching, but the sub-list is treated as one entire string: ["New York","Munich"]
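
The list-matching behaviour described in this section, sketched in Python as an added example (it is not Moogsoft code, and the function names are hypothetical). It assumes exact item matching (similarity 1.0 only) and that a cluster wholly contained in another is folded into it, which gives the two-Situation outcome; is_flat_list is a check for the "strings or numbers" requirement in the Note.

```python
import json

# Constructed input: the custom_info.offices values from the Example above.
ALERTS = {
    1: ["London"],
    2: ["London", "San Francisco", "Venice", "Bangalore"],
    3: ["Venice", "Bangalore"],
    4: ["Bangalore"],
}
ALERT_5 = ["Venice", "Bangalore", ["New York", "Munich"], "Tokyo"]


def is_flat_list(value):
    """Check the stated requirement: a JSON list of strings or numbers only."""
    return isinstance(value, list) and all(
        isinstance(v, (str, int, float)) and not isinstance(v, bool) for v in value
    )


def match_keys(value, treat_as_list):
    """Return the strings one matcher component compares for an Alert."""
    if not treat_as_list:
        return [json.dumps(value)]  # whole field compared as a single string
    # Sub-lists are not expanded; each one is compared as one entire string.
    return [v if isinstance(v, str) else json.dumps(v) for v in value]


def cluster(alerts, treat_as_list):
    """Group Alert ids by exact key match (models similarity 1.0 only)."""
    clusters = {}
    for alert_id, value in alerts.items():
        for key in match_keys(value, treat_as_list):
            clusters.setdefault(key, set()).add(alert_id)
    return clusters


def situations(clusters):
    """Keep only clusters not wholly contained in another cluster."""
    unique = {frozenset(members) for members in clusters.values()}
    return sorted(sorted(c) for c in unique if not any(c < o for o in unique))


if __name__ == "__main__":
    print(situations(cluster(ALERTS, False)))  # no list matching
    print(situations(cluster(ALERTS, True)))   # treat_as: "list"
    print(match_keys(ALERT_5, True), is_flat_list(ALERT_5))
```

Running is_flat_list over incoming custom_info values before enabling treat_as: "list" shows which Alerts would have a sub-list compared as a single string.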