Moogsoft Docs

Events Analyser Reference

This is a reference for the Events Analyser utility. The Events Analyser configuration properties are found in $MOOGSOFT_HOME/config/events_analyser.conf .

entropy_calc : Entropy calculation method. Moogsoft recommends using the EntropyV2 calculation method for more accurate entropy values.

Type : String
Required : Yes
One of : EntropyV2 , EntropyClassic
Default : "EntropyV2"

priming_source_data : Source data to use when priming the entropy value database table, that is, running the Events Analyser to calculate entropy values. By default, the priming source data is taken from tables in the main database schema called moogdb. timestamp_column is a column in the snapshots_table .

Type : String
Required : Yes
Default :

{
    "alerts_table" : "alerts",
    "events_table" : "events",
    "snapshots_table" : "snapshots",
    "timestamp_column" : "last_event_time"
}

partition_by : Identifies the property in each event that is used to partition the events so that the Sigalisers group each partition separately. If partitioning is enabled, the properties that follow can be configured independently for each partition. See Configure Events Analyser for further details on partitions and configuration examples.

Type : String
Required : Yes
Default : null
Example : "partition_by" : "source"
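As an added example (not Moogsoft's own code), the following Python script checks a configuration against the constraints this page states for entropy_calc, priming_source_data, partition_by and fields, and then groups a few constructed events the way partition_by describes. It assumes the configuration can be parsed as plain JSON; the real events_analyser.conf may contain comments and further properties, and the sample events and table names below are constructed for the demonstration.

```python
import json
from collections import defaultdict

# Values stated on this page: the allowed entropy_calc methods, the required
# top-level properties, and the keys of priming_source_data.
ENTROPY_METHODS = {"EntropyV2", "EntropyClassic"}
REQUIRED_KEYS = ("entropy_calc", "priming_source_data", "partition_by", "fields")
PRIMING_KEYS = ("alerts_table", "events_table", "snapshots_table", "timestamp_column")

# Constructed copy of the defaults listed on this page, in JSON form (assumption:
# the real events_analyser.conf may carry comments and additional properties).
DEFAULT_CONF_TEXT = """{
  "entropy_calc": "EntropyV2",
  "priming_source_data": {
    "alerts_table": "alerts",
    "events_table": "events",
    "snapshots_table": "snapshots",
    "timestamp_column": "last_event_time"
  },
  "partition_by": null,
  "fields": ["description"]
}"""


def load_conf(text):
    """Parse the configuration text as JSON (assumed format, see lead-in)."""
    return json.loads(text)


def validate_conf(conf):
    """Return a list of problems; an empty list means the config passes every check."""
    errors = []
    for key in REQUIRED_KEYS:
        if key not in conf:
            errors.append(f"missing required property: {key}")
    if "entropy_calc" in conf and conf["entropy_calc"] not in ENTROPY_METHODS:
        errors.append(f"entropy_calc must be one of {sorted(ENTROPY_METHODS)}, "
                      f"got {conf['entropy_calc']!r}")
    if "priming_source_data" in conf:
        priming = conf["priming_source_data"]
        if not isinstance(priming, dict):
            errors.append("priming_source_data must be an object")
        else:
            for key in PRIMING_KEYS:
                value = priming.get(key)
                if not isinstance(value, str) or not value:
                    errors.append(f"priming_source_data.{key} must be a non-empty string")
    if "partition_by" in conf:
        partition_by = conf["partition_by"]
        if partition_by is not None and (not isinstance(partition_by, str) or not partition_by):
            errors.append("partition_by must be null or a non-empty string")
    if "fields" in conf:
        fields = conf["fields"]
        if (not isinstance(fields, list) or not fields
                or not all(isinstance(f, str) and f for f in fields)):
            errors.append("fields must be a non-empty list of strings")
    return errors


def partition_events(events, partition_by):
    """Group events as partition_by describes: one bucket per distinct value of
    that property, or a single bucket (key None) when partitioning is off."""
    buckets = defaultdict(list)
    for event in events:
        key = event.get(partition_by) if partition_by else None
        buckets[key].append(event)
    return dict(buckets)


# Constructed sample events for the demonstration.
SAMPLE_EVENTS = [
    {"source": "db01", "description": "Disk usage 91% on /var"},
    {"source": "web02", "description": "HTTP 503 from upstream"},
    {"source": "db01", "description": "Replication lag 120s"},
]

if __name__ == "__main__":
    conf = load_conf(DEFAULT_CONF_TEXT)
    print("problems:", validate_conf(conf) or "none")
    for name, group in partition_events(SAMPLE_EVENTS, "source").items():
        print(name, len(group), "event(s)")
```

Running the checker before priming is a cheap way to catch a typo in entropy_calc or a renamed table in priming_source_data, both of which would otherwise surface only when the Events Analyser runs against the moogdb schema.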

fields : Properties in each event that contribute to the entropy value calculation.

Type : List of strings
Required : Yes
Default : "description"

mask : Token types to be included in or excluded from entropy calculations. If a token type is set to false, the entropy calculation includes it. If it is set to true, the entropy calculation excludes the token type. Masking token types such as dates or numbers ensures that tokens are not given a higher entropy value than they should have because of unique numbers or dates.

Type : Boolean
Required : No
Default :

{
    "ip_address" : false,
    "mac_address" : false,
    "oid" : false,
    "date_time" : true,
    "number" : true,
    "path" : false,
    "guid" : false,
    "hex" : false,
    "url" : false,
    "email" : false,
    "word" : false,
    "stop_word" : false
}

casefold : Whether tokens that differ only by case should be considered the same in entropy calculations.

Type : String
Required : Yes
Default : true

stop_words : Whether specific tokens should be ignored in entropy calculations. Stop words are small common words such as 'about', 'at' or 'the'.

Type : String
Required : Yes
Default : true

stop_word_length : Any token of this length or shorter is considered a stop word and is excluded from entropy calculations. The default of 0 means that no words are considered as stop words.

Type : Number
Required : Yes
Default : 0

stop_word_file : Path (optional) and name of the file containing a list of stop words to be excluded from entropy calculations. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/ . The Events Analyser uses the full path if you provide it. The default Moogsoft AIOps implementation provides a file named stopwords in $MOOGSOFT_HOME/config/ , which contains a list of common stop words.

Type : String
Required : Yes
Default : "stopwords"

priority_words : Whether priority words are included in entropy calculations. Alerts containing priority words are automatically given a maximum entropy value of 1.

Type : String
Required : Yes
Default : false

priority_word_file : Path (optional) and name of the file containing a list of priority words. If you provide a file name only, the Events Analyser assumes the path $MOOGSOFT_HOME/config/ . The Events Analyser uses the full path if you provide it. The file prioritywords in $MOOGSOFT_HOME/config/ is empty in the default Moogsoft AIOps implementation.

Type : String
Required : Yes
Default : "prioritywords"

stemming : Whether words with the same word stem are considered the same word in entropy calculations. For example, whether 'fail', 'failed' and 'failing' are all treated as the same word.

Type : String
Required : Yes
Default : false

stemming_language : Language of the event text, used when stemming is enabled.

Type : String
Required : Yes
Default : "english"
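As an added example (not Moogsoft's code), the following Python script shows how the mask, casefold, stop_words, stop_word_length, stop_word_file, priority_words and stemming settings described above shape the token stream that an entropy calculation would see. The token-type patterns, the suffix-stripping stemmer, the stop and priority word lists and the two event messages are all constructed for this demonstration; the Events Analyser's own tokeniser and the EntropyV2/EntropyClassic formulas are not described on this page and are not reproduced here. The page does not say how a true stop_words flag interacts with the stop_word entry of mask, so this example drops a detected stop word whenever stop_words is true. The example enables priority_words and stemming (both false by default) so that their effect is visible.

```python
import os
import re

# Token-type patterns constructed for this example; they stand in for the Events
# Analyser's own tokeniser, which the page does not describe. First match wins, so
# specific shapes come before broad ones, and anything unmatched is a "word".
TOKEN_PATTERNS = [
    ("email", re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("ip_address", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("mac_address", re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)),
    ("guid", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("date_time", re.compile(r"^\d{4}-\d{2}-\d{2}(t\d{2}:\d{2}(:\d{2})?)?$", re.I)),
    ("oid", re.compile(r"^\d+(\.\d+){2,}$")),
    ("path", re.compile(r"^/\S*$")),
    ("number", re.compile(r"^\d+(\.\d+)?%?$")),
    ("hex", re.compile(r"^(0x[0-9a-f]+|[0-9a-f]{8,})$", re.I)),
]

# Constructed configuration: mask is the page default; priority_words and stemming
# are switched on here (page defaults are false) so their effect shows.
CONF = {
    "casefold": True, "stop_words": True, "stop_word_length": 0,
    "priority_words": True, "stemming": True,
    "mask": {"ip_address": False, "mac_address": False, "oid": False, "date_time": True,
             "number": True, "path": False, "guid": False, "hex": False, "url": False,
             "email": False, "word": False, "stop_word": False},
}
STOP_WORDS = frozenset({"about", "at", "on", "the", "with", "see"})  # constructed stopwords file content
PRIORITY_WORDS = frozenset({"outage", "security"})                     # constructed prioritywords content
MESSAGES = [  # constructed event descriptions
    "Disk /var/log on 10.0.0.7 failed at 2021-03-04T10:15:00 with 3 errors, see https://example.com/kb/42",
    "Security incident on 192.168.1.5 ref a1b2c3d4-e5f6-7890-abcd-ef1234567890 at 0x1F",
]


def classify(token):
    """Assign one of the mask token types to a token, defaulting to 'word'."""
    for name, pattern in TOKEN_PATTERNS:
        if pattern.match(token):
            return name
    return "word"


def stem(word):
    """Crude suffix stripping for illustration only (not Moogsoft's stemmer)."""
    for suffix in ("ing", "ed", "s"):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[:-len(suffix)]
    return word


def resolve_word_file(name, moogsoft_home):
    """A bare file name resolves under $MOOGSOFT_HOME/config/; a path is used as given."""
    if os.path.dirname(name):
        return name
    return os.path.join(moogsoft_home, "config", name)


def analyse_text(text, conf, stop_words=frozenset(), priority_words=frozenset()):
    """Return (kept, priority_hit): the (type, token) pairs that survive the mask and
    stop-word rules, and whether a priority word appeared (which the page says forces
    the alert's entropy to the maximum value of 1)."""
    kept, words_seen = [], set()
    for raw in text.split():
        token = raw.strip(".,;:!?()[]{}\"'")
        if not token:
            continue
        if conf["casefold"]:
            token = token.lower()
        kind = classify(token)
        if kind == "word":
            words_seen.add(token)
            if conf["stop_words"] and (token in stop_words
                                       or len(token) <= conf["stop_word_length"]):
                kind = "stop_word"
        # mask[kind] == true means exclude; a detected stop word is dropped as well.
        if conf["mask"].get(kind, False) or kind == "stop_word":
            continue
        if kind == "word" and conf["stemming"]:
            token = stem(token)
        kept.append((kind, token))
    priority_hit = bool(conf["priority_words"]) and bool(words_seen & priority_words)
    return kept, priority_hit


if __name__ == "__main__":
    print(resolve_word_file("stopwords", "/opt/moogsoft"))  # assumed MOOGSOFT_HOME
    for message in MESSAGES:
        kept, hit = analyse_text(message, CONF, STOP_WORDS, PRIORITY_WORDS)
        print(kept, "priority:", hit)
```

With the page's default mask, the timestamp and the bare number in the first message are dropped while the path, IP address and URL survive, so two events that differ only in time or count produce the same token stream; the second message shows a priority word forcing the maximum entropy regardless of the other tokens.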