## Events Analyser Reference

This is a reference for the Events Analyser utility. The Events Analyser configuration properties are found in `$MOOGSOFT_HOME/config/events_analyser.conf`.

### entropy_calc

Entropy calculation method. Moogsoft recommends using the EntropyV2 calculation method for more accurate entropy values.

- Type: String
- Required: Yes
- One of: `EntropyV2`, `EntropyClassic`
- Default: `"EntropyV2"`

### priming_source_data

Source data to use when priming the entropy value database table, that is, when running the Events Analyser to calculate entropy values. By default, the priming source data is taken from tables in the main database schema called moogdb. `timestamp_column` is a column in the `snapshots_table`.

- Type: String
- Required: Yes
- Default:

```json
{
  "alerts_table" : "alerts",
  "events_table" : "events",
  "snapshots_table" : "snapshots",
  "timestamp_column" : "last_event_time"
}
```

### partition_by

Identifies the property in each event that is used to partition events so that the Sigalisers group them separately. If partitioning is enabled, the following properties can be configured independently for each partition. See Configure Events Analyser for further details on partitions and configuration examples.

- Type: String
- Required: Yes
- Default: `null`
- Example: `"partition_by" : "source"`

### fields

Properties in each event that contribute to the entropy value calculation.

- Type: List of strings
- Required: Yes
- Default: `"description"`

### mask

Token types to be included in or excluded from entropy calculations. If a token type is set to `false`, the entropy calculation includes it. If it is set to `true`, the entropy calculation excludes the token type. Masking token types such as dates or numbers ensures that tokens are not given a higher entropy value than they should have because of unique numbers or dates.

- Type: Boolean (per token type)
- Required: No
- Default:

```json
{
  "ip_address" : false,
  "mac_address" : false,
  "oid" : false,
  "date_time" : true,
  "number" : true,
  "path" : false,
  "guid" : false,
  "hex" : false,
  "url" : false,
  "email" : false,
  "word" : false,
  "stop_word" : false
}
```

### casefold

Whether tokens that differ only by case should be considered the same in entropy calculations.

- Type: String
- Required: Yes
- Default: `true`

### stop_words

Whether specific tokens should be ignored in entropy calculations. Stop words are small common words such as 'about', 'at' or 'the'.

- Type: String
- Required: Yes
- Default: `true`

### stop_word_length

Any token of this length or shorter is considered a stop word and is excluded from entropy calculations. The default of 0 means that no words are considered stop words on the basis of length.

- Type: Number
- Required: Yes
- Default: `0`

### stop_word_file

Path (optional) and name of the file containing the list of stop words to be excluded from entropy calculations. If you provide a file name only, the Events Analyser assumes the path `$MOOGSOFT_HOME/config/`. The Events Analyser uses the full path if you provide one. The default Moogsoft AIOps implementation provides a file named `stopwords` in `$MOOGSOFT_HOME/config/`, which contains a list of common stop words.

- Type: String
- Required: Yes
- Default: `"stopwords"`

### priority_words

Whether priority words are included in entropy calculations. Alerts containing priority words are automatically given the maximum entropy value of 1.

- Type: String
- Required: Yes
- Default: `false`

### priority_word_file

Path (optional) and name of the file containing the list of priority words. If you provide a file name only, the Events Analyser assumes the path `$MOOGSOFT_HOME/config/`. The Events Analyser uses the full path if you provide one. The file `prioritywords` in `$MOOGSOFT_HOME/config/` is empty in the default Moogsoft AIOps implementation.
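As an added illustration (not Moogsoft's own code; the EntropyV2 and EntropyClassic formulas themselves are not on this page), the following Python shows how the `mask`, `casefold`, `stop_words`, `stop_word_length` and `priority_words` settings decide which tokens of an event description are allowed to feed the entropy calculation. The token-type regexes are simplified assumptions, and the sample description is constructed.

```python
import re

# Mask mirroring the reference defaults: True = excluded from the calculation.
DEFAULT_MASK = {
    "ip_address": False, "mac_address": False, "date_time": True, "number": True,
    "path": False, "hex": False, "url": False, "email": False, "word": False,
}

# Simplified token classifiers (assumption, not the product's tokenizer); first match wins.
TOKEN_TYPES = [
    ("ip_address", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("mac_address", re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("url", re.compile(r"^https?://", re.I)),
    ("date_time", re.compile(r"^\d{4}-\d{2}-\d{2}(T[\d:]+)?$")),
    ("path", re.compile(r"^/\S*$")),
    ("hex", re.compile(r"^0x[0-9a-f]+$", re.I)),
    ("number", re.compile(r"^\d+(\.\d+)?$")),
]


def classify(token):
    """Return the token type name; anything unmatched is a plain word."""
    for name, rx in TOKEN_TYPES:
        if rx.match(token):
            return name
    return "word"


def entropy_tokens(description, mask=DEFAULT_MASK, casefold=True,
                   stop_words=(), stop_word_length=0, priority_words=()):
    """Return (priority_hit, kept_tokens).

    priority_hit is True when a priority word is present, in which case the
    reference says the alert simply receives the maximum entropy value of 1
    and no further token filtering matters.
    """
    stops = {w.lower() for w in stop_words}
    priority = {w.lower() for w in priority_words}
    kept = []
    for raw in description.split():
        tok = raw.lower() if casefold else raw
        if tok.lower() in priority:
            return True, []
        ttype = classify(tok)
        if mask.get(ttype, False):
            continue  # masked token type, e.g. date_time or number by default
        if ttype == "word" and (len(tok) <= stop_word_length or tok.lower() in stops):
            continue  # stop word by list or by length threshold
        kept.append(tok)
    return False, kept
```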

