Clustering Algorithm Guide
Sigalisers are the clustering algorithms in Moogsoft AIOps that group alerts based on factors such as time, language, similarity and proximity.
The clustering algorithms available include:
You can configure and run multiple different clustering algorithms on the same instance of Moogsoft AIOps. The algorithms you choose depend on your specific use case and the type of Situations you want your operators to receive.
You can also apply entropy and Vertex Entropy calculations to add another degree of filtering to the alerts you want to correlate. For example, you can use an entropy threshold if you want to exclude alerts with low operational value or include alerts with high operational value. See Vertex Entropy and Entropy for more details.
Cookbook
Cookbook is a clustering algorithm that creates clusters defined by the relationships between alerts and their attributes.
Type: Attribute-based clustering.
Use case: You can use Cookbook if you want more control in how you correlate alerts based on patterns in the text similarity. Example use cases include:
-
Grouping alerts with a similar description and from the same application or service.
-
Grouping alerts from the same host or location.
Benefits: Cookbook offers the following advantages:
-
Very customizable and configurable using Recipes.
-
Able to create Situations when an alert exceeds a defined rate of occurrence.
-
Can include and exclude alerts that meet specific criteria such as Vertex Entropy.
-
Able to partition alerts into Situations using textual similarity-based comparison.
Configuration: Both UI and backend configuration. See Cookbook for details.
Tempus
Tempus is a time-based algorithm that clusters alerts into Situations based on the similarity of their timestamps.
Type: Time-based clustering.
Use case: You want to match alerts based on patterns in their timestamps or on a timeline. Use Tempus if you want your alerts to be clustered in real-time. The logic behind Tempus is that a triggering event causes additional subsequent failures within a short timeframe. Works well in scenarios where there is a causal chain such as:
-
Cascading failures
-
Performance failures
-
Brownouts.
Benefits: Tempus offers the following advantages:
-
No enrichment required. See Enrichment.
-
Good for availability alerts.
-
Good for performance alerts.
Configuration: Backend configuration only. See Tempus for details.
Feedback
Warning
Feedback is a Beta feature.
Feedback is the neural-based algorithm that learns and unlearns actions based on user feedback.
Type: Neural/learns user feedback.
Use case: Feedback is currently a prototype and should not be used in production environments. You can use it if the other clustering algorithms did not correlate anything, as you can teach it what to cluster. For example, if you have a set of alerts that you want to cluster but they didn't cluster through time or attribute similarity, you can teach the system and it learns to cluster those alerts.
Alternatively, you might want to use Feedback if you want to manually create Situations and teach Moogsoft AIOps to cluster the same type of alerts. Another use case is to use Feedback alongside Tempus. If you have several team members looking at time-based correlation with an inherent degree of fuzziness, they can use Feedback to train the system to remember good Situations and forgot about bad Situations and persist that behavior in future. For example, you could teach it to remember when there was a server failure but to ignore the printer ink failure and persist that behavior.
Benefits: Feedback offers the following advantages:
-
No enrichment required. See Enrichment.
-
Allows operators to push domain knowledge back into the system.
-
Can be trained to only create the Situations you are interested in.
Configuration: Both UI and backend configuration. See Feedback for more details.