Clustering Algorithm Guide

Sigalisers are the clustering algorithms in Moogsoft AIOps that group alerts based on factors such as time, language, similarity and proximity.

The clustering algorithms available include:

  • Cookbook

  • Tempus

  • Feedback

You can configure and run multiple different clustering algorithms on the same instance of Moogsoft AIOps. The algorithms you choose depend on your specific use cases and the type of Situations you want your operators to receive.

You can also apply entropy and Vertex Entropy calculations to add another degree of filtering to the alerts you want to correlate. For example, you can use an entropy threshold if you want to exclude alerts with low operational value or include alerts with high operational value. See Vertex Entropy and Entropy for more details.

Cookbook

Cookbook is a clustering algorithm that creates clusters defined by the relationships between alerts and their attributes. See Cookbook for more information.

Type: Attribute-based clustering.

Use cases: You can use Cookbook if you want more control over how you correlate alerts based on patterns in text similarity. Example use cases include:

  • Grouping alerts with a similar description and from the same application or service.

  • Grouping alerts from the same host or location.

  • Topology-based correlation using Vertex Entropy.

Benefits: Cookbook offers the following advantages:

  • Very customizable and configurable using Recipes.

  • Able to create Situations when an alert exceeds a defined rate of occurrence.

  • Can include and exclude alerts that meet specific criteria such as Vertex Entropy.

  • Able to partition alerts into Situations using textual similarity-based comparison.

  • Possible to base alert clustering on topological relationships.

Configuration: To configure Cookbook Recipes and Cookbook via the Moogsoft AIOps UI, see Configure a Cookbook Recipe and Configure a Cookbook. You can also configure Cookbook and its Recipes via the Graze API.

Tempus

Tempus is a time-based algorithm that clusters alerts into Situations based on the similarity of their timestamps. See Time-based Clustering with Tempus for more information.

Type: Time-based clustering.

Use cases: You want to match alerts based on patterns in their timestamps or on a timeline. Use Tempus if you want your alerts to be clustered in real time. The logic behind Tempus is that a triggering event causes additional subsequent failures within a short timeframe. Tempus works well in scenarios where there is a causal chain, such as:

  • Cascading failures

  • Performance failures

  • Brownouts

Benefits: Tempus offers the following advantages:

  • No enrichment required. See Enrichment Overview.

  • Good for availability alerts.

  • Good for performance alerts.

Configuration: To configure Tempus via the Moogsoft AIOps UI, see Configure Tempus. You can also configure Tempus via the Graze API.

Feedback

Warning

Feedback is a Beta feature.

Feedback is a neural-based algorithm that learns and unlearns actions based on user feedback. See Feedback for more information.

Type: Neural/learns user feedback.

Use cases: Feedback is currently a prototype and should not be used in production environments. You can use it if the other clustering algorithms did not correlate anything, as you can teach it what to cluster. For example, if you have a set of alerts that you want to cluster but they didn't cluster through time, attribute similarity or topological proximity, you can teach the system and it learns to cluster those alerts.

Alternatively, you might want to use Feedback if you want to manually create Situations and teach Moogsoft AIOps to cluster the same type of alerts. Another use case is to use Feedback alongside Tempus. If you have several team members looking at time-based correlation with an inherent degree of fuzziness, they can use Feedback to train the system to remember good Situations, forget about bad Situations, and persist that behavior in the future. For example, you could teach it to remember when there was a server failure but to ignore the printer ink failure and persist that behavior.

Benefits: Feedback offers the following advantages:

  • No enrichment required. See Enrichment Overview.

  • Allows operators to push domain knowledge back into the system.

  • Can be trained to only create the Situations you are interested in.

Configuration: Feedback requires both UI and backend configuration. See Configure Feedback for more information.