Merge Groups

Moogsoft Enterprise uses merge groups to control the minimum number of alerts in a Situation and how it merges Situations that different clustering algorithms create.

Use merge groups to control:

  • The clustering algorithms whose similar Situations you want Moogsoft Enterprise to merge together.

  • The alert threshold, which defines the minimum number of alerts that Moogsoft Enterprise will cluster into a Situation.

  • The Situation similarity threshold, which defines the percentage of alerts two Situations must share before they are merged.

You can use the default merge group in Moogsoft Enterprise or you can create custom merge groups. If you use the default merge group, Moogsoft Enterprise merges all the Situations that all of your clustering algorithms create if they meet the alert threshold and Situation similarity threshold criteria. You can create custom merge groups to override the default behavior of the default merge group. This is useful not only for adjusting the alert threshold and the Situation similarity threshold, but also if you want Moogsoft Enterprise to merge Situations with more granularity.

In addition to the alert threshold in a merge group, you can also set an alert threshold in Tempus (via the Graze API) and in Cookbook Recipes (using the Moogsoft Enterprise UI or the Graze API). When a clustering algorithm considers whether or not to cluster alerts into a Situation, it compares the alert threshold in the merge group with the alert threshold in the clustering algorithm. It then uses the higher value to determine how many alerts it requires to create a Situation.

See Configure Merge Groups for information on how to configure default and custom merge groups.

See Field Behavior in Merged Situations for details of the behavior of individual fields in Situations which are merged.

Default merge group

If you do not create any custom merge groups, all the clustering algorithms use the default merge group settings.

The default merge group has a Situation similarity threshold of 0.7. This means that Moogsoft Enterprise merges two Situations if they have at least 70% of the same alerts.

The default merge group has an alert threshold of 2. Moogsoft Enterprise uses the higher alert threshold value to determine the number of alerts required to create a Situation, so a clustering algorithm that has an alert threshold of 1 and uses this default value of 2 is held to the value of 2. In that case, Moogsoft Enterprise will never create Situations containing a single alert, regardless of the alert threshold setting in the clustering algorithm.

If you want the clustering algorithms to create Situations containing a single alert, change the alert threshold in the default merge group to 1. You must use the Graze API if you want to change the default merge group values.

Custom merge groups

If you create a custom merge group for one or more clustering algorithms, they will only merge the Situations they produce among themselves. Situations from clustering algorithms outside of a merge group cannot merge with Situations inside a merge group.

You can configure custom merge groups in the Moogsoft Enterprise UI or using the Graze API.

Moogsoft Enterprise provides a Cookbook called "Default Cookbook" and a custom merge group also called "Default Cookbook". This merge group has a similarity threshold of 0.8 and an alert threshold of 1. You can change the similarity threshold in the Moogsoft Enterprise UI. You must use the Graze API if you want to change the alert threshold for this custom merge group. You can also delete this custom merge group using the Graze API if you do not want to use it.

Example

You have defined the following clustering algorithms:

  • Tempus algorithm that clusters alerts that arrive in Moogsoft Enterprise at a similar time.

  • Cookbook 1 with three Recipes; one Recipe clusters alerts on 'Description', another Recipe clusters alerts on 'Host', and the third Recipe clusters alerts with a 'Severity' of Critical (5).

  • Cookbook 2 with a single Recipe that clusters alerts on 'Impacted Services'.

  • Cookbook 3 with a single Recipe that creates Situations containing a single alert with a high entropy value.

If you use the default merge group only, all the Situations created by all these clustering algorithms will be merged if they meet the alert threshold and Situation similarity threshold criteria. You want greater granularity than that, so you create the following custom merge groups:

  • Custom merge group 1 - Cookbooks 1 and 2: Merges clusters created by Cookbook 1 and Cookbook 2 if they meet the following criteria:

    • Alert threshold = null, so it uses the default merge group value of 2. If you create a custom merge group in the UI, the alert threshold is set to null so it automatically uses the default merge group value.

    • Situation similarity threshold = 80%, so it will only merge clusters from Cookbook 1 and Cookbook 2 if they have 80% or more of the same alerts.

  • Custom merge group 2 - Cookbook 3: You want to keep these Situations with a single alert separate, so you configure this merge group as follows:

    • Alert threshold = 1, so a single alert clusters into a Situation. This overrides the default merge group value of 2. You must use the Graze API endpoint updateMergeGroup to change this value.

    • Situation similarity threshold = 100%, so unless the alerts in two Situations are identical, the Situations will not be merged.

  • You do not create a custom merge group for Tempus, so it will use the default merge group values of:

    • Alert threshold = 2.

    • Situation similarity threshold = 70%.
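
The rules from this example can be modeled in a few lines of Python. This is an added illustration, not Moogsoft Enterprise code or a Graze API call, and it shows how the null fallback, the "higher value wins" rule and merge group isolation interact. Assumptions: all names are hypothetical, the per-algorithm alert thresholds are constructed sample values, and similarity is computed as shared alerts divided by all distinct alerts in the two Situations, a formula the page does not specify.

```python
# Added illustration; names and the similarity formula are assumptions.
DEFAULT_GROUP = {"alert_threshold": 2, "similarity": 0.7}

# Custom merge groups from the example; None models the null alert threshold.
MERGE_GROUPS = {
    "group1": {"algorithms": {"Cookbook 1", "Cookbook 2"},
               "alert_threshold": None, "similarity": 0.8},
    "group2": {"algorithms": {"Cookbook 3"},
               "alert_threshold": 1, "similarity": 1.0},
}

# Alert thresholds set in the clustering algorithms (constructed sample values).
ALGORITHM_THRESHOLDS = {"Tempus": 1, "Cookbook 1": 1, "Cookbook 2": 3, "Cookbook 3": 1}


def group_of(algorithm):
    """Return (name, settings) of the merge group the algorithm belongs to."""
    for name, group in MERGE_GROUPS.items():
        if algorithm in group["algorithms"]:
            return name, group
    return "default", DEFAULT_GROUP


def effective_alert_threshold(algorithm):
    """Higher of the merge group threshold and the algorithm's own threshold."""
    _, group = group_of(algorithm)
    group_threshold = group["alert_threshold"]
    if group_threshold is None:  # null falls back to the default merge group
        group_threshold = DEFAULT_GROUP["alert_threshold"]
    return max(group_threshold, ALGORITHM_THRESHOLDS[algorithm])


def can_create(algorithm, alert_ids):
    """True if the cluster holds enough distinct alerts to become a Situation."""
    return len(set(alert_ids)) >= effective_alert_threshold(algorithm)


def can_merge(alg_a, alerts_a, alg_b, alerts_b):
    """Merge only within one merge group, at or above its similarity threshold."""
    name_a, group = group_of(alg_a)
    name_b, _ = group_of(alg_b)
    a, b = set(alerts_a), set(alerts_b)
    if name_a != name_b or not (a | b):
        return False
    # Assumed metric: shared alerts / all distinct alerts in both Situations.
    return len(a & b) / len(a | b) >= group["similarity"]
```

With these sample values, Cookbook 2 needs three alerts even though its merge group inherits 2, because the algorithm's own threshold is the higher one.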