Match List Items in Recipes
You can create Cookbook Recipes and configure clustering around the use of list-based fields in alert custom info. You can also set whether list-based clustering of a custom field is applied. If not, the field is treated as a string.
A list in custom info is a properly formed JavaScript array. To see if a custom info item is a list, examine the custom info details in the UI. If the list can be expanded and has a value of x items at the top level, then it is a list.
A text field containing comma-separated values is not considered a list.
Configure Match List Items for a Custom Info Field
To match list items for a custom_info field:
On the Settings tab, select Cookbook Recipes from the Algorithms section, select the Recipe you want to configure, and click on the Clustering tab.
In the Cluster By field, select the custom_info attribute from the drop-down list. Enter the custom_info field name in the box below.
Check the Match List Items check box to match individual items in custom_info lists and use the slider to select the similarity threshold for this custom_info field.
Comparison of Match List Items
The Cookbook Recipe applies the similarity threshold that you set to each pair of individual items, comparing every item in one list with every item in the other, rather than comparing the lists as a whole.
For example, you have the following lists in two alerts and the similarity threshold is 100%:
Alert 1: [ ABC, DEF ]
Alert 2: [ ABC123, DEF123, ABC, DEF ]
This results in similarity comparisons between:
ABC and ABC123
ABC and DEF123
ABC and ABC
ABC and DEF
DEF and ABC123
DEF and DEF123
DEF and ABC
DEF and DEF
Since there are two identical matches, [ ABC and ABC ] and [ DEF and DEF ], the Cookbook Recipe clusters these alerts together.
If you want to calculate the total similarity of list items, that is, how many items in list 1 appear in list 2, do not select Match List Items, and set Language Processor to Words so that the Cookbook Recipe treats the list as a string. In the above example, there is a 50% match of items in both lists, [ ABC and DEF ], so if the similarity threshold is 100%, the Cookbook Recipe does not cluster these alerts together.
Example
You configure your Recipe to treat the custom_info field 'cities' as a list and set the similarity threshold to 100%, as shown above.
After configuring the Recipe, Moogsoft Enterprise receives the following four alerts:
Alert 1: custom_info.cities = ["London"]
Alert 2: custom_info.cities = ["London", "San Francisco", "Venice", "Bangalore"]
Alert 3: custom_info.cities = ["Venice", "Bangalore"]
Alert 4: custom_info.cities = ["Bangalore"]
This configuration would produce four candidate clusters:
Cluster A: Alert 1 and alert 2 match on "London".
Cluster B: Alert 2 matches on "San Francisco".
Cluster C: Alert 2 and alert 3 match on "Venice".
Cluster D: Alerts 2, 3 and 4 match on "Bangalore".
Cookbook creates two Situations because cluster D contains all the alerts in clusters B and C:
Cluster A (alerts 1 and 2) becomes Situation X.
Clusters B, C, and D (alerts 2, 3, and 4) become Situation Y.
You must be careful when setting the similarity threshold if you are using list-based clustering. If the similarity threshold is low enough, you may end up with Situations containing blended list similarity. In the above example, alert 2 is common to both Situation X (London) and Situation Y (Bangalore). If the similarity were set to 25%, these two Situations would merge.
If the Recipe does not see the 'custom_info.cities' field as a list, it treats the field as a single string. This means that, in this example, all four alerts would end up in separate Situations with no clustering.
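The 'cities' example above can be reproduced with a small model, added here as an illustration; it is not Moogsoft code. It covers only the 100% threshold (exact item match), and the function names, the matchListItems parameter and the rule that absorbs one candidate cluster into another are assumptions made for the sketch.

```javascript
// Added example: simplified model of list-based clustering at a 100% threshold.
// candidateClusters, toSituations and matchListItems are hypothetical names.

// Constructed sample alerts mirroring the 'cities' example on this page.
const alerts = [
  { id: 1, cities: ["London"] },
  { id: 2, cities: ["London", "San Francisco", "Venice", "Bangalore"] },
  { id: 3, cities: ["Venice", "Bangalore"] },
  { id: 4, cities: ["Bangalore"] },
];

// One candidate cluster per distinct key. With matchListItems on and a real
// array, every item is a key; otherwise the whole value is a single string key.
function candidateClusters(alertList, field, matchListItems) {
  const clusters = new Map(); // key -> Set of alert ids
  for (const alert of alertList) {
    const value = alert[field];
    const keys = matchListItems && Array.isArray(value)
      ? value
      : [JSON.stringify(value)];
    for (const key of keys) {
      if (!clusters.has(key)) clusters.set(key, new Set());
      clusters.get(key).add(alert.id);
    }
  }
  return clusters;
}

// Assumed merge rule: a candidate whose alerts all appear in another candidate
// is absorbed by it; identical candidates collapse to the first one seen.
function toSituations(clusters) {
  const sets = [...clusters.values()].map((s) => [...s].sort((a, b) => a - b));
  const isSubset = (a, b) => a.every((id) => b.includes(id));
  return sets.filter((a, i) => !sets.some((b, j) =>
    j !== i && isSubset(a, b) && (b.length > a.length || j < i)));
}

function clusterAlerts(alertList, field, matchListItems) {
  return toSituations(candidateClusters(alertList, field, matchListItems));
}

console.log(clusterAlerts(alerts, "cities", true));  // list items matched
console.log(clusterAlerts(alerts, "cities", false)); // field treated as a string
```

A comma-separated string such as "London,Venice" fails the Array.isArray check, so the model compares it as one string even when matchListItems is on.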