Recipe Types
The Cookbook clustering algorithm uses the following Recipe types to define alert relationships and control how it clusters alerts:
The Value Recipe V2 and CValueRecipe use different methods to calculate the textual similarity between alerts. The CBotRecipe is a customizable recipe that allows you to call specific functions from a Moobot.
Value Recipe v2
Value Recipe v2 extracts and analyzes groups of consecutive characters to measure text similarity between alerts. It is the default Recipe in Cookbook for new Moogsoft Enterprise installations and for any new Cookbooks you create.
This recipe uses the bag-of-words model and shingling natural language processing methods to calculate the text similarity between alerts. Shingling is the process in which Cookbook extracts groups of consecutive characters called shingles from a source string. Potential sources include the alert source ID or description. To measure similarity, Cookbook calculates the number of identical shingles. You can control the calculation using the shingle size property.
In the Clustering tab in the Cookbook Recipes window in Settings, you select whether Cookbook treats string values as shingles or words for each field you use to cluster alerts. If you select shingles, you can choose what you want the shingle size to be. The default shingle size settings in the Value Recipe v2 are optimal for most use cases.
For example, if you set the shingle size for source IDs to 2 and Cookbook receives two alerts with the source IDs:
webserver0100
webserver0200
Cookbook extracts the following shingles from the source ID strings:
we eb bs se er rv ve er r0 01 10 00
we eb bs se er rv ve er r0 02 20 00
Ten out of the 12 shingles are identical which indicates a high similarity.
If you set the shingle size to 0 or less, Cookbook treats the string values as words in its text similarity calculation.
For example, if Cookbook receives two alerts with the source IDs: "database01" and "database02", it treats them as:
database01
database02
These two words are not identical so the two alerts would be given a low similarity.
Value Recipe
The first version of the Value Recipe uses a string comparison mechanism to cluster alerts by textual similarity.
Value Recipe uses string metric algorithms to calculate similarity. The calculation breaks strings up into partitions and performs a character-by-character comparison of each partition to measure similarity.
For example, if you set a Cookbook Recipe to cluster alerts with source IDs and descriptions with a Similarity Threshold of 100%, in a scenario where Cookbook receives the following alerts:
Alert | source_id | description |
---|---|---|
A | 001 | database |
B | 001 | webserver |
C | 002 | database |
D | 002 | database |
Cookbook creates three clusters: one containing alert A, one containing alert B and one containing alerts C and D which have identical source IDs and descriptions. The string may contain non-alphabetical characters. Value Recipe can also convert numeric values to strings for comparison.
The Value Recipe uses the case sensitive property to enable or disable case sensitivity as a factor in text similarity matching. For example, you can enable the Case Sensitivity property for source ID so Cookbook only matches if the case is identical but you can disable it for descriptions if you do not want descriptions to be case sensitive.
If you enable case sensitivity, then an alert from a source called "WebServer1" and an alert from a source called "webserver1" would have a lower similarity.
To make Cookbook match each value in a list individually in custom info fields, check the Match List Items check box in the Cookbook Recipe tab. See Match List Items in Recipes for details.
Bot Recipe
Bot Recipe is a customizable Cookbook Recipe that allows you to call certain functions from the Cookbook.js Moobot. You can configure the Bot Recipe using the Cookbook Graze API. Bot Recipes are not available in the UI.
You can configure the Bot Recipe to call functions defined in the Cookbook.js Moolet. The Cookbook Moolet defines two functions, an initialization function called initialize_function
and a member_function
.
You can call the initialize_function
once to set up any necessary initialization of the algorithms you want to write in the Moobot.
You can call the member_function
once for every event that passes the trigger. Cookbook considers each of these events for matching and for every candidate cluster in the system. For example, Cookbook calls the member_function
100 times if there are 100 candidate clusters for each alert that comes through the system. Cookbook compares the alert to candidate clusters that are potential Situations. If the alert's similarity matches or exceeds the matcher value, Cookbook adds the alert to the candidate cluster.