
This is a reference for the Cookbook Sigaliser algorithm and its associated Recipes. The Cookbook configuration properties are found in $MOOGSOFT_HOME/config/moolets/cookbook.conf.

Moolet

name: Name of the Cookbook Sigaliser algorithm. Do not change.

Type: String
Required: Yes
Default: "Cookbook"

class: Moolet class name. Do not change.

Type: String
Required: Yes
Default: "CCookbook"

run_on_startup: Determines whether Cookbook runs when Moogsoft AIOps starts. If you enable this property, Cookbook captures all alerts from the moment the system starts, without you having to configure or start it manually.

Type: Boolean
Required: No
Default: false

metric_path_moolet: Determines whether Moogsoft AIOps includes Cookbook in the Moogfarmd calculation for Self Monitoring.

Type: Boolean
Required: No
Default: true

moobot: Specifies which associated Moobot the Cookbook Moolet loads at startup.

Type: String
Required: Yes
Default: "Cookbook.js"

process_output_of: Defines the Moolet source of the alerts for Cookbook.

Type: List
Required: Yes
One of: AlertBuilder, AlertRulesEngine, MaintenanceWindowManager, EmptyMoolet
Default: "MaintenanceWindowManager"

Algorithm

membership_limit: Maximum number of Situations an alert can be part of. This does not impact alerts in merged Situations. Smaller limits result in fewer Situations with many alerts and many Situations with fewer associated alerts. Larger limits result in many Situations with few alerts and a few Situations with many alerts. The optimal value is between 1 and 5.

Type: Integer
Required: Yes
Default: 1

scale_by_severity: Cookbook treats alerts with a high severity like alerts with a high entropy value. Moogsoft AIOps divides the severity number by the maximum severity (5) to calculate the scale. For example, for an alert with minor severity, the entropy would be 3/5.

Type: Boolean
Required: No
Default: False

entropy_threshold: Minimum entropy value that an alert must have for Cookbook to consider it for clustering into a Situation. Cookbook does not include any alerts with an entropy value below the threshold in Situations. Set to a value between 0.0 and 1.0. The default of 0.0 means Cookbook processes all alerts.

Type: Decimal
Required: No
Default: 0.0

single_recipe_matching: Enable single_recipe_matching for Cookbook to treat Recipes in priority order, based on the order of configuration in cookbook.conf. The first Recipe in the list takes highest priority. If an alert appears in a Situation that a Recipe with a low priority order creates, it may reappear in a Situation that a Recipe with a higher priority creates.

Type: Boolean
Required: No
Default: false

cluster_match_type: Defines how Cookbook matches clusters. Select first_match for Cookbook to add alerts to the first cluster, in order, over the similarity threshold value. This is the default behavior for Cookbook. Alternatively, select closest_match to add alerts to the cluster with the highest similarity greater than the similarity threshold value. This option may be less efficient because Cookbook needs to compare alerts against each cluster in a Recipe. The Recipe-level match type configuration overrides the Cookbook-level definition.

Type: List
Required: No
One of: first_match, closest_match
Default: "first_match"

cook_for: Minimum time period, in seconds, that Cookbook clusters alerts for before the Recipe resets and determines when to start a new cluster. You can set a different cook_for time for a Recipe, and this overrides the Cookbook value. Recipes without cook_for values inherit the value from the Cookbook.

Type: Integer
Required: No
Default: "5000"

cook_for_extension: Time period, in seconds, that Cookbook can extend clustering alerts for before the Recipe resets and starts a new cluster. Setting this value enables the cook for auto-extension feature for this Cookbook. As Cookbook receives related alerts, it continues to extend the total clustering time until the max_cook_for period is reached. Used in conjunction with the max_cook_for value, the cook_for_extension helps to ensure that Cookbook continues to cluster alerts together that are related to the same failure. The cook_for_extension only applies to new related alerts; it does not apply to existing alerts that are updated with new events.

For example, cook_for is set to 1 hour (3,600 seconds), cook_for_extension is set to 30 minutes (1,800 seconds), and max_cook_for is set to 2 hours (7,200 seconds). If Cookbook receives a new related alert 40 minutes after the Recipe started clustering alerts, the Recipe extends the total clustering time by 30 minutes from that time to 1 hour and 10 minutes, then:

  • If Cookbook receives another alert 1 hour and 5 minutes after the Recipe started clustering, because Cookbook received it within the extended time of 1 hour and 10 minutes, Cookbook further extends the total clustering time to 1 hour and 35 minutes. Cookbook continually extends the total clustering time as it receives more related alerts, provided that they are received within the extended time. Cookbook can extend the total clustering time until the max_cook_for time is reached. If Cookbook receives further related alerts after the max_cook_for time of 2 hours has elapsed, the Recipe resets and adds them to a new cluster.
  • If Cookbook does not receive any further alerts, it stops clustering alerts after the extended time of 1 hour and 10 minutes elapses. If Cookbook then receives another alert after this time has elapsed, the Recipe starts a new cluster.

You can set a different cook_for_extension time for a Recipe, and this overrides the Cookbook value. Recipes without cook_for_extension values inherit the value from the Cookbook.

Type: Integer
Required: No
Default: "1000"

max_cook_for: Maximum time period, in seconds, that Cookbook can extend clustering alerts for before the Recipe resets and starts a new cluster. It is used in conjunction with the cook_for_extension to help to ensure that Cookbook continues to cluster alerts together that are related to the same failure. This value is ignored unless cook_for_extension is specified. If max_cook_for is not specified, it defaults to three times the cook_for period.

Type: Integer
Required: No
Default: 3 x cook_for value

Recipes 

Recipes determine how Cookbook detects relationships between alerts and considers them for clustering into Situations. You can configure Recipes with different event filters, triggers and similarity comparisons using these parameters:

chef: The recipe type: CValueRecipeV2, CValueRecipe or CBotRecipe. The Value Recipes cluster according to the recipe definitions whereas Bot Recipes follow custom clustering logic defined by a Moobot. See Configure a Cookbook Recipe for more details.

Type: String
Required: Yes
One of: CValueRecipeV2, CValueRecipe, CBotRecipe
Default: "CValueRecipeV2"

name: Name of the Recipe. Use a unique or descriptive name. 

Type: String
Required: Yes
Default: "SplitBySourceAndDescription"

description: Description of the Recipe.

Type: String
Required: No
Default: "Value Recipe outage"

recipe_alert_threshold: Maximum number of alerts to cluster before Cookbook creates a Situation. If left as '0', a single alert can generate a new Situation.

Type: Integer 
Required: Yes
Default: 0

exclusion: Filter that determines the alerts to exclude from Situation creation. By default Cookbook excludes all alerts with a severity less than critical. For details on creating a filter, see Filter Search Data.

Type: String
Required: No
Default: "severity < 5"

trigger: Filter that determines the alerts that Cookbook considers for Situation creation. Cookbook ignores alerts that match the exclusion filter. 

Type: String
Required: No
Default: "null"

seed_alert: Filter that determines whether to create a Situation from a seed alert if it meets both trigger and seed_alert filter criteria. Cookbook considers subsequent alerts for clustering if they meet the trigger filter criteria. Alerts that arrived prior to the seed alert that met the trigger filter criteria do not form Situations.

The seed_alert filter is a mechanism to ensure that only specific events create Situations. For example, if you create a seed_alert filter if the description matches 'Switch failure', alerts are eligible for clustering only after a seed alert with the matching description arrives to create a Situation.

Type: String
Required: No
Default: "null"
Example: 'Description' MATCHES "Switch failure"

rate: Filter that determines the minimum event rate per minute required for Cookbook to create a Situation. Cookbook only calculates the rate after the cluster meets the threshold defined by min_sample_size or max_sample_size.

Type: Integer (Number of events per minute).
Required: No
Default: "0"

min_sample_size: Minimum number of events contained in a cluster before Moogsoft AIOps calculates the rate.

Type: Integer
Required: No
Default: "5"

max_sample_size: Maximum number of events contained in a cluster before Moogsoft AIOps calculates the rate.

Type: Integer
Required: No
Default: "10"

cluster_match_type: Defines how Cookbook matches alerts to clusters. The first_match default option adds alerts to the first cluster above the similarity threshold value. The alternative is closest_match to add alerts to the cluster with the highest similarity greater than the similarity threshold value. The latter option might be less efficient because it needs to compare alerts against each cluster in a Recipe.

Type: String
Required: No
Default: "first_match"

cook_for: Minimum time period, in seconds, that Cookbook clusters alerts for before the Recipe resets and determines when to start a new cluster. Different cook_for times per Recipe are useful for monitoring systems with different fail rates, to ensure the Recipe clusters all the relevant events relating to a failure. For example:

  • A Recipe monitoring for network link failures, which have a fast fail rate and many events in a short time, should have a short cook_for time.
  • A Recipe monitoring for disc or CPU issues, which have a slower fail rate as the issue builds, should have a longer cook_for time.

If you set a different cook_for time for a Recipe, this overrides the Cookbook value. Recipes without cook_for values inherit the value from the Cookbook.

Type: Integer
Required: No
Default: "5000"

cook_for_extension: Time period, in seconds, that Cookbook can extend clustering alerts for before the Recipe resets and starts a new cluster. Setting this value enables the cook for auto-extension feature for this Recipe. As Cookbook receives related alerts, it continues to extend the total clustering time until the max_cook_for period is reached. Used in conjunction with the max_cook_for value, the cook_for_extension helps to ensure that Cookbook continues to cluster alerts together that are related to the same failure. The cook_for_extension only applies to new related alerts; it does not apply to existing alerts that are updated with new events.

For example, cook_for is set to 1 hour (3,600 seconds), cook_for_extension is set to 30 minutes (1,800 seconds), and max_cook_for is set to 2 hours (7,200 seconds). If Cookbook receives a new related alert 40 minutes after the Recipe started clustering alerts, the Recipe extends the total clustering time by 30 minutes from that time to 1 hour and 10 minutes, then:

  • If Cookbook receives another alert 1 hour and 5 minutes after the Recipe started clustering, because Cookbook received it within the extended time of 1 hour and 10 minutes, Cookbook further extends the total clustering time to 1 hour and 35 minutes. Cookbook continually extends the total clustering time as it receives more related alerts, provided that they are received within the extended time. Cookbook can extend the total clustering time until the max_cook_for time is reached. If Cookbook receives further related alerts after the max_cook_for time of 2 hours has elapsed, the Recipe resets and adds them to a new cluster.
  • If Cookbook does not receive any further alerts, it stops clustering alerts after the extended time of 1 hour and 10 minutes elapses. If Cookbook then receives another alert after this time has elapsed, the Recipe starts a new cluster.

If you set a different cook_for_extension time for a Recipe, this overrides the Cookbook value. Recipes without cook_for_extension values inherit the value from the Cookbook.

Type: Integer
Required: No
Default: "1000"

max_cook_for: Maximum time period, in seconds, that Cookbook clusters alerts for before the Recipe resets and starts a new cluster. It is used in conjunction with the cook_for_extension to help to ensure that Cookbook continues to cluster alerts together that are related to the same failure. This value is ignored unless cook_for_extension is specified. If max_cook_for is not specified, it defaults to three times the cook_for period.

If you set a different max_cook_for time for a Recipe, this overrides the Cookbook value. Recipes without max_cook_for values inherit the value from the Cookbook.

Type: Integer
Required: No
Default: 3 x cook_for value
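
The cook_for, cook_for_extension and max_cook_for behaviour described above (for both the Cookbook and Recipe levels) can be checked against a small timing model. This is an added example, not Moogsoft code: the function names are hypothetical, the window is assumed to start at the first alert, and an alert arriving exactly at the window end is assumed to fall inside it.

```javascript
// Added example: models the cook_for auto-extension timing described above.
// Property names come from cookbook.conf; the functions are hypothetical.

// Recipe values override Cookbook values. max_cook_for defaults to
// three times the cook_for period when it is not specified.
function effectiveTimers(cookbook, recipe) {
  const pick = (k) => (recipe[k] !== undefined ? recipe[k] : cookbook[k]);
  const cookFor = pick("cook_for");
  const extension = pick("cook_for_extension"); // undefined = no auto-extension
  const max = pick("max_cook_for");
  return { cookFor, extension, maxCookFor: max !== undefined ? max : 3 * cookFor };
}

// arrivals: ascending arrival times (seconds) of new related alerts.
// Returns, per alert, its cluster number and the current window length.
function clusterArrivals(arrivals, t) {
  const out = [];
  let start = null, deadline = 0, cluster = 0;
  for (const at of arrivals) {
    if (start === null || at > deadline) {
      // First alert, or the window has elapsed: the Recipe resets.
      start = at;
      deadline = start + t.cookFor;
      cluster += 1;
    } else if (t.extension !== undefined) {
      // Related alert inside the window: extend from its arrival time,
      // never shrinking the window and never passing max_cook_for.
      const cap = start + t.maxCookFor;
      deadline = Math.min(Math.max(deadline, at + t.extension), cap);
    }
    out.push({ at, cluster, windowEnds: deadline - start });
  }
  return out;
}

// Constructed sample: the Recipe overrides the Cookbook-level values with
// the figures from the worked example (1 hour, 30 minutes, 2 hours).
const timers = effectiveTimers(
  { cook_for: 5000, cook_for_extension: 1000 },
  { cook_for: 3600, cook_for_extension: 1800, max_cook_for: 7200 }
);
const arrivals = [0, 2400, 3900, 5400, 7000, 7300];
console.log(clusterArrivals(arrivals, timers));
```

Alerts at 40 and 65 minutes move the window end to 1 hour 10 minutes and 1 hour 35 minutes, the alert at 90 minutes is capped at max_cook_for, and the alert after 2 hours starts a new cluster.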

Matcher

hop_limit: Maximum number of hops between the alert source nodes in order for the alerts to qualify for clustering. Moogsoft AIOps measures hop limit from the first alert that formed the Situation and always follows the shortest possible route in the network. You can only use hop limit if you have imported your network topology into the system. See Import a Topology for details.

A hop is the jump between two directly connected nodes in a network. For more information on hops, see Vertex Entropy.

Type: Integer
Required: No
Default: "2"

components: Values that alerts must match for Cookbook to include them in a Situation. You can provide multiple values such as source, description, service or using custom_info fields.

The Value Recipe V2 uses the shingle_size component to determine the similarity between different strings. See Recipe Types for more details.

You can enable or disable case sensitivity with CValueRecipe V1. You can also configure Cookbook to match each value in the list individually. See CValue Recipe for details.

Type: String
Required: No
Default:  { name: "source_id", similarity: 0.75, shingle_size: 4 },
        { name: "description", similarity: 0.75, shingle_size: -1 }
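
The difference between the first_match and closest_match settings of cluster_match_type, using the default source_id component (similarity 0.75, shingle_size 4), is shown in this added example. It is not Moogsoft code: Jaccard similarity over character shingles is a stand-in scoring function chosen for illustration, the function names are hypothetical, and the sample data is constructed.

```javascript
// Added example: first_match versus closest_match on constructed data.
// The scoring function is a stand-in; the page does not specify how
// Cookbook computes similarity from shingle_size.

function shingles(text, size) {
  // Sizes below 1 and short strings fall back to whole-string
  // comparison in this sketch (assumption).
  if (size < 1 || text.length <= size) return new Set([text]);
  const out = new Set();
  for (let i = 0; i + size <= text.length; i++) out.add(text.slice(i, i + size));
  return out;
}

function similarity(a, b, size) {
  const sa = shingles(a, size), sb = shingles(b, size);
  let shared = 0;
  for (const s of sa) if (sb.has(s)) shared += 1;
  return shared / (sa.size + sb.size - shared); // Jaccard index
}

// clusters: [{ id, source_id }] in creation order. Returns the id of the
// chosen cluster, or null when no cluster qualifies (a new cluster).
// A score equal to the threshold counts as a match here (assumption).
function matchCluster(alert, clusters, matchType, threshold = 0.75, size = 4) {
  let best = null;
  for (const c of clusters) {
    const score = similarity(alert.source_id, c.source_id, size);
    if (score < threshold) continue;
    if (matchType === "first_match") return c.id; // stop at the first hit
    if (best === null || score > best.score) best = { id: c.id, score };
  }
  return best ? best.id : null;
}

// Constructed sample: the alert scores 10/12 against cluster 1 and
// 1.0 against cluster 2, so both clear the 0.75 threshold.
const clusters = [
  { id: 1, source_id: "switch-core-01" },
  { id: 2, source_id: "switch-core-02" },
];
const alert = { source_id: "switch-core-02" };
console.log(matchCluster(alert, clusters, "first_match"));
console.log(matchCluster(alert, clusters, "closest_match"));
```

With first_match the alert joins cluster 1 even though cluster 2 is an exact match, which is the trade-off against the extra comparisons that closest_match performs.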
