Change the Situation Merge Settings

Adjusting the Merge Settings

Situation merge works differently for Sigalisers configured in the file system and those configured in the UI. Learn the difference, as well as how to change the default settings.

File-Based

By default, all back-end configured Sigalisers are part of the default merge group, which has a situation similarity limit of 0.7. This means that any situations produced by Sigalisers that have not been listed in a separate merge group are candidates for a similarity merge if they share a similarity score of 0.7.

....       
# Expanded sig_resolution section containing merge_groups configuration.
sig_resolution :
{
    # The default section is mandatory and must contain both
    # "alert_threshold" and "sig_similarity_limit" values. Any moolet
    # not defined as a member of a merge group will belong to the
    # default group.
    default:
    {
        alert_threshold      : 1,
        sig_similarity_limit : 0.7
    },
 
....

During a similarity merge, it is difficult to predict which situation will become the parent and incorporate the rest of the merged situations. You might consider lowering the default situation similarity value; however, this might result in unrelated alerts being part of the same situation.

During situation design, consider carefully which situation contexts you might need to merge together given a minimum amount of alert overlap. Here is an example of how you might configure a specific group to merge situations whose contexts are centered on Location and Application, while leaving the default similarity limit for situations produced by any other Sigalisers.

.... 

sig_resolution :
{
    default:
    {
        alert_threshold      : 1,
        sig_similarity_limit : 0.7
    },
    merge_groups:
    [
        {
           name: "LocationApplicationOverlap",
           moolets: ["LocationCookbook", "ApplicationCookbook"],
           sig_similarity_limit : 0.5
        }
    ]
 ....

UI Based

You can enable the similarity merge between situations produced by any of the UI enabled Cookbooks as below. Unlike with the Sigalisers in the file system, you cannot set up merge_groups in the UI. The similarity value from the slider works for all enabled cookbooks.

Screen_Shot_2019-06-05_at_1_38_05_PM.png

Note

You cannot combine UI based Cookbooks and the config file Sigalisers into the same merge group. A single Sigaliser can also only exist in one merge group.

Disabling Similarity Merge

When To Disable Similarity Merge

If you want the resultant situations of two or more recipes never to merge, you can put the recipes into separate Cookbooks and place these Cookbooks in separate merge groups. For example, you might have two recipes with separate contexts, one indicating a technology incident, the other clustering around the same location. Even if the situations produced by the two recipes share the same alerts, you never want the results to merge.

How To Disable Similarity Merge

Here is an example of how you could configure merge groups to disallow inter-recipe merging. LocationCookbook and TechnologyCookbook each contain the corresponding recipe and are placed in separate merge groups. The configuration below indicates that any situations produced by the LocationCookbook can merge with each other if they have a similarity of 0.65. The Tech merge group, however, allows situations produced by the TechnologyCookbook to merge only if they are exact matches.

....

merge_groups:
[
    {
       name: "Location",
       moolets: ["LocationCookbook"],
       sig_similarity_limit : 0.65
    },
    {
       name: "Tech",
       moolets: ["TechnologyCookbook"],
       sig_similarity_limit : 1.0
    }
]
 
....

Similarly, to disable the merging of situations produced by separate UI-based Cookbooks, configure as below. Note that this doesn't stop situations produced by the same Cookbook from being merged based on the situation similarity value taken from the masked-out slider (default value is set to 80). The setup below reads as: only merge situations produced by the same Cookbook, based on a 100% match.

Screen_Shot_2019-06-05_at_1_41_02_PM.png

Note that any time you change the value on the similarity slider, you need to save changes first, even if you then need to click back to the resulting situation NOT to be merged. Otherwise, the changes will not be applied.
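The file-based merge group rules described above can be checked before a configuration change is deployed. The following is an added example, not code from the product or the original page: it validates a merge group layout and reports whether situations from two moolets are merge candidates. It assumes the config has been transcribed by hand into a Python dict, that limits range from 0 to 1, and that a score at or above the limit qualifies for a merge.

```python
# Hand transcription of the page's "Location" / "Tech" example into a dict.
SIG_RESOLUTION = {
    "default": {"alert_threshold": 1, "sig_similarity_limit": 0.7},
    "merge_groups": [
        {"name": "Location", "moolets": ["LocationCookbook"],
         "sig_similarity_limit": 0.65},
        {"name": "Tech", "moolets": ["TechnologyCookbook"],
         "sig_similarity_limit": 1.0},
    ],
}

def validate(cfg):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    default = cfg.get("default", {})
    # The default section must carry both values.
    for key in ("alert_threshold", "sig_similarity_limit"):
        if key not in default:
            problems.append(f"default section is missing {key}")
    seen = {}  # moolet name -> merge group that already claimed it
    for group in cfg.get("merge_groups", []):
        name = group.get("name", "<unnamed>")
        limit = group.get("sig_similarity_limit")
        # Assumption: limits are fractions between 0 and 1 inclusive.
        if not isinstance(limit, (int, float)) or not 0 <= limit <= 1:
            problems.append(f"{name}: sig_similarity_limit must be between 0 and 1")
        # A single Sigaliser can exist in only one merge group.
        for moolet in group.get("moolets", []):
            if moolet in seen:
                problems.append(f"{moolet} is in both {seen[moolet]} and {name}")
            seen[moolet] = name
    return problems

def group_of(cfg, moolet):
    """Return (group name, limit) for a moolet; unlisted moolets use the default."""
    for group in cfg.get("merge_groups", []):
        if moolet in group.get("moolets", []):
            return group["name"], group["sig_similarity_limit"]
    return "default", cfg["default"]["sig_similarity_limit"]

def may_merge(cfg, moolet_a, moolet_b, similarity):
    """True if situations from the two moolets are merge candidates at this score."""
    name_a, limit = group_of(cfg, moolet_a)
    name_b, _ = group_of(cfg, moolet_b)
    # Assumption: the limit is a minimum, so a score at or above it qualifies.
    return name_a == name_b and similarity >= limit
```
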

Accessing Merge History

A merge between multiple already existing situations will result in a parent situation which will incorporate all the alerts from the merged situations. The type of merge will be indicated under the Visualize Tab in the parent Situation room. The rest of the already existing situations that have been merged into the parent will have their status set to Dormant and category to Superseded.

The merged situations will share the same story ID, which is set to the Situation ID of the parent Situation. Note that unless it happens within a Cookbook that has single recipe match enabled, the superseding merge might not be very apparent or noticeable in the UI. To access the merge tree, click on the merge icon by the Situation ID. Here is an example of a merge whereby Situation ID 108 incorporated Situations 109 and 110. The story ID across all three situations will be 108.

Screen_Shot_2019-06-05_at_1_43_00_PM.png