Moogsoft Docs

Configure Merge Groups

Moogsoft AIOps uses merge groups to control the minimum number of alerts in a Situation and how it merges Situations that different clustering algorithms create.

Use merge groups to control:

  • Clustering algorithms that you want Moogsoft AIOps to merge similar Situations together.

  • The alert threshold which defines the minimum number of alerts that Moogsoft AIOps will cluster into a Situation.

  • Situation similarity threshold which defines the percentage of alerts two Situations must share before they are merged.

You can use the default merge group in Moogsoft AIOps or you can create custom merge groups. If you use the default merge group, Moogsoft AIOps merges all the Situations that all of your clustering algorithms create if they meet the alert threshold and Situation similarity threshold criteria. You can create custom merge groups to override the default behavior of the default merge group. This is useful not only for adjusting the alert threshold and the Situation similarity threshold, but also if you want Moogsoft AIOps to merge Situations with more granularity.

In addition to the alert threshold in a merge group, you can also set an alert threshold in Tempus (via the Graze API) and in Cookbook Recipes (using the Moogsoft AIOps UI or the Graze API). When a clustering algorithm considers whether or not to cluster alerts into a Situation, it compares the alert threshold in the merge group and the clustering algorithm. It then uses the higher value to determine how many alerts it requires to create a Situation.

Default merge group

If you do not create any custom merge groups, all the clustering algorithms use the default merge group settings.

The default merge group has a Situation similarity threshold of 0.7. This means that Moogsoft AIOps merges two Situations if they have at least 70% of the same alerts.

The default merge group has an alert threshold of 2. If you have a clustering algorithm with an alert threshold of 1, that uses this default value of 2, since Moogsoft AIOps uses the higher alert threshold value to determine the number of alerts required to create a Situation, Moogsoft AIOps will never create Situations containing a single alert regardless of the alert threshold setting in the clustering algorithm.

If you want the clustering algorithms to create Situations containing a single alert, change the alert threshold in the default merge group to 1. You must use the Graze API if you want to change the default merge group values.

Custom merge groups

If you create a custom merge group for one or more clustering algorithms, they will only merge the Situations they produce among themselves. Situations from clustering algorithms outside of a merge group cannot merge with Situations inside a merge group.

You can configure custom merge groups in the Moogsoft AIOps UI or using the Graze API.

Example

You have defined the following clustering algorithms:

  • Tempus algorithm that clusters alerts that arrive in Moogsoft AIOps at a similar time.

  • Cookbook 1 with three Recipes; one Recipe clusters alerts on 'Description', another Recipe clusters alerts on 'Host', and the third Recipe clusters alerts with a 'Severity' of Critical (5).

  • Cookbook 2 with a single Recipe that clusters alerts on 'Impacted Services'.

  • Cookbook 3 with a single Recipe that creates Situations containing a single alert with a high entropy value.

If you use the default merge group only, all the Situations created by all these clustering algorithms will be merged if they meet the alert threshold and Situation similarity threshold criteria. But you want greater granularity than that so you create the following custom merge groups:

  • Custom merge group 1 - Cookbooks 1 and 2: Merges clusters created by Cookbook 1 and Cookbook 2 if they meet the following criteria:

    • Alert threshold = null, so it uses the default merge group value of 2. If you create a custom merge group in the UI, the alert threshold is set to null so it automatically uses the default merge group value.

    • Situation similarity threshold = 80%, so it will only merge clusters from Cookbook 1 and Cookbook 2 if they have 80% or more of the same alerts.

  • Custom merge group 2 - Cookbook 3: You want to keep these Situations with a single alert separate so you configure this merge group as follows:

    • Alert threshold = 1, so a single alert clusters into a Situation. This overrides the default merge group value of 2. You must use the Graze API endpoint updateMergeGroup to change this value.

    • Situation similarity threshold = 100%, so unless the alerts in two Situations are identical, the Situations will not be merged.

  • You do not create a custom merge group for Tempus so it will use the default merge group values of:

    • Alert threshold = 2.

    • Situation similarity threshold = 70%.

Updating the default merge group

You must use the Graze API to update the default merge group. You cannot update it using the UI. See the following topics for instructions on updating or viewing the details of the default merge group:

Configuring custom merge groups

You can configure a custom merge group in the UI or using the Graze API.

Before you begin

Before you create a custom merge group, ensure you have met the following requirements:

  • You have configured at least two different clustering algorithms, for example, Cookbook and Tempus.

  • Your LAMs or integrations are running and Moogsoft AIOps is receiving events.

Configure a custom merge group in the UI

To configure a custom merge group in the UI:

  1. Navigate to the Settings tab.

  2. Click Merge Groups in the Algorithms section.

  3. Select an existing custom merge group and click Edit, or click Add Merge Group to add a new one.

  4. Configure the custom merge group settings:

    • Name: Enter a name for the custom merge group.

    • Sigaliser: Select the clustering algorithms to include in the custom merge group. To include additional clustering algorithms, click Add Sigaliser.

    • Similarity Threshold: The percentage of alerts two Situations must share before they are merged. Enter a value between 0 and 100. The default similarity threshold in the default merge group is 70%. Set a lower value if you want Moogsoft AIOps to merge Situations with a lower percentage of alerts shared between them, which is likely to increase the number of Situations that will merge. Set a higher value if you want to decrease the number of Situations that Moogsoft AIOps will merge. If you set this value to 0, Moogsoft AIOps uses the default merge group value.

  5. Click Save to finish configuring the custom merge group.

  6. If you want to change the alert threshold for this custom merge group, use the Graze API endpoint updateMergeGroup.

After you configure a custom merge group, Moogfarmd automatically restarts and begins using it.

Configure a custom merge group using the Graze API

See the following topics for instructions on creating custom merge groups via the Graze API:

Field behavior

When Moogsoft AIOps merges two or more Situations, it updates the fields of the Situations as follows:

Field

Old Situations

New Situation

Category

Superseded.

Created.

Created At

No change.

Time of merge.

Description

No change.

Merge of Situations [X, Y, Z] where X, Y, and Z represent the Situation IDs of the superseded Situations.

First Event Time

No change.

The First Event Time for the combined Situations.

ID

No change.

The next sequential Situation ID.

Last Change

No change.

The time that the merge took place.

Last Event Time

No change.

The value of the Situation in first position in the merge list.

Owned By

No change.

Default (none).

Participants

No change.

Default (none).

Process Impacted

No change.

Combined values.

Queue

No change.

The queue of the Situation in first position in the merge list.

Rating

No change.

Default (none).

Scope

No change.

Combined values.

Scope Trend

No change.

Combined values.

Services Impacted

No change.

Combined values.

Sev Trend

No change.

Combined values.

Severity

No change.

The highest severity of the merged Situations.

Status

Dormant.

Opened.

Story

Adopts ID of new Situation.

The Story ID is the same as the Situation ID of the new Situation.

Teams

No change.

All Teams monitoring the merged Situations.

Total Alerts

No change.

The sum of the Alerts of all merged Situations.

User Comments

No change.

Default (none).