Configuring a Cookbook to Use Entropy

Often, the most frequently recurring alerts are not actionable. When you activate entropy filtering in your Cookbooks, low-entropy alerts will not be clustered into Situations.

You can maintain your system by periodically examining included and excluded alerts in the Alert Analyzer. You can also configure your system to intercept alerts below a fixed entropy value and re-route them for occasional review by your operators, but that is outside the scope of this lab.

Overview

Configure a Cookbook to exclude low-entropy alerts.

  1. Reduce the alert threshold in the Source Recipe from 2 to 1, and edit the Source Cookbook to use manager-specific entropy thresholds. Any managers without subset thresholds will use the global default threshold.

  2. Send data into your system using the ChatOps command '@bot get_lab_events_entropy'.

  3. In the Open Alerts view, make the entropy column visible and verify that entropy values have been set for the live data. Verify that low-entropy alerts have been excluded from Situations.

Step-by-Step Instructions

  1. After reviewing the entropy distribution of your historic alerts, you have decided that you want to be able to see all of your incoming alerts, except the low-entropy ones, on a single pane of glass, and you want multiple alerts from the same host to be clustered in Situations. To accomplish this, go to Settings>Algorithms>Cookbook Recipes and select the Source recipe.

  2. Change the Alert Threshold from '2' to '1' so that all alerts will be included in Situations. Leave the other settings the same.

  3. Check the Clustering tab to verify that alerts from the same source (host) will be clustered into the same Situation.

  4. Save changes.

  5. Go to Settings>Algorithms>Cookbooks and choose 'Source Cookbook'.

  6. Under Entropy Threshold, choose 'Use the Manager-Specific Entropy Thresholds'. This will activate the filtering of alerts using the subset thresholds you set. Alerts from any manager without a subset threshold will be filtered according to the Global Default Threshold that you set.

  7. Under Selected Recipes, verify that only the 'Source' Recipe is selected.

  8. Leave the other settings the same, and save changes.

  9. Go to Settings>Algorithms>Cookbook Selection.

  10. Verify that the Source Cookbook is active and that no other Cookbooks are active.

  11. Go to Workbench>Open Situations and click on the Situation you created earlier.

  12. Go to the Collaborate tab and enter the ChatOps command @bot get_lab_events entropy in the comment box.

  13. Go to the Open Alerts view and then to the View menu in the upper right-hand corner. Select 'Entropy' to make the Entropy column visible.

  14. Scroll right to see the Entropy column. As you can see, Moogsoft Enterprise has calculated entropy values for arriving alerts using the entropy model that Alert Analyzer calculated from the historic database.

  15. Click on the Entropy column to sort alerts by entropy, and compare the entropy values and alert descriptions.

  16. Look at the Situations column, and verify that low-entropy alerts below the thresholds you set have not been assigned to Situations. Go to the Open Situations view to examine the actionable Situations.
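The filtering behaviour configured in this lab can be sketched in a few lines. This is an added illustration, not Moogsoft code: the manager names, threshold values, alert records and function names are constructed, and treating an alert whose entropy equals its threshold as included is an assumption.

```python
from collections import defaultdict

# Constructed values for illustration; not taken from the lab environment.
GLOBAL_DEFAULT_THRESHOLD = 0.30
MANAGER_THRESHOLDS = {"NAGIOS": 0.50, "SYSLOG": 0.10}  # hypothetical subset thresholds

# Constructed sample alerts; "SNMP" deliberately has no subset threshold.
SAMPLE_ALERTS = [
    {"id": 1, "source": "web01", "manager": "NAGIOS", "entropy": 0.82},
    {"id": 2, "source": "web01", "manager": "NAGIOS", "entropy": 0.41},
    {"id": 3, "source": "web01", "manager": "SYSLOG", "entropy": 0.15},
    {"id": 4, "source": "db01", "manager": "SNMP", "entropy": 0.25},
    {"id": 5, "source": "db01", "manager": "SNMP", "entropy": 0.64},
    {"id": 6, "source": "app01", "manager": "SYSLOG", "entropy": 0.05},
]


def threshold_for(manager):
    """Manager-specific threshold, falling back to the global default."""
    return MANAGER_THRESHOLDS.get(manager, GLOBAL_DEFAULT_THRESHOLD)


def split_by_entropy(alerts):
    """Separate alerts into (included, excluded) by their manager's threshold."""
    included, excluded = [], []
    for alert in alerts:
        # Assumption: entropy equal to the threshold counts as included.
        if alert["entropy"] >= threshold_for(alert["manager"]):
            included.append(alert)
        else:
            excluded.append(alert)
    return included, excluded


def cluster_by_source(alerts, alert_threshold=1):
    """Group alert ids by source; keep groups with at least alert_threshold alerts."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["source"]].append(alert["id"])
    return {src: ids for src, ids in groups.items() if len(ids) >= alert_threshold}


if __name__ == "__main__":
    kept, dropped = split_by_entropy(SAMPLE_ALERTS)
    print("Situations:", cluster_by_source(kept, alert_threshold=1))
    print("Excluded alert ids:", [a["id"] for a in dropped])
```

With an alert threshold of 2, the single remaining db01 alert would no longer form a Situation, which is why the lab lowers the threshold to 1.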

This concludes the lab.