Correlate alerts into incidents

Correlation is the process of clustering related alerts into incidents. Moogsoft Cloud uses correlation definitions that specify which alert fields to compare when deciding whether a new alert belongs to an existing incident. To define an effective correlation, you need to determine the following:

  1. How you want to correlate your alerts — such as by node, service, or location.

  2. The alert fields in your data that contain the relevant information.

The correlation engine

The Correlation Engine uses advanced algorithms to detect correlations between different alerts and cluster these alerts into incidents. You can easily define smart correlations that make sense for your organization, even with no previous knowledge of your environment.

Each definition specifies the relevant data fields and the degree of similarity needed to correlate different alerts. Moogsoft then uses natural-language processing and other advanced algorithms, along with your definitions, to correlate new alerts with previous ones.
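The two decisions listed above (how to correlate, and which alert fields carry that information) and the definition described here (fields plus a required degree of similarity) can be made concrete with a small similarity-based clustering routine. The code below is an added example written for this page; it is not Moogsoft's engine or a description of its algorithms. It assumes a token-based Jaccard similarity per field averaged over the definition's fields, a time window after which an incident stops accepting alerts, and the field names, thresholds and sample alerts shown, all of which are constructed for the example.

```python
"""Illustrative alert-to-incident correlation (example code, not Moogsoft's implementation).

A CorrelationDefinition names the alert fields to compare and the minimum
similarity a new alert needs to join an existing incident. Per-field similarity
is the Jaccard index over the field's tokens; the overall score is the mean
across the definition's fields. All field names, thresholds, the time window
and the sample alerts are constructed for this example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CorrelationDefinition:
    name: str
    fields: list        # alert fields whose values are compared
    similarity: float   # minimum mean per-field similarity (0..1) to correlate
    window_s: int       # incidents idle longer than this no longer accept alerts


@dataclass
class Incident:
    definition: str
    alerts: list = field(default_factory=list)

    @property
    def last_seen(self):
        return max(a["time"] for a in self.alerts)


def tokens(value):
    """Lowercase tokens of a field value, split on anything non-alphanumeric."""
    return {t for t in re.split(r"[^a-z0-9]+", str(value).lower()) if t}


def jaccard(a, b):
    """Jaccard index of two token sets; a missing value on either side never matches."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def score(alert, incident, definition):
    """Best mean per-field similarity between the alert and any alert already in the incident."""
    def against(existing):
        per_field = [jaccard(tokens(alert.get(f, "")), tokens(existing.get(f, "")))
                     for f in definition.fields]
        return sum(per_field) / len(per_field)
    return max(against(existing) for existing in incident.alerts)


def correlate(alerts, definition):
    """Cluster alerts, in time order, into incidents under a single definition."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        best, best_score = None, 0.0
        for inc in incidents:
            if alert["time"] - inc.last_seen > definition.window_s:
                continue  # incident has gone quiet; do not reopen it
            s = score(alert, inc, definition)
            if s >= definition.similarity and s > best_score:
                best, best_score = inc, s
        if best is None:
            incidents.append(Incident(definition.name, [alert]))
        else:
            best.alerts.append(alert)
    return incidents


def incident_ids(incidents):
    """Alert ids per incident, in incident creation order."""
    return [[a["id"] for a in inc.alerts] for inc in incidents]


# Constructed sample alerts (times are seconds relative to the first alert).
SAMPLE_ALERTS = [
    {"id": 1, "time": 0,    "node": "web-01.prod.example", "service": "nginx",    "description": "HTTP 5xx rate high"},
    {"id": 2, "time": 30,   "node": "web-02.prod.example", "service": "nginx",    "description": "HTTP 5xx rate high"},
    {"id": 3, "time": 45,   "node": "db-01.prod.example",  "service": "postgres", "description": "replication lag"},
    {"id": 4, "time": 60,   "node": "web-01.prod.example", "service": "nginx",    "description": "upstream timeout"},
    {"id": 5, "time": 5000, "node": "web-01.prod.example", "service": "nginx",    "description": "HTTP 5xx rate high"},
]

# Two hypothetical definitions: the first correlates by node and service, the second by symptom text.
BY_NODE_AND_SERVICE = CorrelationDefinition("node+service", ["node", "service"], similarity=0.6, window_s=900)
BY_DESCRIPTION = CorrelationDefinition("description", ["description"], similarity=0.5, window_s=900)

if __name__ == "__main__":
    for definition in (BY_NODE_AND_SERVICE, BY_DESCRIPTION):
        print(definition.name, incident_ids(correlate(SAMPLE_ALERTS, definition)))
```

Running it shows why step 1 matters: the same five alerts cluster into three incidents under the node-and-service definition (the two nginx web nodes share enough hostname tokens to correlate, the database alert does not, and alert 5 arrives after the window has closed), but into four under the description definition. Step 2 is reflected in the `fields` list; if the data actually carried the host in a field named `source` rather than `node`, the definition would have to name that field instead.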

This approach is more robust and scalable than traditional AIOps approaches based on hard-coded rules and pattern matching, especially in complex, dynamic environments built on containers and microservices, where node names and topology change faster than rules can be maintained. A rules-based approach often produces unpredictable results and a long, ad hoc list of simplistic and frequently contradictory rules. Most environments, even very complex ones, require only a handful of correlation definitions. One definition can do the analytical work of hundreds or thousands of rules.