Correlation time window
You can specify the length of time for clustering similar alerts into the same incident, starting from the incident creation time. When the correlation period ends, Moogsoft Cloud correlates alerts into a new incident.
The correlation engine auto-extends an incident's correlation period if it adds alerts near the end of the specified period. Auto-extension works like this:
The correlation engine maintains an extension time that is 50% of the specified correlation window.
If a new matching alert is added to the incident in the last 50% of the specified correlation window, the new correlation period is the alert arrival time plus the extension time.
This process can extend the correlation window up to a maximum of 24 hours.
Suppose you specify a correlation window of 16 minutes. In this case, the extension time is 8 minutes. The correlation period can extend as follows:
The timer starts when the engine creates the incident.
If the engine does not add an alert after 8 minutes, the correlation period closes at 16 minutes.
Suppose the engine adds an alert at 12 minutes. The correlation period extends to 12 minutes plus 8 minutes = 20 minutes.
Suppose another alert gets added at 19 minutes. The correlation period extends to 19 + 8 = 27 minutes.
This correlation period for this incident can auto-extend up to a maximum of 24 hours.
