Glossary

Moogsoft Glossary

Alert

A set of one or more unique events that all relate to a specific performance measure. Moogsoft deduplicates events into alerts. Then it correlates alerts into incidents. See Events, alerts, and incidents.

Anomaly

The first observed data point after a time series metric switches from normal to anomalous performance. The ingestion engine treats each anomaly as a performance-impacting event.

Collector

An installable, Rust-based agent running on a server that does the following:

  • Observes time series metrics – either actively, by polling the source, or passively, by ingesting a stream of metrics it is sent

  • Forwards the raw metrics to Moogsoft. The ingestion engine treats anomalies as performance-impacting events and aggregates them into alerts, which you can view in the Alerts page.

Correlation

The process of finding alerts that are related to one another, based on similarities between the data fields of interest, and clustering those related alerts into actionable incidents. See Correlate alerts into incidents.

Deduplication

A stage in the ingestion process where the ingestion engine eliminates any event whose deduplication key matches that of a previously-seen event.

Deduplication eliminates noise and ensures that each ingested event is unique.

Deduplication Key

An automatically generated signature that Moogsoft computes for each new event and uses to decide whether that event is a duplicate. By default the dedupe key is based on the source, service, and check fields.

Detector

The algorithm that a Managed Object uses to detect anomalies in a metric. Every metric that a Managed Object observes has an associated detector.
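The Anomaly and Detector entries describe a detector as something that flags the first data point after a metric turns anomalous. The following is an added, illustrative detector written for this glossary, not Moogsoft's own algorithm: a rolling-baseline z-score detector that reports only the normal-to-anomalous transition and suppresses the rest of the anomalous run. The window size, the z-score threshold, the standard-deviation floor and the sample metric are all assumptions.

```python
"""Added example: a rolling-baseline anomaly detector.

Illustrative code for this glossary; it is not Moogsoft's detector.
Assumed parameters: a 5-point baseline window, a z-score threshold of 3,
and a floor on the baseline standard deviation so that a perfectly flat
baseline does not turn every tiny wobble into an anomaly.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Anomaly:
    timestamp: int   # seconds
    value: float
    zscore: float


def detect_anomalies(points, window=5, threshold=3.0, min_stdev=1.0):
    """Return the first data point of each anomalous run.

    points: time-ordered list of (timestamp, value) tuples.

    A point is anomalous when it lies more than `threshold` standard
    deviations from the mean of the last `window` normal points. Only the
    transition from normal to anomalous is reported, matching the glossary's
    definition of an anomaly; later points in the same run are suppressed
    until the metric returns to normal. Anomalous points are kept out of the
    baseline so a spike cannot poison the baseline and mask its own
    continuation (the trade-off is that a genuine, permanent level shift
    stays anomalous until the operator re-baselines).
    """
    anomalies = []
    in_anomaly = False
    history = []          # normal values only
    for ts, value in points:
        if len(history) < window:
            history.append(value)          # still warming up the baseline
            continue
        baseline = history[-window:]
        mean = statistics.fmean(baseline)
        stdev = max(statistics.pstdev(baseline), min_stdev)
        z = (value - mean) / stdev
        is_anomalous = abs(z) > threshold
        if is_anomalous and not in_anomaly:
            anomalies.append(Anomaly(ts, value, round(z, 2)))
        if not is_anomalous:
            history.append(value)
        in_anomaly = is_anomalous
    return anomalies


# Constructed sample: CPU utilisation (%) sampled every 60 s. It is not real
# data. Two anomalous runs: a sustained spike at t=420..540 and a single
# spike at t=720.
SAMPLE_POINTS = [
    (0, 40), (60, 42), (120, 41), (180, 43), (240, 40), (300, 41), (360, 42),
    (420, 95), (480, 97), (540, 96),
    (600, 41), (660, 40),
    (720, 98),
]

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_POINTS):
        print(f"anomaly at t={a.timestamp}s value={a.value} z={a.zscore}")
```

Run against the constructed sample, the detector reports exactly two anomalies (t=420 and t=720); the points at t=480 and t=540 belong to the first run and are suppressed, which is what keeps one sustained problem from becoming a stream of separate events downstream.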

Document

A single entry in a data catalog that contains information about a specific node. A document is equivalent to a single row in a CSV.

Enrichment

The process of adding information from your environment to newly ingested events, or normalizing those events against it. Enrichment is strongly recommended and has the following benefits:

  • You can include enrichment data in your correlation definitions. This provides more flexibility to cluster alerts into the incidents you want.

  • Enrichment data can enable your operators to analyze and troubleshoot incidents more quickly and effectively.

  • You can use event workflows and enrichment data to normalize events that come from different sources and have different formats.

Enrichment is useful when you want to customize how Moogsoft correlates alerts and clusters them into incidents. You might also want to enrich your alerts to make the resulting incidents more informative and readable.

Event

A data object that describes an occurrence of operational interest. An event might be based on an event notification from an external tool or on a metric anomaly from a Collector or AWS CloudWatch. Examples include:

  • A network switch went down 35 seconds ago

  • Average free memory on a server was 10% over the past minute

  • A collector detected an anomaly in a key performance metric 43 seconds ago

Events form the initial raw data for Moogsoft, which does the following:

  1. Converts each ingested notification and anomaly into a generic event object.

  2. Deletes duplicate events.

  3. Aggregates similar events into alerts.
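The Deduplication and Deduplication Key entries above, together with steps 2 and 3 of this pipeline, describe folding events into alerts by a key built from the source, service and check fields. The following added example, written for this page and not Moogsoft's implementation, shows one way to compute such a key and use it to aggregate an event stream into alerts. The event field names, the normalisation rules (trim and lower-case), and the sample events are assumptions.

```python
"""Added example: deduplicate events into alerts by a deduplication key.

Illustrative code for this glossary, not Moogsoft's implementation. The
default key fields follow the glossary (source, service, check); the
normalisation rules and the sample events are assumptions.
"""
import hashlib
from dataclasses import dataclass

DEDUPE_FIELDS = ("source", "service", "check")   # assumed default key fields


def dedupe_key(event, fields=DEDUPE_FIELDS):
    """Build a stable signature for an event from the chosen fields.

    Each value is trimmed and lower-cased so that formatting differences
    ("WEB01 " vs "web01") do not defeat deduplication. Values are
    length-prefixed before joining so that ("a|b", "c") and ("a", "b|c")
    cannot produce the same key; a plain join would let a crafted or
    malformed field collide with an unrelated event.
    """
    parts = []
    for name in fields:
        value = str(event.get(name, "")).strip().lower()
        parts.append(f"{len(value)}:{value}")
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


@dataclass
class Alert:
    key: str
    first_event: dict
    last_event: dict
    count: int = 1

    @property
    def severity(self):
        # An alert carries the severity of the most recent event that updated it.
        return self.last_event["severity"]


def dedupe(events, fields=DEDUPE_FIELDS):
    """Fold a time-ordered event stream into alerts keyed by dedupe key.

    The first event with a given key creates the alert; later duplicates
    only increment the count and replace last_event, so the duplicate's
    details are not lost even though no second alert is raised.
    """
    alerts = {}
    for event in events:
        key = dedupe_key(event, fields)
        if key in alerts:
            alert = alerts[key]
            alert.count += 1
            alert.last_event = event
        else:
            alerts[key] = Alert(key=key, first_event=event, last_event=event)
    return list(alerts.values())


# Constructed sample events, in arrival order. Not real data.
SAMPLE_EVENTS = [
    {"source": "web01", "service": "nginx", "check": "http_5xx_rate", "severity": "minor"},
    {"source": "WEB01 ", "service": "nginx", "check": "http_5xx_rate", "severity": "major"},
    {"source": "web02", "service": "nginx", "check": "http_5xx_rate", "severity": "minor"},
    {"source": "web01", "service": "nginx", "check": "http_5xx_rate", "severity": "critical"},
    {"source": "db01", "service": "postgres", "check": "replication_lag", "severity": "warning"},
]

if __name__ == "__main__":
    for alert in dedupe(SAMPLE_EVENTS):
        e = alert.first_event
        print(f"{e['source']}/{e['service']}/{e['check']}: "
              f"{alert.count} event(s), severity {alert.severity}")
```

Five events become three alerts: the three web01 nginx events (including the one with the differently-cased, padded source) collapse into one alert with a count of 3 and the critical severity of its latest event, while web02 and db01 each get their own alert.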

Incident

A cluster of alerts that all relate to the same actionable problem. Moogsoft clusters alerts based on the similarity of their time stamps and data fields. The Settings > Correlation Engine page has a simple UI where you can define the correlation behavior that makes sense for your organization.

Managed Object

A set of collector policies for observing metrics from a specific data source such as Linux OS, AWS, Docker, Logstash, etc. Each Managed Object defines the set of metrics to observe and the configuration settings for each metric.

Metric

A set of data points, each with its own timestamp, that measures a specific aspect of performance such as response time or utilization. Collectors can monitor performance on remote servers, detect performance anomalies locally at the source, and send anomalies and raw metrics directly to Moogsoft.

Severity

Each anomaly, alert, and incident has an associated severity that indicates the degree of difference between the observed performance and normal performance. The severity generally indicates how urgently the performance issue requires corrective action. The degrees of severity are:

  • Critical (red)

  • Major (orange)

  • Minor (yellow) 

  • Warning (blue)

  • Unknown (purple)

  • Clear (green)

Moogsoft calculates severities as follows:

  • Metric anomalies — Moogsoft considers each new anomaly within a distribution of all previous anomalies for that metric.

  • Events from external tools — Moogsoft maps the severities from the external tool's schema to the Moogsoft event schema.

  • Alerts — The alert severity is the severity of the most recent event used to update the alert.

  • Incidents — The incident severity is the highest current severity of any member alert.
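The Correlation and Incident entries describe clustering alerts whose data fields match and whose time stamps are close, and the severity rules above say an incident takes the highest current severity of its member alerts. The following added example, written for this page and not Moogsoft's correlation engine, implements one such correlation definition end to end. The fields that must match (service plus an assumed enrichment field, datacenter), the 300-second window, the severity ranking (taken from the order of the list above) and the sample alerts are all assumptions.

```python
"""Added example: correlate alerts into incidents and roll up severity.

Illustrative code for this glossary, not Moogsoft's correlation engine.
Assumptions: alerts correlate when their `service` and `datacenter`
(an enrichment field) values match and they fall within a 300 s window;
severities rank in the order the glossary lists them.
"""
from dataclasses import dataclass, field

# Assumed ranking, following the order of the glossary's severity list.
SEVERITY_RANK = {"clear": 0, "unknown": 1, "warning": 2,
                 "minor": 3, "major": 4, "critical": 5}


@dataclass
class Incident:
    match_values: tuple
    alerts: list = field(default_factory=list)

    @property
    def last_seen(self):
        return max(a["last_seen"] for a in self.alerts)

    @property
    def severity(self):
        # Incident severity is the highest current severity of any member alert.
        return max((a["severity"] for a in self.alerts),
                   key=lambda s: SEVERITY_RANK[s])


def correlate(alerts, match_fields=("service", "datacenter"), window=300):
    """Cluster alerts into incidents.

    Alerts are processed in last_seen order. An alert joins the most recent
    incident whose match_fields values equal its own and whose latest alert
    is within `window` seconds; otherwise it starts a new incident. An alert
    that lacks one of the correlation fields cannot be matched safely, so it
    becomes its own incident rather than being lumped with unrelated alerts.
    """
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["last_seen"]):
        values = tuple(alert.get(f) for f in match_fields)
        if None in values:
            incidents.append(Incident(values, [alert]))
            continue
        for incident in reversed(incidents):
            if (incident.match_values == values
                    and alert["last_seen"] - incident.last_seen <= window):
                incident.alerts.append(alert)
                break
        else:
            incidents.append(Incident(values, [alert]))
    return incidents


# Constructed sample alerts (datacenter is an assumed enrichment field). Not real data.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "web01", "service": "nginx", "datacenter": "dc1",
     "severity": "minor", "last_seen": 1000},
    {"id": "a2", "source": "web02", "service": "nginx", "datacenter": "dc1",
     "severity": "critical", "last_seen": 1120},
    {"id": "a3", "source": "lb01", "service": "nginx", "datacenter": "dc2",
     "severity": "major", "last_seen": 1150},
    {"id": "a4", "source": "db01", "service": "postgres", "datacenter": "dc1",
     "severity": "warning", "last_seen": 1200},
    # Same service and datacenter as a1/a2 but 780 s after a2: outside the window.
    {"id": "a5", "source": "web03", "service": "nginx", "datacenter": "dc1",
     "severity": "major", "last_seen": 1900},
]

if __name__ == "__main__":
    for n, incident in enumerate(correlate(SAMPLE_ALERTS), start=1):
        ids = ", ".join(a["id"] for a in incident.alerts)
        print(f"incident {n} {incident.match_values}: [{ids}] severity={incident.severity}")
```

On the constructed alerts this yields four incidents: a1 and a2 correlate (same service and datacenter, 120 s apart) into an incident whose severity is critical because of a2; a3 and a4 differ in datacenter or service and stand alone; a5 matches a1/a2 on fields but arrives 780 s after the incident's last alert, so the window keeps it separate. Widening the window or dropping the datacenter field from the definition is exactly the kind of change the Correlation Engine settings control.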

Superseded

An incident that has been merged into, and replaced by, another incident.