Plan your implementation

Moogsoft converts the raw monitoring data from your environment into actionable incidents. Before you start setting up Moogsoft, consider what kind of actionable incidents you want to generate. This will determine the monitoring data you want to use and how you set up Moogsoft to process this data.

This topic outlines the questions you should ask initially and includes an example of how a Moogsoft user answers these questions in a simple deployment scenario.

  • The key to fine-tuning your Moogsoft settings is to start your thinking from the end result you desire.

  • For example, suppose you want to cluster alerts by the impacted services, but only within the same global region. The regional information, however, is formatted like EMEA-fr005-ABA. You only need the first chunk, “EMEA”, so you need to extract it during data normalization. In this example, identifying the desired correlation led to identifying the need for data parsing.

  • Or, suppose you want to cluster alerts by information that is not available in the source event data. In this case, identifying the clustering needs led to discovering the need for data enrichment. So take a moment to consider your goal. What do you want to accomplish by using Moogsoft? And to achieve that goal, how do you want to see your alerts correlated?

Use the following guidelines to plan your implementation.

  • How do you want to see your alert data grouped?

  • What data do you currently have? Do you need to normalize any part of it? Is it missing any information you need to cluster alerts?

  • What additional information do you need to correlate alerts meaningfully? Do you have a CMDB you want to look up?

  • Answering these questions will in turn define your configuration requirements.
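
The planning logic above (parse the region, enrich missing fields from a CMDB, then group by service and region) can be prototyped against sample data before you configure anything. The following is an added illustration in plain Python, not Moogsoft configuration or a Moogsoft API; the event field names, the set of known regions, and the CMDB table are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events; the field names are assumptions for illustration.
EVENTS = [
    {"id": 1, "host": "web01", "service": "checkout", "location": "EMEA-fr005-ABA"},
    {"id": 2, "host": "web02", "service": "checkout", "location": "EMEA-de011-XYZ"},
    {"id": 3, "host": "web07", "service": "checkout", "location": "APAC-jp002-QRS"},
    {"id": 4, "host": "db03", "location": "EMEA-fr005-ABA"},          # no service in source
    {"id": 5, "host": "db09", "service": "billing", "location": ""},  # unusable location
]

# Constructed stand-in for a CMDB lookup: host -> impacted service.
CMDB = {"db03": "checkout", "db09": "billing"}

KNOWN_REGIONS = {"EMEA", "APAC", "AMER"}  # assumption: your valid region codes


def normalize_region(location):
    """Normalization: keep only the first hyphen-delimited chunk ("EMEA")."""
    chunk = (location or "").split("-", 1)[0].strip().upper()
    return chunk if chunk in KNOWN_REGIONS else None


def enrich(event, cmdb):
    """Enrichment: fill in the service from the CMDB when the event lacks it."""
    out = dict(event)
    out["region"] = normalize_region(event.get("location"))
    out["service"] = event.get("service") or cmdb.get(event.get("host"))
    return out


def cluster(events, cmdb):
    """Group event ids by (service, region); report events that cannot be grouped."""
    groups, unclustered = defaultdict(list), []
    for event in (enrich(e, cmdb) for e in events):
        if event["service"] and event["region"]:
            groups[(event["service"], event["region"])].append(event["id"])
        else:
            unclustered.append(event["id"])  # a data gap to resolve during planning
    return dict(groups), unclustered


if __name__ == "__main__":
    groups, unclustered = cluster(EVENTS, CMDB)
    for key, ids in groups.items():
        print(key, ids)
    print("needs more normalization or enrichment:", unclustered)
```

Events that land in the unclustered list point to the parsing or enrichment requirements you still need to define.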