
Reorder correlation definitions

The Moogsoft Cloud correlation engine includes one correlation definition called Similar Sources. You can add additional custom correlation definitions if needed. When you have multiple definitions, you can enable correlation definition reordering, which changes the way the correlation engine processes alerts for inclusion in incidents.

NOTE: You can delete all of your correlation definitions, but if you do, no incidents will form.

To enable correlation definition ordering:

  1. Navigate to Correlate & Automate > Correlation Engine.

  2. Toggle the Correlation Definition Order setting to Use Ordering to enable it.

    Important

    Be sure to read the following sections to understand how changing the ordering setting affects correlation.

  3. Drag and drop the definitions into the preferred order.

    NOTE: You can leave your correlation definitions in their current order and still get the first-match alert processing behavior that ordering enables.

  4. Click Save and confirm your changes in the confirmation dialog.

When Use Ordering is already enabled, you can click Edit Order and move the definitions to the preferred locations.

Tip

If you want to leave ordering turned off, but you want your correlation definitions in a different order, you can turn ordering on, reorder your definitions, and then turn it off again.

When ordering is enabled, you have the option of using the Catch All. See Use the Catch All with correlation ordering for more information.

Correlation behavior when ordering is off

By default, correlation ordering is turned off. In this scenario, alerts are evaluated by each correlation definition for inclusion in incidents, starting with the first correlation definition at the top of the list and proceeding to the bottom. Alerts may be clustered into multiple incidents by different correlation definitions.

Correlation behavior when ordering is on

When correlation ordering is turned on, alerts are evaluated by the correlation definitions in the same way as when the feature is turned off: starting at the top of the list and moving down through the definitions in order. The difference is that as soon as a match is found, processing stops and the alert is not evaluated by any further definitions. Each alert is therefore clustered into just one incident (unless lengthy time windows are used).

You can reorder the definitions into the preferred processing sequence when ordering is turned on. One strategy is to place very specific correlation definitions at the top of the list and the more general definitions toward the end, so that an alert is claimed by the most specific definition that matches it.

Example scenarios

Note

The clustering of alerts into incidents is also dependent on the correlation time window. For more information on the impact of time on clustering, see Correlation time window.

For the following examples, assume the following two correlation definitions are configured and enabled:

Definition A
  • Evaluates the source field for similarity (Fields to Correlate = source)

  • Matches at 100% similarity

Definition B
  • Evaluates the manager_id field for similarity (Fields to Correlate = manager_id)

  • Matches at 100% similarity

Assume two alerts with the following fields and values:

Alert 1                      Alert 2
"source" = "AWS",            "source" = "AWS",
"manager_id" = "VPC",        "manager_id" = "VPC",
"check" = "disk space",      "check" = "memory",
"class" = "cloud"            "class" = "network"

Example 1. Ordering on, Definition A is listed first

One incident forms using the source field. Alert 1 and Alert 2 are members of the incident (both match on the source field at 100%).

Because the evaluation of alert similarity stops as soon as a match is found when ordering is on, the alerts are never evaluated by Definition B because both alerts find a match using the definition listed first (Definition A).



Example 2. Ordering on, Definition B is listed first

One incident forms using the manager_id field. Alert 1 and Alert 2 are members of the incident.

Because the evaluation of alert similarity stops as soon as a match is found when ordering is on, the alerts are never evaluated by Definition A because both alerts find a match using the definition listed first (Definition B).



Example 3. Ordering off (Ignore ordering)

Two candidate incidents form, one using the source field and one using the manager_id field. Alert 1 and Alert 2 are members of both candidate incidents.

Because alerts are evaluated by all correlation definitions when ordering is off, two candidate incidents form with both alerts included because both alerts are 100% matches for both correlation definitions.

Important

Because Moogsoft Cloud merges identical candidate incidents (those composed of the same Alert IDs) into the same incident, the two incidents resulting from these two alerts would not actually be observed unless additional configuration settings (such as filters) were added. During the merging process, one of the two candidate incidents would be chosen to create the incident, and the other candidate would be merged with it.

The Ignore ordering option becomes more important when an alert potentially matches multiple existing incidents created by different correlation definitions. In this situation, the alert can be included in multiple incidents.

If these two active incidents already existed on your system:

Incident 1                   Incident 2
"source" = "AWS",            "source" = "AWS",
"manager_id" = "VPC",        "manager_id" = "VPC",
"check" = "logs",            "check" = "response time",
"class" = "database"         "class" = "application"

Then Alert 1 and Alert 2 would be evaluated by both Definition A and Definition B and would become members of both incidents.
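The following Python simulation is an added example, not Moogsoft code, that models the ordering-on and ordering-off behavior described above and reproduces the three example scenarios plus the existing-incident case. It simplifies the real engine in ways you should treat as assumptions: similarity is the fraction of a definition's Fields to Correlate whose values are identical between the alert and the incident's seed (100% = all equal); the correlation time window is ignored; an alert "matches" a definition when it joins an existing incident created by that definition or seeds a new candidate incident; and the two pre-existing incidents are assumed to have been created by Definition A and Definition B respectively. Alert and incident identifiers are constructed for the example.

```python
"""Simplified model of correlation definition ordering (added example, not Moogsoft code)."""
from dataclasses import dataclass, field


@dataclass
class Definition:
    name: str
    fields: tuple           # Fields to Correlate
    threshold: float = 1.0  # required similarity; 1.0 means 100%


@dataclass
class Incident:
    definition: str                  # name of the definition that created it
    seed: dict                       # field values the incident clusters on
    alert_ids: list = field(default_factory=list)


def similarity(alert, seed, fields):
    """Assumed model: fraction of the correlated fields with identical values."""
    if not fields:
        return 0.0
    return sum(1 for f in fields if alert.get(f) == seed.get(f)) / len(fields)


def merge_identical(incidents):
    """Candidates made of the same alert IDs collapse into the first one seen."""
    merged = []
    for inc in incidents:
        if any(set(inc.alert_ids) == set(m.alert_ids) for m in merged):
            continue
        merged.append(inc)
    return merged


def correlate(alerts, definitions, use_ordering, incidents=None):
    """Cluster alerts into incidents and return the resulting incident list.

    alerts: list of (alert_id, {field: value}); definitions are evaluated in list
    order. With use_ordering=True an alert stops at the first definition that
    matches it; with use_ordering=False every definition evaluates the alert.
    """
    incidents = list(incidents or [])
    for alert_id, alert in alerts:
        for defn in definitions:
            if not all(f in alert for f in defn.fields):
                continue  # the definition cannot evaluate this alert at all
            joined = False
            for inc in incidents:
                if inc.definition == defn.name and \
                        similarity(alert, inc.seed, defn.fields) >= defn.threshold:
                    inc.alert_ids.append(alert_id)
                    joined = True
                    break
            if not joined:
                # No suitable incident exists: the alert seeds a new candidate.
                incidents.append(Incident(defn.name, dict(alert), [alert_id]))
            if use_ordering:
                break  # processing stops at the first matching definition
    return merge_identical(incidents)


# Definitions and alerts from the page's example scenarios (values as on the page).
DEF_A = Definition("Definition A", ("source",))
DEF_B = Definition("Definition B", ("manager_id",))
ALERT_1 = ("alert-1", {"source": "AWS", "manager_id": "VPC", "check": "disk space", "class": "cloud"})
ALERT_2 = ("alert-2", {"source": "AWS", "manager_id": "VPC", "check": "memory", "class": "network"})


def existing_incidents():
    """Fresh copies of Incident 1 and Incident 2; creating definitions are assumed."""
    return [
        Incident("Definition A", {"source": "AWS", "manager_id": "VPC", "check": "logs", "class": "database"}, ["incident-1-alert"]),
        Incident("Definition B", {"source": "AWS", "manager_id": "VPC", "check": "response time", "class": "application"}, ["incident-2-alert"]),
    ]


def example_1_ordering_on_a_first():
    return correlate([ALERT_1, ALERT_2], [DEF_A, DEF_B], use_ordering=True)


def example_2_ordering_on_b_first():
    return correlate([ALERT_1, ALERT_2], [DEF_B, DEF_A], use_ordering=True)


def example_3_ordering_off():
    # Two identical candidates form and are merged into one incident.
    return correlate([ALERT_1, ALERT_2], [DEF_A, DEF_B], use_ordering=False)


def ordering_off_with_existing():
    # Both alerts join both pre-existing incidents; nothing merges.
    return correlate([ALERT_1, ALERT_2], [DEF_A, DEF_B], False, existing_incidents())


def ordering_on_with_existing():
    # Both alerts are claimed by Incident 1 (Definition A is first); Incident 2 is untouched.
    return correlate([ALERT_1, ALERT_2], [DEF_A, DEF_B], True, existing_incidents())


if __name__ == "__main__":
    for fn in (example_1_ordering_on_a_first, example_2_ordering_on_b_first, example_3_ordering_off,
               ordering_off_with_existing, ordering_on_with_existing):
        print(fn.__name__, [(i.definition, i.alert_ids) for i in fn()])
```

Run the module directly to see each scenario's incidents. The merge step is what makes Example 3 show a single incident despite two definitions matching, and the existing-incident scenario is where ordering off visibly differs: the same alert lands in two incidents that were created by different definitions.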