Correlation Engine overview

The Correlation Engine clusters related alerts together to create incidents. The correlation definitions listed on the Correlation Engine page, in conjunction with correlation group settings, contain the information that controls how this process occurs. Moogsoft Cloud includes a default correlation group and a default correlation definition to get you started. These default settings may work for you, though you can create additional or replacement correlation groups and definitions that meet your specifications. Moogsoft recommends trying the defaults first to get an idea of how correlation works before making additions or changes.

To access the Correlation Engine page, navigate to Correlate & Automate > Correlation Engine.

For more information on correlation, see Correlate alerts into incidents and Concept explainer: Alert correlation - how it works.

The Correlation Engine interface includes the following areas:

Correlation groups

The top-level unit for correlation is the correlation group. Correlation groups give you the ability to logically separate data correlation into multiple groups. Each group can have a different configuration, so it's possible to treat different types of data in different ways. Correlation group settings also allow you to create incidents from alerts that were not correlated due to definition settings.

Some reasons for having different correlation groups:

  • Each correlation group can have its own similarity requirements that incidents must meet before they are candidates for merging.

  • If an organization has multiple teams with different correlation requirements, each team can create their own correlation group with their own configuration settings. This allows each team to generate incidents according to their different needs.

All correlation definitions must be part of a group in order to correlate alerts.

For more information, see Create a correlation group.

Default Group

The first correlation group is the Default Group, which is included in every Moogsoft instance. The Similar Sources correlation definition is included in this group. You can modify the Default Group or create new correlation groups with additional correlation definitions as needed.

Reorder

When the "match one" option is selected in the Correlation Matching configuration of a correlation group, and there are two or more correlation definitions in the group, the Reorder option becomes available. Click Reorder to drag the correlation definitions into a new order. This changes the processing order of the definitions. See Understand correlation group settings and definition order to understand the impact of changing the order of correlation definitions.

See Create a correlation group for information on the options available for correlation groups.

Add Correlation Definition

Click Add Correlation Definition to begin creating a new correlation definition. For step-by-step guidance and a detailed explanation of each setting, see Create a new correlation definition.

Correlation definition list

All correlation definitions in this instance are included in the list. For each definition, you have access to the following:

  • Order

    The processing order for the correlation definitions within this correlation group.

  • Correlation Name

  • Incidents

    Opens the Incidents page to show a filtered view of incidents generated by this correlation definition.

  • Status

    Displays the current status of the correlation definition.

  • Created By

    The ID of the user who created the correlation definition.

  • Copy (two pages icon)

    Creates a copy of the correlation definition that you can then modify.

  • Delete (trash can icon)

    Removes the correlation definition permanently from the system. Before the definition is permanently deleted, you are prompted to confirm.

  • View definition (right arrow icon)

    Opens the correlation definition so you can view it. Click Edit on the correlation definition configuration page to edit it.