Skip to main content


Moogsoft Cloud glossary


A set of one or more unique events that all relate to a specific performance measure. Moogsoft Cloud deduplicates events into alerts. Then it correlates alerts into incidents. See Events, alerts, and incidents.


The first observed data point after a time series metric switches from normal to anomalous performance. The ingestion engine treats each anomaly as a performance-impacting event.


An installable, Rust-based agent running on a server that does the following:

  • Observes time series metrics – either actively, at the source, or by ingesting a stream passively

  • Forwards the raw metrics to Moogsoft Cloud. The ingestion engine treats anomalies as performance-impacting events and aggregates them into alerts, which you can view in the Alerts page.


The process of finding correlations between alerts, based on similarities between data fields of interest, and clustering correlated alerts into actionable incidents. See Correlate alerts into incidents.


A stage in the ingestion process where the ingestion engine eliminates any event that is identical to a previously-seen event.

Deduplication eliminates noise and ensures that each ingested event is unique.

Deduplication key

A auto-generated signature that Moogsoft Cloud generates for each new event and uses to determine if that event is a duplicate. By default the dedupe key is based on the source, service, and check fields.


The algorithm that a Managed Object uses to detect anomalies in a metric. Every metric observed by a Managed Object has an associated detector.


The process of adding or normalizing newly ingested events with information from your environment. Enrichment is strongly recommended and has the following benefits:

  • You can include enrichment data in your correlation definitions. This provides more flexibility to cluster alerts into the incidents you want.

  • Enrichment data can enable your operators to analyze and troubleshoot incidents more quickly and effectively.

  • You can use event workflows and enrichment data to normalize events that come from different sources and have different formats.

Enrichment is useful when you want to customize how Moogsoft Cloud correlates alerts and clusters them into incidents. You might also want to enrich your alerts to make the resulting incidents more informative and readable.


A data object that describes an event of operational interest. An event might be based on an event notification from an external tool or a metric anomaly from a collector or Amazon CloudWatch. Examples include:

  • A network switch went down 35 seconds ago

  • Average free memory on a server was 10% over the past minute

  • A collector detected an anomaly in a key performance metric 43 seconds ago

Events form the initial raw data for Moogsoft Cloud, which does the following:

  1. Converts each ingested notification and anomaly into a generic event object.

  2. Aggregates similar events into alerts:

    • Creates new alerts from events which do not match any existing alerts.

    • Updates existing alerts with new events which are similar.


A cluster of alerts that all relate to the same actionable incident. Moogsoft Cloud clusters alerts based on the similarity of their time stamps and data fields. The Settings > Correlation Engine page has a simple UI where you can define the correlation behavior that makes sense for your organization.

Managed object

A set of collector policies for observing metrics from a specific data source such as Linux OS, AWS, Docker, Logstash, etc. Each Managed Object defines the set of metrics to observe and the configuration settings for each metric.


A set of data points, each with its own timestamp, that measures a specific aspect of performance such as response time or utilization. Collectors can monitor performance on remote servers, detect performance anomalies locally at the source, and send anomalies and raw metrics directly to Moogsoft Cloud.


Each anomaly, alert, and incident has an associated severity that indicates the degree of difference between the observed performance and normal performance. The severity generally indicates how urgently the performance issue requires corrective action. The degrees of severity are:

  • Critical (red)

  • Major (orange)

  • Minor (yellow) 

  • Warning (blue)

  • Unknown (purple)

  • Clear (green)

Moogsoft Cloud calculates severities as follows:

  • Metric anomalies — Moogsoft Cloud considers each new anomaly within a distribution of all previous anomalies for that metric.

  • Events from external tools —Moogsoft Cloud maps the severities from the external tool's schema to the Moogsoft Cloud event schema.

  • Alerts — The alert severity is the severity of the most recent event used to update the alert.

  • Incidents — The incident severity is the highest current severity of any member alert.


An incident that has been merged and replaced with another incident.

time series ()

An ordered sequence of data values recorded over a period of time. An example of a time series in Moogsoft Cloud is a metric.