Skip to main content

Clustering Algorithm Guide

Sigalisers are the clustering algorithms in Moogsoft Onprem that group alerts on the message bus into Situations based on factors such as time, language, similarity and proximity.

The clustering algorithms available include:

You can configure and run multiple different clustering algorithms on the same instance of Moogsoft Onprem. The algorithms you choose depend on your specific use cases and the type of Situations you want your operators to receive. The trade-off between Cookbook and Tempus is based on how much configuration a Sigaliser requires versus how deterministic the results will be.

You can also apply entropy and Vertex Entropy calculations to add another degree of filtering to the alerts you want to correlate. For example, you can use an entropy threshold if you want to exclude alerts with low operational value or include alerts with high operational value. See Vertex Entropy for more details.

Cookbook

Cookbook is a clustering algorithm that creates clusters defined by the relationships between alerts and their attributes. It offers more flexibility at the cost of higher configuration and planning. See Configure Deterministic Alert Clustering with Cookbook for more information.

Type: Attribute-based clustering.

Use cases: You can use Cookbook if you want more control in how you correlate alerts based on patterns in the text similarity. Example use cases include:

  • Grouping alerts with a similar description and from the same application or service.

  • Grouping alerts from the same host or location.

  • Topology-based correlation using Vertex Entropy.

Benefits: Cookbook offers the following advantages:

  • Very customizable and configurable using Recipes.

  • Able to create Situations when an alert exceeds a defined rate of occurrence.

  • Can include and exclude alerts that meet specific criteria such as Vertex Entropy.

  • Able to partition alerts into Situations using textual similarity-based comparison.

  • Possible to base alert clustering on topological relationships.

Configuration: To configure Cookbook Recipes and Cookbook via the Moogsoft Onprem UI, see and Configure a Cookbook. You can also configure Cookbook and its Recipes via the Graze API. The following can be configured through the Cookbook UI:

  • Entropy threshold

  • Value Recipe

  • Cook-for-extension

Tempus

Tempus is a time-based algorithm that clusters alerts into Situations based on the similarity of their timestamps. See Time-based Clustering with Tempus for more information.

Type: Time-based clustering.

Use cases: You want to match alerts based on patterns in their timestamps or on a timeline. Use Tempus if you want your alerts to be clustered in real-time. The logic behind Tempus is that a triggering event causes additional subsequent failures within a short timeframe. Works well in scenarios where there is a causal chain such as:

  • Cascading failures

  • Performance failures

  • Brownouts.

Benefits: Tempus offers the following advantages:

  • No enrichment required. See Enrichment Overview.

  • Good for availability alerts.

  • Good for performance alerts.

Configuration: To configure Tempus via the Moogsoft Onprem UI, see Configure Tempus. You can also configure Tempus via the Graze API.

The following video compares the Cookbook and Tempus clustering algorithms: