Data Processing Flow
Before you configure or customize data processing in Moogsoft Onprem, take some time to learn the components that comprise the basic flow for processing event, alert, and Situation data.
Except for the Link Access Modules (LAMs) that perform data ingestion, the data processing components are individual Moolets that run as part of Moogfarmd. For more information, see Moogfarmd and Core Data Processing.
The following diagram shows a general data processing flow. Your specific flow may be different depending on your use case and any customizations you apply:
A) LAMs / Data Ingestion
The LAMs or Integrations ingest raw event data from your monitoring sources. LAMs do one of the following with the event data:
Map raw events into Moogsoft Onprem events.
Discard events based upon system configuration, for example, a blacklisting rule.
See Introduction to Integrations for more information.
B) Event Workflow Engine
The Event Workflow Engine listens for events on the message bus and processes them based upon any active workflows.
See Workflow Engine for an overview of how the Workflow Engine UI works. See Workflow Engine Moolets for information on the Moolet.
C) Alert Builder
The Alert Builder deduplicates events into alerts and calculates the entropy value for alerts. Deduplicated events are visible in the UI after passing through the Alert Builder.
See Configure Alert Builder for more information.
D) Enricher
The Enricher is an optional Moolet that you can use to enrich alert data from external data sources such as a CMDB. See Enrichment Overview for information about the enrichment process.
See Enricher Moolet for information on the Moolet.
E) Enrichment Workflow Engine
The Enrichment Workflow Engine listens for alerts on the message bus and processes them based upon any active workflows. For an example enrichment workflow, see Enrich Alerts Using a JDBC Data Source.
See Workflow Engine for an overview of how the Workflow Engine UI works. See Workflow Engine Moolets for information on the Moolet.
F) Maintenance Window Manager
The Maintenance Window Manager prevents alerts from creating Situations during known maintenance downtimes.
To learn how to create a maintenance window, see Schedule Maintenance Downtime. See Configure Alert Behavior During a Maintenance Window for information on the Moolet.
G) Alert Workflow Engine
The Alert Workflow Engine listens for alerts on the message bus after they have passed through the Maintenance Window Manager. It processes alerts based upon any active workflows you have created. If you want to set up alert routing to a different clustering algorithm, you can use the Alert Workflow Engine. For example, you can forward alerts to Tempus.
See Workflow Engine for an overview of how the Workflow Engine UI works. See Workflow Engine Moolets for information on the Moolet.
H) Alert Rules Engine
If you upgraded from a previous version, you may have data processing configurations that use the Alert Rules Engine. The Alert Rules Engine lets you define criteria to process alerts according to different Transitions to move these alerts to different Action States. Before you start an implementation with the Alert Rules Engine, see if the Workflow Engine meets your needs.
See Alert Rules Engine for more information.
I) Clustering Algorithms
The clustering algorithms (Sigalisers) in Moogsoft Onprem group related alerts into Situations.
See the Clustering Algorithm Guide for an overview of the algorithms. To configure a clustering algorithm, see Configure Clustering Algorithms.
J) Situation Manager
The Situation Manager listens for Situation creation, update, and closure actions and lets you automate processes like data enrichment, assignment, or notification to a ticketing system.
The Situation Manager Labeler is part of the Situation Manager. See Situation Manager for more information.
K) Teams Manager
The Teams Manager Moolet listens for new Situation creation, update, and closure actions. It handles the team assignments you create in the Settings UI. See Manage Teams.
See Teams Manager Moolet for information on the Moolet.
L) Situation Workflow Engine
The Situation Workflow Engine listens for Situations on the message bus after they have passed through the Situation Manager. It processes Situations based upon any active workflows you have created.
See Workflow Engine for an overview of how the Workflow Engine UI works. See Workflow Engine Moolets for information on the Moolet.
The following video further explains the data processing flow: