Merge Groups
Moogsoft Onprem uses merge groups to control the minimum number of alerts in a Situation and the merge behavior of Situations from different clustering algorithms.
Use merge groups to control:
How Moogsoft Onprem merges similar Situations together.
The minimum number of alerts to cluster into a Situation.
The percentage of alerts two Situations must share to be merged.
You can use the default merge group or you can create custom merge groups. If you use the default merge group, Moogsoft Onprem merges Situations from all your clustering algorithms if they meet the alert and Situation similarity threshold criteria.
You can create custom merge groups to override the behavior of the default merge group. Custom merge groups are useful when you want to adjust the alert threshold and the Situation similarity threshold. They also enable you to control which clustering algorithms have their Situations merged together. For example, the default merge group combines Situations that meet the alert and Situation similarity threshold criteria, regardless of which clustering algorithm created them. If you have three Cookbooks and Tempus, you might want one custom merge group that combines Situations from two of the Cookbooks, and another custom merge group that combines Situations from the third Cookbook and Tempus.
In addition to the alert threshold in a merge group, you can also set an alert threshold in Tempus (via the Graze API) and in Cookbook Recipes (using the Moogsoft Onprem UI or the Graze API). When a clustering algorithm considers whether or not to cluster alerts into a Situation, it compares the alert threshold in the merge group with the alert threshold in the clustering algorithm. The higher of the two values determines how many alerts are required to create a Situation.
See Configure Merge Groups for information on how to configure default and custom merge groups.
See Field Behavior in Merged Situations for details of the behavior of individual fields in Situations which are merged.
Default merge group
If you do not create any custom merge groups, all of the clustering algorithms use the default merge group settings.
The default merge group has a Situation similarity threshold of 0.7. This means that Moogsoft Onprem merges two Situations if they have at least 70% of the same alerts. The default merge group has an alert threshold of 1, meaning that the clustering algorithms will create Situations containing a single alert. You must use the Graze API endpoint updateDefaultMergeGroup if you want to change these values.
Custom merge groups
Custom merge groups only affect Situations created by the specified clustering algorithms. They do not merge Situations created by clustering algorithms outside their own merge group.
You can configure custom merge groups in the Moogsoft Onprem UI or using the Graze API.
Moogsoft Onprem provides a Cookbook called "Default Cookbook" and a custom merge group also called "Default Cookbook". This merge group has a similarity threshold of 0.8 and an alert threshold of 1. You can change the similarity threshold in the Moogsoft Onprem UI. You must use the Graze API if you want to change the alert threshold for this custom merge group. You can also delete this custom merge group using the Graze API if you do not want to use it.
Example
You have defined the following clustering algorithms:
Tempus algorithm that clusters alerts that arrive in Moogsoft Onprem at a similar time.
Cookbook 1 with three Recipes; one Recipe clusters alerts on 'Description', another Recipe clusters alerts on 'Host', and the third Recipe clusters alerts with a 'Severity' of Critical (5).
Cookbook 2 with a single Recipe that clusters alerts on 'Impacted Services'.
Cookbook 3 with a single Recipe that creates Situations containing a single alert with a high entropy value.
If you use the default merge group only, all the Situations created by all these clustering algorithms are merged if they meet the alert threshold and Situation similarity threshold criteria. If you want more granular control of the merge behavior, you can create the following custom merge groups:
Custom merge group 1 - Cookbooks 1 and 2: Merges clusters created by Cookbook 1 and Cookbook 2 if they meet the following criteria:
Alert threshold = null, so it uses the default merge group value of 1. If you create a custom merge group in the UI, the alert threshold is set to null so it automatically uses the default merge group value.
Situation similarity threshold = 80%, so it will only merge clusters from Cookbook 1 and Cookbook 2 if they have 80% or more of the same alerts.
Custom merge group 2 - Cookbook 3: You want to keep these Situations with a single alert separate so you configure this merge group as follows:
Alert threshold = 1, so a single alert clusters into a Situation. Use the Graze API endpoint updateMergeGroup to change this value.
Situation similarity threshold = 100%, so unless the alerts in two Situations are identical, the Situations will not be merged.
You do not create a custom merge group for Tempus so it will use the default merge group values of:
Alert threshold = 1.
Situation similarity threshold = 70%.
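The rules from this example can be modeled in a few lines. This is an added illustration, not Moogsoft code: the function and dictionary names are hypothetical, the alert IDs are constructed, and the similarity measure (shared alerts divided by the size of the larger Situation) is an assumption chosen so that a threshold of 100% means identical alert sets.

```python
# Illustrative model of the merge-group rules on this page (not Moogsoft code).
DEFAULT_GROUP = {"alert_threshold": 1, "similarity": 0.7}

# Custom merge groups from the example; None means "use the default value".
CUSTOM_GROUPS = {
    "group1": {"algorithms": {"Cookbook 1", "Cookbook 2"},
               "alert_threshold": None, "similarity": 0.8},
    "group2": {"algorithms": {"Cookbook 3"},
               "alert_threshold": 1, "similarity": 1.0},
}

def group_for(algorithm):
    """Return (name, settings) of the merge group governing an algorithm."""
    for name, group in CUSTOM_GROUPS.items():
        if algorithm in group["algorithms"]:
            return name, group
    return "default", DEFAULT_GROUP  # e.g. Tempus in the example

def effective_alert_threshold(algorithm, algorithm_threshold=None):
    """Higher of the merge group's and the algorithm's own alert threshold."""
    _, group = group_for(algorithm)
    group_value = group["alert_threshold"]
    if group_value is None:  # null falls back to the default merge group
        group_value = DEFAULT_GROUP["alert_threshold"]
    return max(group_value, algorithm_threshold or 0)

def should_merge(alg_a, alerts_a, alg_b, alerts_b):
    """Decide whether two Situations (sets of alert IDs) are merged."""
    name_a, group = group_for(alg_a)
    name_b, _ = group_for(alg_b)
    if name_a != name_b or not alerts_a or not alerts_b:
        return False  # different merge groups never merge
    # Assumed measure: shared alerts / size of the larger Situation.
    shared = len(alerts_a & alerts_b) / max(len(alerts_a), len(alerts_b))
    return shared >= group["similarity"]

if __name__ == "__main__":
    # Constructed alert IDs: 4 of 5 alerts shared meets the 80% threshold.
    print(should_merge("Cookbook 1", {1, 2, 3, 4, 5}, "Cookbook 2", {1, 2, 3, 4}))
    # A Recipe-level threshold of 3 overrides the merge group's value of 1.
    print(effective_alert_threshold("Cookbook 1", 3))
```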