updateTempus

A Graze API POST request that updates an existing Tempus Moolet.

Request arguments

Endpoint updateTempus takes the following request arguments. You must supply the name of the Tempus algorithm plus at least one other argument that you want to change.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| auth_token | String | Yes | A valid auth_token returned from the authenticate request. Alternatively, basic authenticate headers can be used in place of this parameter. See the authenticate endpoint for more information and usage examples. |
| name | String | Yes | Name of the Tempus algorithm. Must be unique. |
| description | String | No | Description of the Situations Tempus generates. |
| entropy_threshold | Number | No | Minimum entropy value for an alert to be clustered into a Situation. Tempus does not cluster any alerts with an entropy value below the threshold into Situations. |
| threshold_type | String | No | |
| execution_interval | Number | No | Executes Tempus after a defined number of seconds. |
| window_size | Number | No | Determines the length of time over which Tempus analyzes alerts and clusters them into a Situation each time it runs. |
| bucket_size | Number | No | Determines the time span of each bucket in which alerts are captured. Default bucket size is 5 seconds. |
| minimum_arrival_similarity | Number | No | How similar alerts must be to be considered for clustering. |
| alert_threshold | Number | No | Minimum number of alerts that match the clustering criteria before the Tempus algorithm creates a Situation. When Tempus determines the number of alerts required to create a Situation, it compares the alert threshold values in Tempus and in the merge group that Tempus belongs to, and it uses the higher value. If you are using the default merge group, which has an alert threshold of 2, Tempus will never create a Situation containing a single alert. If you want Moogsoft Onprem to create Situations with a single alert, consider changing the alert threshold in the default merge group to 1 or creating custom merge groups. See Merge Groups for more information on updating the default merge group and setting up custom merge groups. |
| process_output_of | List | Yes | Defines the source of the alerts that Tempus processes. You can specify none, one or more Moolets. Typically Tempus processes the output of its direct upstream neighbor in the processing chain. Usually this is "Alert Workflows", the output from the Alert Workflow Engine. |
| run_on_startup | Boolean | No | Whether this Tempus algorithm should start when Moogfarmd starts. |
| partition_by | String | No | Splits clustering according to the entered component. After alerts have been clustered and before they enter merging and resolution, you can split clusters into sub-clusters based on a component of the events. For example, you can use the manager parameter to ensure that Situations only contain events from the same manager. Note: Moogsoft does not recommend partitioning by components. |
| pre_partition | Boolean | No | Partitions event streams before clustering. You specify a component field on which the event stream will be partitioned before clustering occurs. The alerts in the resulting Situations each contain a single value for the component field chosen. |
| significance_test | String | No | Calculation that determines how significant a cluster of alerts or a potential Situation must be for Tempus to detect it. Poisson1 looks at the data of a single alert cluster to calculate how significant it is. It is more likely to detect all significant alert clusters but with a higher risk of creating insignificant alert clusters. Use this option when your alerts originate from different networks or unrelated topologies. Poisson2 is a more thorough test that looks at an alert cluster and all alerts outside the cluster with a similar event rate. It is more likely to exclude all insignificant alert clusters but with a high risk of excluding significant alert clusters. Use this option if you expect all of your alerts to come from the same connected network. See Poisson distribution for more information. |
| significance_threshold | Number | No | Sets the maximum significance score for Tempus to create a Situation. The score is proportional to the probability that the alert cluster or potential Situation was coincidence. The lower the score, the more significant the cluster and the less likely it was a coincidence. This score ranges from 0 to 100. |
| detection_algorithm | String | No | Detection algorithm that Tempus uses, one of: Louvain, LouvainMulti, or SmartLocal. |

Response

Endpoint updateTempus returns the following response:

This endpoint returns an error code if the values of entropy_threshold and threshold_type are inconsistent, for example if entropy_threshold is set to 0.4 and threshold_type is set to global.

Examples

The following examples demonstrate typical use of endpoint updateTempus:

Request examples

Example cURL request to update the detection algorithm on Tempus algorithm 'newTempus':

curl -X POST -u graze:graze -k "https://localhost/graze/v1/updateTempus" -H "Content-Type: application/json; charset=UTF-8" --data \
'{
"name": "newTempus",
"detection_algorithm": "LouvainMulti"
}'

Example cURL request to update Tempus algorithm 'newTempus' to use the global entropy threshold in Moogsoft Onprem:

curl -X POST -u graze:graze -k "https://localhost/graze/v1/updateTempus" -H "Content-Type: application/json; charset=UTF-8" --data \
'{
"name": "newTempus",
"threshold_type": "global"
}'

Example cURL request to update Tempus algorithm 'newTempus' to use an explicit entropy threshold of 0.22:

curl -X POST -u graze:graze -k "https://localhost/graze/v1/updateTempus" -H "Content-Type: application/json; charset=UTF-8" --data \
'{
"name": "newTempus",
"entropy_threshold": 0.22,
"threshold_type": "explicit_value"
}'
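
A client-side pre-flight check for the rules this page states (name plus at least one other argument, the listed detection_algorithm and significance_test values, the 0 to 100 range of significance_threshold, and the entropy_threshold/threshold_type inconsistency), followed by the same POST built with basic authenticate headers. This is an added example, not Moogsoft code: the function names are hypothetical, and send() verifies the server certificate rather than skipping verification as the -k flag in the cURL examples does.

```python
import base64
import json
import ssl
import urllib.request

# Added example: helper names are illustrative; argument names come from the table above.
NUMBERS = ("entropy_threshold", "execution_interval", "window_size", "bucket_size",
           "minimum_arrival_similarity", "alert_threshold", "significance_threshold")
STRINGS = ("description", "threshold_type", "partition_by", "significance_test",
           "detection_algorithm")
ARG_TYPES = {**dict.fromkeys(NUMBERS, (int, float)), **dict.fromkeys(STRINGS, str),
             "process_output_of": list, "run_on_startup": bool, "pre_partition": bool}
ALLOWED = {"detection_algorithm": {"Louvain", "LouvainMulti", "SmartLocal"},
           "significance_test": {"Poisson1", "Poisson2"}}

def validate_update(name, **changes):
    """Return the JSON-ready payload, or raise ValueError describing the problem."""
    if not isinstance(name, str) or not name:
        raise ValueError("name is required")
    if not changes:
        raise ValueError("supply at least one argument to change")
    for key, value in changes.items():
        if key not in ARG_TYPES:
            raise ValueError(f"unknown argument: {key}")
        kind = ARG_TYPES[key]  # bool is an int subclass, so test it explicitly
        if isinstance(value, bool) != (kind is bool) or not isinstance(value, kind):
            raise ValueError(f"wrong type for {key}")
        if key in ALLOWED and value not in ALLOWED[key]:
            raise ValueError(f"{key} must be one of {sorted(ALLOWED[key])}")
    if changes.get("threshold_type") == "global" and "entropy_threshold" in changes:
        raise ValueError("entropy_threshold is inconsistent with threshold_type global")
    if not 0 <= changes.get("significance_threshold", 0) <= 100:
        raise ValueError("significance_threshold must be between 0 and 100")
    return {"name": name, **changes}

def build_request(base_url, user, password, payload):
    """Build the POST with basic authenticate headers; nothing is sent here."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/graze/v1/updateTempus",
        data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json; charset=UTF-8",
                 "Authorization": f"Basic {token}"})

def send(request, ca_file=None):
    """Send the request with TLS certificate verification enabled."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context) as response:
        return response.status, response.read().decode("utf-8")
```

Pass ca_file when the server uses a certificate issued by a private CA, so verification can stay on.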

Response example