Correlation Definition schema
{
  "name": "US incidents by service",
  "scope": "location in [us-west-1, us-east-1]",
  "uuid": "dbd6168d-c96f-4d0e-b84c-eaf3a42f8c5e",
  "fields_to_correlate": {
    "service": 0.4
  },
  "correlation_time_period": 900,
  "incident_description": "unique(service) issue in unique(location)"
}
correlation_time_period (integer, seconds)
    The time period for clustering similar alerts into the same incident. The timer starts when the incident is created. When the correlation period ends, Moogsoft correlates subsequent alerts into a new incident.
    The correlation engine auto-extends an incident's correlation period if it adds alerts near the end of the specified period. See Correlation Time Period.

fields_to_correlate (JSON object)
    The set of alert fields and tags to consider for correlation, and the similarity required for a match between an alert and an incident. Two alerts are considered correlated only if every field and tag in the definition meets its specified degree of similarity.
    This object specifies field names as strings and similarities (from 0.0 to 1.0) as floats. For example: {"field_1": 0.9, "field_2": 0.5}

incident_description (string)
    You can specify incident descriptions and fields dynamically, based on the alert data in each incident. See Incident description.

name (string)
    The correlation name. Must be unique.

scope (string)
    An optional alert filter if you want to apply the correlation to certain alerts only. To define a filter, go to the Alerts table in the UI and do a search using the smart look-ahead feature.

uuid (string)
    The UUID of the definition. Use it to fetch, update, or delete a specific correlation definition.
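As an added example (not Moogsoft's own code or API), the following Python parses the definition above from JSON, validates it against the field rules in this section, and runs a toy correlation loop that applies fields_to_correlate and correlation_time_period to a few constructed alerts. The similarity metric (difflib's ratio), the comparison of a new alert against the incident's first alert, and the 60-second auto-extension window are assumptions of this example; the page does not specify how Moogsoft computes similarity or decides what "near the end" means.

```python
import json
import uuid
from difflib import SequenceMatcher

# Constructed copy of the definition shown on this page, as valid JSON.
EXAMPLE_DEFINITION_JSON = """
{
  "name": "US incidents by service",
  "scope": "location in [us-west-1, us-east-1]",
  "uuid": "dbd6168d-c96f-4d0e-b84c-eaf3a42f8c5e",
  "fields_to_correlate": {"service": 0.4},
  "correlation_time_period": 900,
  "incident_description": "unique(service) issue in unique(location)"
}
"""
EXAMPLE_DEFINITION = json.loads(EXAMPLE_DEFINITION_JSON)


def validate_definition(definition):
    """Return a list of problems; an empty list means the definition is acceptable.

    Checks follow the field descriptions in this section: name is a required
    string, correlation_time_period is an integer number of seconds,
    fields_to_correlate maps field names to similarities from 0.0 to 1.0, and
    scope, uuid and incident_description are strings when present.
    """
    errors = []
    if not isinstance(definition, dict):
        return ["definition must be a JSON object"]
    name = definition.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name: a non-empty string is required")
    period = definition.get("correlation_time_period")
    if isinstance(period, bool) or not isinstance(period, int) or period <= 0:
        errors.append("correlation_time_period: a positive integer (seconds) is required")
    fields = definition.get("fields_to_correlate")
    if not isinstance(fields, dict) or not fields:
        errors.append("fields_to_correlate: a non-empty JSON object is required")
    else:
        for field, sim in fields.items():
            if not isinstance(field, str) or not field:
                errors.append("fields_to_correlate: field names must be non-empty strings")
            if isinstance(sim, bool) or not isinstance(sim, (int, float)) or not 0.0 <= sim <= 1.0:
                errors.append(f"fields_to_correlate[{field!r}]: similarity must be from 0.0 to 1.0")
    for key in ("scope", "uuid", "incident_description"):
        if key in definition and not isinstance(definition[key], str):
            errors.append(f"{key}: must be a string when present")
    if isinstance(definition.get("uuid"), str):
        try:
            uuid.UUID(definition["uuid"])
        except ValueError:
            errors.append("uuid: not a valid UUID")
    return errors


def similarity(a, b):
    """Assumed metric: difflib's ratio over the string forms of the two values."""
    return SequenceMatcher(None, str(a), str(b)).ratio()


def correlate(alerts, definition, extend_window=60):
    """Cluster alerts (dicts with a 'timestamp' in seconds plus alert fields).

    An alert joins the first open incident whose founding alert matches on
    every configured field at or above its similarity threshold; otherwise it
    opens a new incident with a timer of correlation_time_period seconds.
    Assumption: a match within extend_window seconds of the timer's end
    restarts the timer, standing in for the auto-extension described above.
    """
    period = definition["correlation_time_period"]
    fields = definition["fields_to_correlate"]
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        now = alert["timestamp"]
        for inc in incidents:
            if now > inc["expires"]:
                continue  # correlation period over: this incident takes no more alerts
            first = inc["alerts"][0]
            if all(similarity(alert.get(f), first.get(f)) >= thr for f, thr in fields.items()):
                inc["alerts"].append(alert)
                if inc["expires"] - now <= extend_window:
                    inc["expires"] = now + period
                break
        else:
            incidents.append({"alerts": [alert], "expires": now + period})
    return incidents


# Constructed alerts: two similar ones inside the period, an unrelated one, and
# a similar one arriving after the first incident's 900 s period has elapsed.
SAMPLE_ALERTS = [
    {"timestamp": 0, "service": "payments", "location": "us-west-1"},
    {"timestamp": 100, "service": "payments", "location": "us-east-1"},
    {"timestamp": 200, "service": "db", "location": "us-west-1"},
    {"timestamp": 1000, "service": "payments", "location": "us-west-1"},
]

# Constructed alerts exercising the assumed auto-extension: the second alert
# lands 50 s before the timer ends, so the third (at 1200 s) still joins.
EXTENSION_ALERTS = [
    {"timestamp": 0, "service": "payments", "location": "us-west-1"},
    {"timestamp": 850, "service": "payments", "location": "us-west-1"},
    {"timestamp": 1200, "service": "payments", "location": "us-east-1"},
]

if __name__ == "__main__":
    print("validation errors:", validate_definition(EXAMPLE_DEFINITION))
    for i, inc in enumerate(correlate(SAMPLE_ALERTS, EXAMPLE_DEFINITION), 1):
        print(f"incident {i}: alerts at {[a['timestamp'] for a in inc['alerts']]}")
```

Running the script reports no validation errors for the page's definition and three incidents for SAMPLE_ALERTS: the two "payments" alerts at 0 s and 100 s share one incident, "db" opens a second, and the "payments" alert at 1000 s opens a third because the first incident's 900-second period has already ended.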