Correlation API Object

Here are two correlation definition examples. "Similar Sources" is the default correlation definition, which is why it has no created_by value.

      {
         "name":"Similar Sources",
         "scope":"",
         "uuid":"f209224e-3c66-4c28-a504-0198b664a526",
         "fields_to_correlate":{
            "source":0.45
         },
         "correlation_time_period":900,
         "incident_description":"unique_count(source) Source: unique(source,3) Affected unique(service,3) unique(class,3)",
         "created_by":null,
         "alert_threshold":1,
         "group_id":"b89927dd-4ef3-4a71-8073-bd16f6348170"
      },
      {
         "name":"Test Correlation",
         "scope":"class = Application",
         "uuid":"ac564b2d-737c-4fe4-91fd-63742ae8b8c8",
         "fields_to_correlate":{
            "description":1.0,
            "manager_id":1.0,
            "source":1.0
         },
         "correlation_time_period":1800,
         "incident_description":"This is a filtered correlation definition",
         "created_by":"[email protected]",
         "alert_threshold":1,
         "group_id":"b89927dd-4ef3-4a71-8073-bd16f6348170"
      }

alert_threshold
correlation_time_period
created_by
fields_to_correlate
group_id
incident_description
name
scope
uuid

alert_threshold

integer

The minimum number of alerts necessary to create an incident.

⬆ Correlation fields

correlation_time_period

integer (seconds)

The time period for clustering similar alerts into the same incident. The timer starts when the incident is created. When the correlation period ends, Moogsoft correlates alerts into a new incident.

The correlation engine auto-extends an incident's correlation period if it adds alerts near the end of the specified period. See Correlation Time Period.

⬆ Correlation fields

created_by

string (email address)

The email address of the Moogsoft Cloud user who created the correlation definition.

⬆ Correlation fields

fields_to_correlate

JSON object

The set of alert fields and tags to consider for correlation, and the similarity required for a match between an alert and an incident. Two alerts are considered correlated if all the fields and tags in the definition meet the specified degree of similarity.

This object specifies field names as strings and similarities (from 0.0 to 1.0) as floats. For example:{"field_1" : 0.9, "field_2" : 0.5}

See Alert field similarity.

⬆ Correlation fields

group_id

string

The internal identifier for the correlation group to which the correlation definition applies.

⬆ Correlation fields

incident_description

string

You can specify incident descriptions and fields dynamically, based on the alert data in each incident. See Incident description.

⬆ Correlation fields

name

string

The correlation name. Must be unique.

⬆ Correlation fields

scope

string

An optional alert filter if you want to apply the correlation to certain alerts only.

⬆ Correlation fields

uuid

string

The unique identifier which you can use to fetch, update, or delete a specific correlation definition.

⬆ Correlation fields