Manage Alert Correlation
Correlation patterns can be customized to fit the needs of your organization.
At its core, BigPanda's Algorithmic Correlation relies on pattern recognition. A pre-configured list of patterns is matched against alerts to identify alert clusters in real-time. To classify alerts into incidents, BigPanda looks at 4 properties:
- Source System
- Tags
- Time Window
- Filter (optional)
For example, you can create a pattern to correlate AppDynamics alerts with the same application, starting within 30 minutes of one another, in the production cluster.
If multiple correlation patterns match an incident, the pattern with the longest time window is the one that appears in the UI.
You can customize correlation patterns to tailor alert correlation to the specifics of your infrastructure. Correlation patterns are managed from the Correlation Patterns settings page.
Relevant Permissions
Roles with the following permissions can access Custom Tags and Correlation Patterns in the BigPanda Settings:
| Role Name | Description |
|---|---|
Custom_Tags_Read | Read-only - view existing custom tags in the BigPanda Settings. |
Custom_Tags_Full_Access | Full access - preview and create new and inactive Extraction and Composition tags in the BigPanda Settings. |
Correlations_Read | Read-only - view existing correlation patterns in the BigPanda Settings. |
Correlations_Full_Access | Full access - preview and create new correlation patterns in the BigPanda Settings. |
To learn more about how BigPanda's permissions work, see the Roles Management documentation.
Creating New Correlation Patterns
You can create new correlation patterns at any time. Once activated the correlation patterns will automatically begin correlating new alerts.
When you create or edit a correlation pattern or activate a previously disabled pattern, only new incidents will be correlated according to the pattern. Existing incidents and alerts will not be impacted. When you disable or delete a pattern, new alerts are no longer correlated according to it. However, existing incidents stay correlated according to the pattern logic for the remaining life cycle of the incident
To create a new correlation pattern:
- Navigate to Settings > Alert Correlation.
- Click New Pattern.
- Define the conditions that indicate the alerts are related.
Correlation Pattern Editor
| Field | Description |
|---|---|
| Source Systems | One or more integrated monitoring systems for which this pattern applies. |
| Enable cross source correlation | Option to correlate alerts from different source systems into the same incident. This option applies only if you select more than one source system for the pattern. Select the check box to correlate alerts from different source systems into the same incident, when applicable. Clear the check box to correlate only alerts from the same source into the same incident. The pattern still applies to every alert from every selected source, but will create different incidents for each source. |
| Correlation tags | Tag names to correlate alerts with matching values. For example, enter cluster and check to correlate all alerts that come from the same cluster and have the same check.You can enter up to five tags. The tags can be entered in any order. |
| Time Window | Maximum duration between the start time of correlated alerts in minutes. You can select a time window from 1 minute up to 4320 minutes (3 days). |
| Query Filter | (Optional) Query that further refines which alerts are correlated. Queries use BigPanda Query Language (BPQL) to filter alerts by alert tag data. For example, you can specify a tag of datacenter and then enter a query of check=ping to correlate only ping alerts by datacenter. When using the query filter, the Query Assist feature is available to help you build a query. See Query Assist for more information. |
| Note | (Optional) Short description of the pattern. E.g., a note that explains why the pattern is important and how it works. |
| Create As Inactive | Option to save the pattern definition without affecting your BigPanda instance. Select the check box to create the correlation pattern but not begin correlating alerts according to the pattern. Clear the checkbox to begin correlating new alerts according to the pattern immediately after it is created. |
Correlation Time Window
The correlation time window applies to the first event for a new alert. Alerts are correlated into the same incident only if their first event falls within the same time window (that is, they started around the same time).
- Click Create Pattern.
If more than one pattern matches an incident, the incident title is based on the pattern with the largest time window.
The Preview Pane
The Preview pane appears to the right of the Correlation Pattern editor and displays the effects this correlation pattern would have had. The Preview pane uses real historical data in BigPanda without affecting any live data.
The preview displays detailed information for up to 50 incidents that match the correlation pattern within a selected time frame. It correlates alerts from incidents that have been updated in the last 7 days and can be refreshed to update with real-time incoming events.
The Preview pane allows you to evaluate the correlation results for:
- Effectiveness—review the compression rate to see the percentage of alerts that are correlated into incidents. If a pattern is not as effective as it used to be, you may need to optimize the pattern to account for infrastructure changes.
- Accuracy—review how actual alerts would have been correlated into incidents according to this pattern. Confirm that alerts in each incident are related to the same problem.
Use the Preview pane to refine and adjust correlation patterns as you create or edit them.
Correlation Pattern Preview Pane
As you make adjustments to the correlation pattern settings, click Refresh to update the Preview pane to reflect the changes.
To the right, adjust the date range to see the impact the correlation pattern would have had on older alerts, or in a broader time window. The default time window is the past 48 hours.
Manage Alert Correlation
You can edit, duplicate, temporarily deactivate, or permanently delete each alert correlation pattern you created. You can filter the list of alert correlation patterns by entering a search term in the field above the list. Or, by using predefined filtering by correlation tag, source, and status.
Searching and Filtering Correlation Patterns
By default, the correlation patterns list is sorted by most recently created or edited pattern. You are able to search and filter the pattern list to make managing your patterns easier.
Enter a term into the search bar to look for correlation patterns with specific names and properties. For example, enter Nagios to see all of the correlation patterns that have Nagios included as a source system.
The filter dropdowns beneath the search allow you to further hone the correlation patterns list. Filter by Correlation Tag, Source, or Status by selecting options from the dropdown lists. To remove your filter settings, click Clear.
Analytics Insights
In the right pane, you can view data related to the selected correlation pattern. Information about Source System, Cross Source Settings, and Time Window are shown.
Deeper analytics into the effectiveness of your correlation patterns are available in the Correlation Patterns Insights dashboard. Click View Full Dashboard or navigate to Unified Analytics > Correlation Pattern Insights to open up the detailed reports. See Correlation Patterns Insights for more information.
Recent Activity
Edits to correlation patterns are tracked in the BigPanda Audit Log.
To manage alert correlation patterns:
- Navigate to Settings > Alert Correlation. A list of existing alert correlation patterns appears.
- Select the alert correlation pattern you wish to edit, activate/deactivate, or delete.
- Use any of the following options to modify the alert correlation pattern:
| Option | Description |
|---|---|
| Edit | Edit a correlation pattern at any time to adjust which alerts will be clustered together. a. Click the Pencil icon or click Edit Pattern Details in the details pane. b. In the Correlation Pattern editor, adjust the properties to fit your needs. c. Click Update pattern to apply the changes. If a pattern is saved as Active, new alerts will be correlated by the pattern. Open incidents will be correlated by the original pattern that formed the initial incident. |
| Duplicate | Duplicate a pattern to use a previously created pattern as a template for a new pattern. a. Click the Copy icon. b. Adjust the pattern as necessary to fit the new properties. The system will not allow duplicate patterns and will trigger an error message if you try to save the pattern while it is identical to any other pattern in the system. c. Click Duplicate Pattern when you are happy with the changes. |
| Active or Deactivate | Inactivating a correlation pattern stops BigPanda from using that correlation pattern to cluster alerts together, but still preserves the pattern if you would like to turn it on again. Inactivating a correlation pattern is common when you are researching which adjustments need to be made, or when you are unsure if a correlation pattern is adding meaningful correlation. Using the toggle button, select Active or Deactivate. |
| Delete | Delete a correlation pattern when you are sure that it no longer applies to your infrastructure or process. A deleted correlation pattern cannot be recovered. a. Click the Trash icon. b. Click Delete to confirm, or Cancel to return to the previous page. New incidents will not be correlated by the deleted pattern, but existing incidents will continue to use the correlation pattern that they were created under. |
Suggested Correlation Patterns
In general, correlation patterns are managed by Administrators and the BigPanda Customer Success team. BigPanda's machine learning engine will also automatically generate correlation pattern suggestions based on historical user data. Upon the integration of a monitoring tool, the review process begins and automatically generated patterns will be suggested in the correlation patterns list.
Suggested Correlation Pattern Flag
Suggested patterns are highlighted with the purple Suggested label and by default are not active. You are able to edit, activate, duplicate, and delete a suggested correlation pattern like any other correlation pattern, but they will always be marked as system recommended.
To activate a suggested pattern:
- Navigate to Settings > Alert Correlation.
- From the list of correlation patterns, select the suggested pattern that should be activated.
- To activate the pattern, click the Active toggle icon in the pattern details pane. The toggle will turn green.
New incoming alerts will be clustered by the correlation pattern.
Next Steps
Learn more about Alert Correlation Logic
Dig into Managing Incident Enrichment
Learn more about Navigating the Settings Menu
Updated 3 days ago