Correlation Patterns Run Order
Limited Availability
This feature is available in a limited release. If you are interested in enabling this functionality for your organization, contact your BigPanda account team.
BigPanda’s correlation engine matches incoming alerts to correlation patterns in a specific order. By default, this order is based on the time window of the correlation pattern, from largest time window to shortest. To learn more, refer to Creating Correlation Patterns.
However, there are scenarios where patterns with shorter time windows should be prioritized. For example, a data center outage is a high priority incident, but will likely have a shorter time window setting to prevent over-correlating.
Edit Pattern Order
To access the run order for correlation patterns, click the bidirectional arrow icon to the right of the correlation pattern search bar.
Access run order on the Alert Correlation screen
This will open a list of all your correlation patterns, both active and inactive. This list will also show you the time window for each correlation pattern, as well as the source system(s) and any filters.
Edit the pattern execution order
In this window, drag and drop correlation patterns to arrange them in the desired order. Once you save the new order, it will immediately be applied to all new alerts.
To reset the correlation pattern order, simply click **Reorder by time window** in the upper right corner of the window. The run order for all correlation patterns will be sorted from longest time window to shortest.
Learn more about correlation patterns in Manage Alert Correlation.
Correlation Patterns Run Order API Support
Correlation Pattern Run Order can be managed with the Correlation Patterns APIusing two new endpoints and the new execution-order field.
Limited Availability
This feature is available in a limited release. If you are interested in enabling this functionality for your organization, contact your BigPanda account team.
There are three changes to the Correlation Patterns API:
Retrieve a Correlation Pattern by ID now returns the execution_order field as part of its payload.
Update Correlation Patterns Order is a new endpoint that allows you to set the run order for specific correlation patterns via API.
Reset Correlation Patterns Order is a new endpoint that allows you to set all correlation patterns to run in order from largest time window to smallest.
Partial ordering
If you use the API to update the order of a partial set of your correlation patterns, the updated correlation patterns will be moved to the top of the run order. For example, if you have a list of seven correlation patterns and you only update the run order for three of them, those three will become the first three patterns to run.
New Field for Correlation Patterns Run Order
Attribute | Description | Type |
|---|---|---|
| The field to identify the correlation pattern order. For GET calls: Returned as a single integer as part of the correlation pattern object. For PUT calls: An array of correlation pattern ids in order by desired run order. | String or Integer |
Example Return for Retrieve a Correlation Pattern by ID
"item": [
{
"id": "393968c0-43ee-431b-9234-6cefe812ebd9",
"active": false,
"tags": [
"dc"
],
"cross_source": false,
"time_window": 120,
"filter": "source_system IN [ \"*\" ]",
"created_by": "63bd568977a8d60012bf3dbe",
"created_at": 1673374612,
"updated_by": "63bd568977a8d60012bf3dbe",
"updated_at": 1675360021,
"source_systems": [
"*"
],
"execution_order": 1
},Example Update Correlation Pattern Order
{
"execution_order":
[
"6646dd33-bce3-4af0-861b-5271897e5ac4",
"c1e8a9cc-8bbb-4fd3-8dec-c55eafd3d447",
"393968c0-43ee-431b-9234-6cefe812ebd9"
]
}