Correlation Recommendations

The cfxOIA correlation engine can learn and provide new correlation recommendations using unsupervised ML clustering on historical alert data. OIA provides these recommendations as a list of problems or symptoms, each identified as a cluster, that are relatable in the customer's environment. It also provides a confidence score (%) indicating the level of similarity of the messages in each cluster: the higher the confidence score, the more similar the messages are. Admins can generate the recommendations on demand by running ML experiments on historical alert data from a selected time period, for example the past 3 months or past 6 months. An upcoming feature is the ability to schedule the ML experiments to run on a periodic or ongoing basis. The clustering process first devariablizes the alert data, i.e. removes all variables, identities, etc. from the alert messages, and tries to arrive at the core message that each alert represents. For example, given multiple alert messages such as

user john.doe not able to login to cms1.acme.local
user mark.scott unable to open login into portal cms1.acme.local
user lucy.lu complaining of login failure cms1.acme.local

the real issue is "unable to login" and not the user who complained. OIA gets to the real symptom by devariablizing the messages and then running the DBSCAN and HDBSCAN clustering algorithms to come up with a set of symptom or problem clusters found in the data.

Administrators can review new clustering recommendations by browsing through the list of symptom clusters, selecting a symptom cluster, and creating a correlation policy out of it. This process can be repeated for other clusters. Admins can also rename symptom clusters, giving each cluster an appropriate name based on the messages it contains, for example "Device not reachable", "Batch job failure", "Duplicate IP", "Disk Fragmentation high", etc.
