Announcement
We are pleased to announce a feature which is new to IBM Cloud Pak for AIOps in release 4.9.1: configurable time windows for topological alert correlation.
Background
AIOps uses a topology correlation policy to allow alerts to be correlated in the alert viewer based on their topological context: alerts whose related resources are members of the same topology resource group will be correlated together in the alert list. This allows operators to easily see that those alerts are likely to share a common cause.
In AIOps 4.9.0 and earlier, this topology correlation policy uses a default and non-editable rolling time window of 15 minutes. Depending on the nature of the topology in question, this could potentially result in one of two problems:
- If a 15-minute time window is too short, the correlation might not capture all of the alerts which are relevant to a single problem or root cause, and could also result in too many alert groups appearing
- If a 15-minute time window is too long, the correlation might capture too many alerts and lead to extremely large and difficult-to-use alert groups
With AIOps 4.9.1, these problems are resolved by allowing administrators to configure the size and behaviour of the correlation time windows for their topological groups.
How it works
The topological groupings which are used to correlate alerts can be either resource groups, or applications/services. In AIOps 4.9.1, correlation time window parameters can now be specified when defining these in the topology administration pages.
Configuring correlation for topology resource groups
When creating or editing a resource group template, in addition to the normal "correlation enabled" toggle, the admin user is now also presented with time window fields, as shown here:
If topological correlation is enabled for the groups that will be created from the template, then two time window fields will be shown:
Time window length (seconds)
This is the duration of the correlation time window that should be used when correlating alerts against groups that are created from the template. The value defaults to 900 seconds, which matches the 15-minute default that would have been used in AIOps 4.9.0 and earlier, but the user can change this to a higher or lower value, based on the nature of their topology.
Time window type
This is the type of correlation time window that should be used when correlating alerts against groups that are created from the template; it can be set to "Fixed" or "Rolling".
With a fixed time window, the topological correlation starts when the first relevant alert is received, and ends after exactly the number of seconds specified in the "time window length" field. Any alerts for the same resource group which appear after that time interval will form part of a new alert group, and will not be correlated with the earlier alerts.
With a rolling time window, the topological correlation again starts when the first relevant alert is received, but the end of the correlation is not fixed. Even after the specified time window duration has passed, further alerts will still be included in the same alert group, and this will only stop once no relevant alerts have been received within the specified duration. For example, with a time window length of 5 minutes, all new alerts which relate to that topology resource group will be added to the same alert group, until 5 minutes passes without any further relevant alerts, at which point the correlation will end and the alert group will stop growing.
Configuring correlation for applications/services
When creating or editing the definition of an application or service from the AIOps resource management page, the administrator now has the ability to toggle alert correlation on or off for that application/service. For an application/service where correlation is enabled, the user can then provide correlation time window configuration just like that described above. This is how the correlation fields appear in the application/service definition page:
Viewing the results of topological alert correlation
Once your topology resource groups have been created via the resource group templates, or your applications or services have been defined, alert correlation will begin to do its job as alerts get created in the system. The image below shows an example of an alert viewer where some alerts have been grouped due to topological correlation.
In summary
Topological correlation, and the resulting creation and maintenance of alert groups is now more configurable from AIOps 4.9.1. This allows administrators to carefully tailor the correlation to the nature of their data and the systems they are monitoring, thus avoiding the creation of overly large alert groups, or the creation of too many smaller alert groups. This can help users with the management of their alerts, and should improve the value that they get from alert correlation.