Viewing alert sequence clusters
The Alert Sequence Clusters window provides details of the alert sequences detected from the existing alert data and sequences related to an inference. The detected alert sequences are unmodified sequences fetched from the existing alert data.
Similar alert sequences are grouped together. The grouping provides a count that shows how many times alerts are triggered in a certain sequence.
The Alert Sequence Clusters window serves as a verification of ML correlation. For example, if ML (machine learning) correlates the alerts cpu.utilization and system.ping together, use the Alert Sequence Clusters window to find the sequences that have cpu.utilization and system.ping together.
Viewing alert sequences detected from the existing alert data
To view the alert sequences detected from existing alert data:
- From All Clients, select a client.
- Go to Setup > Alert Management > Alert Correlation.
- Click on an ML-based alert correlation policy.
Note: To easily identify an ML-based policy, check the status. The status is one of these: Training Started, Ready, and so on.
- From the Policy Definition field, click Detected alert sequence patterns in alert data.
The alert sequences displayed on the Alert Sequence Clusters window are the top alert sequences.
Expand an alert sequence to view the sub-sequence clusters.
Enter the required alert metric in the search box to fetch results of a particular alert sequence. The alert sequences that match the entered alert metric are highlighted in blue.
Viewing alert sequences related to inferences
To view alert sequences related to an inference:
- From All Clients, select Alerts and click on the required inference name.
- Click the Correlated Alerts tab.
- From the list of correlated alerts, click Show detected alert sequence patterns.
The Alert Sequence Clusters window appears.
Viewing ML status
Machine Learning (ML) status describes the various stages of machine learning implementation in a policy from analyzing a sequence to correlating alerts.
ML Status | Description |
---|---|
Insufficient data. The policy is temporarily disabled. | Due to insufficient data, the machine learning model cannot detect the alert sequences, and correlation does not happen. As a result, the policy is temporarily disabled. The policy becomes active when the machine learning model finds sufficient data. |
Training ML model is queued. To use, please wait for completion. | When a policy is created or a CSV file is uploaded to a policy, the training can be queued. If a policy is already in training, the new policy is queued. Once the training on the existing policy is complete, the status of the new policy moves to Training Initiated. |
Training ML model is initiated. To use, please wait for completion. | Training on the machine learning model is initiated. The status then moves to Training Started. |
Training ML model is started. To use, please wait for completion. | Training on the machine learning model is started. The progress of the training is visible on the progress bar. |
Training ML model is in progress. To use, please wait for completion. | Training on the ML model is in progress. The percentage of progress is shown in the progress bar. |
ML model training is complete and is ready to detect and correlate alerts. | |
ML training encountered an error. Please contact OpsRamp Support. | |
Viewing processed inferences
To view the number of inferences associated with a policy:
- From All Clients, select a client.
- Go to Setup > Alert Management > Alert Correlation and select the required policy.
- Click on the number in the Processed Inferences column to view the details of the inferences.
The list of processed inferences appears on the Alerts Browser page.
Alert correlation timing
The time gap allowed between adjacent alerts is 5 minutes. Only alerts that occur within a 5-minute interval of the adjacent alert are correlated.
If alerts are generated continuously, each within 5 minutes of the previous one, the overall time of a correlation can be much longer than 5 minutes. Take these example alerts:
- A1: 10:00
- A2: 10:04
- A3: 10:07
- A4: 10:14
A1, A2, A3 will be correlated, since the gap between adjacent alerts is less than 5 minutes. A4 is excluded since the gap between A4 and A3 is more than 5 minutes. In this example, the overall correlation time is 7 minutes.
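The adjacent-gap rule above can be reproduced offline to check which alerts fall into one correlation and how long the chain runs. This is an added illustration, not OpsRamp code: the function names are hypothetical, it models only the timing rule (not the ML sequence matching), and treating a gap of exactly 5 minutes as correlated is an assumption, because the page only covers gaps below and above 5 minutes.

```python
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=5)  # adjacent-alert gap stated on the page


def parse(hhmm):
    """Parse an HH:MM timestamp (format of the constructed samples)."""
    return datetime.strptime(hhmm, "%H:%M")


def correlate_by_gap(alerts, max_gap=MAX_GAP, inclusive=True):
    """Chain alerts whose gap to the previous alert is within max_gap.

    alerts: iterable of (name, datetime). Returns a list of groups,
    each a time-ordered list of (name, datetime).
    inclusive: assumption; whether a gap of exactly max_gap still chains.
    """
    groups = []
    for name, ts in sorted(alerts, key=lambda a: a[1]):
        if groups:
            gap = ts - groups[-1][-1][1]  # distance to last alert in chain
            if gap < max_gap or (inclusive and gap == max_gap):
                groups[-1].append((name, ts))
                continue
        groups.append([(name, ts)])  # gap too large: start a new chain
    return groups


def span_minutes(group):
    """Overall correlation time of one group, in minutes."""
    return int((group[-1][1] - group[0][1]).total_seconds() // 60)


def summarize(alerts, **kw):
    """Return [(alert names, span in minutes)] for each group."""
    return [([n for n, _ in g], span_minutes(g))
            for g in correlate_by_gap(alerts, **kw)]


# The page's example, supplied out of order to show that input is sorted first.
PAGE_EXAMPLE = [("A3", parse("10:07")), ("A1", parse("10:00")),
                ("A4", parse("10:14")), ("A2", parse("10:04"))]

# Constructed sample: one alert every 4 minutes chains into a 20-minute window.
STEADY = [(f"B{i}", parse("11:00") + timedelta(minutes=4 * i)) for i in range(6)]

if __name__ == "__main__":
    print(summarize(PAGE_EXAMPLE))
    print(summarize(STEADY))
```

The steady 4-minute stream shows why a single correlation can cover far more than 5 minutes: the window is bounded by the gap between neighbours, not by the distance from the first alert.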