A simplified view of the data flow through Incident.MOOG is depicted in the figure below. Within the CLEAN phase, Incident.MOOG applies sophisticated machine learning to solve the growing problem of event noise reduction.
Incident.MOOG’s algorithms are optimized to capture events as close to the event source as possible. The data ingestion system looks for three things: a source, a timestamp and a message. Incident.MOOG’s machine learning capabilities can pull out the important artifacts from those three fields without preset rules or filters. Severity levels assigned by equipment manufacturers are ignored by default to make sure nothing important is missed; an event is processed if the system deems it statistically significant.
Next, Incident.MOOG de-duplicates the event stream, computes significance rankings, and rolls up alerts onto a high-performance, multi-path, real-time message bus.
The relationship between events and alerts is held in the Incident.MOOG datastore.
Incident.MOOG creates clusters of related alerts during the CONTEXTUALIZE phase. This is performed by Sigalisers, detailed below. Once a cluster becomes statistically significant, a Situation is created. There is a near one-to-one relationship between Situations and trouble tickets normally raised by an operator. In contrast, in a typical operations center, many alerts are manually cleared before they are escalated to the help desk.
The number of Situations on the Situation bus is greatly reduced compared to the number of alerts on the Alerts bus. Situations themselves are persisted in the Incident.MOOG datastore – they are significant to the fundamental purpose of the product, so they warrant long-term storage.
When Incident.MOOG creates a Situation, it can add more alerts to the Situation over time, giving operations a dynamic, real-time view into how an incident is unfolding across the IT ecosystem.
During the COLLABORATE phase, stakeholders are engaged to take action on Situations. Situation Rooms are the primary UI for appropriate stakeholders to work together to resolve the Situation, as detailed below.
Incident.MOOG allows you to view all of the events underpinning an alert, as every event stores a reference to the alert it is associated with. Incident.MOOG never deletes alerts because they may have been grouped into Situations.
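The event-to-alert-to-Situation data flow described above (CLEAN de-duplication, CONTEXTUALIZE clustering, and the preserved event-to-alert reference), modelled as an added Python example that is not Incident.MOOG code. The time-window and minimum-alert-count threshold in `cluster()` are a hypothetical stand-in for the Sigalisers' statistical significance test, and the sample events are constructed.

```python
# Constructed sample events as (source, timestamp, message), the three fields
# the ingestion system looks for. Not data from the original page.
EVENTS = [
    ("db01", 100, "disk latency high"),
    ("db01", 105, "disk latency high"),
    ("db01", 110, "disk latency high"),
    ("web03", 112, "upstream timeout"),
    ("web04", 115, "upstream timeout"),
    ("backup02", 400, "job failed"),
]

def dedupe(events):
    """Collapse repeated (source, message) pairs into alerts.

    Returns the alerts keyed by (source, message) plus, for every event, the key
    of the alert it was rolled into, so no event loses its alert reference.
    """
    alerts, event_to_alert = {}, []
    for source, ts, msg in events:
        key = (source, msg)
        alert = alerts.setdefault(
            key, {"source": source, "message": msg, "count": 0, "first": ts, "last": ts})
        alert["count"] += 1
        alert["last"] = max(alert["last"], ts)
        event_to_alert.append(key)
    return alerts, event_to_alert

def cluster(alerts, window=60, min_alerts=2):
    """Group alerts whose first occurrence lies within `window` seconds of the
    previous alert in the group; a group becomes a Situation only once it holds
    at least `min_alerts` alerts (hypothetical simplification of a Sigaliser)."""
    ordered = sorted(alerts.values(), key=lambda a: a["first"])
    situations, current = [], []
    for alert in ordered:
        if current and alert["first"] - current[-1]["first"] > window:
            if len(current) >= min_alerts:
                situations.append(current)
            current = []
        current.append(alert)
    if len(current) >= min_alerts:
        situations.append(current)
    return situations

def summarize(events=EVENTS):
    """Counts at each stage: events -> alerts -> Situations."""
    alerts, refs = dedupe(events)
    situations = cluster(alerts)
    return {"events": len(refs), "alerts": len(alerts), "situations": len(situations),
            "alerts_in_situations": sum(len(s) for s in situations)}
```

The lone `backup02` alert never reaches a Situation, but it is still retained in `alerts`, matching the rule that alerts are never deleted.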