The promise of correlation in monitoring tools is numerous. But efficiency and relevance are not always the order of the day! The Canopsis correlation, the result of discussions with our customers and prospects, takes on a new dimension and helps us to see things more clearly.
Available on Canopsis Pro Edition in April 2020
The promise (kept): because (too many) alarms kill alarms!
Drastically reduce the number of alarms in the operator list by grouping them together.
But it’s not that simple…
How does correlation work in Canopsis?
To begin with, Canopsis offers a configurable Alarm list that centralizes and normalizes all events generated by the Information system: this is the “basic” collection function of any hypervision solution.
Previously, the Alarm list displayed all alarms individually.
From now on, new rules engines will group alarms together: these will become meta-alarms.
These management rules may relate to :
- The component/resource relationship
- The notion of time
- Reference criteria
Three elements help to establish the rules:
- Existing links between components and resources in the repository (if available)
- Administrator-defined rules
- User suggestions via a form
A little more about the beast
What makes life easier for IS administrators is the possibility of implementing several correlation solutions, depending on requirements… And that’s clever!
The native parent-child bond (component-resource)
If a resource is in alarm at the same time as the component on which it depends,a meta-alarm is createdfor the component.
Groupings
Time grouping:
If alarms appear within a predefined period of time, a meta-alarm will group them together. It will then concern a new entity.
Grouping by attribute:
If alarms with common attributes appear, a meta-alarm will group them together.
Mix of groupings:
It is possible to apply both temporal and attribute rules.
Example 1 – Create a global alarm if 80% of the monitored elements of the logistics perimeter trigger an alarm over a period of 1 hour:
Example n°2 – Create a global alarm if 5 elements of the pay domain are in alarm during the last 5 minutes:
A good alarm is an identified alarm
To identify and filter alarms in the bin, all meta alarms and alarms with consequences (parent-child) have an attribute.
All is alarm
Canopsis identifies both meta alarms and consequential alarms as classic alarms. This makes standard actions possible, as well as mass actions (e.g. acknowledging a meta-alarm causes all alarms dependent on it to be acknowledged, and a single ticket created). In this case, it is possible to identify that an action has been carried out due to a meta alarm.
Correlation in Canopsis
Alarm groupings appear in an alarm tray, with a specially designed iconographic representation.
Meta-alarm located in the tray and its associated symbol:
On hovering, a tooltip presents the rule used for grouping and the number of resulting alarms.
Tooltip overview:
By default, with no filter enabled, only meta alarms and regular alarms are displayed. Consequence alarms are “hidden” behind their specific grouping. Only the essentials are shown, so fewer alarms are presented: CQFD!
Correlation information and ergonomics in Canopsis
A specific button, available on meta-alarms and consequence alarms, gives quick access to grouping.
Clicking on the tab will display the consequence alarms in one case, and the cause alarms in the other.
In this way, Canopsis remains (and always will be) in the spirit of a control tower and“everything under control“.
We have also paginated the content of the grouping (the consequences) for greater visual ergonomics.
Operating assistance from Canopsis
After selecting a list of alarms, a “Suggest a grouping” button appears.
A “grouping” justification request form is then proposed. When the form is validated by the operator, the administrator is informed of the action and may decide to create an associated rule (1). The operator’s suggestion is automatically forwarded to the administrator (2).
Group alarms” modal window
Conclusion on correlation in Canopsis
| Highlights | Weak points |
|---|---|
| – Several possible correlations | – Correlations require a repository that is often non-operational on the customer’s premises (essential prerequisite) |
| – Quick access to information | – All the rules are not yet written, but will be in future versions. |
| – Reduced number of visible alarms | |
| – User actions on groupings | |
| – Excellent interface Excellent |
Correlation in Canopsis is certainly the best correlation tool for incident management. Intuitive implementation, popular features and the ability for users to modify the rules as they go along: operator-assisted learning of the system is a rich, pragmatic idea. The Canopsian correlation gives the solution a clear edge over other market offerings.
