The promise of correlation in monitoring tools is numerous. But efficiency and relevance are not always the order of the day! The Canopsis correlation, the result of discussions with our customers and prospects, takes on a new dimension and helps us to see things more clearly.
Available on Canopsis Pro Edition in April 2020
The promise (kept): because (too many) alarms kill alarms!
Drastically reduce the number of alarms in operators’ bins by grouping them together.
But it’s not that simple…
How does correlation work in Canopsis?
Canopsis offers a configurable alarm tray that centralizes and standardizes all events generated by the information system: this is the “basic” collection function of any hypervision solution.
All alarms are displayed individually in an alarm tray.
New rules engines will group alarms. These become meta-alarms.
These management rules may relate to :
- The component/resource relationship
- The notion of time
- Reference criteria
The rules are based on :
- Existing links between components and resources in the repository (if available)
- Administrator-defined rules
- User suggestions via a form
A little more about the beast
What makes life easier for IS administrators is the possibility of implementing several correlation solutions, depending on the need… And that’s clever!
The native parent-child bond (component-resource)
If a resource is in alarm at the same time as the component on which it depends, then a meta-alarm concerning the component is created.
Groupings
Time grouping:
If alarms appear within a predefined period of time, they will be grouped together in a meta-alarm, which will then concern a new entity.
Grouping by attribute:
If alarms with common attributes appear, they will be grouped together in a meta-alarm.
Mix of groupings:
It is possible to apply both temporal and attribute rules.
Example 1 – Create a global alarm if 80% of the monitored elements within the logistics perimeter trigger an alarm over a period of 1 hour.
Example n°2 – Create a global alarm if 5 elements of the pay domain are in alarm during the last 5 minutes.
A good alarm is an identified alarm!
All meta-alarms and consequence alarms (parent-child) carry an attribute to identify them and filter them in an alarm tray.
All alarms!
A meta-alarm or a consequence alarm are identified as classic Canopsis alarms. Both standard and mass standard apply to them (e.g. if a meta-alarm is acknowledged, all alarms dependent on it are also acknowledged, and a single ticket is created). In this case, it is possible to identify that an action has been carried out due to a meta alarm.
Correlation in Canopsis
Alarm groupings appear in an alarm tray, with a specially designed iconographic representation.
Figure 1 – A meta-alarm in the bin and its associated symbol
On hovering, a tooltip presents the rule used for grouping and the number of resulting alarms.
Figure 2 – Tooltip
By default, with no filter enabled, only meta alarms and regular alarms are displayed. Consequence alarms are “hidden” behind their specific grouping. Only the essentials are shown, so fewer alarms are presented: CQFD!
Correlation information and ergonomics in Canopsis
A specific button, available on meta-alarms and consequence alarms, gives quick access to grouping.
Clicking on the tab will display the consequence alarms in one case, and the cause alarms in the other.
The Canopsis philosophy of a control tower and“everything under control” is thus respected.
The contents of the grouping are paginated.
Figure 3 – Consequences
Operating assistance from Canopsis
After selecting a list of alarms, a “Suggest a grouping” button appears.
Figure 4 – Suggest a grouping
A “grouping” justification request form is then proposed. When the form is validated by the operator, the administrator is informed of the action and may decide to create an associated rule (1). The operator’s suggestion is automatically forwarded to the administrator (2).
Figure 5 – “Group alarms” modal window
Conclusion on correlation in Canopsis
| Highlights | Weak points |
|---|---|
| – Several possible correlations | – Correlations require a repository that is often non-operational on the customer’s premises (essential prerequisite) |
| – Quick access to information | – All the rules are not yet written, but will be in future versions. |
| – Reduced number of visible alarms | |
| – User actions on groupings | |
| – Excellent interface |
Correlation in Canopsis is certainly the best correlation tool for incident management. Intuitive implementation, popular functionality and the ability for users to upgrade the rules as they go along: operator-assisted system learning is a rich, pragmatic idea. The Canopsian correlation gives the solution a clear edge over other market offerings.
