
Monitoring tools make many promises about correlation. Effectiveness and relevance, however, do not always meet expectations! The correlation in Canopsis, resulting from discussions with our customers and prospects, takes on new dimensions and allows us to see more clearly. Available in Canopsis (Pro Edition) since April 2020!
The (kept) promise: because (way) too many alarms harm the alarm!
Drastically reduce the number of alarms in the operator’s tray by grouping them together. But it is not that easy…
The Correlation in Canopsis, how does it work?
The Correlation in Canopsis offers a configurable alarm tray that centralizes and standardizes all the events produced by the information system: this is the « basic » collection function of any hypervision solution.
All alarms are displayed individually in an alarm tray.
New rules engines will group the alarms, thus becoming meta-alarms.
These management rules may relate to:
The component/resource relationship
The notion of time
Benchmarks
The rules are established from:
Existing links between components and resources in the repository (if it is available)
Rules pre-defined by the administrator
User suggestions through a form


A bit more detail about it
What makes life easier for IS administrators is the ability to set up several correlation solutions, as needed; and that’s smart!
The native parent-child link (component-resource):
If a resource is in an alarm state at the same time as the component on which it depends, then a meta-alarm concerning the component is created.
Groupings:
Time grouping:
If alarms appear within a predefined period of time, they will be grouped into a meta-alarm which will then concern a new entity.
Grouping by attributes:
If alarms with common attributes appear, they will be grouped into a meta-alarm.
Mix of grouping:
It is possible to apply both time and attribute rules.
Example n°1: Creates a global alarm if 80% of the monitored elements of the logistics perimeter trigger an alarm over a period of 1 hour.
Example n°2: Creates a global alarm if 5 elements of the payroll domain are in alarm during the last 5 minutes.
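The mixed time-and-attribute rule of Example n°2, as an added Python sketch (not Canopsis code and not its rule syntax). The field names, the `correlate` function and the sample alarms are constructed for illustration, and letting later matching alarms join an open meta-alarm is an assumption.

```python
from collections import deque

def correlate(alarms, attr, value, threshold, window_s):
    """Return the operator tray: regular alarms plus meta-alarms.

    A meta-alarm is opened once `threshold` distinct entities whose `attr`
    equals `value` are in alarm within `window_s` seconds (assumed semantics).
    """
    window = deque()   # matching alarms still inside the time window
    tray = []          # what stays visible to the operator
    meta = None        # currently open meta-alarm, if any
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        if alarm.get(attr) != value:
            tray.append(alarm)                 # attribute rule does not apply
            continue
        # Assumption: an open meta-alarm absorbs matches that keep arriving
        # within the window of its latest child.
        if meta and alarm["ts"] - meta["children"][-1]["ts"] <= window_s:
            meta["children"].append(alarm)
            continue
        meta = None
        window.append(alarm)
        while alarm["ts"] - window[0]["ts"] > window_s:
            tray.append(window.popleft())      # expired ungrouped: stays individual
        if len({a["entity"] for a in window}) >= threshold:
            meta = {"meta_alarm": True, "rule": f"{attr}={value}",
                    "ts": alarm["ts"], "children": list(window)}
            tray.append(meta)
            window.clear()
    tray.extend(window)                        # never reached the threshold
    return sorted(tray, key=lambda a: a["ts"])

# Constructed sample alarms (ts in seconds), not real Canopsis events.
SAMPLE = [
    {"entity": "pay-mail",  "domain": "payroll",   "ts": 0},
    {"entity": "pay-db",    "domain": "payroll",   "ts": 1000},
    {"entity": "pay-app1",  "domain": "payroll",   "ts": 1040},
    {"entity": "pay-app2",  "domain": "payroll",   "ts": 1090},
    {"entity": "wms-1",     "domain": "logistics", "ts": 1100},
    {"entity": "pay-web",   "domain": "payroll",   "ts": 1150},
    {"entity": "pay-batch", "domain": "payroll",   "ts": 1200},
    {"entity": "pay-ldap",  "domain": "payroll",   "ts": 1260},
]

def demo():
    # Example n°2: 5 payroll elements in alarm within 5 minutes
    return correlate(SAMPLE, "domain", "payroll", threshold=5, window_s=300)
```

On the sample, eight alarms collapse to three tray entries: the isolated payroll alarm, the logistics alarm, and one meta-alarm carrying six consequence alarms.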
A good alarm is an identified alarm!
All meta-alarms and consequence alarms (parent-child) have an attribute to identify them and thus be filtered in an alarm tray.
Everything is an alarm!
A meta-alarm or a consequence alarm is identified as a « classic » Canopsis alarm.
Standard actions as well as mass actions apply to these (e.g. if a meta-alarm is acknowledged, all the alarms which depend on it are also acknowledged, and a single ticket is created).
In this case, it is possible to detect that an action has been taken due to a meta-alarm.
Correlation in the interface

The alarm groups appear in an alarm tray with an iconographic representation, specifically thought out and adapted!

When the mouse pointer is hovered, an information note (tooltip) presents the rule that allowed the grouping as well as the number of consequence alarms.
By default, with no filter activated, only meta-alarms and regular alarms are displayed. Consequence alarms are “hidden” behind their specific grouping.
One only presents the essentials and therefore fewer alarms are presented: Q.E.D!
Information and ergonomics of the Correlation in Canopsis

A specific button, available on meta-alarms and consequence alarms, gives quick access to grouping.
Clicking on the tab presents in one case the consequence alarms and in the other, the cause alarms.
Canopsis’ philosophy of control tower and “everything on hand” is thus respected.
Grouping contents are paginated.
Operational assistance by Canopsis

After selecting a list of alarms, a “Suggest grouping” button is available.

A “Request for justification of regrouping” form is then proposed.
Once the form has been validated by the operator, the administrator is informed of the action and may decide to create an associated rule (1).
The operator’s suggestion is automatically sent to the administrator (2).
Key points | Weak points |
– Several possibilities for correlations | – Correlations require a repository that is often non-operational at the customer’s premises (essential prerequisite) |
– Quick reading of information | – Not all rules are written yet; they will arrive in the next versions. |
– Reduction in the number of visible alarms | |
– User’s actions on grouping | |
– Excellent integration in the interface | |
Conclusion
The correlation in Canopsis is certainly the best correlation tool for incident management.
Intuitive implementation, popular functionalities, and the possibility of changing the rules as and when it is used directly by users: learning the system assisted by the operator is a rich, pragmatic idea.
Canopsis correlation allows the solution to stand out clearly from other offers on the market.