Creating Correlation Models

Last updated on 24 August, 2023

LM Dexda generates insights by using machine learning to group collected alerts into clusters. Using a set of specialized algorithms, LM Dexda identifies hidden patterns within the text features of alert data and analyses both feature and temporal aspects of alerts to dynamically manage their clustering. The grouping into clusters is controlled by correlation models.

This article describes how to create and update a correlation model. For more information about the concept of correlation models, see About Correlation Models.

Viewing Models

The Models page displays available correlation models in your LM Dexda portal.

From here you can get an overview of the available models and search for a specific one. The Status field shows whether a model is in use. For information about model status, see About Correlation Models. Many models may be similar, so the Description field is important for telling them apart. Select a model in the list to see its configuration.

The prebuilt Correlate by CI model for correlation based on resource (configuration items) grouping is a good starting point. You can clone the model and modify it to target the insight generation to support your business workflow.

Note: You cannot modify or delete an existing model. Models are locked and read-only once submitted. This is due to the referencing between models and insights. You can deactivate or archive existing models that you no longer want to use. Select Hide Archive to prevent archived models from displaying in the list.

Editing a Model

You can change the name and description for a model, but configuration parameters for the model cannot be changed.

Creating a Model

In the Create Correlation Model page, select Create Model in the upper right, and enter values as described in the following steps. Alternatively, select Clone for an existing model and modify field values as needed.

  1. Add a descriptive Name for the model.
  2. Add a Description to provide information about what the model does, for example “Correlation by CI with stopwords”. This will be displayed in the model list.
  3. Add a GroupBy, a grouping item that combines a similarity correlation value between 0 and 1 (0-100%) with a field, for example “0,8” and “CI”. This means that the resource (CI) has to be at least 80% similar for a correlation to occur. Select the desired field from the dropdown; the available options come from the alerts data (see About Filters). Select Add item to add more items to the grouping if needed.
  4. (Optional) Select Add expression to add a filter narrowing down the correlation, for example “Description-Contains-Kubernetes”. Note that the right-hand view updates to reflect the current settings to give you an idea of the resulting correlation.
  5. Define the Timeout duration of the correlation time window. The default is 15 minutes (900,000 msecs). After this time period, new incoming alerts will be grouped into a new alert cluster and insight.
  6. Define the MinClusterDensity, which is how many incoming alerts are required to form a cluster within the timeout period. The default is two, meaning that at least two incoming alerts are required to form an alert cluster. The appropriate value depends on the type of correlation (see About Correlation Models).
  7. Select Add item to add a Stopword excluding parts of the message text string, preventing correlation overmatching. For example, adding stopwords for “” will exclude this from the text to prevent matching bias. You can add multiple stopwords.
  8. Select RemoveNumbers to remove numbers from a string to only match letters in a text string.
  9. Select CaseSensitive to match upper and lower case of words in a text string.
  10. Select Trim to remove white spaces at the end of a text string.
  11. Set the Locale for the model.
  12. Select Submit. Once submitted, the model will display in the overview with status ready.
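
A sketch of how the settings in these steps interact, added here as an illustration and not LM Dexda's own code or algorithm. Python's `difflib` ratio stands in for the similarity measure, which this page does not describe; the setting names, the `prod-` stopword and the sample alerts are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Hypothetical settings named after the fields in the steps above.
MODEL = {
    "group_by": [("CI", 0.8)],   # (field, minimum similarity between 0 and 1)
    "timeout_ms": 900_000,       # 15-minute correlation window
    "min_cluster_density": 2,    # alerts needed before a cluster is kept
    "stopwords": ["prod-"],      # constructed stopword
    "remove_numbers": True,
    "case_sensitive": False,     # assumption: unselected means case is ignored
    "trim": True,
}
# Constructed sample alerts; ts_ms is the arrival time in milliseconds.
ALERTS = [
    {"id": 1, "ts_ms": 0, "CI": "prod-web-01"},
    {"id": 2, "ts_ms": 60_000, "CI": "prod-web-02"},
    {"id": 3, "ts_ms": 120_000, "CI": "prod-db-01"},
    {"id": 4, "ts_ms": 130_000, "CI": "PROD-WEB-07 "},
    {"id": 5, "ts_ms": 1_000_000, "CI": "prod-web-03"},  # after the timeout
]

def normalize(text, m):
    """Apply Stopword, RemoveNumbers, CaseSensitive and Trim to one value."""
    flags = 0 if m["case_sensitive"] else re.IGNORECASE
    for word in m["stopwords"]:
        text = re.sub(re.escape(word), "", text, flags=flags)
    if m["remove_numbers"]:
        text = re.sub(r"\d+", "", text)
    if not m["case_sensitive"]:
        text = text.lower()
    return text.rstrip() if m["trim"] else text

def correlate(alerts, m):
    """Return the alert-id lists of clusters that reach MinClusterDensity."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x["ts_ms"]):
        key = {f: normalize(a[f], m) for f, _ in m["group_by"]}
        for c in clusters:
            in_window = a["ts_ms"] - c["start"] <= m["timeout_ms"]
            similar = all(
                SequenceMatcher(None, key[f], c["key"][f]).ratio() >= t
                for f, t in m["group_by"])
            if in_window and similar:
                c["ids"].append(a["id"])
                break
        else:  # no open cluster matched, so this alert starts a new one
            clusters.append({"start": a["ts_ms"], "key": key, "ids": [a["id"]]})
    return [c["ids"] for c in clusters if len(c["ids"]) >= m["min_cluster_density"]]

if __name__ == "__main__":
    print(correlate(ALERTS, MODEL))                        # stopword applied
    print(correlate(ALERTS, {**MODEL, "stopwords": []}))   # shared prefix overmatches
```

With the stopword in place the database alert stays out of the web cluster; without it, the shared `prod-` prefix pushes the similarity above 0.8 and the two resources are correlated together. Alert 5 arrives after the timeout, so it starts a new cluster that never reaches the minimum density.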

Running a Model

You have the following options when working with models:

  • To start using a model, select the model in the list and select Activate from the More Options menu to the right.
  • Deactivate—Use this option to stop the model from running. As mentioned, models cannot be deleted.
  • Archive—Use this option if you no longer want the model to be available for use.
  • Unarchive—Use this option to make the model available for use again.

Note: You need admin access to deactivate or unarchive a model.
