Creating Models

The generation of insights in Dexda is based on the use of machine learning to group collected alerts into clusters. Using a set of specialized algorithms, Dexda identifies hidden patterns within the text features of alert data. Dexda analyses both feature and temporal aspects of alerts to dynamically manage their clustering. The grouping into clusters is controlled by correlation models.

The following describes how to create a correlation model. For more information about the concept of correlation models, see About Correlation Models.

Viewing Models

The Models page displays available models in your Dexda portal.

From here you can get an overview and search for models. The Status field shows if a model is in use or not. For information about model status, see About Correlation Models. Many models may be similar, so the Description field is important to understand the differences. Select a model in the list to see its configuration.

The pre-built Correlate by CI model for correlation based on resource (configuration items) grouping is a good starting point. You can clone the model and modify it, making the insight generation targeted to support your business workflow.

Editing a Model

Possible to change the name and description for a model, but not configuration parameters ??

Creating a Model

In the Create Correlation Model page, select Create Model in the upper right, and enter values as described in the following. Alternatively, select Clone for an existing model and modify field values as needed.

1. Name: Add a descriptive name for the model.
2. Description: Add information about what the model does, for exampel “Correlation by CI with stopwords”. This will be displayed in the model list.
3. GroupBy: Add a grouping item combining similarity correlation value between 0 and 1 (0-100%) with a field, for example “0,8” and “CI”. This means that the resource (CI) has to be at least 80% similar for a correlation to occur. Select the desired field from the dropdown, available options come from the alerts data, see About Filters. Select Add item to add more items to the grouping if needed.
4. Filter: Optionally, select Add expression to add a filter narrowing down the correlation, for example “Description-Contains-Kubernetes”. Note that the right-hand view updates to reflect the current settings to give you an idea of the resulting correlation.
5. Timeout: Define the duration of the correlation time window, default is 15 minutes (900,000 msecs). After this time period, new incoming alerts will be grouped into a new alert cluster and insight.
6. MinClusterDensity: Define how many incoming alerts are required to form a cluster within the timeout period. Default is two, meaning that at least two incoming alerts are required to form an alert cluster. The value here depends on the type of correlation, see About Correlation Models.
7. Stopwords: Select Add item to add a stopword excluding parts of the message text string, preventing correlation overmatching. For example, adding stopwords for “company.com” will exclude this from the text to prevent matching bias. You can add multiple stopwords.
8. RemoveNumbers: Select this to remove numbers from a string to only match letters in a text string.
9. CaseSensitive: Select this to match upper/lower case of words in a text string.
10. Trim: Select this to remove white spaces at the end of a text string.
11. Locale: What does this do??
12. Select Submit. Once submitted the model will display in the overview with status ready.

Running a Model

Select the model in the list and select Activate from the More Options menu to the right to start using a model. Select Deactivate to stop the model from running. As mentioned, models cannot be deleted. Select Archive if you no longer want the model to be available for use. Select Unarchive to make it available again.