Migrating Netcool correlations to Cloud Pak for AIOps

Many deployments of Cloud Pak for AIOps take place where a Netcool environment already exists. Part of the migration to Cloud Pak for AIOps is the deactivation of event correlation in the Netcool layer and its reimplementation in Cloud Pak for AIOps. This is necessary because groupings are created differently in Netcool and Cloud Pak for AIOps, and the representation and linkages are not compatible:

  • Netcool uses either real or synthetic parent events whose children are linked via a key linkage field - often @ParentIdentifier.

  • Cloud Pak for AIOps stores grouping information as metadata within each correlated event - parent events are only virtual and are rendered in the Alert Viewer.

The major advantage of Cloud Pak for AIOps over Netcool is that an event can be a member of any number of groups, of the same or different kinds. Whereas Netcool requires a linkage between a parent event and a child event via a static field, Cloud Pak for AIOps stores this metadata within the alert payload. There is no programmatic limit on how much metadata can be stored in a Cloud Pak for AIOps alert, which results in a much more flexible grouping model.

There are three main grouping capabilities that are provided in both Netcool Operations Insight and Cloud Pak for AIOps. The following paragraphs outline how these groupings can be migrated from the Netcool layer to the Cloud Pak for AIOps layer:

  • Temporal

    Temporal groupings that are found in either the Netcool/Impact based Event Analytics or the newer Cloud Native Event Analytics (CNEA) engine are not transferable to Cloud Pak for AIOps. Cloud Pak for AIOps must ingest event data from Netcool (and other sources) and retrain on the data internally. Any temporal grouping in Netcool Operations Insight should be deactivated before enabling temporal grouping in Cloud Pak for AIOps.

  • Topology-based

    Netcool Operations Insight includes the same topology capability as Cloud Pak for AIOps and also supports topology-based event correlation. It works the same in both environments and must be set up in Cloud Pak for AIOps to match the configuration in Netcool Operations Insight. Any topology-based grouping in Netcool Operations Insight should be deactivated before enabling topology-based grouping in Cloud Pak for AIOps.

  • Scope-based

    Netcool Operations Insight includes a scope-based grouping capability similar to that of Cloud Pak for AIOps. By default, the Netcool Connector maps @ScopeID in Netcool Operations Insight to resource.scopeId in Cloud Pak for AIOps. The default Cloud Pak for AIOps policy, called "Default Netcool scope-based grouping - with a rolling window of 15 minutes", automatically detects any inbound events with the resource.scopeId attribute set and performs scope-based grouping on them. As the name suggests, this is done with a rolling 15-minute window. This policy provides a convenient like-for-like function and makes migration from Netcool to Cloud Pak for AIOps relatively easy in this respect. You can also disable this default policy and create your own if you have more specific or complex requirements, for example, if you require various time windows for different correlation scenarios.

    Note: Netcool/OMNIbus in the absence of Netcool Operations Insight only has scope-based event correlation, if enabled. For more information, see https://www.ibm.com/docs/en/netcoolomnibus/8.1?topic=netcoolomnibus-enabling-scope-based-event-grouping.

Custom correlations in Netcool

Many implementations of Netcool include custom correlations where one or more child events are linked to a parent event. While the grouping engine itself is eventually deactivated at the Netcool layer, in a combined Netcool and Cloud Pak for AIOps deployment the correlation logic can remain in place, with the grouping instead done at the Cloud Pak for AIOps layer. A method for achieving this is outlined here.

Procedure

  1. Create a custom correlation field.

    Create a custom field to hold the key data value that will tie each event set together. Use the nco_sql utility to create the field:

    1> ALTER TABLE alerts.status ADD COLUMN CustomCorrelation1 VARCHAR(64);
    2> go     
    
  2. Modify the correlation logic.

    The next step is to modify the automation that is correlating the events together, whether it's a Netcool/OMNIbus ObjectServer trigger or a Netcool/Impact policy. The logic of the automation remains the same as before, the only change being how the events are tied together. In the new correlation design, the automation must compute a key data value that is set in the newly created custom correlation field - in this case @CustomCorrelation1. The value must be set to the same value across all members of the correlation set, and be sufficiently unique so that incorrect items are not inadvertently correlated together.

  3. Map the custom correlation field.

    Map the custom correlation field to Cloud Pak for AIOps. This is done in Cloud Pak for AIOps by editing the mapping of your Netcool integration instance and adding in a details attribute. The following extract from a Netcool integration mapping shows the insertion of the details section into the mapping, immediately under the expirySeconds attribute:

    "eventCount": alert.@Tally,
    "signature": alert.@Identifier,
    "firstOccurrenceTime": alert.@FirstOccurrence,
    "lastOccurrenceTime": alert.@LastOccurrence,
    "severity": alert.@Severity < 0 ? 1 : alert.@Severity = 0 ? 2 : alert.@Severity < 6 ? alert.@Severity + 1 : alert.@Severity >= 6 ? 6,
    "state": alert.@Severity = 0 ? "clear" : "open",
    "acknowledged": alert.@Acknowledged = 1 ? true : false,
    "expirySeconds": alert.@ExpireTime = 0 ? undefined : alert.@ExpireTime,
    "details": {
        "customCorrelation1": alert.@CustomCorrelation1 = "" ? undefined : alert.@CustomCorrelation1
    },     
    

    Click Save to save your new integration mapping. Note that this causes the Netcool Connector pod to restart. The new mapping takes effect only on events that are newly inserted into the Netcool/OMNIbus ObjectServer. You can add as many custom correlation fields (comma separated) as required to this details section.

  4. Create a Cloud Pak for AIOps correlation policy.

    The final step is to create a scope-based grouping automation policy in Cloud Pak for AIOps to group the incoming event stream by your newly created attribute.

    1. Give your policy a meaningful name.

    2. Set the priority.

    3. For the policy trigger, select Before an alert is created.

    4. Add a condition that the policy fires when your custom attribute is "not empty".

    5. Under Create a scope-based grouping, enter your custom attribute.

    6. Specify the required time window.

    7. Specify whether the time window is rolling or fixed.

      Figure. Example scope-based policy

    8. Click Create Policy.

You should now start to see your custom correlation working in Cloud Pak for AIOps. Remember, this policy will only work for new events, not existing events.
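The procedure above modelled end to end, as an added example that is not IBM's code: a key computed for @CustomCorrelation1, the step 3 mapping that omits an empty field, and a policy that groups by the mapped attribute within a time window. The function names, the hashed key format and the window semantics (rolling restarts on each member, fixed runs from the first member) are assumptions of this sketch, and the sample rows are constructed.

```python
import hashlib

FIELD_WIDTH = 64  # width of CustomCorrelation1 as created in step 1

def correlation_key(*parts):
    """Value for @CustomCorrelation1: identical for every member of a set."""
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    material = "".join(f"{len(p)}:{p}" for p in parts).encode()
    key = "cc1-" + hashlib.sha256(material).hexdigest()[:40]
    assert len(key) <= FIELD_WIDTH
    return key

def map_details(row):
    """Mirror of the step 3 mapping: an empty field yields no attribute."""
    value = row.get("CustomCorrelation1", "")
    return {} if value == "" else {"customCorrelation1": value}

def group_alerts(rows, window_s=900, rolling=True):
    """Simplified model of the step 4 policy; returns lists of Identifiers."""
    open_groups = {}  # key -> (window anchor time, member list)
    result = []
    for row in sorted(rows, key=lambda r: r["FirstOccurrence"]):
        key = map_details(row).get("customCorrelation1")
        if key is None:  # policy condition: attribute is "not empty"
            continue
        ts = row["FirstOccurrence"]
        anchor, members = open_groups.get(key, (None, None))
        if anchor is None or ts - anchor > window_s:
            members = []  # window expired or first member: start a new group
            result.append(members)
            anchor = ts
        elif rolling:
            anchor = ts  # rolling: each new member restarts the window
        members.append(row["Identifier"])
        open_groups[key] = (anchor, members)
    return result

# Constructed sample rows (not real events); times are in seconds.
KEY = correlation_key("dc-east", "payments")
SAMPLE = [
    {"Identifier": "e1", "FirstOccurrence": 0, "CustomCorrelation1": KEY},
    {"Identifier": "e5", "FirstOccurrence": 300, "CustomCorrelation1": ""},
    {"Identifier": "e2", "FirstOccurrence": 600, "CustomCorrelation1": KEY},
    {"Identifier": "e3", "FirstOccurrence": 1200, "CustomCorrelation1": KEY},
    {"Identifier": "e4", "FirstOccurrence": 2400, "CustomCorrelation1": KEY},
]
if __name__ == "__main__":
    print("rolling:", group_alerts(SAMPLE, rolling=True))
    print("fixed:  ", group_alerts(SAMPLE, rolling=False))
```

With the same events, the rolling window keeps e1 to e3 together while the fixed window splits them, which is the choice made in sub-step 7.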

One of the major advantages in Cloud Pak for AIOps over Netcool is that you can set up as many scope-based grouping automations as required. Therefore, you can use this process to migrate all of your custom correlations in Netcool over to Cloud Pak for AIOps.