Training with real event data

When training with real event data, policies are auto-deployed by default. The tooling has optional settings, including a default setting for auto-deploying policies, which temporarily overrides the system setting used in the automatic scheduled training run.

Before you begin

  • The ea-events-tooling container is installed by the operator. It is not started as a pod, and contains scripts to install data on the system, which can be run with the kubectl run command.
  • Find the values of image and image_tag for the ea-events-tooling container, from the output of the following command:
    kubectl get noi <release_name> -o yaml | grep ea-events-tooling
    Where <release_name> is the custom resource release name of your cloud deployment. For example, in the following output, image is ea-events-tooling, and image_tag is 2.0.14-20200120143838GMT.
    kubectl get noi <release_name> -o yaml | grep ea-events-tooling
        --env=CONTAINER_IMAGE=image-registry.openshift-image-registry.svc:5000/default/ea-events-tooling:2.0.14-20200120143838GMT \
        --image=image-registry.openshift-image-registry.svc:5000/default/ea-events-tooling:2.0.14-20200120143838GMT \
    Hybrid deployment: For a hybrid deployment, run the following command:
    kubectl get noihybrid <release_name> -o yaml | grep ea-events-tooling
    Where <release_name> is the custom resource release name of your hybrid deployment.
    IBM® Netcool® for AIOps deployment: For an online or offline deployment (airgap) of Netcool Operations Insight® with IBM Cloud Pak for AIOps, find the values of image and image_tag from the noi-operator CSV file. Run the following command:
    oc get csv <noi-operator> -o yaml | grep olm.relatedImage.NOI_ea-events-tooling: | awk -F ': ' '{print $2}'
    Where <noi-operator> is the noi-operator CSV file name.
  • If you created your own docker registry secret, then patch your service account.
    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "noi-registry-secret"}]}'
    Where noi-registry-secret is the name of the secret for accessing the Docker repository.
    Note: As an alternative to patching the default service account with image pull secrets, you can add the following option to each kubectl run command that you issue:
    --overrides='{ "apiVersion": "v1", "spec": { "imagePullSecrets":
          [{"name": "noi-registry-secret"}] } }'

About this task

Once you have finished working with the sample data, local data, or migrated data scenarios, run this procedure to start processing live event data.
Note: Policies and groups that were created for the sample data, local data, and migrated data scenarios are removed.

The runTraining.sh script overrides most options that are in place for the regular training. The deployment setting for manually run training is auto-deploy (policies do not appear in the suggested policies panel). This setting can be changed with the -d command line option. If manual training is run with the -d false option (review first mode), then the policies created from manual training are not auto-deployed and appear in the suggested policies panel.

Procedure

Run the runTraining.sh script.
kubectl run trainer -it --command=true --restart=Never --env=LICENSE=accept --image=image:image_tag runTraining.sh -- -r release_name [-t tenantid] [-a algorithm] [-s start-time] [-e end-time] [-d auto-deploy]
Where:
  • release_name is the custom resource release name of your deployment.
  • image is the location of the ea-events-tooling container.
  • image_tag is the image version tag.
  • algorithm is either related-events or seasonal-events. If not specified, defaults to related-events.
  • Optional: tenantid is the tenant ID associated with the data that is processed, as specified by the global.common.eventanalytics.tenantId parameter in the values.yaml file that is associated with the operator.
  • Optional: start-time and end-time are the start and end times to train against. You can specify the start or end time, neither, or both. If neither are specified, the current time is used as the end time and the start time is 93 days before the end time. You can either specify the start and end times with an integer Epoch time format in milliseconds, or with the default date string formatting for the system. Run ./runTraining.sh -h to determine the default date formatting.
  • Optional: auto-deploy Set to true to deploy policies immediately. Set to false to review policies before deployment. Running sample data or local data scenarios turns on the auto-deployment of policies, even if you have installed with temporalGroupingDeployFirst set to false.