Sophie's Correlation Engine correlates between different sources based on Correlation Identifiers, which are terms found in the metadata of your log files or the text of your log files, for example, username, interface-ID or request-ID.
In addition to these Correlation Identifiers, there are two additional types of correlators:
- Entities: These are correlators that are derived from the fields extracted from the schema
- Free-text correlators: These are attributes that you expect to find in the message portion of the log itself
Please define which fields, properties or keywords will help Sophie understand the connection between the different applications/sources in your stack.
You can add correlators globally for all the sources streamed into Loom, or correlators can be added only to specific sources.
In order to add correlators globally:
Under the Settings Icon go to "Anomaly Detection" >> "Correlation Engine"
Choose either of the following two tabs and add the field, property, or keyword text:
- Correlation Identifiers
- Free Text Correlators
In order to add correlators for a specific application:
Under the Settings Icon go to "Add and Manage Data" >> "Sources"
Select the relevant application and service and select the “Correlations” option under the right hand menu.
Use the “Entities” tab to add relevant metadata fields that were extracted from your logs (i.e. set specific fields as correlators)
Use the “Free Text” table to add relevant terms you expect to appear within the log message, but are not structured nor extracted in a separate field or property.