This documentation supports the 22.1 version of BMC Helix ITSM Insights. To view an earlier version, select the version from the Product version menu.

Configuring incident correlation to detect similar incident clusters


After BMC Helix ITSM Insights is activated, Service Desk managers can use the Real-time incident correlation workspace to detect similar incident clusters and view emerging hotspots.

The system uses a set of default fields and settings for the Real-time incident correlation workspace. As a tenant administrator, you can change the incident correlation configuration based on your requirements. 

If you have set up custom priority values, you must update the Real-time incident correlation configuration settings (except Similarity threshold) to view the updated custom priority details in the Real-time incident correlation dashboard. The algorithm takes at least six hours to display the newly added custom priority values in the Real-time incident correlation workspace.

Warning

Updating the similarity threshold value triggers the deletion of existing clusters.


Before you begin

Best practice
When you change the incident correlation configuration, all existing clusters are removed from the dashboard and the system performs the analysis again. This action might impact the analysis being carried out by any Service Desk managers or agents who are using the Real-time incident correlation dashboard for analysis.

We recommend that any configuration changes for incident correlation are done in off-hours so that the impact is minimal.

Out-of-the-box configuration for incident correlation

BMC Helix ITSM Insights uses a set of default fields and settings to display the clusters in the Real-time incident correlation dashboard. 

The following table describes this out-of-the-box configuration for incident correlation:

Fields

Default value

Default fields used by the system for incident correlation

  • Assignee
  • Assignee - Company (Assigned Support Company)
  • Assignee Support group (Assigned Group)
  • CI (HPD_CI)
  • Calculated priority (Priority)
  • City
  • Closed Date
  • Communication coordinator - Company (SV_ComCoord_SupportCompany)
  • Communication coordinator - Support group (SV_ComCoordSGP)
  • Company
  • Customer site (Site)
  • HPD_CI_ReconID
  • Impact
  • Incident Number
  • Incident type (Service Type)
  • InstanceId
  • Last Resolved Date
  • Major incident manager - Company (SV_MIM_Company)
  • Major incident manager - Support group (SV_MIM_SGP)
  • Operational category 1 (Categorization Tier 1)
  • Operational category 2 (Categorization Tier 2)
  • Operational category 3 (Categorization Tier 3)
  • Product Name
  • Product category 1 (Product Categorization Tier 1)
  • Product category 2 (Product Categorization Tier 2)
  • Product category 3 (Product Categorization Tier 3)
  • Region
  • Reported Date
  • Service (Service CI)
  • ServiceCI_ReconID
  • Site group (Site Group)
  • Status
  • Status_Reason_Hidden (Status_Reason)
  • Submit Date
  • Submitter
  • Summary (Description)
  • Total Time Spent
  • Urgency

The maximum number of days a cluster can stay open: 7 days

Similarity threshold: 7

Minimum number of incidents that a cluster should have to be visible in the dashboard: 5


Warning

A high volume of data in the Description (Detailed Description) field may result in performance issues while generating clusters in ITSM Insights.

Starting with version 22.1.07, the Description (Detailed Description) field is no longer a mandatory field. If you are already using this field to generate clusters, you can exclude it from the dataset manually.

Best practice
We recommend excluding the Description (Detailed Description) field from the configuration to improve the performance and turnaround time of generating clusters.


To update the configuration

  1. In BMC Helix ITSM Insights, click the Settings icon.
    The Settings page is displayed.
  2. Select Real-time incident correlation > Configure.
    The Real-time incident correlation configuration page is displayed.
    In the Data Set section, you can view the data fields being used by the system for the configuration. The fields that you select here appear as filter criteria in the Real-time incident correlation dashboard filter.

    Tip

    The fields that appear in BMC Helix ITSM display their field labels, system names (in brackets), and often their additional description (in English only) in the data set. Therefore, when you choose among similar fields in the data set for creating clusters, we recommend that you select the field that displays its label, system name, and description. For example, when choosing between CI and CI(HPD_CI), we recommend that you select CI(HPD_CI) because it displays the CI label, the HPD_CI system name, and its description.

  3. In the Create clusters section, specify the following parameters by which the data is to be grouped:
    • For the first level of grouping, select up to two fields to group the incidents at the top level for clustering. Only categorization fields are available for selection such as service, CI, and company. 
    • Select up to five additional field names for matching incidents to be grouped into a cluster. Only text fields are available for selection.
  4. In the Advanced section, specify the following details: 
    • The maximum period that a cluster stays open from the time an incident is last updated. This window can range from hours to days.
      The default value is 7, which means that clusters that are more than seven days old are automatically deleted. However, you can set this value up to a maximum of 30 days.
    • Similarity threshold determines how similar the incident descriptions must be to the description of the original incident, which is the first incident of a cluster. The similarity threshold can be a value between 1 and 10; the default value is 7. The higher the value you select, the more stringent the similarity test, and therefore the clusters formed are more cohesive and smaller.

      Example of similarity threshold

      A lower similarity threshold value performs a lenient test to match the similarity of incidents for clustering.

      A higher similarity threshold value performs a stringent test to match the similarity of incidents for clustering.

      In most cases, the number of incidents in the cluster decreases as you select a higher similarity threshold value.

      Best practice
      We suggest setting the similarity threshold to its default value of 7 to generate optimal results.

    • The minimum number of incidents that a cluster should have to be shown in the dashboard.
  5. Click Save.

The job configuration is updated and the system starts building new clusters based on the new configuration. Clusters built with the prior configuration are removed from the dashboard.

To configure trend and major incident settings

Enter the following details to configure the trend and major incidents in clusters:

Configuration setting 

Description

Measure trend over last hour(s)

Specify the number of hours for which the trend must be calculated. By default, the trend is calculated for the last two hours.

Flag clusters for possible major incidents when 

  • # of incidents in cluster reaches 
  • # of incidents in trend window increases by

The application flags clusters as possible major incident candidate clusters in the following cases:

  • The number of incoming incidents in the cluster exceeds the specified value. By default, when the number of incoming incidents exceeds 50, the cluster is marked as a possible major incident cluster.
    OR
  • The number of new incidents in the last trend window exceeds the specified value. By default, the application flags a cluster as a possible major incident cluster when the number of incidents in the trend window increases by 25.
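The following added example (not BMC code, and not the product's implementation) models how the documented defaults interact for one cluster: the 7-day open window, the 5-incident visibility minimum, the 2-hour trend window, and the 50 / 25 major-incident thresholds. The class, function, and field names are hypothetical, the timestamps are constructed, and it assumes that "exceeds" is a strict comparison and that cluster age is measured from the most recent incident update.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CorrelationSettings:
    # Default values as documented on this page; the field names are hypothetical.
    max_open_days: int = 7
    min_incidents_visible: int = 5
    trend_window_hours: int = 2
    major_total: int = 50
    major_trend_increase: int = 25


def evaluate_cluster(updates, now, cfg=CorrelationSettings()):
    """updates: one last-updated datetime per incident in the cluster."""
    total = len(updates)
    # Assumption: a cluster ages out once its newest update is older than the window.
    expired = total == 0 or now - max(updates) > timedelta(days=cfg.max_open_days)
    window_start = now - timedelta(hours=cfg.trend_window_hours)
    in_trend = sum(1 for t in updates if window_start < t <= now)
    # Assumption: "exceeds" means strictly greater than the configured value.
    major = not expired and (
        total > cfg.major_total or in_trend > cfg.major_trend_increase
    )
    return {
        "visible": not expired and total >= cfg.min_incidents_visible,
        "expired": expired,
        "in_trend_window": in_trend,
        "possible_major_incident": major,
    }


# Constructed sample data: evenly spaced incident updates ending before NOW.
NOW = datetime(2024, 1, 10, 12, 0)


def spread(count, start_hours_ago, step_minutes):
    start = NOW - timedelta(hours=start_hours_ago)
    return [start + timedelta(minutes=i * step_minutes) for i in range(count)]


SLOW_BURN = spread(51, 48, 30)    # 51 incidents, none in the last two hours
BURST = spread(26, 1.5, 3)        # 26 incidents, all inside the trend window
SMALL = spread(4, 1, 10)          # below the visibility minimum
STALE = spread(60, 24 * 9, 10)    # newest update is more than seven days old

if __name__ == "__main__":
    for name, data in [("slow burn", SLOW_BURN), ("burst", BURST),
                       ("small", SMALL), ("stale", STALE)]:
        print(name, evaluate_cluster(data, NOW))
```

A cluster can be flagged on volume alone (slow burn) or on rate alone (burst), so lowering either threshold changes which of the two patterns surfaces first.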
