
Workflow action reference

The Workflow Engine lets you process your monitoring data with configurable actions which operate in sequence. You can parse hostnames and other fields to normalize your data, enrich your data with configuration information, filter and drop events, and change service and severity information, among other possibilities.

The Workflow Engine allows you to conditionally run actions against events, alerts, or incidents. Most event workflows involve transforming the data in some way (for example, conditionally setting a severity, or parsing fields to normalize data), alert workflows focus on managing alerts or manipulating them for correlation, and incident workflows are primarily used to route data (for example, assigning an incident to a team and sending the incident update to an outbound integration).

Configure workflows by navigating to Correlate & Automate > Workflow Engine. Click the Event Workflows tab, the Alert Workflows tab, or the Incident Workflows tab to create workflows which process events, alerts, or incidents, respectively.

This topic contains lists of all the workflow actions that can be used in Moogsoft Cloud. Note that actions may be available for more than one data type. For example, the Drop action is available in both event and alert workflows. In this reference, the actions appear in the lists for all the data types that they are valid for.

Additional information

For more information on Workflow Engine and workflows, see also:

Refer to the links under In this section for topics on individual workflow actions.

The following actions are available in event workflows:

Classify action

Sets the class and type fields. You can also use the Match and Update action to update the event class based on your own criteria.

Drop action

Prevents any additional processing of the event or alert by other features in the system. Dropped events are not deduplicated and do not become alerts, and dropped alerts are not correlated into incidents. You can continue to view dropped alerts on the Alerts page, however.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events, alerts, or incidents that pass through a previous action. Based on whether the object matches the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp records the number of seconds elapsed since 00:00:00 UTC on January 1, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Parse FQDN action

Parses an FQDN field and copies the host and domain names to the specified fields.

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression match in an event, alert, or incident field with a new specified string.

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Severity action

Sets the severity of an event or alert to a user-specified severity level.

Skip action

Causes all workflow processing of an event, alert, or incident to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Split Tags action

Splits a value from a tag field into multiple tags in the same object.

Template Field action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter action

Filters events, alerts, or incidents according to the time of day or day of the week. Based on whether the object matches the given time filter, you can then decide whether to proceed to the next action or skip to the next workflow.
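The actions above are configured in the UI rather than written as code, but their flow-control semantics are easy to get wrong: actions run in order, Filter either continues or skips to the next workflow, Skip ends all workflow processing, and Drop takes the event out of downstream processing. The following Python model is an added illustration of those semantics and is not Moogsoft Cloud code. The field names, regexes, thresholds, sample events and the assumption that no later workflow runs for a dropped event are all made up for the example.

```python
"""Toy model of how Moogsoft-style event workflows chain actions and how
Filter, Skip and Drop alter the flow. Added illustration, not Moogsoft Cloud
code; field names, regexes and Drop's in-workflow behaviour are assumptions."""
import re
from datetime import datetime, timezone
from typing import Callable

# Outcomes an action reports to the engine.
CONTINUE = "continue"            # run the next action in this workflow
NEXT_WORKFLOW = "next_workflow"  # leave this workflow, go on to the next one
STOP_ALL = "stop_all"            # stop here and skip all later workflows

Action = Callable[[dict], str]

def parse_fqdn(src: str, host_out: str, domain_out: str) -> Action:
    """Parse FQDN: split `src` at the first dot into host and domain fields."""
    def run(ev: dict) -> str:
        host, _, domain = str(ev.get(src, "")).strip().rstrip(".").lower().partition(".")
        ev[host_out], ev[domain_out] = host, domain
        return CONTINUE
    return run

def extract_substring(src: str, pattern: str, outputs: list) -> Action:
    """Extract Substring: regex capture groups -> `outputs`, in order (single
    string value only; on no match the output fields are left untouched)."""
    rx = re.compile(pattern)
    def run(ev: dict) -> str:
        m = rx.search(str(ev.get(src, "")))
        if m:
            for name, value in zip(outputs, m.groups()):
                ev[name] = value
        return CONTINUE
    return run

def match_and_update(rules: list, out: str) -> Action:
    """Match and Update: rules are (field, regex, value); the first match wins."""
    compiled = [(f, re.compile(p), v) for f, p, v in rules]
    def run(ev: dict) -> str:
        for fld, rx, value in compiled:
            if rx.search(str(ev.get(fld, ""))):
                ev[out] = value
                break
        return CONTINUE
    return run

def format_timestamp(src: str, out: str, fmt: str = "%Y-%m-%d %H:%M:%S UTC") -> Action:
    """Format Timestamp: epoch seconds -> human-readable string, rendered in UTC."""
    def run(ev: dict) -> str:
        ev[out] = datetime.fromtimestamp(int(ev[src]), tz=timezone.utc).strftime(fmt)
        return CONTINUE
    return run

def filter_action(predicate: Callable[[dict], bool]) -> Action:
    """Filter: matching events continue; others skip to the next workflow."""
    def run(ev: dict) -> str:
        return CONTINUE if predicate(ev) else NEXT_WORKFLOW
    return run

def drop() -> Action:
    """Drop: flag the event so deduplication and alerting ignore it. This model
    also assumes no later workflow runs for a dropped event."""
    def run(ev: dict) -> str:
        ev["dropped"] = True
        return STOP_ALL
    return run

def skip() -> Action:
    """Skip: stop the current workflow and skip every later one."""
    return lambda ev: STOP_ALL

def run_workflows(event: dict, workflows: list) -> dict:
    """Run each workflow's actions in order, honouring the flow outcomes.
    Returns a processed copy of the event that also records which workflows ran."""
    ev = dict(event, dropped=False, workflows_run=[])
    for name, actions in workflows:
        ev["workflows_run"].append(name)
        for act in actions:
            outcome = act(ev)
            if outcome == NEXT_WORKFLOW:
                break            # rest of this workflow is skipped
            if outcome == STOP_ALL:
                return ev        # no further workflows at all
    return ev

# Example workflow list; names, fields, regexes and thresholds are made up.
WORKFLOWS = [
    ("Normalize", [parse_fqdn("source", "host", "domain"),
                   extract_substring("description", r"(\d+)%.*threshold (\d+)%", ["value", "threshold"]),
                   format_timestamp("time", "time_text")]),
    ("Severity", [match_and_update([("description", r"\b(9\d|100)%", 5),
                                    ("description", r"\b[78]\d%", 3)], "severity")]),
    ("Low severity", [filter_action(lambda ev: ev["severity"] < 3), skip()]),
    ("Lab noise", [filter_action(lambda ev: ev["domain"].startswith("lab.")), drop()]),
]

# Constructed sample events, not real monitoring data.
PROD_EVENT = {"source": "web-01.prod.example.com.", "severity": 0, "time": 1700000000,
              "description": "CPU utilization 97% on web-01 (threshold 90%)"}
LAB_EVENT = {"source": "bench-7.lab.example.com", "severity": 0, "time": 1700000000,
             "description": "CPU utilization 98% on bench-7 (threshold 90%)"}
```

Running `run_workflows(PROD_EVENT, WORKFLOWS)` normalizes the host, extracts the metric value and threshold, sets severity 5, and passes through all four workflows untouched by Skip or Drop. `LAB_EVENT` reaches the Lab noise workflow and is dropped. Because Skip ends all processing, a low-severity lab event never reaches the Lab noise workflow at all, which is why the order of workflows in the list matters as much as the order of actions within one.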

The following actions are available in alert workflows:

Alert in Incident action

Checks if an alert is included in an incident.

Assign action

Assigns an alert or incident to a user, a user group, or both.

Delay action

Delays the processing of an alert or incident through a workflow for a configurable amount of time.

Drop action

Prevents any additional processing of the event or alert by other features in the system. Dropped events are not deduplicated and do not become alerts, and dropped alerts are not correlated into incidents. You can continue to view dropped alerts on the Alerts page, however.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events, alerts, or incidents that pass through a previous action. Based on whether the object matches the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp records the number of seconds elapsed since 00:00:00 UTC on January 1, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Parse FQDN action

Parses an FQDN field and copies the host and domain names to the specified fields.

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression match in an event, alert, or incident field with a new specified string.

Set Description action

Sets the description field of an alert or incident based on a specified template.

Set External Details action

Lets you configure the external information fields for alerts and incidents using substitution and regular expressions.

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Severity action

Sets the severity of an event or alert to a user-specified severity level.

Set Status action

Sets the status of alerts or incidents automatically.

Set Tags action

Constructs new tag values based upon templates. The specified output tag is then replaced by the new tag values. To instead add tag values to a specified output tag, use Add Item to List.

Skip action

Causes all workflow processing of an event, alert, or incident to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Template Field action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter action

Filters events, alerts, or incidents according to the time of day or day of the week. Based on whether the object matches the given time filter, you can then decide whether to proceed to the next action or skip to the next workflow.

The following actions are available in incident workflows:

Add Comment action

Adds a comment to an incident.

Add Item to List action

Adds an item to an existing list within an incident tag. If the tag doesn't exist or is empty, then a new tag or list is created.

Add Watchers action

Adds validated Moogsoft users or groups to the list of watchers for incidents. You can control the incidents affected by this action by configuring workflow triggers, or by adding a filter within your incident workflow.

Assign action

Assigns an alert or incident to a user, a user group, or both.

Delay action

Delays the processing of an alert or incident through a workflow for a configurable amount of time.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events, alerts, or incidents that pass through a previous action. Based on whether the object matches the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp records the number of seconds elapsed since 00:00:00 UTC on January 1, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression match in an event, alert, or incident field with a new specified string.

Send Announcement action

Sends an automated email with custom content to any configured watchers for incidents. It also posts an announcement, viewable in the Comments panel on the Incidents page or in the Situation Room. For details on using Announcements, refer to Use comments with incidents.

Send to Endpoint action

Sends an incident to an existing outbound webhook endpoint. It also optionally populates the Outbound tab of the Incident with a link to the endpoint.

Set Description action

Sets the description field of an alert or incident based on a specified template.

Set Priority action

Automatically changes the priority of an incident to a custom value between 1 (highest priority) and 5 (lowest priority).

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Status action

Sets the status of alerts or incidents automatically.

Set Tags action

Constructs new tag values based upon templates. The specified output tag is then replaced by the new tag values. To instead add tag values to a specified output tag, use Add Item to List.

Skip action

Causes all workflow processing of an event, alert, or incident to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Template Field action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter action

Filters events, alerts, or incidents according to the time of day or day of the week. Based on whether the object matches the given time filter, you can then decide whether to proceed to the next action or skip to the next workflow.