estimateSeverity

A Workflow Engine function that uses a predefined classification algorithm to estimate event or alert severity.

This function is available as a feature of the Add-ons v1.3 download and later.

This function is available for event, alert, and enrichment workflows.

The workflow sweep up filter applies to this function.


Arguments

Workflow Engine function estimateSeverity takes the following arguments:

Name           Required   Type     Description
eventFields    No         Object   Array of fields to use in the classification algorithm. Defaults to the description field.
severityField  No         String   Destination field for the classification algorithm's calculated severity. Defaults to the severity field.

If you do not configure these arguments, the function parses the event description field to calculate a severity value, which it assigns to the severity field.

Example

The following example demonstrates typical use of Workflow Engine function estimateSeverity.

The optional eventFields argument allows you to customize the event fields the function uses for severity classification. You define these as an array of event fields. For example, if you set the following:

  • eventFields: ["agent", "description", "custom_info.clustering", "custom_info.enrichment.BusinessApps"]

The UI translates your settings to the following JSON:

{"eventFields": ["agent", "description", "custom_info.clustering", "custom_info.enrichment.BusinessApps"]}

The optional severityField argument allows you to assign the estimated severity to a target field instead of using the default, severity. For example, to assign the result to custom_info.catasaurus.severity, set the following:

  • severityField: custom_info.catasaurus.severity

The UI translates your settings to the following JSON:

{"severityField":"custom_info.catasaurus.severity"}

If the classification algorithm fails to estimate the severity and the target is the event severity field, the function returns false and the event is not updated. If the target is a custom_info field, the value defaults to Indeterminate.
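The following is an added stand-alone model of the argument handling and failure behaviour described on this page; it is not Moogsoft's code. The keyword classifier inside it is a placeholder assumption (the real classification algorithm is not described here), and severities are represented by their names rather than Moogsoft's internal numeric values.

```javascript
// Added example: models how eventFields and severityField shape the
// behaviour documented above. Constructed sample events; placeholder classifier.

// Read a dotted path such as "custom_info.clustering" from an event object.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Write a dotted path, creating intermediate objects as needed.
function setPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Placeholder classifier (assumption, not the real algorithm):
// returns a severity name, or null when it cannot decide.
function classify(text) {
  const t = text.toLowerCase();
  if (/\b(down|outage|unreachable)\b/.test(t)) return 'Critical';
  if (/\b(degraded|high latency|warning)\b/.test(t)) return 'Major';
  if (/\b(ok|recovered|clear)\b/.test(t)) return 'Clear';
  return null;
}

// Mirrors the documented defaults and the two failure outcomes.
function estimateSeverity(event, args = {}) {
  const eventFields = args.eventFields || ['description'];     // default: description
  const severityField = args.severityField || 'severity';      // default: severity
  const text = eventFields
    .map((f) => getPath(event, f))
    .filter((v) => typeof v === 'string')
    .join(' ');
  const estimate = classify(text);
  if (estimate === null) {
    // Custom target: value defaults to Indeterminate.
    if (severityField.startsWith('custom_info.')) {
      setPath(event, severityField, 'Indeterminate');
      return true;
    }
    return false; // event severity target: function returns false, event not updated
  }
  setPath(event, severityField, estimate);
  return true;
}
```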