Workflow Engine Functions Reference

This is a reference for Workflow Engine functions in Moogsoft Enterprise.

Functions may be available for more than one object. For example, addItemToList is available in event, alert, enrichment, and Situation workflows. In this reference, the functions appear in the lists for all the objects they are valid for.

Event functions

The following functions are available in event workflows:

  • addDefaultValues: Adds a set of default values to custom_info based on a payload map. Sweep up filter applies.

  • addItemToList: Adds an item or items to an array. Sweep up filter applies.

  • addTags: Adds or updates a custom info field called "tags" with an array of string values.

  • appendFields: Appends a concatenated set of fields to an existing field, using a separator character.

  • appendString: Appends a static string to an existing field separated by a space character.

  • ceventFilter: Returns true if the object matches a SQL-like filter. Sweep up filter applies.

  • checkSeverity: Checks the severity level of the object.

  • classifyEvent: Sets the class, type, and severity fields of an event based upon its contents using a predefined classification algorithm.

  • concatFields: Sets the value of a field to a string representing a set of concatenated fields.

  • contextFilter: Filters a workflowContext object for a specified name field. Sweep up filter applies.

  • convertToJSON: Converts the object to JSON and adds it to the workflowContext for use in subsequent actions.

  • copyFieldFromAlertToEvent: Copies a single field from an existing alert to a deduplicating event for the same alert.

  • copyFromAlertToEvent: Copies multiple fields from an existing alert to a deduplicating event for the alert.

  • copyFromContext: Copies a field from the workflowContext to a destination object field. Sweep up filter applies.

  • copyToContext: Copies an object field to the workflowContext.

  • copyToPayload: Copies a value to the payload in workflowContext for the current object.

  • createPayload: Creates a workflowContext payload from the triggering object using a predefined payload map.

  • deleteEnrichment: Removes data from the enrichment datastore.

  • deltaEvent: Returns true if the specified event fields differ from corresponding fields in an existing alert, when an error occurs in the delta check, or when no alert exists. Returns false when it detects no changes.

  • dropEvent: Allows you to prevent further processing of an event.

  • estimateSeverity: Uses a predefined classification algorithm to estimate event or alert severity. Sweep up filter applies.

  • existingAlertFilter: Returns true if the existing alert for a deduplicating event matches a SQL-like filter.

  • getIntegrationConfig: Retrieves an integration configuration and stores it in the workflowContext for subsequent actions to use.

  • getPayload: Creates a workflowContext payload from the triggering object from a predefined payload map. Sweep up filter applies.

  • isClear: Returns true if the object's severity level is Clear (0).

  • isInSubnet: Returns true when an IP address is present within a specified subnet. Sweep up filter applies.

  • isNewerThan: Returns true when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.

  • isNotClear: Returns true if the object's severity level is not "Clear". Sweep up filter applies.

  • isNotNull: Returns true if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.

  • isNull: Returns true if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.

  • isOlderThan: Returns true when the object age in seconds is greater than a specified age in seconds. Sweep up filter applies.

  • listContains: Returns true when the array field you query contains some of your specified values. Sweep up filter applies.

  • listContainsAll: Returns true when the array field you query contains all of your specified values. Sweep up filter applies.

  • listDoesNotContain: Returns true when the array field you query contains none of your specified values. Sweep up filter applies.

  • logMessage: Logs a message to the Moogfarmd log.

  • logWorkflowContext: Logs the contents of workflowContext to the current Moogfarmd log file at a warning level.

  • logWorkflowDuration: Logs debug messages for the workflow execution duration.

  • lowerCase: Changes the value of a field to lowercase. Sweep up filter applies.

  • prependFields: Prepends a concatenated set of fields to an existing field, using a separator character.

  • prependString: Prepends a string to an existing field, using a separator character.

  • restAsyncPost: Makes an HTTP POST request with a JSON payload to a named REST endpoint.

  • searchAndReplace: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.

  • searchAndReplaceOrdered: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.

  • setAgent: Sets the agent of the event or alert.

  • setAgentLocation: Sets the agent location of the event or alert.

  • setAgentTime: Sets the agent_time of the event to current time if the field does not exist in the event, or is more than the offset seconds in the past/future.

  • setEnrichment: Updates a single record in the enrichment datastore with data from an alert.

  • setEnrichmentBulk: Updates multiple records in the enrichment datastore with an array of data from an alert.

  • setExternalId: Sets the external ID of the event or alert.

  • setManager: Sets the manager of the event or alert.

  • setSource: Sets the source of the event or alert.

  • setSourceId: Sets the source ID of the event or alert.

  • setCoreEventField: Sets a single core event field to a value.

  • simpleLookup: Defines the lookup as two arrays of equal length. Sweep up filter applies.

  • skip: Forwards an in-scope event, alert or Situation to the next chained moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.

  • staticLookup: Searches for a key in a static lookup table, retrieves the corresponding value, and applies that value to a field in the object.

  • stop: Stops the workflow.

  • stripFQDN: Splits a fully qualified domain name (FQDN) into a hostname/short name and a domain name and updates fields with the values.

  • upperCase: Changes the value of a field to uppercase. Sweep up filter applies.

  • willCreateNewAlert: Returns true if the event will create a new alert.

  • willDeduplicateAlert: Returns true if the event will deduplicate into an existing alert.

Alert and enrichment functions

The following functions are available in alert and enrichment workflows:

  • addDefaultValues: Adds a set of default values to custom_info based on a payload map. Sweep up filter applies.

  • addItemToList: Adds an item or items to an array. Sweep up filter applies.

  • addTags: Adds or updates a custom info field called "tags" with an array of string values.

  • alertDelta: Returns true when attributes have changed.

  • alertInSituation: Returns true when the alert is a member of an active Situation. Sweep up filter applies.

  • alertNotInSituation: Returns true when the alert is not a member of an active Situation. Sweep up filter applies.

  • appendFields: Appends a concatenated set of fields to an existing field, using a separator character.

  • appendString: Appends a static string to an existing field separated by a space character.

  • assignAlert: Assigns an owner of in-scope alerts. Sweep up filter applies.

  • between: Returns true if the object creation date falls between two times.

  • ceventFilter: Returns true if the object matches a SQL-like filter. Sweep up filter applies.

  • checkSeverity: Checks the severity level of the object.

  • closeAlert: Closes alerts.

  • concatFields: Sets the value of a field to a string representing a set of concatenated fields.

  • contextFilter: Filters a workflowContext object for a specified name field. Sweep up filter applies.

  • convertToJSON: Converts the object to JSON and adds it to the workflowContext for use in subsequent actions.

  • copyFromContext: Copies a field from the workflowContext to a destination object field. Sweep up filter applies.

  • copyToContext: Copies an object field to the workflowContext.

  • copyToPayload: Copies a value to the payload in workflowContext for the current object.

  • createPayload: Creates a workflowContext payload from the triggering object using a predefined payload map.

  • deassignAlert: Removes the current owner of in-scope alerts. Sweep up filter applies.

  • deleteEnrichment: Removes data from the enrichment datastore.

  • doesNotHaveStatus: Returns true when the in-scope alert or Situation is not in any of the specified states.

  • estimateSeverity: Uses a predefined classification algorithm to estimate event or alert severity. Sweep up filter applies.

  • exportViaKafka: Exports the payload from a createPayload to an external Kafka endpoint. Sweep up filter applies.

  • exportViaRest: Exports the payload from a createPayload to an external REST endpoint. Sweep up filter applies.

  • forward: Forwards the object to the named Moolet.

  • getEnrichment: Retrieves data from the enrichment datastore through the Moogsoft Enterprise Enrichment API. Sweep up filter applies.

  • getPayload: Creates a workflowContext payload from the triggering object from a predefined payload map. Sweep up filter applies.

  • getIntegrationConfig: Retrieves an integration configuration and stores it in the workflowContext for subsequent actions to use.

  • hasStatus: Returns true when the in-scope alert or Situation is in any of the specified states.

  • isAssigned: Returns true if the object has an owner or moderator. Sweep up filter applies.

  • isClear: Returns true if the object's severity level is Clear (0).

  • isInSubnet: Returns true when an IP address is present within a specified subnet. Sweep up filter applies.

  • isNewerThan: Returns true when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.

  • isNotAssigned: Returns true if the object does not have an owner or moderator. Sweep up filter applies.

  • isNotClear: Returns true if the object's severity level is not "Clear". Sweep up filter applies.

  • isNotNull: Returns true if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.

  • isNull: Returns true if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.

  • isOlderThan: Returns true when the object age in seconds is greater than a specified age in seconds. Sweep up filter applies.

  • listContains: Returns true when the array field you query contains some of your specified values. Sweep up filter applies.

  • listContainsAll: Returns true when the array field you query contains all of your specified values. Sweep up filter applies.

  • listDoesNotContain: Returns true when the array field you query contains none of your specified values. Sweep up filter applies.

  • logMessage: Logs a message to the Moogfarmd log.

  • logWorkflowContext: Logs the contents of workflowContext to the current Moogfarmd log file at a warning level.

  • logWorkflowDuration: Logs debug messages for the workflow execution duration.

  • lookupAndReplace: Sets the alertField to a value when one of the fields in the inFields list matches a word or regular expression. Sweep up filter applies.

  • lowerCase: Changes the value of a field to lowercase. Sweep up filter applies.

  • prependFields: Prepends a concatenated set of fields to an existing field, using a separator character.

  • prependString: Prepends a string to an existing field, using a separator character.

  • replaceString: Replaces a string or regular expression in a field with a specified string or regular expression.

  • restAsyncPost: Makes an HTTP POST request with a JSON payload to a named REST endpoint.

  • searchAndReplace: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.

  • searchAndReplaceOrdered: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.

  • sendMooletInform: Sends a Moolet inform with a subject and details.

  • sendViaRest: Sends the payload from a createPayload to an external REST endpoint. Sweep up filter applies.

  • setAgent: Sets the agent of the event or alert.

  • setAgentLocation: Sets the agent location of the event or alert.

  • setClass: Sets the class of the alert.

  • setCustomInfoJSONValue: Adds or updates a custom info key to the specified JSON value. Sweep up filter applies.

  • setCustomInfoValue: Adds or updates a custom info key to a specified string value. Sweep up filter applies.

  • setDescription: Sets the description of the object.

  • setEnrichment: Updates a single record in the enrichment datastore with data from an alert.

  • setEnrichmentBulk: Updates multiple records in the enrichment datastore with an array of data from an alert.

  • setExternalId: Sets the external ID of the event or alert.

  • setManager: Sets the manager of the event or alert.

  • setSource: Sets the source of the event or alert.

  • setSourceId: Sets the source ID of the event or alert.

  • setSeverity: Sets the severity of the alert. Sweep up filter applies.

  • setType: Sets the type of the alert.

  • simpleLookup: Defines the lookup as two arrays of equal length. Sweep up filter applies.

  • skip: Forwards an in-scope event, alert or Situation to the next chained moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.

  • staticLookup: Searches for a key in a static lookup table, retrieves the corresponding value, and applies that value to a field in the object.

  • stop: Stops the workflow.

  • stripFQDN: Splits a fully qualified domain name (FQDN) into a hostname/short name and a domain name and updates fields with the values.

  • upperCase: Changes the value of a field to uppercase. Sweep up filter applies.

Situation functions

The following functions are available in Situation workflows:

  • addDefaultValues: Adds a set of default values to custom_info based on a payload map. Sweep up filter applies.

  • addItemToList: Adds an item or items to an array. Sweep up filter applies.

  • addTags: Adds or updates a custom info field called "tags" with an array of string values.

  • appendFields: Appends a concatenated set of fields to an existing field, using a separator character.

  • appendString: Appends a static string to an existing field separated by a space character.

  • between: Returns true if the object creation date falls between two times.

  • ceventFilter: Returns true if the object matches a SQL-like filter. Sweep up filter applies.

  • checkSeverity: Checks the severity level of the object.

  • checkSituationFlag: Checks if a specific flag is set for a Situation.

  • checkSituationState: Returns true if the specified state exists for a Situation. Sweep up filter applies.

  • concatFields: Sets the value of a field to a string representing a set of concatenated fields.

  • containsAlertDetails: Returns true if all or any of the alerts in the Situation match the filter condition. Sweep up filter applies.

  • contextFilter: Filters a workflowContext object for a specified name field. Sweep up filter applies.

  • convertToJSON: Converts the object to JSON and adds it to the workflowContext for use in subsequent actions.

  • copyFromContext: Copies a field from the workflowContext to a destination object field. Sweep up filter applies.

  • copyToContext: Copies an object field to the workflowContext.

  • copyToPayload: Copies a value to the payload in workflowContext for the current object.

  • createPayload: Creates a workflowContext payload from the triggering object using a predefined payload map.

  • exportViaKafka: Exports the payload from a createPayload to an external Kafka endpoint. Sweep up filter applies.

  • exportViaRest: Exports the payload from a createPayload to an external REST endpoint. Sweep up filter applies.

  • createServiceTicket: Creates a ticket for the specified service.

  • doesNotHaveStatus: Returns true when the in-scope alert or Situation is not in any of the specified states.

  • filterByCookbook: Returns true if the Visualize data for the Situation matches the cookbook name.

  • filterByCookbookAndRecipe: Returns true if the Visualize data for the Situation matches the cookbook name and recipe name.

  • filterByRecipe: Returns true if the Visualize data for the Situation matches the recipe name.

  • forward: Forwards the object to the named Moolet.

  • getIntegrationConfig: Retrieves an integration configuration and stores it in the workflowContext for subsequent actions to use.

  • getPayload: Creates a workflowContext payload from the triggering object from a predefined payload map. Sweep up filter applies.

  • getSituationFlags: Retrieves the Situation flags and stores them in the workflowContext for subsequent actions to use.

  • getVisualizationData: Retrieves the Visualize data and stores them in the workflowContext for subsequent actions to use.

  • hasCausalPRC: Returns true if one or more alerts in the Situation have a causal PRC flag set. Sweep up filter applies.

  • hasMerged: Returns true if the Situation has been merged or superseded.

  • hasNotMerged: Returns true if the Situation has not been merged or superseded.

  • hasSimilarSituations: Returns true when the Situation has a similar Situation above the specified threshold.

  • hasStatus: Returns true when the in-scope alert or Situation is in any of the specified states.

  • isAlertAcknowledged: Returns true when the in-scope alert state is Acknowledged.

  • isAlertNotAcknowledged: Returns true when the in-scope alert state is not Acknowledged.

  • isAssigned: Returns true if the object has an owner or moderator. Sweep up filter applies.

  • isClear: Returns true if the object's severity level is Clear (0).

  • isNotAssigned: Returns true if the object does not have an owner or moderator. Sweep up filter applies.

  • isNewerThan: Returns true when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.

  • isNotClear: Returns true if the object's severity level is not "Clear". Sweep up filter applies.

  • isNotNull: Returns true if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.

  • isNull: Returns true if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.

  • isOlderThan: Returns true when the object age in seconds is greater than a specified age in seconds. Sweep up filter applies.

  • labelSituation: Labels the Situation using the Situation Manager Labeler macro language. Sweep up filter applies.

  • listContains: Returns true when the array field you query contains some of your specified values. Sweep up filter applies.

  • listContainsAll: Returns true when the array field you query contains all of your specified values. Sweep up filter applies.

  • listDoesNotContain: Returns true when the array field you query contains none of your specified values. Sweep up filter applies.

  • logMessage: Logs a message to the Moogfarmd log.

  • logWorkflowContext: Logs the contents of workflowContext to the current Moogfarmd log file at a warning level.

  • logWorkflowDuration: Logs debug messages for the workflow execution duration.

  • lowerCase: Changes the value of a field to lowercase. Sweep up filter applies.

  • prependFields: Prepends a concatenated set of fields to an existing field, using a separator character.

  • prependString: Prepends a string to an existing field, using a separator character.

  • removeSituationFlag: Removes a specific flag from a Situation.

  • replaceString: Replaces a string or regular expression in a field with a specified string or regular expression.

  • resolveSituation: Marks in-scope Situations as Resolved if they match the workflow's entry filter and sweep up filter.

  • reviveSituation: Revives (sets to Open) a Situation that is currently set to Resolved.

  • restAsyncPost: Makes an HTTP POST request with a JSON payload to a named REST endpoint.

  • searchAndReplace: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.

  • searchAndReplaceOrdered: Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.

  • sendMooletInform: Sends a Moolet inform with a subject and details.

  • sendViaRest: Sends the payload from a createPayload to an external REST endpoint. Sweep up filter applies.

  • setCustomInfoJSONValue: Adds or updates a custom info key to the specified JSON value. Sweep up filter applies.

  • setCustomInfoValue: Adds or updates a custom info key to a specified string value. Sweep up filter applies.

  • setDescription: Sets the description of the object.

  • setSituationFlag: Sets a flag for a Situation.

  • sigActionFilter: Returns true if the Situation action is of the specified type.

  • sigActionToolFilter: Returns true if the specified tool has been run against a Situation.

  • simpleLookup: Defines the lookup as two arrays of equal length. Sweep up filter applies.

  • skip: Forwards an in-scope event, alert or Situation to the next chained moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.

  • staticLookup: Searches for a key in a static lookup table, retrieves the corresponding value, and applies that value to a field in the object.

  • stop: Stops the workflow.

  • upperCase: Changes the value of a field to uppercase. Sweep up filter applies.

Infrastructure and Automation functions

The following functions are available in specific infrastructure and automation workflows:

  • getJDBCEnrichment: Adds data to alerts from a JDBC database. Available in JDBC Enrichment workflows.

  • getServiceNowEnrichment: Adds data to alerts from a ServiceNow database.

  • sendToAnsible: Sends an automation request to Ansible. Available in Ansible Alert and Ansible Situation workflows.

  • sendToAutomation: Sends an automation request. Available in EyeShare Alert, EyeShare Situation, Ignio Alert, and Ignio Situation workflows.

  • sendToPuppet: Sends an automation request to Puppet. Available in Puppet Alert and Puppet Situation workflows.

  • setAnsibleJob: Sets the instance and job template rule to use for Ansible automation requests. Available in Ansible Alert and Ansible Situation workflows.

  • setAutomationPayload: Sets the automation solution, instance and Workflow Payload rule set to use for automation requests. Available in EyeShare Alert, EyeShare Situation, Ignio Alert, and Ignio Situation workflows.

  • setPuppetAutomation: Sets the instance and job template rule to use for Puppet automation requests. Available in Puppet Alert and Puppet Situation workflows.