Workflow Engine Functions Reference

This is a reference for Workflow Engine functions in Moogsoft Enterprise.

Functions may be available for more than one object. For example, addItemToList is available in event, alert, enrichment, and Situation workflows. In this reference, the functions appear in the lists for all the objects they are valid for.

Note

The following topology-based workflow actions are not designed as a replacement or substitute for bulk loading topology data using the Topology API:

addTopologyLink
addTopologyNode
createTopology
deleteTopology
deleteTopologyNode
deleteTopologyLink

Bulk loading topology data using these actions can result in poorly maintained, inaccurate topologies, leading to inaccurate Situations and impacting system performance. Instead, you should maintain 1-to-many (1:many) relationships using the appropriate Topology API endpoints and loading workflow.

For example, the following would not be a supported use case: Enriching an alert with a list of its neighbors and attempting to maintain a topology using the topology workflow actions.

Supported use cases:

Topology-based workflow actions are designed to allow a dynamic topology to be created and maintained by events as they pass through the system. They should only be used to create or maintain single neighbor relationships (atomic changes). Supported use cases include those in which event data details both the "A" and "Z" end of a link.

For example:

A vMotion event that details the movement of a guest VM from one host to another
A BGP event indicating that a relationship exists or has ceased to exist between peers.

If you have any questions about these actions and their supported use cases, please contact your Moogsoft Enterprise account team.

Event functions

The following functions are available in event workflows:

Function	Description
addDefaultCustomInfoValues	Supersedes the existing `addDefaultValues` which used the now deprecated Payload Maps integration for the values.
addDefaultValues	Adds a set of default values to `custom_info` based on a payload map. Sweep up filter applies.
addItemToList	Adds an item or items to an array. Sweep up filter applies.
addLocationData	Populates the standard address fields in the standard `custom_info.location` object.
addTags	Adds or updates a custom info field called "tags" with an array of string values.
addToContext	Updates the workflow context with a key: value pair.
appendFields	Appends a concatenated set of fields to an existing field, using a separator character.
appendString	Appends a static string to an existing field separated by a space character.
basicMaths	Allows basic maths ( +, -, * , / , % ) to be performed on two fields that write the result to a destination field in either `custom_info` or the workflow context.
calculateSubnet	Generates subnet data from an IP address and a suitable network mask (either a bitmask or CIDR bit count).
ceventFilter	Returns `true` if the object matches a SQL-like filter. Sweep up filter applies.
checkFloodEvent	Performs a rudimentary flood check against an alert triggered by an incoming event.
checkSeverity	Checks the severity level of the object.
classifyEvent	Sets the class, type, and severity fields of an event based upon its contents using a predefined classification algorithm.
compareFields	Returns `true` or `false` based on the comparison of two string or number values.
concatFields	Sets the value of a field to a string representing a set of concatenated fields.
contextFilter	Filters a `workflowContext` object for a specified name field. Sweep up filter applies.
convertCustomInfoToTags	Works specifically with an alert export to Moogsoft Cloud, and “flattens” a Moogsoft Enterprise `custom_info` object into a single-depth `key:value` tags object suitable for ingestion by Moogsoft Cloud Events or the Create Your Own Integration (CYOI) API.
convertField	Converts a field using mappings defined in the Conversion Maps integration tile.
convertHexToAscii	Converts a set of hex pairs to the equivalent ASCII representation.
convertMsToSeconds	Converts a millisecond timestamp to seconds.
convertObjectList	Extracts key and value pairs from a list of anonymous objects, and creates a new flatter `key:value` object.
convertPayloadToXML	Converts a JSON payload to an XML string using the Moobot utility `jsonToXML`.
convertStringToList	Converts a string of words separated by a separator character into a Javascript array (list).
convertToBoolean	Converts a string value to a Boolean (`true` or `false`) value which is similar to the `$TO_BOOLEAN()` payload macro.
convertToEpoch	Converts a date string to epoch seconds using an optional date mask. Sweep up filter applies.
convertToJSON	Converts the object to JSON and adds it to the `workflowContext` for use in subsequent actions.
copyCEventToPayload	Copies the entire CEvent object (event, alert, or Situation) as a JSON object into the appropriate `workflowContext` payload key for that object.
copyFieldFromAlertToEvent	Copies a single field from an existing alert to a deduplicating event for the same alert.
copyFromAlertToEvent:	Copies multiple fields from an existing alert to a deduplicating event for the alert.
copyFromContext	Copies a field from the `workflowContext` to a destination object field. Sweep up filter applies.
copyFromEventToAlert	Allows you to copy `custom_info` fields from an incoming event to the existing alert that the event would de-duplicate to.
copyToContext	Copies an object field to the `workflowContext`.
copyToInformPayload	An eventless clone of the `copyToPayload` function, copying data into the Inform payload rather than a CEvent-specific payload.
copyToPayload	Copies a value to the payload in `workflowContext` for the current object.
createMaintenanceWindow	Calls the MoogDb `createMaintenanceWindow` API call, using the same parameters.
createPayload	Creates a `workflowContext` payload from the triggering object using a predefined payload map.
dejaVu	Allows you to determine if a piece of data has been seen previously.
deleteEnrichment	Removes data from the enrichment datastore.
deleteObjectKeys	Removes data from the enrichment datastore.
deltaEvent	Returns `true`: if the specified event fields differ from corresponding fields in an existing alert, or when an error occurs in the delta check, or when no alert exists. Returns `false` when it detects no changes.
dnsLookup	Performs a lookup of an IP address or name to return a JSON object containing the IP address, FQDN, and name for the address.
dropEvent	Allows you to prevent further processing of an event.
estimateSeverity	Uses a predefined classification algorithm to estimate event or alert severity. Sweep up filter applies.
existingAlertFilter	Returns `true` if the existing alert for a deduplicating event matches a SQL-like filter.
exportViaRestWithRetry	Has the same functionality as the `exportViaRest` (and `sendViaRest`) actions, but adds the ability to retry the export on failure. Sweep up filter applies.
extractAll	Extracts all matches for the specified regular expression found in the specified field value (a string), copying the results to a new field.
flattenObject	Converts a nested JSON object (consisting of more than one level) into a flat JSON object with only a single level of depth (a key:value pairing).
formatDate	Allows an epoch date (number of seconds since 1/1/1970 00:00:00) to be formatted using a set of predefined macros. Sweep up filter applies.
getExistingAlertId	Retrieves the existing alert id for a triggering event (the alert the event would deduplicate with), and copies the id to the workflow context key `workflowContext.alert_id`.
getHashValue	Creates a hash value (32-bit integer) from a CEvent or WorkflowContext field value and copies it to a destination field or the source field (if no destination was specified).
getIntegrationConfiggetIntegrationConfig	Retrieves an integration configuration and stores it in the `workflowContext` for subsequent actions to use.
getObjectValuesFromList	Allows keys to be extracted from a list of anonymous objects based on a “trigger” key and value.
getPayload	Creates a `workflowContext` payload from the triggering object from a predefined payload map. Sweep up filter applies.
getPayloadFromInform	Has the same functionality as the `getPayload` function, but instead of creating a payload from an in-scope CEvent object (event, alert or situation), the payload is created from the `workflowContext` object.
isClear	Returns `true` if the object's severity level is Clear (0).
isInSubnet	Returns `true` when an IP address is present within a specified subnet. Sweep up filter applies.
isNewerThan	Returns `true` when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.
isNotClear	Returns `true` if the object's severity level is not "Clear". Sweep up filter applies.
isNotNull	Returns `true` if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.
isNull	Returns `true` if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.
isOlderThan	Returns `true` when the object age in seconds is older than a specified age in seconds. Sweep up filter applies.
listContains	Returns `true` when the array field you query contains some of your specified values. Sweep up filter applies.
listContainsAll	Returns `true` when the array field you query contains all of your specified values. Sweep up filter applies.
listDoesNotContain	Returns `true` when the array field you query contains none of your specified values. Sweep up filter applies.
logCEvent	Prints a warning level message containing the current in-scope object in a readable JSON format to the Moogfarmd log file. Sweep up filter applies.
logWorkflowDuration	Logs debug messages for the workflow execution duration.
lowerCase	Changes the value of a field to lower case. Sweep up filter applies.
mapEvent	Allows you to map an event in the Event Workflow engine using a configured Payload map.
mergeList	Merges two or more array fields. Sweep up filter applies.
notBetween	The “negative” of the `between` function, returning `true` if the object creation date is outside the specified range.
parseOverflow	Parses the `event.overflow` field into a JSON object and copies the resulting object into the `workflowContext.overflow` object.
populateNamedTopology	Populates the named topology field `custom_info.moog_topology` with a value. It can be a string value or the value of an alert attribute. Sweep up filter applies.
prependFields	Prepends a concatenated set of fields to an existing field, using a separator character.
prependString	Prepends a string to an existing field, using a separator character.
reduceObjectsList	Reduces a list of objects into single object of merged key value pairs.
removeEmptyPayloadValues	Removes empty values from a JSON object, specifically designed to remove empty values from payloads (in the `workflowContext`) created by the `getPayload`, or `getPayloadFromInform` functions. Sweep up filter applies.
removeEmptyValues	Removes empty values from a JSON object. Sweep up filter applies.
removeItemsFromList	Removes a set of specified items from an existing list and write the resulting list back to the source field, or optionally to a different destination field.
restAsyncPost	Makes a HTTP POST request with a JSON payload to a named REST endpoint.
searchAndReplace	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.
searchAndReplaceOrdered	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.
sendToCloud	Builds a payload from a CEvent object and exports it (via REST) to a configured Moogsoft Cloud endpoint.
sendToWorkflow	Sends the in-scope object to a named workflow in an Inform based workflow engine.
setAgent	Sets the agent of the event or alert.
setAgentLocation	Sets the agent location of the event or alert.
setAgentTime	Sets the agent_time of the event to current time if the field does not exist in the event, or is more than the offset seconds in the past/future.
setEnrichment	Updates a single record in the enrichment datastore with data from an alert.
setEnrichmentBulk	Updates multiple records in the enrichment datastore with an array of data from an alert.
setExternalId	Sets the external ID of the event or alert.
setManager	Sets the manager of the event or alerts.
setSource	Sets the source of the event or alert.
setSourceId	Sets the source ID of the event or alert.
setCoreEventField	Sets a single core event field to a value.
simpleLookup	Defines the lookup as two arrays of equal length. Sweep up filter applies.
skip	Forwards an in-scope event, alert or Situation to the next chained Moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.
sortList	Sorts a JavaScript array (a list) using the standard `Array.sort()` function.
staticLookup	Searches for a `key` in a static lookup table, retrieves the corresponding value, and applies that value to a `field` in the object.
stop	Stops the workflow.
stripFQDN	Splits a fully qualified domain name (FQDN) into a hostname/short name and a domain name and updates fields with the values.
substringValue	Substrings a value to the specified limit (or the closest preceding whitespace), then copies the result to either the optional destination field, or overwrites the source field.
upperCase	Changes the value of a field to uppercase. Sweep up filter applies.
validateEvent	Validates an event prior to deduplication to ensure that the event can be processed.
willCreateNewAlert	Returns `true` if the event will create a new alert.
willDeduplicateAlert	Returns `true` if the event will deduplicate into an existing alert.
workflowContextSearchAndReplace	Works only on fields within the workflowContext. The extracted fields are copied into a fixed workflowContext location: `workflowContext.extract`.
xinyState	Returns `true` if it detects that an alert is “flapping” (repeatedly changing state from “down” to “up” or "up" to "down"), and returns `false` if flapping is not detected, or if an alert that was previously flapping is no longer flapping.

Alert and enrichment functions

The following functions are available in alert and enrichment workflows:

Function	Description
ackNotification	Automatically acknowledges a notification for a service.
activateTopology	Updates a named topology from an inactive to an active state.
addDefaultCustomInfoValues	Supersedes the existing `addDefaultValues` which used the now deprecated Payload Maps integration for the values.
addDefaultValues	Adds a set of default values to `custom_info` based on a payload map. Sweep up filter applies.
addItemToList	Adds an item or items to an array. Sweep up filter applies.
addLocationData	Populates the standard address fields in the standard `custom_info.location` object.
addRestHeader	Adds additional headers to an outbound request in a exportViaRest or sendViaRest workflow.
addTags	Adds or updates a custom info field called "tags" with an array of string values.
addToContext	Updates the workflow context with a key: value pair.
addTopologyLink	Creates a link between two endpoints, A (source node) and Z (sink node), in a named topology.
addTopologyNode	Creates a node in a named topology.
alertDelta	Returns `true` when attributes have changed.
alertInSituation	Returns `true` when the alert is a member of an active Situation. Sweep up filter applies.
alertNotInSituation	Returns `true` when the alert is not a member of an active Situation. Sweep up filter applies.
appendFields	Appends a concatenated set of fields to an existing field, using a separator character.
appendString	Appends a static string to an existing field separated by a space character.
assignAlert	Assigns an owner of in-scope alerts. Sweep up filter applies.
assignAndAcknowledge	Assigns and acknowledges the specified user as the owner of the alerts or Situations in scope.
basicMaths	Allows basic maths ( +, -, * , / , % ) to be performed on two fields that write the result to a destination field in either `custom_info` or the workflow context.
between	Returns `true` if the object creation date falls between two times.
calculateSubnet	Generates subnet data from an IP address and a suitable network mask (either a bitmask or CIDR bit count).
ceventFilter	Returns `true` if the object matches a SQL-like filter. Sweep up filter applies.
checkSeverity	Checks the severity level of the object.
checkTopology	Checks for the existence of a named topology.
checkTopologyLink	Checks for a link between two endpoints, A (source node) and Z (sink node), in a named topology.
cloneTopology	Copies an existing topology to a new inactive named topology if the name is not already in use.
closeAlert	Closes alerts.
closeServiceNowIncident	Sends an incident close request to ServiceNow.
closeWebexIncident	Notifies Webex when a Situation or alert is closed or resolved.
compareFields	Returns `true` or `false` based on the comparison of two string or number values.
concatFields	Sets the value of a field to a string representing a set of concatenated fields.
contextFilter	Filters a `workflowContext` object for a specified name field. Sweep up filter applies.
convertCustomInfoToTags	Works specifically with an alert export to Moogsoft Cloud, and “flattens” a Moogsoft Enterprise `custom_info` object into a single-depth `key:value` tags object suitable for ingestion by Moogsoft Cloud Events or the Create Your Own Integration (CYOI) API.
convertField	Converts a field using mappings defined in the Conversion Maps integration tile.
convertHexToAscii	Converts a set of hex pairs to the equivalent ASCII representation.
convertMsToSeconds	Converts a millisecond timestamp to seconds.
convertObjectList	Extracts key and value pairs from a list of anonymous objects, and creates a new flatter `key:value` object.
convertPayloadToXML	Converts a JSON payload to an XML string using the Moobot utility `jsonToXML`.
convertStringToList	Converts a string of words separated by a separator character into a Javascript array (list).
convertToBoolean	Converts a string value to a Boolean (`true` or `false`) value which is similar to the `$TO_BOOLEAN()` payload macro.
convertToEpoch	Converts a date string to epoch seconds using an optional date mask. Sweep up filter applies.
convertToJSON	Converts the object to JSON and adds it to the `workflowContext` for use in subsequent actions.
copyCEventToPayload	Copies the entire CEvent object (event, alert, or Situation) as a JSON object into the appropriate `workflowContext` payload key for that object.
copyFromContext	Copies a field from the `workflowContext` to a destination object field. Sweep up filter applies.
copyToContext	Copies an object field to the `workflowContext`.
copyToInformPayload	An eventless clone of the `copyToPayload` function, copying data into the Inform payload rather than a CEvent-specific payload.
copyToPayload	Copies a value to the payload in `workflowContext` for the current object.
createMaintenanceWindow	Calls the MoogDb `createMaintenanceWindow` API call, using the same parameters.
createNotification	Automatically creates a notification for a service.
createPayload	Creates a `workflowContext` payload from the triggering object using a predefined payload map.
createServiceNowIncident	Sends an incident to create request to ServiceNow.
createTopology	Creates a named topology if it does not already exist. Takes no action if the topology exists.
createWebexIncident	Creates a new Webex Incident notification.
deactivateTopology	Updates a named topology from an active to an inactive state.
deassignAlert	Removes the current owner of in-scope alerts. Sweep up filter applies.
dejaVu	Allows you to determine if a piece of data has been seen previously.
deleteEnrichment	Removes data from the enrichment datastore.
deleteObjectKeys	Allows deletion of keys from an object.
deleteTopology	Delete a named topology.
deleteTopologyLink	Removes a direct link between two endpoints, A (source node) and Z (sink node), in a named topology.
deleteTopologyNode	Deletes a node in a named topology.
dnsLookup	Performs a lookup of an IP address or name to return a JSON object containing the IP address, FQDN, and name for the address.
doesNotHaveStatus	Returns `true` when the in-cope alert or Situation is not in any of the specified states.
enteringMaintenanceWindow	Returns `true` if it detects that an alert has entered a maintenance window.
estimateSeverity	Uses a predefined classification algorithm to estimate event or alert severity. Sweep up filter applies.
exportViaJDBC	Exports alert and Situation data to an external JDBC endpoint.
exportViaKafka	Exports the payload from a createPayload to an external Kafka endpoint. Sweep up filter applies.
exportViaRest	Exports the payload from a createPayload to an external REST endpoint. Sweep up filter applies.
exportViaRestWithRetry	Has the same functionality as the `exportViaRest` (and `sendViaRest`) actions, but adds the ability to retry the export on failure. Sweep up filter applies.
extractAll	Extracts all matches for the specified regular expression found in the specified field value (a string), copying the results to a new field.
flattenObject	Converts a nested JSON object (consisting of more than one level) into a flat JSON object with only a single level of depth (a key:value pairing).
formatDate	Allows an epoch date (number of seconds since 1/1/1970 00:00:00) to be formatted using a set of predefined macros. Sweep up filter applies.
forward	Forwards the object to the named Moolet.
getEnrichment	Retrieves data from the enrichment datastore through the Moogsoft Enterprise Enrichment API. Sweep up filter applies.
getHashValue	Creates a hash value (32-bit integer) from a CEvent or WorkflowContext field value and copies it to a destination field or the source field (if no destination was specified).
getIntegrationConfiggetIntegrationConfig	Retrieves an integration configuration and stores it in the `workflowContext` for subsequent actions to use.
getObjectValuesFromList	Allows keys to be extracted from a list of anonymous objects based on a “trigger” key and value.
getPayload	Creates a `workflowContext` payload from the triggering object from a predefined payload map. Sweep up filter applies.
getPayloadFromInform	Has the same functionality as the `getPayload` function, but instead of creating a payload from an in-scope CEvent object (event, alert or situation), the payload is created from the `workflowContext` object.
getSituationDetailsForAlert	Retrieves the specified Situation attributes for the Situation that the triggering alert belongs to, and writes these details into the `workflowContext` for use in subsequent actions.
getUserDetails	Retrieves the full Moogsoft user record from a supplied uid and copies the retrieved data to the `workflowContext.userDetails` key for use in subsequent actions within the workflow.
getViaRest	Receives a JSON payload or results from a REST endpoint and sets the results under `workflowContext.values.<endpointname>`.
hasNotSweptUp	Returns `true` if the workflow entry filter did not sweep up any alerts or Situations.
hasStatus	Returns `true` when the in-scope alert or Situation is in any of the specified states.
hasSweptUp	Returns `true` if the workflow entry filter swept up any alerts or Situations.
isAssigned	Returns `true` if the object has an owner or moderator. Sweep up filter applies.
isClear	Returns `true` if the object's severity level is Clear (0).
isInSubnet	Returns `true` when an IP address is present within a specified subnet. Sweep up filter applies.
isNewerThan	Returns `true` when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.
isNotAssigned	Returns `true` if the object does not have an owner or moderator. Sweep up filter applies.
hasSweptUp	Returns `true` if the workflow entry filter swept up any alerts or Situations.
isNotClear	Returns `true` if the object's severity level is not "Clear". Sweep up filter applies.
isNotNull	Returns `true` if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.
isNull	Returns `true` if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.
isOlderThan	Returns `true` when the object age in seconds is older than a specified age in seconds. Sweep up filter applies.
leavingMaintenanceWindow	Returns `true` if it detects that an alert has left a maintenance window.
listContains	Returns `true` when the array field you query contains some of your specified values. Sweep up filter applies.
listContainsAll	Returns `true` when the array field you query contains all of your specified values. Sweep up filter applies.
listDoesNotContain	Returns `true` when the array field you query contains none of your specified values. Sweep up filter applies.
logCEvent	Prints a warning level message containing the current in-scope object in a readable JSON format to the Moogfarmd log file. Sweep up filter applies.
logMessage	Logs a message to the Moogfarmd log.
logWorkflowContext	Logs the contents of `workflowContext` to the current Moogfarmd log file at a warning level.
logWorkflowDuration	Logs debug messages for the workflow execution duration.
lookupAndReplace	Sets the `alertField` to a value when one of the fields in the `inFields` list matches a word or regular expression. Sweep up filter applies.
lowerCase	Changes the value of a field to lower case. Sweep up filter applies.
mergeList	Merges two or more array fields. Sweep up filter applies.
mergeSituations	Merges two or more Situations, creating a new Situation, and optionally keeps the original (source) Situations open. Sweep up filter applies.
notBetween	The “negative” of the `between` function, returning `true` if the object creation date is outside the specified range.
notifySlack	Sends a request to Slack channel(s).
populateNamedTopology	Populates the named topology field `custom_info.moog_topology` with a value. It can be a string value or the value of an alert attribute. Sweep up filter applies.
prependFields	Prepends a concatenated set of fields to an existing field, using a separator character.
prependString	Prepends a string to an existing field, using a separator character.
processAyehuAutomationResponse	Processes the automation results response sent by Ayehu using a workflow inform.
reduceObjectsList	Reduces a list of objects into single object of merged key value pairs.
removeEmptyPayloadValues	Removes empty values from a JSON object, specifically designed to remove empty values from payloads (in the `workflowContext`) created by the `getPayload`, or `getPayloadFromInform` functions. Sweep up filter applies.
removeEmptyValues	Removes empty values from a JSON object. Sweep up filter applies.
removeItemsFromList	Removes a set of specified items from an existing list and write the resulting list back to the source field, or optionally to a different destination field.
replaceString	Replaces a string or regular expression in a field with a specified string or regular expression.
resolveNotification	Automatically resolves a notification for a service.
resolveServiceNowIncident	Sends an incident resolve request to ServiceNow.
restAsyncPost	Makes a HTTP POST request with a JSON payload to a named REST endpoint.
searchAndReplace	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.
searchAndReplaceOrdered	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.
sendAlertToWorkflow	Allows a triggering CEvent (alert or Situation) to send an alternative alert to a target workflow.
sendAssignedToServiceNowIncident	Sends an assignment request to related ServiceNow incidents.
sendAssignedToWebexIncident	Notifies Webex when a situation or alert is assigned.
sendAyehuAutomationRequest	Sends an automation request to Ayehu.
sendEmail	Specifies the email server instance defined in the integrations UI, the email address(s), email subject, and email message that will be used for the email request.
sendEmailFromInform	Sends an action-specific email using a predefined email server.
sendEmailUsingTemplate	Specifies the email server instance and message template defined in the integrations UI, and the email address(s) that will be used for an email request.
sendEmailUsingTemplateFromInform	Sends an email using a predefined message template.
sendMooletInform	Sends a Moolet inform with a subject and details.
sendSituationsToWorkflow	Sends the member alert of active Situations to a named workflow within a named Inform based workflow engine using the moogdb sendToWorkflow API call.
sendSituationToWorkflow	Allows a triggering CEvent (alert or Situation) to send an alternative Situation to a target workflow.
sendToCloud	Builds a payload from a CEvent object and exports it (via REST) to a configured Moogsoft Cloud endpoint.
sendToWorkflow	Sends the in-scope object to a named workflow in an Inform based workflow engine.
sendViaRest	Sends the payload from a createPayload to an external REST endpoint. Sweep up filter applies.
sendViaRestWithRetry	Has the same functionality as the `sendViaRest` function (a clone of `exportViaRest`), but adds the ability to retry the export on failure.
setAgent	Sets the agent of the event or alert.
setAgentLocation	Sets the agent location of the event or alert.
setClass	Sets the class of the alert.
setCustomInfoJSONValue	Adds or updates a custom info key to the specified JSON value. Sweep up filter applies.
setCustomInfoValue	Adds or updates a custom info key to a specified string value. Sweep up filter applies.
setDescription	Sets the description of the object.
setEnrichment	Updates a single record in the enrichment datastore with data from an alert.
setEnrichmentBulk	Updates multiple records in the enrichment datastore with an array of data from an alert.
setExternalId	Sets the external ID of the event or alert.
setManager	Sets the manager of the event or alerts.
setServiceNowPayload	Sets the payload used in the subsequent create, resolve, close, or update request to ServiceNow.
setSlackTarget	Sets the target Slack channel and title for a message payload.
setSource	Sets the source of the event or alert.
setSourceId	Sets the source ID of the event or alert.
setSeverity	Sets the severity of the alert. Sweep up filter applies.
setType	Sets the type of the alert.
simpleLookup	Defines the lookup as two arrays of equal length. Sweep up filter applies.
skip	Forwards an in-scope event, alert or Situation to the next chained moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.
sortList	Sorts a JavaScript array (a list) using the standard `Array.sort()` function.
staticLookup	Searches for a `key` in a static lookup table, retrieves the corresponding value, and applies that value to a `field` in the object.
stop	Stops the workflow.
stripFQDN	Splits a fully qualified domain name (FQDN) into a hostname/short name and a domain name and updates fields with the values.
substringValue	Substrings a value to the specified limit (or the closest preceding whitespace), then copies the result to either the optional destination field, or overwrites the source field.
testSendEmail	Specifies an email server instance as defined in the integrations UI.
updateServiceNowConfig	Sends an update request to ServiceNow for the Moogsoft Properties (part of the Moogsoft update set for ServiceNow Management integration).
updateServiceNowIncident	Sends an incident update request to ServiceNow.
upperCase	Changes the value of a field to uppercase. Sweep up filter applies.
workflowContextSearchAndReplace	Works only on fields within the workflowContext. The extracted fields are copied into a fixed workflowContext location: `workflowContext.extract`.
xinyClose	Clears out any cached `xiny` data for the in-scope alert.

Situation functions

The following functions are available in Situation workflows:

Function	Description
ackNotification	Automatically acknowledges a notification for a service.
addCorrelationInfo	Adds an External ID to a Situation.
addDefaultCustomInfoValues	Supersedes the existing `addDefaultValues` which used the now deprecated Payload Maps integration for the values.
addDefaultValues	Adds a set of default values to `custom_info` based on a payload map. Sweep up filter applies.
addItemToList	Adds an item or items to an array. Sweep up filter applies.
addLocationData	Populates the standard address fields in the standard `custom_info.location` object.
addRestHeader	Adds additional headers to an outbound request in a exportViaRest or sendViaRest workflow.
addTags	Adds or updates a custom info field called "tags" with an array of string values.
addThreadEntry	Adds a post to the named thread in the Collaboration tab of the Situation Room.
addToContext	Updates the workflow context with a key: value pair.
appendFields	Appends a concatenated set of fields to an existing field, using a separator character.
appendString	Appends a static string to an existing field separated by a space character.
assignAndAcknowledge	Assigns and acknowledges the specified user as the owner of the alerts or Situations in scope.
assignModerator	Assigns a user as the moderator of the Situations in scope.
basicMaths	Allows basic maths ( +, -, * , / , % ) to be performed on two fields that write the result to a destination field in either `custom_info` or the workflow context.
between	Returns `true` if the object creation date falls between two times.
calculateSubnet	Generates subnet data from an IP address and a suitable network mask (either a bitmask or CIDR bit count).
ceventFilter	Returns `true` if the object matches a SQL-like filter. Sweep up filter applies.
checkSeverity	Checks the severity level of the object.
checkSituationFlag	Checks if a specific flag is set for a Situation.
checkSituationState	Returns `true` if the specified state exists for a Situation. Sweep up filter applies.
closeServiceNowIncident	Sends an incident close request to ServiceNow.
closeWebexIncident	Notifies Webex when a Situation or alert is closed or resolved.
compareFields	Returns `true` or `false` based on the comparison of two string or number values.
concatFields	Sets the value of a field to a string representing a set of concatenated fields.
containsAlertDetails	Returns `true` if all or any of the alerts in the Situation matches the filter condition. Sweep up filter applies.
contextFilter	Filters a `workflowContext` object for a specified name field. Sweep up filter applies.
convertCustomInfoToTags	Works specifically with an alert export to Moogsoft Cloud, and “flattens” a Moogsoft Enterprise `custom_info` object into a single-depth `key:value` tags object suitable for ingestion by Moogsoft Cloud Events or the Create Your Own Integration (CYOI) API.
convertField	Converts a field using mappings defined in the Conversion Maps integration tile.
convertHexToAscii	Converts a set of hex pairs to the equivalent ASCII representation.
convertMsToSeconds	Converts a millisecond timestamp to seconds.
convertObjectList	Extracts key and value pairs from a list of anonymous objects, and creates a new flatter `key:value` object.
convertPayloadToXML	Converts a JSON payload to an XML string using the Moobot utility `jsonToXML`.
convertStringToList	Converts a string of words separated by a separator character into a Javascript array (list).
convertToBoolean	Converts a string value to a Boolean (`true` or `false`) value which is similar to the `$TO_BOOLEAN()` payload macro.
convertToEpoch	Converts a date string to epoch seconds using an optional date mask. Sweep up filter applies.
convertToJSON	Converts the object to JSON and adds it to the `workflowContext` for use in subsequent actions.
copyCEventToPayload	Copies the entire CEvent object (event, alert, or Situation) as a JSON object into the appropriate `workflowContext` payload key for that object.
copyFromContext	Copies a field from the `workflowContext` to a destination object field. Sweep up filter applies.
copyOnMerge	Copies data from child Situations to the parent Situation when a manual merge is performed.
copyToContext	Copies an object field to the `workflowContext`.
copyToInformPayload	An eventless clone of the `copyToPayload` function, copying data into the Inform payload rather than a CEvent-specific payload.
copyToPayload	Copies a value to the payload in `workflowContext` for the current object.
createMaintenanceWindow	Calls the MoogDb `createMaintenanceWindow` API call, using the same parameters.
createNotification	Automatically creates a notification for a service.
createPayload	Creates a `workflowContext` payload from the triggering object using a predefined payload map.
createServiceNowIncident	Sends an incident to create request to ServiceNow.
createServiceTicket	Creates a ticket for the specified service.
createWebexIncident	Creates a new Webex Incident notification.
dejaVu	Allows you to determine if a piece of data has been seen previously.
deleteObjectKeys	Allows deletion of keys from an object.
dnsLookup	Performs a lookup of an IP address or name to return a JSON object containing the IP address, FQDN, and name for the address.
doesNotHaveCorrelationInfo	Returns `true` if a Situation does not have a specific item set.
doesNotHaveStatus	Returns `true` when the in-cope alert or Situation is not in any of the specified states.
exportViaJDBC	Exports alert and Situation data to an external JDBC endpoint.
exportViaKafka	Exports the payload from a createPayload to an external Kafka endpoint. Sweep up filter applies.
exportViaRest	Exports the payload from a createPayload to an external REST endpoint. Sweep up filter applies.
exportViaRestWithRetry	Has the same functionality as the `exportViaRest` (and `sendViaRest`) actions, but adds the ability to retry the export on failure. Sweep up filter applies.
extractAll	Extracts all matches for the specified regular expression found in the specified field value (a string), copying the results to a new field.
filterByCookbook	Returns `true` if the Visualize data for the Situation matches the cookbook name.
filterByCookbookAndRecipe	Returns `true` if the Visualize data for the Situation matches the cookbook name and recipe name.
filterByRecipe	Returns `true` if the Visualize data for the Situation matches the recipe name.
flattenObject	Converts a nested JSON object (consisting of more than one level) into a flat JSON object with only a single level of depth (a key:value pairing).
formatDate	Allows an epoch date (number of seconds since 1/1/1970 00:00:00) to be formatted using a set of predefined macros. Sweep up filter applies.
forward	Forwards the object to the named Moolet.
getCorrelationInfo	Checks whether correlation info exists for a Situation.
getEnrichment	Retrieves data from the enrichment data store through the Enrichment API.
getHashValue	Creates a hash value (32-bit integer) from a CEvent or WorkflowContext field value and copies it to a destination field or the source field (if no destination was specified).
getIntegrationConfiggetIntegrationConfig	Retrieves an integration configuration and stores it in the `workflowContext` for subsequent actions to use.
getObjectValuesFromList	Allows keys to be extracted from a list of anonymous objects based on a “trigger” key and value.
getPayload	Creates a `workflowContext` payload from the triggering object from a predefined payload map. Sweep up filter applies.
getPayloadFromInform	Has the same functionality as the `getPayload` function, but instead of creating a payload from an in-scope CEvent object (event, alert or situation), the payload is created from the `workflowContext` object.
getSituationFlags	Retrieves the Situation flags and stores them in the workflowContext for subsequent actions to use.
getThreadEntry	Returns a thread entry for a thread in a Situation.
getUserDetails	Retrieves the full Moogsoft user record from a supplied uid and copies the retrieved data to the `workflowContext.userDetails` key for use in subsequent actions within the workflow.
getViaRest	Receives a JSON payload or results from a REST endpoint and sets the results under `workflowContext.values.<endpointname>`.
getVisualizationData	Retrieves the Visualize data and stores them in the workflowContext for subsequent actions to use.
hasCausalPRC	Returns `true` if one or more alerts in the Situation has a causal PRC flag set. Sweep up filter applies.
hasCorrelationInfo	Returns `true` if a Situation has a specific item set.
hasMerged	Returns `true` if the Situation has been merged or superseded.
hasNotMerged	Returns `true` if the Situation has not been merged or superseded.
hasNotSweptUp	Returns `true` if the workflow entry filter did not sweep up any alerts or Situations.
hasPRCAlert	Returns `true` if a situation has at least one alert with a PRC value set (an `rc_probability`).
hasSimilarSituations	Returns `true` when the Situation has a similar Situation above the specified threshold.
hasStatus	Returns `true` when the in-scope alert or Situation is in any of the specified states.
hasSymptomPRC	Returns `true` if a Situation has at least one Symptom PRC label set for its alerts.
haveServicesChanged	Detects whether the Services for a Situation have changed (added to or removed from).
haveSituationClsChanged	Detects whether the CIs within a Situation changed when an alert is added to the Situation (manually, from a Sigaliser, or via APIs).
haveTeamsChanged	Detects any changes to a Situation’s Teams.
isAlertAcknowledged	Returns `true` when the in-scope alert state is Acknowledged.
isAlertNotAcknowledged	Returns `true` when the in-scope alert state is not Acknowledged.
isAssigned	Returns `true` if the object has an owner or moderator. Sweep up filter applies.
isClear	Returns `true` if the object's severity level is Clear (0).
isNewerThan	Returns `true` when the object age in seconds is less than a specified age in seconds. Sweep up filter applies.
isNotAssigned	Returns `true` if the object does not have an owner or moderator. Sweep up filter applies.
isNotClear	Returns `true` if the object's severity level is not "Clear". Sweep up filter applies.
isNotNull	Returns `true` if the value for an object's cEvent field is not null, is not an empty object, or is not an empty array.
isNull	Returns `true` if the value for an object's cEvent field is null, is not set, is an empty object, or is an empty array.
isOlderThan	Returns `true` when the object age in seconds is older than a specified age in seconds. Sweep up filter applies.
isPrimaryTeamSet	Returns `true` if the primary team for a Situation is set.
labelSituation	Labels the Situation using the Situation Manager Labeler macro language. Sweep up filter applies.
listContains	Returns `true` when the array field you query contains some of your specified values. Sweep up filter applies.
listContainsAll	Returns `true` when the array field you query contains all of your specified values. Sweep up filter applies.
listDoesNotContain	Returns `true` when the array field you query contains none of your specified values. Sweep up filter applies.
listSituationAlertIds	Adds the current alert Ids in the Situation into the workflow context under `situationAlertIds`.
listSituationHosts	Adds the current host names in the Situation into the workflow context under `situationHosts`.
logCEvent	Prints a warning level message containing the current in-scope object in a readable JSON format to the Moogfarmd log file. Sweep up filter applies.
logMessage	Logs a message to the Moogfarmd log.
logWorkflowContext	Logs the contents of `workflowContext` to the current Moogfarmd log file at a warning level.
logWorkflowDuration	Logs debug messages for the workflow execution duration.
lowerCase	Changes the value of a field to lower case. Sweep up filter applies.
mergeList	Merges two or more array fields. Sweep up filter applies.
mergeSituations	Merges two or more Situations, creating a new Situation, and optionally keeps the original (source) Situations open. Sweep up filter applies.
moveSituationToCategory	Moves a Situation to the specified category (Created, Detected, Superseded, Closed). Sweep up filter applies.
notBetween	The “negative” of the `between` function, returning `true` if the object creation date is outside the specified range.
notifySlack	Sends a request to Slack channel(s).
prependFields	Prepends a concatenated set of fields to an existing field, using a separator character.
prependString	Prepends a string to an existing field, using a separator character.
processAyehuAutomationResponse	Processes the automation results response sent by Ayehu using a workflow inform.
receiveUpdateFromWebexIncident	Handles incoming notifications from Webex.
reduceObjectsList	Reduces a list of objects into single object of merged key value pairs.
removeCorrelationInfo	Removes Situation Correlation Info (`sigCorrelationInfo`) for the specified service, and optionally for a specified `external_id` within that service.
removeEmptyPayloadValues	Removes empty values from a JSON object, specifically designed to remove empty values from payloads (in the `workflowContext`) created by the `getPayload`, or `getPayloadFromInform` functions. Sweep up filter applies.
removeEmptyValues	Removes empty values from a JSON object. Sweep up filter applies.
removeItemsFromList	Removes a set of specified items from an existing list and write the resulting list back to the source field, or optionally to a different destination field.
removeMatchingSituationFlags	Allows a set of Situation flags to be removed simultaneously based on a regular expression match.
removeSituationFlag	Removes a specific flag from a Situation.
replaceString	Replaces a string or regular expression in a field with a specified string or regular expression.
resolveNotification	Automatically resolves a notification for a service.
resolveServiceNowIncident	Sends an incident resolve request to ServiceNow.
resolveSituation	Marks in-scope Situations as Resolved if they match the workflow's entry filter and sweep up filter.
restAsyncPost	Makes a HTTP POST request with a JSON payload to a named REST endpoint.
reviveSituation	Revives (sets to Open) a Situation that is currently set to Resolved.
searchAndReplace	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Sweep up filter applies.
searchAndReplaceOrdered	Matches a regular expression to an object field and maps the contents of subgroups to other fields. Allows you to provide the map as an array to preserve mapping order. Sweep up filter applies.
sendAddedAlertsToWorkflow	Allows alerts to be sent to a named workflow (using the `sendToWorkflow` function) when they are added to a Situation.
sendAlertsToWorkflow	Sends Situation alerts to a named workflow within a named Inform based workflow engine using the moogdb sendToWorkflow API call.
sendAlertToWorkflow	Allows a triggering CEvent (alert or Situation) to send an alternative alert to a target workflow.
sendAssignedToServiceNowIncident	Sends an assignment request to related ServiceNow incidents.
sendAssignedToWebexIncident	Notifies Webex when a situation or alert is assigned.
sendAyehuAutomationRequest	Sends an automation request to Ayehu.
sendEmail	Specifies the email server instance defined in the integrations UI, the email address(s), email subject, and email message that will be used for the email request.
sendEmailFromInform	Sends an action-specific email using a predefined email server.
sendEmailUsingTemplate	Specifies the email server instance and message template defined in the integrations UI, and the email address(s) that will be used for an email request.
sendEmailUsingTemplateFromInform	Sends an email using a predefined message template.
sendMooletInform	Sends a Moolet inform with a subject and details.
sendSituationToWorkflow	Allows a triggering CEvent (alert or Situation) to send an alternative Situation to a target workflow.
sendTeamsAddedToWebexIncident	Notifies Webex when Teams are added to a Situation.
sendThreadEntries	Sends all thread entries from the specified threads for the in-scope Situation to a named workflow in an inform-based workflow engine.
sendThreadEntryToServiceNowIncident	Sends an incident work note to ServiceNow when a collaboration entry is posted in a Moogsoft Situation with related incidents.
sendThreadEntryToWebexIncident	Sends a reply to the corresponding Webex incident message. Sweep up filter applies.
sendToCloud	Builds a payload from a CEvent object and exports it (via REST) to a configured Moogsoft Cloud endpoint.
sendToWorkflow	Sends the in-scope object to a named workflow in an Inform based workflow engine.
sendViaRest	Sends the payload from a createPayload to an external REST endpoint. Sweep up filter applies.
sendViaRestWithRetry	Has the same functionality as the `sendViaRest` function (a clone of `exportViaRest`), but adds the ability to retry the export on failure.
setCustomInfoJSONValue	Adds or updates a custom info key to the specified JSON value. Sweep up filter applies.
setCustomInfoValue	Adds or updates a custom info key to a specified string value. Sweep up filter applies.
setDescription	Sets the description of the object.
setServiceNowPayload	Sets the payload used in the subsequent create, resolve, close, or update request to ServiceNow.
setSituationFlag	Sets a flag for a Situation.
setSituationServices	Sets the impacted services for a Situation.
setSituationState	Sets the state of the Situation. Not to be confused with Situation status. Sweep up filter applies.
setSlackTarget	Sets the target Slack channel and title for a message payload.
sigActionFilter	Returns `true` if the Situation action is of the specified type.
sigActionToolFilter	Returns `true` if the specified tool has been run against a Situation.
simpleLookup	Defines the lookup as two arrays of equal length. Sweep up filter applies.
situationDelta	Returns `true` when attributes have changed.
skip	Forwards an in-scope event, alert or Situation to the next chained moolet using the standard forwarding mechanism, and skips the rest of the workflows in the current engine.
sortList	Sorts a JavaScript array (a list) using the standard `Array.sort()` function.
staticLookup	Searches for a `key` in a static lookup table, retrieves the corresponding value, and applies that value to a `field` in the object.
stop	Stops the workflow.
substringValue	Substrings a value to the specified limit (or the closest preceding whitespace), then copies the result to either the optional destination field, or overwrites the source field.
testSendEmail	Specifies an email server instance as defined in the integrations UI.
updateServiceNowIncident	Sends an incident update request to ServiceNow.
upperCase	Changes the value of a field to uppercase. Sweep up filter applies.
workflowContextSearchAndReplace	Works only on fields within the workflowContext. The extracted fields are copied into a fixed workflowContext location: `workflowContext.extract`.

Infrastructure and Automation functions

The following functions are available in specific infrastructure and automation workflows:

Function	Description
getJDBCEnrichment	Adds data to alerts from a JDBC database. Available in JDBC Enrichment workflows.
getServiceNowEnrichment	Adds data to alerts from a ServiceNow database.
processMicroFocusOOAutomationResponse	Processes the response from Micro Focus Operations Orchestration automation.
sendMicroFocusOOAutomationRequest	Sends a request to Micro Focus Operations Orchestration to launch a flow.
sendRequestToAutomation	Sends a request to the corresponding outbound automation workflow to invoke specified action for the named service.
sendToAnsible	Sends an automation request to Ansible. Available in Ansible Alert and Ansible Situation workflows.
sendToAutomation	Sends an automation request. Available in EyeShare Alert, EyeShare Situation, Ignio Alert, and Ignio Situation workflows.
sendToPuppet	Sends an automation request to Puppet. Available in Puppet Alert and Puppet Situation workflows.
setAnsibleJob	Sets the instance and job template rule to use for Ansible automation requests. Available in Ansible Alert and Ansible Situation workflows.
setAutomationPayload	Sets the automation solution, instance and Workflow Payload rule set to use for automation requests. Available in EyeShare Alert, EyeShare Situation, Ignio Alert, and Ignio Situation workflows.
setPuppetAutomation	Sets the instance and job template rule to use for Puppet automation requests. Available in Puppet Alert and Puppet Situation workflows.

Ticketing integration functions

The following functions are available in specific ticketing workflows:

Function	Description
closeAlertOpsIncident	Resolves the corresponding AlertOps alert.
closeIncident	Sends a request to the corresponding outbound integration workflow to close an incident for the named service.
createAlertOpsIncident	Creates a new AlertOps alert for a Situation.
createIncident	Sends a request to the corresponding outbound integration workflow to create a new incident for the named service.
receiveUpdateFromAlertOpsIncident	Updates Situations with responses from AlertOps.
resolveIncident	Sends a request to the corresponding outbound integration workflow to resolve an incident for the named service.
sendAcknowledgedToIncident	Sends a request to the corresponding outbound integration workflow to acknowledge an incident for the named service.
sendAssignedToAlertOpsIncident	Assigns the corresponding AlertOps alert to a user corresponding to the Situation moderator.
sendAssignedToIncident	Sends a request to the corresponding outbound integration workflow to assign the incident for the named service.
sendCIsAddedToIncident	Sends a request to the corresponding outbound integration workflow to add a list of CIs to the incident for the named service.
sendNoteToIncident	Sends a request to the corresponding outbound integration workflow to post a message to the incident for the named service.
sendTeamsAddedToAlertOpsIncident	Adds "recipients" to the corresponding AlertOps alert for teams added to a Situation.
sendTeamsAddedToIncident	Sends a request to the corresponding outbound integration workflow to add a list of teams to the incident for the named service.
sendTeamsRemovedToIncident	Sends a request to the corresponding outbound integration workflow to remove a list of teams from the incident for the named service.
sendThreadEntryToAlertOpsIncident	Sends a reply to the corresponding AlertOps alert.
sendThreadEntryToIncident	Sends a request to the corresponding outbound integration workflow to update the incident for the named service using thread entry retrieved by a preceding `getThreadEntry` action.
updateAlertOpsIncident	Sends generic updates to the AlertOps alert.
updateIncident	Sends a request to the corresponding outbound integration workflow to perform a generic update to an incident for the named service.

In this section: