Add external data to events

Watch how to Add External Data to Events in Moogsoft.

In this quick video, we’ll go over how to configure enrichment in Moogsoft.

Here’s our scenario. We want to cluster our alerts by the service impacted,

But the incoming events do not always have the service information.

We do have a spreadsheet that stores the source to service connections,

So we want to query by the source in the data catalog, retrieve the service information, and add it to the events.

It takes 3 steps to make this happen.

First we need to upload the service data to Moogsoft.

Next, set up a process that looks up the catalog for the matching source information, grabs the service, and adds it to the events.

Lastly, cluster alerts by the service field value using the correlation engine.

Let’s step through the process from beginning to end.

Here’s our data catalog. It’s a csv file that has the Source and Service information.

Let’s go to data catalog, and upload this…

Give a name and description other administrators would recognize.

Here’s the file we just looked at.

Good.  Looks like our data made it in.

Now we need to tell Express which field to query by.  

For that, we need to setup a workflow.

This workflow is for events…

We’ll process all incoming events, so we don’t need to set up a trigger. But let’s say you know only the events from a certain data source are missing the service information; then you can set up a trigger so only the applicable events will trigger this workflow. Once an event enters this workflow, we want to query a catalog.

Pick the catalog you want to reference from the catalog name dropdown. Here’s the csv we just uploaded. Now we are going to map the fields.


First, we need to tell Express to query by the source value. All default fields in Moogsoft are available under the base field category, and the source field is one of them.

And, source information is also stored in the data catalog, under the source field.

Next, specify what field value needs to go where.

So in our case, we want to retrieve the service information from the data catalog, and feed that value into the Service field which is one of the base fields in Express.

Also, if the data catalog has no value for the particular source, we’ll fill in “unknown”.

Once you name the workflow, you can test it.

Testing a workflow is easy. Just simulate an input here.

So let’s send in an event with one of the existing sources in the data catalog…

OK, it didn’t error out.

And now, although the event we sent in only had source info, it has the service information as well.

Also note that you can configure enrichment programmatically using our APIs.  Consult the Catalog API and Workflow Service API sections in our documentation.

Finally, set up a correlation engine to cluster by service.  We have a separate tutorial that explains how to add a new correlation setting, so consult that for a step by step instruction.  Basically this correlation will process alerts that match the scope filter, and cluster them if they have identical service information into incidents.
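To make the three steps concrete, here is an added Python model of the same pipeline. It is illustrative code written for this page, not Moogsoft’s own code or API: a source-to-service catalog loaded from CSV text, a lookup that writes the catalog’s service into each event and falls back to “unknown” when the source has no row, and a grouping of the enriched events by service that stands in for the correlation engine. The catalog rows, event records, and function names are all constructed for the example.

```python
"""Catalog enrichment and service-based clustering (added example).

Illustrative model of the tutorial's three steps, not Moogsoft's own code:
load a source->service catalog from CSV, enrich events by source lookup with
an "unknown" default, then group enriched events by identical service.
All names and data below are constructed for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample catalog, standing in for the uploaded CSV
# (columns "source" and "service", as in the video's data catalog).
CATALOG_CSV = """source,service
web-01,checkout
web-02,checkout
db-01,billing
"""

DEFAULT_SERVICE = "unknown"  # value written when the catalog has no match


def load_catalog(csv_text):
    """Build a source -> service map from CSV text.

    Keys are normalised (stripped, lower-cased) so a stray space or a
    casing difference in an event's source does not silently miss a match.
    """
    catalog = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        source = (row.get("source") or "").strip().lower()
        service = (row.get("service") or "").strip()
        if source and service:
            catalog[source] = service
    return catalog


def enrich_event(event, catalog, default=DEFAULT_SERVICE):
    """Return a copy of the event with its 'service' field filled in.

    Mirrors the workflow mapping: query the catalog by the event's 'source'
    and write the catalog's 'service' into the event's 'service' field,
    using the default when there is no row. An existing non-empty service
    on the event is left untouched.
    """
    enriched = dict(event)
    if enriched.get("service"):
        return enriched
    key = str(enriched.get("source", "")).strip().lower()
    enriched["service"] = catalog.get(key, default)
    return enriched


def cluster_by_service(events):
    """Group events into incidents keyed by identical 'service' value.

    Stands in for the correlation step. Events still carrying the default
    land in their own "unknown" bucket, so unmatched sources stay visible
    instead of being merged with a real service.
    """
    incidents = defaultdict(list)
    for ev in events:
        incidents[ev["service"]].append(ev)
    return dict(incidents)


def run_pipeline(raw_events, csv_text=CATALOG_CSV):
    """Load the catalog, enrich every event, return incidents by service."""
    catalog = load_catalog(csv_text)
    enriched = [enrich_event(ev, catalog) for ev in raw_events]
    return cluster_by_service(enriched)


# Constructed events: most share one source, one has odd casing and
# whitespace, and one source is absent from the catalog.
SAMPLE_EVENTS = (
    [{"source": "web-01", "description": f"cpu high #{i}"} for i in range(5)]
    + [{"source": "Web-02 ", "description": "disk full"}]
    + [{"source": "cache-09", "description": "timeout"}]
)

if __name__ == "__main__":
    for service, evs in run_pipeline(SAMPLE_EVENTS).items():
        print(f"incident service={service!r}: {len(evs)} event(s)")
```

Running the module groups the six matched events into one “checkout” incident and leaves the unmatched “cache-09” event in an “unknown” bucket; that separate bucket is the practical reason for the default value in the tutorial, since it lets you spot sources missing from the catalog rather than having them clustered into a real service.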

We’ve done the entire setup, so now the final test. We are going to send in 15 events with varying attributes but with the same source information. If our setup is correct, all events should be enriched with the same service information, and end up in 1 incident. Here we go.

Here’s an incident.  It has 12 events in it.  And you can verify each event was properly enriched to have the service information.  Thanks for watching!