Creating Event Workflows

This topic describes how to create an automated workflow that enriches your events with external data from your environment. You can also split, combine, extract, and update event data automatically using workflow actions. See also Workflow Service API.

Before you begin

What information do you want in your alerts that isn't already there?

Before you set up an event workflow, you need to evaluate your current alerts and identify the data that you want to add. Go to the Alerts table and examine the data fields in your alerts. What contextual information do you want to add? (Events form the raw data of alerts; by enriching your events, you ensure that the new information is included in the resulting alerts.)

A key enrichment consideration is to ensure that your alerts include the necessary information to correlate your alerts into the incidents that you want. See Good practices for defining correlations.

You can enrich your events with any information you and your users find useful. The Events schema includes a tags field that you can use to add custom information.

In some cases, you might also want to update some event fields based on other data in the same event. Example use cases include:

  • You want to use the hostname for the source but the raw events have the hostname embedded in a tag.

  • You want to update the event description, using information in other data fields, so that all event descriptions are formatted consistently.

  • You want to classify the event service or check based on information in other fields or tags.

Create the data catalog

To add external information to your events, you first need to create one or more catalogs. See Creating Data Catalogs.

Workflow Editor


The workflow editor (Data Config > Workflow Engine) provides a simple drag-and-click interface for creating workflows.

Each workflow consists of a trigger and one or more actions. The trigger is an event filter; if a new event matches the trigger, the workflow processes the event.

Each action updates the event and passes it to the next action.

When a workflow finishes processing an event, it passes the event to the next workflow. The workflow engine processes each workflow in the order in which they are listed in the Workflows table.

When all workflows are finished processing an event, the event gets deduplicated into an alert. The alert then gets passed to the correlation engine.
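The engine model described above (a trigger that filters events, actions that each update the event and pass it on, workflows run in table order) as an added illustration in Python, not Moogsoft's own code: the action and function names are assumptions, and the catalog, tag and event values are constructed. It also covers the earlier use cases of pulling a hostname out of a tag and formatting the description from other fields.

```python
# Constructed catalog; all names here are assumptions, not the product's own API.
HOST_CATALOG = {"web-01": {"team": "platform", "tier": "prod"}}

def query_catalog(catalog, lookup_field):
    # Query Catalog action: merge the matching catalog entry into the event.
    # A value with no catalog entry leaves the event unchanged, not failed.
    def act(event):
        event.update(catalog.get(event.get(lookup_field), {}))
        return event
    return act

def split_field(src, delimiter, index, dest):
    # Split action: take one delimited part of a field (e.g. the hostname from "host=web-01").
    def act(event):
        parts = str(event.get(src, "")).split(delimiter)
        if len(parts) > index:
            event[dest] = parts[index]
        return event
    return act

def template_field(dest, template):
    # Template Field action: rebuild a field from other fields so every
    # event description is formatted the same way.
    def act(event):
        try:
            event[dest] = template.format(**event)
        except KeyError:
            pass  # a required input field is missing; keep the old value
        return event
    return act

def run_workflows(event, workflows):
    # Workflows run in table order as (trigger, actions); the trigger is an event filter.
    for trigger, actions in workflows:
        if trigger(event):
            for action in actions:
                event = action(event)
    return event

WORKFLOWS = [
    (lambda e: e.get("severity", 0) >= 3, [
        split_field("tags", "=", 1, "source"),
        query_catalog(HOST_CATALOG, "source"),
        template_field("description", "[{tier}/{team}] {source}: {check}"),
    ]),
]

def enrich(event):
    return run_workflows(dict(event), WORKFLOWS)
```

An event that misses the catalog still gets its `source` set but keeps its old description, which is the kind of partial result the Workflow Tester below is meant to surface before a workflow is enabled.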

Available actions include:

Testing workflows

Before you can enable a workflow, you need to test it to verify that it works correctly. For this reason, the Enable button is unavailable until you test the workflow. Moogsoft recommends that you test each action as you add it to the workflow:

  1. Add a new action to the workflow and define the fields and operations for that action.

  2. Save the workflow.

  3. Open the Workflow Tester at the bottom of the Event Workflow window.

  4. Define a test for the action.

    For the test to succeed, you must define one or more input fields that result in valid output. The input fields and values to test depend on the specific action. Here are some examples:

    • For a Query Catalog action, the input field should match the lookup field and the value should match an entry in the catalog.

    • For a Split action, the input value should include at least one example of the delimiter string you defined.

    • For a Template Field action, the test should include all input fields required by the template.

    If the workflow trigger includes a filter, use input values that are not excluded by the filter.

  5. Click Run Test. If the test succeeds, proceed to the next action in the workflow.

    Note

    Each test processes all actions in sequence. For this reason, you should keep the input fields you have already tested successfully. You only need to update these fields if the new action requires them for the test to succeed.