Change workflow order
The Event and Incident workflow tabs on the Correlate & Automate > Workflow Engine page list the workflows defined in the instance. Running workflows process every event or incident matching the trigger condition, then pass the data to the next running workflow. Processing occurs in the order in which the workflows are listed in the table. Change the order of workflow execution in the UI by clicking the three-dot menu and selecting Edit Workflows Order.
 |
You can then drag the individual workflows in the list into the order you prefer.
Carefully consider how each workflow processes the data in an event or incident and forwards it to the next workflow. Moogsoft recommends the following practices:
For event workflows, ensure that any discard filtering (dropping events) happens first.
Next, run any transforms (data manipulation) that are needed prior to enrichment (for example, extracting relevant data catalog keys), and then run any enrichment as needed.
Finally, enrich your events with data catalogs and Query Catalog actions. This ensures that all events have all the relevant data you want to include in your alerts and incidents.
Use workflow filters to ensure that each workflow only processes relevant data. There are two types of filters:
Workflow trigger — Event workflows start with a filter that defines the relevant events applicable for that workflow. The filter is optional for incident workflows. If an event or incident does not match the trigger filter, it proceeds to the next workflow.
Filter action and Time Filter Action —You can include filters after the initial trigger. You can use these filters to send non-matching events or incidents to the next workflow, or to skip all remaining workflows.
Consider any dependencies in your workflows. If you have a workflow that creates a new field or moves data between fields, make sure that this workflow runs prior to any subsequent workflows that act on the created or modified information.