Remove Tags action
Available for event, alert, and incident workflows |
This action removes tags from events, alerts, or incidents by matching the tag names against a regular expression.
This action takes the following inputs:
Include
Whether to include or exclude the tags matching the list of regular expressions. Select one of the following:
Include: Remove tags that do not match any regex patterns.
Exclude: Remove tags that match at least one regex pattern.
Regex Patterns
A list of regular expressions that are matched against tag names from incoming events, alerts, or incidents. Click Add Another to add a new regex pattern to the list.
Event example
Remove Tags works the same way for both incidents and events. In both cases, it compares tag names to a list of regex patterns and either includes or excludes tags that match.
Suppose you want to remove a tag delineating the device identifier of the reporting source from all new incoming events. However, the tag name itself varies depending on the event - "deviceName", "devicename", "deviceID", "device_id". You can remove all the variations of these tags by using a single Remove Tags action in an event workflow.
After setting up the trigger, you can configure the Remove Tags action as follows:
Include: Exclude
Regex Patterns:
[dD]evice(?:[Nn]ame|_[iI][dD])
Here is an example event that was processed by this workflow:
Event fields before | Event fields after |
|---|---|
{
"description": "CPU spike to 80%",
"severity": 5,
"source": "ussf-sw99",
"check": "cpu",
"service": [
"retail",
"support"
],
"tags": {
"serverID": "1022",
"devicename": "sw99"
}
}
| {
"description": "CPU spike to 80%",
"severity": 5,
"source": "ussf-sw99",
"check": "cpu",
"service": [
"retail",
"support"
],
"tags": {
"serverID": "1022"
}
}
|
Alert example
In this example, you receive data from multiple monitoring systems, and each source provides different tags to specify the location of the reported issue. However, the tag names for location vary across sources, such as "location," "site," "region," and "facility." You want to remove all such tags except those named "location." Set up the Remove Tags action as follows:
Include: Exclude
Regex Patterns:
siteregionfacility
Here is an example alert that was processed by this workflow:
Alert fields before | Alert fields after |
|---|---|
{
...
"description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
...
"tags": {
"integration_type": [
"eventapi"
],
"site": "USWEST2"
},
...
}
| {
...
"description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
...
"tags": {
"integration_type": [
"eventapi"
],
},
...
}
|
Incident example
Suppose you have incidents with some tags that are not operationally useful. You only want to keep two tags, tags.integration_type and tags.supportlevel, from incidents with "ping" in the description, while discarding all other tags. You can accomplish this by creating an incident workflow with a Remove Tags action.
After setting up the trigger to only activate the workflow on incidents with "ping" in the description, you can configure the Remove Tags action as follows:
Include: Include
Regex Patterns:
integration_typesupportlevel
Here is an example incident that was processed by this workflow:
Incident fields before | Incident fields after |
|---|---|
{
"status": "open",
"severity": "major",
"description": "CPU above 70%",
"classes": [
"Compute"
],
"services": [
"support",
"retail"
],
"tags": {
"integration_type": [
"webhook"
],
"node_id": [
"F0391"
],
"device": [
"sw99"
],
"supportlevel": [
"Gold"
]
},
...
}
| {
"status": "open",
"severity": "major",
"description": "CPU above 70%",
"classes": [
"Compute"
],
"services": [
"support",
"retail"
],
"tags": {
"integration_type": [
"webhook"
],
"supportlevel": [
"Gold"
]
},
...
}
|