Use workflows to enrich event data
Event workflows let you automate the processing of event data so that your events are enriched with external data from your environment. You can also split, combine, extract, and update event data automatically using workflow actions.
What information do you want in your alerts that isn't already there?
Before you set up an event workflow, you need to evaluate your current alerts and identify the data that you want to add. Go to the Alerts table and examine the data fields in your alerts. What contextual information do you want to add? (Events form the raw data of alerts; by enriching your events, you ensure that the new information is included in the resulting alerts.)
A key enrichment consideration is to ensure that your alerts include the necessary information to correlate your alerts into the incidents that you want. See Best practices for defining similarity in correlation definitions.
You can enrich your events with any information you and your users find useful. The Events Integration API includes a tags field that you can use to add custom information.
In some cases, you might also want to update some event fields based on other data in the same event. Example use cases include:
You want to use the hostname as the source, but the raw events have the hostname embedded in a tag.
You want to update the event description, using information in other data fields, so that all event descriptions are formatted consistently.
You want to classify the event service or check based on information in other fields or tags.
Create a data catalog
To add external information to your events, you first need to create one or more catalogs. See Create data catalogs.
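The three use cases above (hostname from a tag, a consistently formatted description, and service/check classification) and the catalog lookup described here can be illustrated together in plain Python. The following is an added example and is not Moogsoft's workflow engine or any of its actions; it only borrows the event field names the page mentions (source, description, tags, service, check). The HOST_CATALOG dict standing in for a data catalog, the key=value tag convention, the CHECK_KEYWORDS mapping and the sample events are all constructed assumptions.

```python
import copy
import re

# Constructed stand-in for a data catalog keyed by hostname (assumption: in the product this
# would be a catalog created under "Create data catalogs", not a Python dict).
HOST_CATALOG = {
    "db-01": {"owner": "dba-team", "environment": "production", "service": "orders-db"},
    "web-02": {"owner": "web-team", "environment": "staging", "service": "storefront"},
}

# Assumed tag convention: "key=value" tags carry the hostname and, optionally, the check name.
KV_TAG_RE = re.compile(r"^(?P<key>[a-z_]+)=(?P<value>.+)$", re.IGNORECASE)

# Assumed keyword-to-check mapping used when no explicit "check=" tag is present.
CHECK_KEYWORDS = {"disk": "disk_usage", "cpu": "cpu_load", "memory": "memory_usage"}

# Constructed sample events in the shape the page describes (raw hostname hidden in a tag, etc.).
SAMPLE_EVENTS = [
    {"source": "10.0.0.5", "description": "Disk usage at 91% on /var",
     "tags": ["host=DB-01", "env=prod"], "severity": 4},
    {"source": "unknown-agent", "description": "Latency spike on checkout",
     "tags": ["check=http_latency", "host=web-02"], "severity": 3},
    {"source": "10.0.0.99", "description": "CPU steal time high", "tags": [], "severity": 2},
]


def parse_kv_tags(tags):
    """Split 'key=value' tags into a dict with lower-cased keys; other tags are ignored."""
    parsed = {}
    for tag in tags:
        m = KV_TAG_RE.match(tag.strip())
        if m:
            parsed[m.group("key").lower()] = m.group("value").strip()
    return parsed


def derive_check(event, kv):
    """An explicit 'check=' tag wins; otherwise match description keywords; else keep the existing check."""
    if "check" in kv:
        return kv["check"].lower()
    desc = event.get("description", "").lower()
    for keyword, check in CHECK_KEYWORDS.items():
        if keyword in desc:
            return check
    return event.get("check") or "unknown"


def enrich_event(event, catalog=HOST_CATALOG):
    """Return an enriched copy of one event; the input event is never modified."""
    enriched = copy.deepcopy(event)
    tags = list(enriched.get("tags", []))
    kv = parse_kv_tags(tags)

    # 1. Use the hostname embedded in a tag as the source (normalised to lower case).
    host = kv.get("host", kv.get("hostname", "")).lower() or None
    if host:
        enriched["source"] = host

    # 2. Classify the check from tags or from keywords in the description.
    enriched["check"] = derive_check(enriched, kv)

    # 3. Look the host up in the catalog: add owner/environment tags and fill in the service.
    #    A missing host or a catalog miss is recorded as a tag instead of failing the event.
    entry = catalog.get(host) if host else None
    if entry:
        enriched["service"] = enriched.get("service") or entry["service"]
        tags.extend([f"owner={entry['owner']}", f"environment={entry['environment']}"])
    else:
        if not enriched.get("service"):
            enriched["service"] = "unclassified"
        tags.append("catalog=miss")
    enriched["tags"] = tags

    # 4. Rewrite the description so that every event is formatted the same way.
    enriched["description"] = (
        f"[{enriched['service']}/{enriched['check']}] "
        f"{enriched.get('source', 'unknown')}: {event.get('description', '').strip()}"
    )
    return enriched


def enrich_all(events=SAMPLE_EVENTS, catalog=HOST_CATALOG):
    """Enrich a batch of events and return the new list."""
    return [enrich_event(e, catalog) for e in events]


if __name__ == "__main__":
    for e in enrich_all():
        print(e["source"], "|", e["service"], "|", e["check"], "|", e["description"], "|", e["tags"])
```

The enrichment is done on a copy so the raw event stays intact for later comparison, and a host that is absent from the catalog is tagged rather than dropped, which keeps such events visible in the Alerts table where the gaps in your catalog can be reviewed.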
Workflow editor
For information on using the editor to build event workflows, see Workflow Engine overview and Event workflow configuration example.
For individual workflow actions, consult Workflow reference.
See also Workflow Actions API.