Enrich events with additional data

You can enrich your ingested data with additional information from your environment. Enrichment can provide more flexibility for clustering your alerts the way you want. It can also make the resulting incidents easier to analyze and troubleshoot.

Event workflows provide enrichment for events. An event workflow is a user-defined, fully automated sequence of actions applied to each new event:

  1. A new event arrives at the workflow engine, which triggers the workflow.

  2. Each workflow has an initial trigger, which is an event filter that specifies the events that the workflow will process.

  3. The event passes through a series of actions that enhance and update the data in the event.

    A workflow can enrich events with data from external catalogs. You can also create workflows that update fields in an event based on other fields in the same event.

  4. Once the event passes through all actions in all relevant workflows, the data pipeline does the following:

    1. Deduplicates the event into an alert.

    2. Sends the alert to the correlation engine.

Benefits of enrichment

Benefits include:

  • You can fine-tune how Moogsoft Cloud clusters your alerts into incidents.

    By enriching sources with information about their associated clusters, apps, services, teams, locations, and other elements, you can leverage data from a CMDB or other central repository to define the relationships between different nodes. After you define these relationships in your enrichment data, you can define a simple, smart correlation pattern to cluster your alerts.

  • You can make your alerts more informative and readable.

    In some cases, your raw events and metrics might not include all the information necessary for a user to investigate and troubleshoot an incident.

  • You can normalize events that come from different sources and have different formats.

    For example, one event stream uses IPs as the source while another stream uses domain names. You can use enrichment to ensure that all events are formatted consistently. This can make deduplication and correlation much simpler.
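The normalization case above, as an added Python sketch that is not Moogsoft Cloud code and does not use its API: two streams report the same node by IP and by domain name, a catalog lookup rewrites both to one canonical source, and deduplication then folds them into a single alert. The field names, catalog rows, trigger condition and the (source, check) deduplication key are all assumptions made for illustration.

```python
# Illustrative sketch only: not Moogsoft Cloud code or its API.
# Field names, catalog rows, events and the dedup key are constructed.
import ipaddress

# Constructed enrichment catalog, keyed by the value seen in event["source"].
_DB01 = {"host": "db01.example.internal", "service": "billing", "team": "dba"}
CATALOG = {"10.0.4.17": _DB01, "db01.example.internal": _DB01}

def trigger(event):
    """Initial trigger: an event filter selecting what the workflow processes."""
    return event.get("severity") in {"critical", "major"}

def enrich(event):
    """Action: canonicalize the source, then add catalog fields if it is known."""
    out = dict(event)
    raw = str(event.get("source", "")).strip().lower()
    try:
        raw = str(ipaddress.ip_address(raw))   # canonical IP text form
    except ValueError:
        raw = raw.rstrip(".")                   # hostname: drop trailing root dot
    row = CATALOG.get(raw)
    if row is None:
        # Catalog miss: keep the event and flag it instead of dropping it.
        out.update(source=raw, enriched=False)
        return out
    out.update(source=row["host"], service=row["service"],
               team=row["team"], enriched=True)
    return out

def deduplicate(events):
    """Fold events into alerts keyed on (source, check); the key is an assumption."""
    alerts = {}
    for ev in events:
        if trigger(ev):
            ev = enrich(ev)
        key = (ev.get("source"), ev.get("check"))
        alert = alerts.setdefault(key, {**ev, "event_count": 0})
        alert["event_count"] += 1
    return list(alerts.values())

# Constructed sample events from two streams with different source formats.
SAMPLE = [
    {"source": "10.0.4.17", "check": "disk_full", "severity": "critical"},
    {"source": "DB01.example.internal.", "check": "disk_full", "severity": "critical"},
    {"source": "192.0.2.9", "check": "disk_full", "severity": "major"},
]

if __name__ == "__main__":
    for alert in deduplicate(SAMPLE):
        print(alert)
```

Without the enrichment step the first two sample events would become two separate alerts for the same node; the third shows a catalog miss, which stays visible through the `enriched` flag so gaps in the catalog can be found.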

The Workflow Engine UI (Correlate & Automate > Workflow Engine > Event Workflows) provides a simple drag-and-drop interface for creating event workflows. You can upload an enrichment data catalog in the UI at Correlate & Automate > Workflow Engine > Enrichment Data Catalogs.
