Filter action
Available for event, alert, and incident workflows |
This action filters events, alerts, or incidents that pass through a previous action. Based on whether the events, alerts, incidents match the given filter, you can then decide whether to proceed to the next action, skip to the next workflow, or stop processing.
If this action is placed before a Send to Endpoint action associated with an outbound webhook, you can use it to set the conditions that trigger the webhook. For more information, read the following topic: Workflow trigger.
The Filter section of this action takes the following inputs:
IF the event/alert/incident matches this filter
Click in the filter field and select the fields, values, and operators from the pull-down menus. If an event, alert, or incident matches this filter, then the workflow will proceed to the next action.
ELSE
Select whether to skip to the next workflow or to drop the event, alert, or incident, if the filter does not match.
Event example
In this example, an event workflow uses a Filter action to check if the event belongs to the "Compute" class field. If the event does not belong to the "Compute" class, then the workflow drops the event:
IF the event matches this filter:
class = "Compute"ELSE: Drop the event
Alert example
In this example, an alert workflow uses a Filter action to check if the alert has greater than ten events associated with it. If the alert does not have at least ten events, then the workflow stops processing the alert:
IF the alert matches this filter:
event_count >= 10ELSE: Stop processing
Incident example
In this example, an incident workflow uses a Filter action to check if the incident is in maintenance. If the incident is in maintenance, then the workflow skips to the next workflow:
IF the incident matches this filter:
"in maintenance" != trueELSE: Skip to the next workflow