Filter action
Available for event, alert, and incident workflows |
This action filters events, alerts, or incidents that pass through a previous action. Based on whether the events, alerts, incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.
If this action is placed before a Send to Endpoint action associated with an outbound webhook, you can use it to set the conditions that trigger the webhook. For more information, read the following topic: Workflow trigger.
This action takes the following inputs:
Filter
Click in the Filter field and select the fields, values, and operators from the pull-down menus.
Exit Option
If the event, alert, or incident does not match the filter, either skip to the next workflow or stop all workflows.
For an event, stopping all workflows will drop the event. For an incident, stopping all workflows prevents further workflows from processing the incident during the current cycle. However, the incident can still be processed again at a later time if it is re-triggered.
Event example
In this example, an event workflow uses a Filter action to check if the event belongs to the "Compute" class field. If the event does not belong to the "Compute" class, then the workflow drops the event:
Filter:
class = "Compute"Exit Option: Drop the event
Alert example
In this example, an alert workflow uses a Filter action to check if the alert has greater than ten events associated with it. If the alert does not have at least ten events, then the workflow stops processing the alert:
Filter:
event_count >= 10Exit Option: Stop processing
Incident example
In this example, an incident workflow uses a Filter action to check if the incident is in maintenance. If the incident is in maintenance, then the workflow skips to the next workflow:
Filter:
"in maintenance" != trueExit Option: Skip to the next workflow