Map the service field

The APEX AIOps Incident Management data schema includes an optional service list field that relates to the impact or scope of an alert or incident. For example, you can define services based on affected business processes, applications, support teams, or geographies. Once defined, you can use services in Incident Management to monitor performance in the Dashboard, cluster alerts into actionable incidents using the Correlation Engine, route outbound notifications, and more.

Plan your service categories

To take advantage of these capabilities, you will need to first decide how to define services and then map your data ingestion payloads to the service categories you define.

  • Choose meaningful service categories. For example, you might use geographic locations, department names, data center names, application groupings, priority applications, and so forth.

  • Provide easy-to-understand names for the services.

  • Provide consistent naming so the service categories make sense to the user.


    Service names example

    Let’s say you have a Content Delivery Network (CDN) for streaming video content. Your network and server performance has a key impact on your business. In this case, you may wish to set up categories according to the geographic location of your data centers, so your service names might be nyc-usa-dc1, cupertino-usa-dc2, grenoble-fr-dc1, london-uk-dc3, and so on. Here the pattern is city-country-data center. It is easy to follow and easy to add more locations.

Map payloads to services

You have three options to map your incoming data payloads to services. You can do the mapping during:

  • Data ingestion, using inbound integrations or data ingestion APIs.

  • Event processing, using the Workflow Engine.

  • Data enrichment, using the Workflow Engine and a data catalog.

The following sections briefly describe how to define and map the service field.

Map service during data ingestion

When you set up a data ingestion, you can define which field from your payload gets mapped to the Incident Management service field. If an appropriate field does not exist in the payload, you can also enter a hard-coded value for the service.


When you enter a service name, it is placed in an array, because multiple services can be assigned to a single alert or incident. For example, if you specify your service name as "Data Center 1", it is stored on the backend as ["Data Center 1"]. The field mapping function expects an array. This matters when you write a trigger or scope filter: the equals operator will not work against the service field. Instead, use the in operator with either parentheses or square brackets, as shown in the following figure.


Configuring services during data ingestion is supported with the following integration methods:

To set up your inbound integration, in your Incident Management UI, navigate to Integrations > Ingestion Services.
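The array behaviour described in this section, modelled in plain Python as an added example (not product code and not the product's filter syntax): it shows why an equals comparison against the service field never matches while a membership test does, and flags names that fall outside the city-country-data center pattern. The payload field names, the regular expression, and all function names are assumptions made for the illustration.

```python
import re

# Assumed encoding of the CDN example's pattern: city-country-dc<number>.
SERVICE_NAME = re.compile(r"^[a-z]+-[a-z]{2,3}-dc\d+$")


def to_service_list(value):
    """Model of the ingestion mapping: a service value always ends up in a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def equals_filter(alert, name):
    """Scalar comparison against the array-valued field: never true for a string."""
    return alert["service"] == name


def in_filter(alert, names):
    """Membership test: true when any assigned service is one of `names`."""
    return any(s in names for s in alert["service"])


def off_convention(alert):
    """Service names that do not follow the assumed city-country-dcN pattern."""
    return [s for s in alert["service"] if not SERVICE_NAME.match(s)]


# Constructed sample payloads (hypothetical field names).
payloads = [
    {"source": "edge-01", "service": "nyc-usa-dc1"},
    {"source": "edge-02", "service": ["grenoble-fr-dc1", "london-uk-dc3"]},
    {"source": "edge-03", "service": "Data Center 1"},  # valid, but off-pattern
    {"source": "edge-04"},                               # no service supplied
]
alerts = [dict(p, service=to_service_list(p.get("service"))) for p in payloads]

if __name__ == "__main__":
    wanted = ["nyc-usa-dc1", "london-uk-dc3"]
    for a in alerts:
        print(a["source"], a["service"],
              "equals:", equals_filter(a, "nyc-usa-dc1"),
              "in:", in_filter(a, wanted),
              "off-convention:", off_convention(a))
```

Alerts that arrive with an empty service list, such as edge-04 here, match no service-based filter at all, so they are worth counting before relying on service for routing or correlation.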

Map service using an event workflow

For some integrations that don’t automatically supply a service field in the payload, you can define the service field with the Workflow Engine. To do this mapping:

  1. Log into your Incident Management instance.

  2. Click the Correlate & Automate icon and click Workflow Engine.

  3. Create a workflow with a Trigger filter that matches the integration.

  4. Add a Set Service action that supplies the service name from an existing field in the payload, or from a hard-coded text value.


Map service using an event workflow with a data catalog

You can also define a workflow that extracts service names from a data enrichment catalog.


For detailed information about defining and using data catalogs, see Create data catalogs.