Match and Update action
Available for event, alert, and incident workflows
This action updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.
This action provides a simple way to normalize events, alerts, or incidents that have inconsistent formats. Suppose you have multiple event sources that indicate the event class - application, network, database, etc. - using different strings in different fields. You can use this action to find a matching string and then update the event class consistently based on the results.
This action takes the following inputs:
Input field(s)
The set of input fields to search, in order. A field that is absent from the event, alert, or incident cannot match.
Regex Tags
Each input field has a corresponding regex tag and output string. The fields are evaluated in order and evaluation stops at the first match; the output string of the matching tag is copied to the output field. Because only the first match counts, put the most specific pattern first, or a broad pattern will silently shadow every later one. The examples on this page treat matching as case-sensitive (note the `[Rr]outer` pattern in the incident example), so spell out the case variants you expect.
Output Field
Apply the output string to this field. Any existing value in the field is overwritten. A dotted name such as `tags.device` writes into a nested field.
Event example
You have two event sources. For one source, "ping" in the description field indicates a network event. For another source, "stored procedure" in the check field indicates a database event. You want to update the class field to either network or database.
Events Before:

| Source 1 event | Source 2 event |
|---|---|
| `{ "description":"ping to cntnr04 > 200ms", "severity":4, "source":"cntnr04", "check":"rtt", "service":[ "infraTestService"] }` | `{ "description":"proc get-all-addresses failed -- access denied", "severity": 5, "source": "pd4058", "check": "stored procedure get-all-addresses", "service":[ "custService"] }` |
You set up your action as follows (the first input field is paired with the first regex tag, the second with the second):
Input field(s): description, check
Regex Tags:
Contains => `.*\bping\b.*` => network
Contains => `.*\bstored procedure\b.*` => database
Output Field: class
Events After:

| Source 1 event | Source 2 event |
|---|---|
| `{ "description":"ping to cntnr04 > 200ms", "severity":4, "source":"cntnr04", "check":"rtt", "service":[ "infraTestService"], "class" : "network" }` | `{ "description":"proc get-all-addresses failed -- access denied", "severity": 5, "source": "pd4058", "check": "stored procedure get-all-addresses", "service":[ "custService"], "class" : "database" }` |
Alert example
Suppose you want every alert with a URL in its description to have a class field value of "network". You can accomplish this by creating an alert workflow with a Match and Update action.
After setting up the trigger, you can configure the Match and Update action as follows:
Input field(s): description
Regex Tags:
Contains => `([a-z0-9-]+\:\/+)([^\/\s]+)([a-z0-9\-@\^=%&;\/~\+]*)[\?]?([^ \#\r\n]*)#?([^ \#\r\n]*)` => network
Output Field: class
As written, the scheme part of this pattern, `[a-z0-9-]+`, only matches lowercase schemes such as `http://`; widen the character class to `[a-zA-Z0-9-]+` if your sources emit uppercase schemes.
Here is an example alert that was processed by this workflow. Note that the existing class value ("database") is overwritten, not appended to:

| Alert fields before | Alert fields after |
|---|---|
| `{ ... "description": "Server Health Alert: Connection Issue detected from http://central-vc07.corp-server.net", ... "class": "database" ... }` | `{ ... "description": "Server Health Alert: Connection Issue detected from http://central-vc07.corp-server.net", ... "class": "network" ... }` |
Incident example
Suppose that you want any incident with the term "router" in its description to also have a tags.device value of "Router". You can accomplish this by creating an incident workflow with a Match and Update action.
After setting up the trigger, you can configure the Match and Update action as follows:
Input field(s): description
Regex Tags:
Contains => `.*\b[Rr]outer\b.*` => Router
Output Field: tags.device
Here is an example incident that was processed by this workflow. The output string is written under tags as a single-element list:

| Incident fields before | Incident fields after |
|---|---|
| `{ "status": "open", "severity": "major", "description": "ping failed, router ID=10039", "classes": [ "Database" ], "services": [ "support", "retail" ], "tags": { } ... }` | `{ "status": "open", "severity": "major", "description": "ping failed, router ID=10039", "classes": [ "Database" ], "services": [ "support", "retail" ], "tags": { "device": [ "Router" ] } ... }` |
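The following is an added example, not code from this page or from the product it documents: a small Python reimplementation of the Match and Update semantics described above, run over the event, alert, and incident records from the three examples. It models the "Contains" match type as `re.search`, pairs the i-th input field with the i-th regex tag, stops at the first match, and writes dotted output fields such as `tags.device` into nested dicts. Two simplifications are assumptions of this example: the tag value is stored as a plain string rather than the single-element list the product shows, and the product's actual evaluation order across fields is taken to be the list order.

```python
import copy
import re
from typing import Any, Dict, Optional, Sequence, Tuple

# (regex pattern, output string); the i-th tag is paired with the i-th input field,
# as the page's event example pairs "description" with the ping regex and
# "check" with the stored-procedure regex.
RegexTag = Tuple[str, str]


def _get_path(record: Dict[str, Any], path: str) -> Any:
    """Read a dotted path such as 'tags.device'; None if any segment is missing."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _set_path(record: Dict[str, Any], path: str, value: Any) -> None:
    """Write a dotted path, creating intermediate dicts (tags.device -> tags: {device: ...})."""
    *parents, leaf = path.split(".")
    cur = record
    for part in parents:
        if not isinstance(cur.get(part), dict):
            cur[part] = {}
        cur = cur[part]
    cur[leaf] = value


def match_and_update(
    record: Dict[str, Any],
    input_fields: Sequence[str],
    regex_tags: Sequence[RegexTag],
    output_field: str,
) -> Tuple[Dict[str, Any], Optional[str]]:
    """Return (updated copy of record, matched output string or None).

    'Contains' is modelled as re.search, so a pattern may match anywhere in the
    field and the surrounding '.*' on the page's patterns is redundant. Pairs are
    evaluated in order and evaluation stops at the first match, so an earlier
    broad pattern shadows every later one. Absent or non-string fields never
    match. Any existing value in output_field is overwritten.
    """
    if len(input_fields) != len(regex_tags):
        raise ValueError("each input field needs exactly one regex tag")
    updated = copy.deepcopy(record)  # leave the caller's record untouched
    for field, (pattern, output) in zip(input_fields, regex_tags):
        value = _get_path(updated, field)
        if isinstance(value, str) and re.search(pattern, value):
            _set_path(updated, output_field, output)
            return updated, output
    return updated, None


# Sample records and rules, constructed from the examples on this page.
EVENTS = [
    {"description": "ping to cntnr04 > 200ms", "severity": 4, "source": "cntnr04",
     "check": "rtt", "service": ["infraTestService"]},
    {"description": "proc get-all-addresses failed -- access denied", "severity": 5,
     "source": "pd4058", "check": "stored procedure get-all-addresses",
     "service": ["custService"]},
]
EVENT_RULE = dict(
    input_fields=["description", "check"],
    regex_tags=[(r".*\bping\b.*", "network"), (r".*\bstored procedure\b.*", "database")],
    output_field="class",
)

URL_RE = r"([a-z0-9-]+\:\/+)([^\/\s]+)([a-z0-9\-@\^=%&;\/~\+]*)[\?]?([^ \#\r\n]*)#?([^ \#\r\n]*)"
ALERT = {"description": "Server Health Alert: Connection Issue detected from "
                        "http://central-vc07.corp-server.net", "class": "database"}
ALERT_RULE = dict(input_fields=["description"], regex_tags=[(URL_RE, "network")],
                  output_field="class")

INCIDENT = {"status": "open", "severity": "major", "description": "ping failed, router ID=10039",
            "classes": ["Database"], "services": ["support", "retail"], "tags": {}}
INCIDENT_RULE = dict(input_fields=["description"], regex_tags=[(r".*\b[Rr]outer\b.*", "Router")],
                     output_field="tags.device")

if __name__ == "__main__":
    for ev in EVENTS:
        print(match_and_update(ev, **EVENT_RULE)[1])                   # network, database
    print(match_and_update(ALERT, **ALERT_RULE)[0]["class"])           # network
    print(match_and_update(INCIDENT, **INCIDENT_RULE)[0]["tags"])      # {'device': 'Router'}
    # Word boundary: "pinging" does not contain the word "ping", so nothing matches.
    print(match_and_update({"description": "pinging cntnr04", "check": "rtt"}, **EVENT_RULE)[1])  # None
```

Two behaviours worth checking in your own rules are visible here: a record whose description contains "ping" and whose check contains "stored procedure" is classified as network because the description pair is evaluated first, and a description such as "pinging cntnr04" is not classified at all because `\b` rejects the partial word. Description fields usually originate from external monitors, so keep patterns as specific as the data allows and order them specific-first; a broad pattern placed first decides the class for every record it touches.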