Query Catalog action
Available for: | |
• Data pipeline workflows • Standalone workflows | • Event workflows • Alert workflows • Incident workflows |
This action queries a data catalog and maps the matching data to the specified event, alert, or incident fields.
Catalog Name
The catalog to query.
Lookup Mapping
Look up the matching catalog entry for an object. Note that when multiple catalog lookups are defined, they must ALL successfully match in order for the mapping to be applied. You can define up to eight lookup mappings.
Click Add Another to add an additional mapping. Click the trash can icon to delete a mapping.
To define a new mapping, fill out the following fields:
Field or Tag - The field or tag from the event, alert, or incident to look up.
Match Type - The type of match to perform:
String - Compare strings. If the catalog field = the event, alert, or incident field, the entry matches.
Regex Pattern - Assumes that the catalog field contains regex patterns and matches the input field or tag against these patterns. Matching is always case-insensitive. If there are multiple matches, the first match always wins. See Regex matching below for more information on how to define regex in your CSV.
Range - Assumes that the catalog field contains min/max range values and matches the input field or tag against these ranges. If there are multiple matches, the first match always wins. See Range matching below for more information on how to define proper ranges in your CSV.
Catalog Field - The catalog field to match against.
Apply Mapping
If the action finds a matching entry, copy data from the catalog field to the event, alert, or incident field. You can specify a default value if a catalog field is undefined.
Click Add Another to add an additional mapping. Click the trash can icon to delete a mapping.
Regex matching
The following example illustrates how to define regex in a CSV. For more detailed guidance on defining proper regex, refer to this external cheatsheet:
Here is a sample of a CSV file that uses regex:
hostname, location , cpu .*\-ny\.ex, abc , 20 .*\-lin\-.*, NYC, 40 .*\-(?:lin|mac)\-.*, Bangalore, 20
In the above example, where the hostname field is represented as a series of regular expressions, an input hostname value of host111-lin-dc1 would match the second row of data (excluding the CSV header).
Range matching
Ranges defined in the CSV file should follow the following format, where min and max are numbers that define the minimum and maximum limits of the range, respectively:
Format | Definition |
|---|---|
| This range includes both |
| This range excludes |
| This range includes |
| This range excludes both |
You may also omit exactly one of either min or max to indicate the lack of a lower or upper limit.
For example, [30;] would match all values greater than or equal to 30, and [;53] would match all values less than or equal to 53. However, [;] is not a valid range, as neither min nor max are present.
Here is a sample of a CSV file that uses ranges:
hostname, location , cpu rtr1-type1-ny.rt, abc, [20;90] host111-lin-dc1, NYC, ]40;55] lin-mac, Bangalore, [20;]
In the above example, where the CPU field is represented as range of values, an input cpu value of 30 would match the first and third row of data (excluding the CSV header).
Event example
Your monitoring service sends metrics to APEX AIOps Incident Management. These metrics have all the data required by the Metrics API, but they do not specify the service running on each source. You create a catalog called mySources, which specifies each source and its associated service, region, and instance type:
instance-id, service, region, instance-type i-0z267fg498xc23750, custLogin, us-east-1f, t2.large i-0w690ji481vb38749, dbQuery, us-west-1b, t3a.xlarge ...
To map the catalog data to your monitored sources, you add a Query Catalog action into your workflow and configure it as follows:
Catalog Name:
mySourcesLookup Mapping:
Field or Tag:
instance-idMatch Type: String
Catalog Field:
Source
Apply Mapping:
Create the following mappings.
Catalog Field:
serviceField or Tag:
serviceCatalog Field:
regionField or Tag:
location.regionCatalog Field:
instance-typeField or Tag:
tags.instance-type
When this action processes an event from one of these sources, it adds the catalog data to the event.
Here is an example event that was processed by this workflow:
Event before | Event after |
|---|---|
{
"description":"CPU spike to 75%",
"severity":4,
"source":"i-0z267fg498xc23750",
"time":1592322348182,
"check":"cpu",
"service":[""],
} | {
"description":"CPU spike to 75%",
"severity":4,
"source":"i-0z267fg498xc23750",
"time":1592322348182,
"check":"cpu",
"service":["custLogin"],
"location": { "region":"us-east-1f"},
"tags": { "instance-type":"t2.large"}
} |
Alert example
Suppose that you want to assign a tags.team value for all new alerts based on their services field value. You already have a catalog called servicesToTeams, which maps each service to a corresponding team assignment:
Service, team support, Team A retail, Team B payment, Team C ...
You can accomplish this by creating a data pipeline alert workflow with a Query Catalog action.
After setting up the trigger, you can configure the Query Catalog action as follows:
Catalog Name:
servicesToTeamsLookup Mapping:
Field or Tag:
serviceMatch Type: String
Catalog Field:
Service
Apply Mapping:
Create the following mappings.
Catalog Field:
teamField or Tag:
tags.team
When this action processes an alert from with a relevant service, it adds the related catalog data to the alert.
Here is an example alert that was processed by this workflow:
Alert fields before | Alert fields after |
|---|---|
{
...
"description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
"service": [
"support"
],
...
"tags": {
"integration_type": [
"eventapi"
]
},
...
} | {
...
"description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
"service": [
"support"
],
...
"tags": {
"integration_type": [
"eventapi"
],
"team": "Team A"
},
...
} |