Skip to main content

Replace String action

Available for event, alert, and incident workflows

This action replaces a string or a regular expression in an event or incident field with a new specified string.

This action takes the following inputs:

  • Input Field

    The event or incident field containing the string you want to replace.

  • Replace

    A regular expression that defines the string you want to replace. Do not include leading or trailing delimiters.

  • With

    The new string to use instead. Enter the string without including any quotation marks. If you leave this field blank, the action replaces the original string with a blank space.

Event example

Replace String works the same way for both incidents and events. In both cases, it substitutes a matching string inside of a target field with a new string.

Suppose that you want to replace instances of "d.b." or "DB" in new event descriptions with the string "database" instead. You can accomplish this by creating an event workflow with a Replace String action.

After setting up the trigger, you can configure the Replace String action as follows:

  • Input Field: description

  • Replace: [dD]\.?[bB]\.?

  • With: database

Here is an example event that was processed by this workflow:

Event fields before

Event fields after

{
    "description": "DB error",
    "severity": 5,
    "source": "ussf-sw99",
    "check": "cpu",
    "service": [
        "retail",
        "support"
    ],
    "tags": {
        "devicename": "sw99"
    }
}

{
    "description": "database error",
    "severity": 5,
    "source": "ussf-sw99",
    "check": "cpu",
    "service": [
        "retail",
        "support"
    ],
    "tags": {
        "devicename": "sw99"
    }
}

Alert example

Suppose that you have alerts from incoming sources that use "serv." or "SRV" in their descriptions. You want to replace these abbreviations with the string "server" instead. You can accomplish this by creating an alert workflow with a Replace String action.

After setting up the trigger, you can configure the Replace String action as follows:

  • Input Field: description

  • Replace: ([sS][eE][rR][vV]|[sS][rR][vV])(\.)?

  • With: server

Here is an example alert that was processed by this workflow:

Alert fields before

Alert fields after

{
 ...
     "description": "Serv. health alert: Connection Issue Detected from IP 192.168.2.20",
 ...
}
{
 ...
     "description": "server health alert: Connection Issue Detected from IP 192.168.2.20",
 ...
}

Incident example

Suppose that for certain new incidents associated with a particular class, you want to update the value of the incident classes field with a new class name. You can accomplish this by creating an incident workflow with a Replace String action.

After setting up the trigger, you can configure the Replace String action as follows:

  • Input Field: classes

  • Replace: Compute

  • With: Database

Here is an example incident that was processed by this workflow:

Incident fields before

Incident fields after

{
    "status": "open",
    "severity": "major",
    "description": "CPU above 70%",
    "classes": [
      "Compute"
    ],
    ...
}

{
    "status": "open",
    "severity": "major",
    "description": "CPU above 70%",
    "classes": [
      "Database"
    ],
    ...
}
In this section: