Split action
Available for event, alert, and incident workflows
This action splits one field into substrings and copies them to other fields in the same object. This action is useful for fields that delineate their values using a consistent character string, such as : or ::. For fields with substrings that can be extracted using a regex, use the Extract Substring action.
This action takes the following inputs:
Input Field
The object field to split.
Caution
List type input fields are invalid for this action and will not work. For example, tags.exampleTag (at the incident level) and services are both list type inputs and will not be split. If you want to split tags, use the Split action in an event or alert workflow instead. For detailed examples, see the following sections: Limitations using tags and Limitations using the service field.
Split String
The string pattern to split on, such as /, ::, or ,
Output Fields
The fields to copy the substrings to, in order.
Note
tags are valid inputs for the Split action at the event and alert levels.
At the incident level, tags values are lists of strings, which means that they cannot be split.
If you configure the incident workflow like this:
And you test:
The output result is the same as the input array:
Note
The services field is also invalid input for this action for incident workflows.
Values for the service field do not work the same way with the Split action as in the first example. You cannot split up the list of services.
If you configure the workflow like this:
And you test:
The output result is the same as the input array:
In use, the tags fields retain their original values and are not updated with the individual services.
Event example
Split works the same way for events, alerts, and incidents.
In this example, suppose your monitoring service generates events with a "database" tag like this:
{ ... "tags": { "database": "myNamespace_myCluster_myDBname" } }
You want to split the namespace, cluster, and database name into separate tags. You configure your Split action like this:
Input field = tags.database
Split string = _
Output fields = tags.namespace, tags.cluster, tags.database
Here is an example event that was processed by this workflow:
Event before | Event after |
---|---|
{ ... "tags": { "database": "myNamespace_myCluster_myDBname" } } | { ... "tags": { "namespace": "myNamespace", "cluster": "myCluster", "database": "myDBname" } } |
Alert example
In this example, suppose you have an environmental monitoring source which has location labels comprising datacenter, floor, aisle, and rack separated by hyphens:
{ ... "tags": { "location": "SJ-2-21-C4" } }
You want to split the incoming location labels and assign the components to separate fields. You can then define alert clustering for environmental alerts based on proximity using the Correlation Engine. Configure your Split action like this:
Input field = tags.location
Split string = -
Output fields = location.data_center, location.floor, location.aisle, location.rack
Here is an example alert that was processed by this workflow:
Alert before | Alert after |
---|---|
{ ... "tags": { "location": "SJ-2-21-C4" } } | { ... "location": { "data_center": "SJ", "floor": "2", "aisle": "21", "rack": "C4" } } |
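
The following Python model of the behavior described on this page is an added illustration, not the product's own code. It can be used to check a planned Split configuration against sample payloads before deploying the workflow. The function names and the sample objects are constructed for this example, and the handling of a mismatch between the number of substrings and output fields is an assumption.

```python
import copy

def _get(obj, path):
    """Walk a dotted path such as 'tags.location'; return None if absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def _set(obj, path, value):
    """Set a dotted path, creating intermediate objects as needed."""
    *parents, leaf = path.split(".")
    for key in parents:
        if not isinstance(obj.get(key), dict):
            obj[key] = {}
        obj = obj[key]
    obj[leaf] = value

def split_action(payload, input_field, split_string, output_fields):
    """Hypothetical model of the Split action; returns a new object."""
    result = copy.deepcopy(payload)
    value = _get(result, input_field)
    # List-type inputs (incident-level tags, services) are not split:
    # the object comes back unchanged, as the page describes.
    if not isinstance(value, str) or not split_string:
        return result
    # Assumption: substrings and output fields are paired in order and
    # any surplus on either side is ignored (the page does not say).
    for field, part in zip(output_fields, value.split(split_string)):
        _set(result, field, part)
    return result

# Constructed sample objects based on the page's examples.
EVENT = {"tags": {"database": "myNamespace_myCluster_myDBname"}}
ALERT = {"tags": {"location": "SJ-2-21-C4"}}
INCIDENT = {"tags": {"exampleTag": ["a_b", "c_d"]}}

if __name__ == "__main__":
    print(split_action(EVENT, "tags.database", "_",
                       ["tags.namespace", "tags.cluster", "tags.database"]))
    print(split_action(ALERT, "tags.location", "-",
                       ["location.data_center", "location.floor",
                        "location.aisle", "location.rack"]))
    print(split_action(INCIDENT, "tags.exampleTag", "_", ["tags.a", "tags.b"]))
```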