Template Field Action

Available for event, alert, and incident workflows

This action enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

This action takes the following inputs:

  • Template

    The template used to construct the output string. To reference a field or tag, use the following format: ${property_name}. This action also supports macros, using the following format: ${macro_name(property_name)}.

    Additionally, you can include plain text in a template, for example: ${class} issue found in ${location}

  • Output Field

    The field where the action places the output string.

Event example

In one of your event streams, the source field contains the hostname and the domain name is in a tag:

{
    "source" : "myhost"
     ....
    "tags": {
        "domain": "mydomain.com"
    }
}

Your data catalogs use the FQDNs for their source fields. You want to update the source field in these events to include both the hostname and the domain name. You add a Template Field action to your workflow, before the Query Catalog action, and format it like this:

  • Template: ${source}.${tags.domain}

  • Output Field: source

Here is an example event that was processed by this workflow:

Event before

{
    "source" : "myhost"
     ....
    "tags": {
        "domain": "mydomain.com"
    }
}

Event after

{
    "source" : "myhost.mydomain.com"
     ....
    "tags": {
        "domain": "mydomain.com"
    }
}
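
To check a template against sample events before adding it to a workflow, the substitution can be approximated locally. The following Python sketch is an added example, not the product's template engine: it handles only ${field} and dotted ${tags.domain} references, leaves macros untouched, and its handling of missing or empty fields (report and refuse) is an assumption chosen for a pre-flight check, not documented product behavior.

```python
import re

# Matches ${name} and ${dotted.path}. Macro calls like ${macro_name(property_name)}
# are not matched and pass through untouched (this sketch does not emulate macros).
_REF = re.compile(r"\$\{([A-Za-z_][\w.]*)\}")

def lookup(obj, path):
    """Walk a dotted path such as 'tags.domain' through nested dicts."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            raise KeyError(path)
        cur = cur[key]
    if cur is None or cur == "":
        raise KeyError(path)  # treat empty values as unresolved (assumption)
    return cur

def render(template, obj):
    """Return (rendered_string, unresolved_references)."""
    missing = []
    def substitute(match):
        try:
            return str(lookup(obj, match.group(1)))
        except KeyError:
            missing.append(match.group(1))
            return match.group(0)  # keep the reference visible in the output
    return _REF.sub(substitute, template), missing

def apply_template_field(obj, template, output_field):
    """Return a copy of obj with output_field set; refuse partial renders."""
    rendered, missing = render(template, obj)
    if missing:
        raise ValueError(f"unresolved references: {missing}")
    return {**obj, output_field: rendered}

# Constructed sample events: the page's event, plus one without the domain tag.
SAMPLES = [
    {"source": "myhost", "tags": {"domain": "mydomain.com"}},
    {"source": "otherhost", "tags": {}},
]

if __name__ == "__main__":
    for event in SAMPLES:
        try:
            print(apply_template_field(event, "${source}.${tags.domain}", "source"))
        except ValueError as err:
            print(f"skipped {event['source']}: {err}")
```

An event without the domain tag is reported instead of being rewritten to a partial name that would not match the FQDNs in the data catalog.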

Alert example

Suppose you want to cluster alerts into incidents using service, but some alerts don't have a value for impacted service. You want to highlight the missing values for your users so they can help improve your CMDB. You can accomplish this using the Template Field action.

Add a filter to the workflow trigger for alerts which are missing service information:

service = NULL

Add a Template Field action to your workflow which adds source and some advisory text to the service field. Alerts with missing service information are then clustered by source, and users are reminded to update the missing information.

  • Template: ${source}.

  • Output Field: service

Here is an example alert that was processed by this workflow:

Alert before

{
    "source" : "Server A"
     ....
    "service": []
}

Alert after

{
    "source" : "Server A"
     ....
    "service": ["Server A"]
}