Workflow Engine overview
APEX AIOps Incident Management workflows provide automated data manipulation that can add or change data values in your event, alert, and incident fields. With workflows, you can customize the way Incident Management functions without having to write code or pay for additional features.
Workflow types
Incident Management offers three types of workflows: event, alert, and incident.
Event workflows
Use event workflows to enrich or normalize event data to create more useful or meaningful alerts.
Event workflow triggers evaluate event field values at the time the event is ingested. Because event workflows change event data before it is used to create alerts, they can change how events deduplicate and form alerts. Event workflow behaviors focus on changing individual data fields, discarding irrelevant events, and generally ensuring that the data is suitable for creating alerts.
For more information, see Event workflow configuration example.
Alert workflows
Alert workflows let you work with and modify alerts before correlation. Use them to influence how incidents form, or simply to manage your alerts. For example, you can raise the severity of an alert based on its source or service, or drop alerts with certain properties so that they are never correlated into incidents. You can assign alerts to groups or individual users to ensure accountability, and you can modify the alert description so that the correlated incident carries that information. Alert workflows expose the properties of alerts to help automate alert management and give you additional ways to customize correlation. An alert workflow can be triggered by the creation of new alerts, by updates to existing alerts, or both. For updates, you can choose to trigger on Changes from anywhere or only on Changes from deduplication (a new event added to an existing alert through deduplication).
For more information, see Alert workflow configuration example.
Incident workflows
Incident workflows let you manipulate data at the incident level. They are triggered by the creation of an incident or by a change to an incident. Qualifying changes that can trigger incident workflows include:
Adding a new alert to the incident
Changing a value at the incident level, like the incident status, assignment, or other incident property
Changes that occur through event deduplication (a new event added to an alert, or a severity change on that alert) are not incident changes and do not trigger an incident workflow, whether its trigger is New or changed incidents or Changed incidents only.
Incident workflows manipulate data fields (at the incident level), but also include incident-specific activities, like user and group assignments, sending the incident to external systems, and delayed incident processing. Incident workflows make it possible to:
Send incidents to external systems via webhook
Make automatic user and group assignments
Pause workflow incident processing using Delay actions
Use templates and a macro language to build incident descriptions and field values
Enrich, add, extract, replace, copy, and remove data
For configuration information, see Incident workflow configuration example. Refer to Workflow action reference for supported actions and examples. You can also watch a video showing how to set up an incident workflow.
Workflow processing
All Incident Management workflows consist of a trigger and at least one action. The trigger defines the conditions that must be met for the workflow to execute. Each action defines a change the workflow performs on the data. A workflow can contain multiple actions that act on the items that triggered it; actions process data in the order in which they appear in the workflow configuration.
For a complete list of event, alert, and incident actions, see the Workflow action reference.
Events, alerts, and incidents processed by one workflow are then passed to the next workflow in the list for further processing, unless an action in the workflow stops further processing (for example, by discarding the item). See Priority in the following section.
The Workflow Engine page
Access the Workflow Engine page by clicking Correlate & Automate > Workflow Engine.
These tabs display on the page:
Event Workflows
Alert Workflows
Incident Workflows
Enrichment Data Catalogs
Event, Alert and Incident Workflows tabs
Event, alert, and incident workflows have many common elements and are configured in a similar way. The tabs share the same layout and headings:
Priority
The Priority column indicates the order in which the listed workflows execute: the workflow with priority 1 runs first, priority 2 next, and so on.
Keep in mind how the ordering affects your data. For example, if one workflow adds a data field and another workflow manipulates the data in that field, the workflow that creates the field must precede the workflow that uses it; otherwise the field does not yet exist when the later workflow runs.
To change the order, click the three-dot menu and click Edit Workflows Order.
For more on workflow priority, see Change workflow order.
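As an added illustration of the processing order described above (a constructed model written for this page, not the product's engine or its API; the catalog contents, workflow names, field names and sample events are assumptions), the following Python code sorts workflows by Priority, evaluates each trigger against the item as it stands when that workflow's turn comes, applies actions in listed order, and stops at a drop. It also anticipates the Query Catalog lookup described under the Enrichment Data Catalogs tab, using an in-memory dictionary in place of a catalog.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Item = Dict[str, object]                   # an event, alert or incident, modelled as a dict
Action = Callable[[Item], Optional[Item]]  # an action returns the item, or None to discard it


@dataclass
class Workflow:
    priority: int                 # 1 runs first, then 2, and so on
    name: str
    trigger: Callable[[Item], bool]
    actions: List[Action]         # applied in the order listed
    status: str = "Enabled"       # "Enabled", "Disabled" or "Deleted"; only Enabled runs


# Constructed stand-in for an enrichment data catalog: one row per hostname,
# columns "service" and "owner". Not real data.
CATALOG: Dict[str, Dict[str, str]] = {
    "db-01": {"service": "payments", "owner": "sre-payments"},
    "web-07": {"service": "marketing-site", "owner": "web-team"},
}


def query_catalog(key_field: str, columns: List[str]) -> Action:
    """Look up item[key_field] in CATALOG and copy the named columns onto the item."""
    def action(item: Item) -> Optional[Item]:
        row = CATALOG.get(str(item.get(key_field, "")), {})
        for col in columns:
            if col in row:
                item[col] = row[col]
        return item
    return action


def set_field(key: str, value: object) -> Action:
    """Set a single field to a fixed value."""
    def action(item: Item) -> Optional[Item]:
        item[key] = value
        return item
    return action


def drop() -> Action:
    """Discard the item; nothing is passed to any later workflow."""
    return lambda item: None


def run_workflows(item: Item, workflows: List[Workflow]) -> Tuple[Optional[Item], List[str]]:
    """Run enabled workflows in ascending priority order.

    Each trigger is evaluated against the item as it is when that workflow's turn
    comes, so fields added by an earlier workflow are visible to a later one.
    Returns (resulting item, or None if dropped, names of workflows that fired).
    """
    item = dict(item)             # do not mutate the caller's copy
    fired: List[str] = []
    for wf in sorted(workflows, key=lambda w: w.priority):
        if wf.status != "Enabled" or not wf.trigger(item):
            continue
        fired.append(wf.name)
        for action in wf.actions:
            result = action(item)
            if result is None:    # drop: stop processing, including all later workflows
                return None, fired
            item = result
    return item, fired


def build_workflows(enrich_priority: int, escalate_priority: int) -> List[Workflow]:
    """Three workflows; the caller chooses the relative order of the two that depend
    on each other (escalation triggers on the "service" field that enrichment adds)."""
    return [
        Workflow(1, "drop heartbeats",
                 trigger=lambda e: e.get("type") == "heartbeat",
                 actions=[drop()]),
        Workflow(enrich_priority, "enrich from catalog",
                 trigger=lambda e: "source" in e,
                 actions=[query_catalog("source", ["service", "owner"])]),
        Workflow(escalate_priority, "escalate payments",
                 trigger=lambda e: e.get("service") == "payments",
                 actions=[set_field("severity", "critical"),
                          set_field("assignee", "sre-payments")]),
    ]


def process(event: Item, enrich_first: bool) -> Tuple[Optional[Item], List[str]]:
    """Run an event through the workflows with enrichment before or after escalation."""
    workflows = build_workflows(2, 3) if enrich_first else build_workflows(3, 2)
    return run_workflows(event, workflows)


# Constructed sample events
ERROR_EVENT: Item = {"source": "db-01", "type": "error", "severity": "major"}
HEARTBEAT: Item = {"source": "db-01", "type": "heartbeat"}

if __name__ == "__main__":
    for order in (True, False):
        result, fired = process(ERROR_EVENT, enrich_first=order)
        print(f"enrich_first={order}: fired={fired} severity={result['severity']}")
    print("heartbeat:", process(HEARTBEAT, enrich_first=True))
```

With enrichment at priority 2 and escalation at priority 3, the error event from db-01 is enriched with its service and owner and then escalated to critical and assigned. With the priorities swapped, the escalation workflow's trigger is evaluated before the service field exists, so it never fires and the event stays at major with no assignee; nothing in the run reports this, which is why trigger conditions that depend on a field another workflow produces need their ordering checked deliberately. The heartbeat is dropped at priority 1 and reaches no later workflow, and a workflow whose status is Disabled or Deleted is skipped entirely.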
Workflow Name
The Name column provides a user-friendly identifier for individual workflows.
Status
The current workflow status. Possible statuses are Disabled (configured but not executing) and Enabled (configured and executing). A third status, Deleted, is returned by the API endpoint but does not display in the UI.
Created By
The ID of the user who created the workflow.
Last Modified
The date and time when the workflow was last changed.
To add a new workflow, click Add Workflow at the top of the table. Refer to Event workflow configuration example, Alert workflow configuration example, and Incident workflow configuration example for specific instructions on creating workflows.
Enrichment Data Catalogs tab
Data catalogs hold reference data that a workflow can add to events and incidents using the Query Catalog action.
Each row on the Data Catalog page represents a separate catalog. A catalog consists of column headings, which identify the type of data stored in each column, and rows, which are the individual records (documents). A workflow can reference this data and copy it into event and incident data fields.
See Create data catalogs for further details.