Workflow Engine overview
APEX AIOps Incident Management workflows provide automated data manipulation that can add or change data values in your event, alert, and incident fields. With workflows, you can customize the way Incident Management functions without having to write code or pay for additional features.
Workflow types
Incident Management offers three types of workflows: event, alert, and incident.
Event workflows
Use event workflows to enrich or normalize event data to create more useful or meaningful alerts.
Event workflow triggers use event field values at the time when the event is ingested. Because event workflows change event information before it is used to create alerts, they can change the way events deduplicate and form alerts. Event workflows behaviors focus on changing individual data fields, discarding irrelevant events, and generally ensuring the data is relevant for creating alerts.
For more information, see Event workflow configuration example.
Alert workflows
Alert workflows allow you to work with and modify alerts prior to correlation. Use alert workflows to manipulate the way incidents are formed, or simply to manage your alerts. For example, you can increase the severity of an alert based on the source or service, or drop alerts with certain properties so that they are never correlated into incidents. You can assign alerts to groups or individual users to ensure accountability. You can modify the alert description so that the correlated incident includes the information. Alert workflow gives you access to the properties of alerts to help automate alert management and additional ways to customize correlation. Alert workflows can be triggered by the creation of new alerts, or when an existing alert updates, or both. The alert workflow also gives you the option of choosing to trigger for Changes from anywhere, or only Changes from deduplication (when a new event is added to an existing alert via deduplication).
For more information, see Alert workflow configuration example.
Incident workflows
Incident workflows let you manipulate data at the incident level. They are triggered by either the creation of an incident or a change to an incident. Qualifying "changes" which can trigger incident workflows include:
Adding a new alert to the incident
Changing a value at the incident level, like the incident status, assignment, or other incident property
Changes occurring due to event deduplication (adding a new event to an alert, changing severity) are not incident changes, however, and will not trigger a workflow with either a New or changed incidents or a Changed incidents only trigger.
Incident workflows manipulate data fields (at the incident level), but also include incident-specific activities, like user and group assignments, sending the incident to external systems, and delayed incident processing. Incident workflows make it possible to:
Send incidents to external systems via webhook
Make automatic user and group assignments
Pause workflow incident processing using Delay actions
Use templates and a macro language to build incident descriptions and field values
Enrich, add, extract, replace, copy, and remove data
For configuration information, see Incident workflow configuration example. Refer to Workflow action reference for supported actions and examples. You can also watch a video showing how to set up an incident workflow.
Workflow processing
All Incident Management workflows are processed in one of two ways:
As part of an ordered list of workflows executing sequentially. Workflows processed this way are called data pipeline workflows.
As an independent, standalone operation. Workflows processed this way are called standalone workflows.
Data pipeline workflows consist of a trigger and at least one action. The trigger sets the conditions for the workflow to execute, while the action defines the changes made to the data. Multiple actions can be included and are processed in the order they appear in the workflow editor. Data pipeline workflows can pass events, alerts, and incidents to subsequent workflows, unless prevented by specific actions.
Standalone workflows consist of a trigger and at least one action. However, the trigger only provides an optional filter without setting any conditions that cause the workflow to run. The action defines the changes made to the data. Multiple actions can be included and are processed in the order they appear in the workflow editor. Standalone workflows do not pass processed alerts or incidents to other workflows after execution. They operate asynchronously, meaning their outputs should not be relied upon by other workflows.
For a more detailed comparison between data pipeline and standalone workflows, see Data pipeline versus standalone workflows.
The Workflow Engine page
Access the Workflow Engine page by clicking Correlate & Automate > Workflow Engine.
These tabs display on the page:
Event Workflows
Alert Workflows
Data Pipeline Workflows
Standalone Workflows
Incident Workflows
Data Pipeline Workflows
Standalone Workflows
Enrichment Data Catalogs
Event, Alert and Incident Workflows tabs
Event, alert, and incident workflows have many common elements and are configured in a similar way. The alert and incident workflow tabs allow you to select between Data Pipeline Workflows and Standalone Workflows, while all event workflows are data pipeline workflows by default.
The headings for the Event Workflows and Data Pipeline Workflows tabs are as follows:
Priority
The Priority column indicates the order in which the individual workflows listed execute. The workflow with a priority of 1 is processed first, priority 2 is processed next, priority 3 after that, and so on.
It is important to keep in mind how ordering the workflows will impact your data. For example, if one workflow adds a data field, and another workflow manipulates the data in that field, then you must ensure the workflow creating the data field precedes the workflow that needs to use the field.
To change the order, click the three-dot menu and click Edit Workflows Order.
For more on workflow priority, see Change data pipeline workflow order.
Workflow Name
The Name column provides a user-friendly identifier for individual workflows.
Status
The current workflow status. Possible statuses include Disabled (configured but not yet enabled), and Enabled (configured and enabled). A third status, Deleted, is available through the API endpoint, but does not display in the UI.
Created By
The ID of the user who created the workflow.
Last Modified
The date and time when the workflow was last changed by someone.
The headings for the Standalone Workflows tab are as follows:
Workflow Name
The Name column provides a user-friendly identifier for individual workflows.
In Use
Whether or not the workflow is in use. A standalone workflow is deemed in use if it is referenced by another workflow through a Run Standalone Workflow action, or if it is utilized in an Actions Menu action.
Status
The current workflow status. Possible statuses include Disabled (configured but not yet enabled), and Enabled (configured and enabled). A third status, Deleted, is available through the API endpoint, but does not display in the UI.
Created By
The ID of the user who created the workflow.
Last Modified
The date and time when the workflow was last changed by someone.
To add a new workflow, click Add Workflow at the top of the table.
Refer to Event workflow configuration example, Alert workflow configuration example, and Incident workflow configuration example for specific instructions on creating data pipeline workflows.
Enrichment Data Catalogs tab
Data catalogs include information you can add to events and incidents via workflow using the Query Catalog action.
Each row on the Data Catalog page represents a separate catalog. A catalog includes column headings, which identify the type of data stored in the column, and rows, which are individual records (documents) of data. This data can be referenced via workflow and transferred to event and incident data fields.
See Create data catalogs for further details.