Skip to main content

Workflow action reference

The Workflow Engine lets you process your monitoring data with configurable actions which operate in sequence. You can parse hostnames and other fields to normalize your data, enrich your data with configuration information, filter and drop events, and change service and severity information, among other possibilities.

The Workflow Engine allows you to conditionally run actions against events, alerts, or incidents. Most event workflows involve transforming the data in some way (for example, conditionally setting a severity, or parsing fields to normalize data), alert workflows focus on managing alerts or manipulating them for correlation, and incident workflows are primarily used to route data (for example, assigning an incident to a team and sending the incident update to an outbound integration).

Configure workflows by navigating to Correlate & Automate > Workflow Engine. Click the Event Workflows tab, the Alert Workflows tab, or the Incident Workflows tab to create workflows which process events, alerts, or incidents, respectively.

This topic contains lists of all the workflow actions that can be used in APEX AIOps Incident Management. Note that actions may be available for more than one data type. For example, the Drop action is available in both event and alert workflows. In this reference, the actions appear in the lists for all the data types that they are valid for.

Additional information

For more information on Workflow Engine and workflows, see also:

Refer to the links under In this section for topics on individual workflow actions.

The following actions are available in event workflows:

Action

Description

Classify action

Sets the class and type fields. You can also use the Match and Update action to update the event class based on your own criteria.

Deduplication Filter action

Filters events on whether they will create a new alert or be deduplicated into an existing alert.

Drop action

Prevents any additional processing of the event or alert by other features in the system. Dropped events are not deduplicated and do not become alerts, and dropped alerts are not correlated into incidents. You can continue to view dropped alerts on the Alerts page, however.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events or incidents that pass through a previous action. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp logs the number of seconds elapsed since January 1st, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Parse FQDN action

Parses an FQDN field and copies the host and domain names to the specified fields

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression in an event or incident field with a new specified string.

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Severity action

Sets the severity of an event or alert to a user-specified severity level.

Skip action

Causes all workflow processing of an alert to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Split Tags action

Splits a value from a tag field into multiple tags in the same object.

Template Field Action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter Action

Filters events or incidents according to the time or day of the week. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

To Lower Case action

Converts an input field string to lower case.

To Upper Case action

Converts an input field string to upper case.

The following actions are available in alert workflows:

Action

Description

Alert in Incident action

Checks if an alert is included in an incident.

Assign action

Assigns an alert or incident to a user, a user group, or both.

Delay action

Delays the processing of an alert or incident through a workflow for a configurable amount of time.

Drop action

Prevents any additional processing of the event or alert by other features in the system. Dropped events are not deduplicated and do not become alerts, and dropped alerts are not correlated into incidents. You can continue to view dropped alerts on the Alerts page, however.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events or incidents that pass through a previous action. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp logs the number of seconds elapsed since January 1st, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Parse FQDN action

Parses an FQDN field and copies the host and domain names to the specified fields

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression in an event or incident field with a new specified string.

Set Description action

Sets the description field of an alert or incident based on a specified template.

Set External Details action

Lets you configure the external information fields for alerts and incidents using substitution and regular expressions.

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Severity action

Sets the severity of an event or alert to a user-specified severity level.

Set Status action

Sets the status of alerts or incidents automatically.

Set Tags action

Constructs new tag values based upon templates. The specified output tag is then replaced by the new tag values. To instead add tag values to a specified output tag, use Add Item to List.

Skip action

Causes all workflow processing of an alert to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Template Field Action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter Action

Filters events or incidents according to the time or day of the week. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

To Lower Case action

Converts an input field string to lower case.

To Upper Case action

Converts an input field string to upper case.

The following actions are available in incident workflows:

Action

Description

Add Comment action

Adds a comment to an incident.

Add Item to List action

Adds an item to an existing list within an incident tag. If the tag doesn't exist or is empty, then a new tag or list is created.

Add Watchers action

Adds validated Incident Management users or groups to the list of watchers for incidents. You can control the incidents affected by this action by configuring workflow triggers, or by adding a filter within your incident workflow.

Assign action

Assigns an alert or incident to a user, a user group, or both.

Delay action

Delays the processing of an alert or incident through a workflow for a configurable amount of time.

Extract Substring action

Extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

Filter action

Filters events or incidents that pass through a previous action. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

Format Timestamp action

Formats an epoch timestamp as a human-readable date and time. An epoch timestamp logs the number of seconds elapsed since January 1st, 1970. For information on converting dates and times to epoch format, see this external resource.

Match and Update action

Updates a field based on the contents of other fields. You specify a set of input fields to evaluate. Each input has a corresponding regex tag and an output value. On the first match, the action copies the output value to the output field.

Query Catalog action

Queries a data catalog and maps the matching data to the specified event, alert, or incident fields.

Remove Tags action

Removes tags from events, alerts, or incidents by matching the tag names against a regular expression.

Replace String action

Replaces a string or a regular expression in an event or incident field with a new specified string.

Send Announcement action

Sends an automated email with custom content to any configured watchers for incidents. It also posts an announcement, viewable in the Comments panel on the Incidents page or in the Situation Room. For details on using Announcements, refer to Use comments with incidents.

Send to Endpoint action

Sends an incident to an existing outbound webhook endpoint. It also optionally populates the Outbound tab of the Incident with a link to the endpoint.

Set Description action

Sets the description field of an alert or incident based on a specified template.

Set Priority action

Automatically changes the priority of an incident for a custom value between 1 (highest priority) and 5 (lowest priority).

Set Service action

Adds to or replaces the service list of an event, alert, or incident with user-specified services.

Set Status action

Sets the status of alerts or incidents automatically.

Set Tags action

Constructs new tag values based upon templates. The specified output tag is then replaced by the new tag values. To instead add tag values to a specified output tag, use Add Item to List.

Skip action

Causes all workflow processing of an alert to stop immediately. Processing by the current workflow stops, and all subsequent workflows in the list are skipped.

Split action

Splits one field into substrings and copies them to other fields in the same object.

Template Field Action

Enables you to construct a string, based on one or more fields or tags, and then copy the string to an output field.

Time Filter Action

Filters events or incidents according to the time or day of the week. Based on whether the events or incidents match the given filter, you can then decide whether to proceed to the next action or skip to the next workflow.

To Lower Case action

Converts an input field string to lower case.

To Upper Case action

Converts an input field string to upper case.