Skip to main content

Workflow trigger

The trigger portion of a workflow defines the condition which causes a workflow to run and process data.

In event workflows

For event workflows, the trigger also acts as a filter to determine the events processed. Click inside the Event Filter box and use the suggested fields and operators to build a filter which identifies the events the workflow will process. The workflow is triggered whenever incoming events match the filter.

In incident workflows

An incident workflow is triggered when a specified change in an incident occurs. This change can be the creation of the incident (Create only), a change to an existing incident (Update only), or when either an update or create occurs (Update and Change). The trigger additionally includes a filter which lets you choose a subset of the triggering incidents for the workflow to process. Click inside the Incident Filter box and use the suggested fields and operators to build a filter which identifies the incidents the workflow will process. The filter is optional for incident workflow.

The trigger filter

For event workflows, the trigger filter defines the events that the workflow will process. In incident workflows, it is optional, but when a filter is present, it determines which incidents are processed by the workflow.

Click in the filter field and select the fields, values, and operators from the menus.


For additional assistance building filters, refer to Build a scope filter query.

Using quotation marks

Quotation marks are only required in filter parameters when there are spaces in a string.

Example: A string with no spaces does not require quotation marks:

tag.key1 = 5

But a string with spaces will not be parsed correctly without quotation marks, as in the following two cases:

"correlation definition" = a551ab9f-c5ab-4dfe-a52d-b325393176af
tag.key1 = "Allegheny Airlines"

Filtering with correlation definitions in incident workflows

When filtering incidents based on the correlation definition responsible for forming the incident, be sure to use the ID of the definition instead of the name.


"correlation definition" = "a551ab9f-c5ab-4dfe-a52d-b325393176af"

You can retrieve the ID by using an API call, or by opening the definition for editing in the user interface and then copying the final series of characters from the URL: