
Create an Enrichment Workflow

To add enrichment data from the Enrichment API data store to alerts in Moogsoft Onprem, configure a workflow in the Enrichment Workflow Engine. This topic covers the final step in the Enrichment API example Enrich Alerts Using the Enrichment API.

The following diagram illustrates the process to enrich alert data with the Enrichment API:

[Diagram: create_enrichment_workflow.png]

The Enrichment Workflow Engine listens for alerts coming from the Alert Builder, so you can create an enrichment workflow with an action that uses the getEnrichment function to add enrichment data to your alerts. For more information, see getEnrichment.

The getEnrichment function matches a field of the active alert in the workflow engine against records in the enrichment data store. It takes the following arguments:

  • attribute: the value of the attribute key in the enrichment data store. For example, "source" for an enrichment record with {"attribute":"source"}.

  • value: the alert field that holds the data to compare to the enrichment record. For example, "source".

  • target: an optional target key for the enrichment data in the alert. For example, a value of "api_data" writes the custom info from the data store to custom_info.enrichment.api_data.

Step 3: Create an enrichment workflow

In the example scenario, you want to enrich all alerts with location and support information from the Enrichment API. Therefore, create a new workflow in the Enrichment Workflow Engine as follows:

  1. Create a workflow called "Get Enrichment" as follows:

    • Description: "Get Enrichment from the enrichment data store"

    • Entry filter: 'custom_info.enrichment.isEnriched' != true

      This way you don't attempt to enrich any alerts that have already been enriched.

    • Sweep up filter: <leave blank>

    • First match only: <leave unchecked>

  2. Add an action into the workflow called "Enrich from API" as follows:

    • Function: getEnrichment

    • Arguments:

      attribute: source

      value: source

      target: api_data

    • Forwarding Behavior: Always Forward

When this workflow is active, it queries the Enrichment API data store for enrichment data. Given the following alert data:

{ ... "source":"sflinux101", ...}

The Workflow Engine updates the alert custom_info.enrichment key as follows:

"custom_info": {
    "enrichment": {
        "api_data": {
            "support_group": "SF NOC",
            "location": "1265 Battery St., San Francisco, CA"
        }
    }
}
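The lookup and write-back this workflow performs, modelled as an added Python example that is not Moogsoft's code: the ENRICHMENT_STORE records, the entry_filter, get_enrichment and run_workflow helpers, and the behaviour when target is omitted are all assumptions constructed for illustration.

```python
import copy

# Constructed enrichment data store records (illustrative, not real hosts).
# Each record names the attribute it matches on, the value it matches, and
# the custom info to copy into the alert.
ENRICHMENT_STORE = [
    {"attribute": "source", "value": "sflinux101",
     "custom_info": {"support_group": "SF NOC",
                     "location": "1265 Battery St., San Francisco, CA"}},
    {"attribute": "source", "value": "nylinux202",
     "custom_info": {"support_group": "NY NOC", "location": "New York, NY"}},
]


def entry_filter(alert):
    """Entry filter 'custom_info.enrichment.isEnriched' != true."""
    enrichment = alert.get("custom_info", {}).get("enrichment", {})
    return enrichment.get("isEnriched") is not True


def get_enrichment(alert, attribute, value, target=None):
    """Model of the getEnrichment action (assumed behaviour, not Moogsoft's code).

    attribute: the attribute key to match in the data store.
    value:     the alert field whose content is compared to the record's value.
    target:    optional key under custom_info.enrichment that receives the custom info.
    Returns a new alert; the input is not modified. Alerts with no match pass through.
    """
    lookup = alert.get(value)
    match = next((r for r in ENRICHMENT_STORE
                  if r["attribute"] == attribute and r["value"] == lookup), None)
    enriched = copy.deepcopy(alert)
    if match is None:
        return enriched
    enrichment = enriched.setdefault("custom_info", {}).setdefault("enrichment", {})
    if target:
        enrichment[target] = copy.deepcopy(match["custom_info"])
    else:
        # Assumption: with no target, the custom info lands directly under enrichment.
        enrichment.update(copy.deepcopy(match["custom_info"]))
    return enriched


def run_workflow(alert):
    """'Get Enrichment' workflow: entry filter, then the 'Enrich from API' action."""
    if not entry_filter(alert):
        return copy.deepcopy(alert)   # already enriched; skip the data store lookup
    return get_enrichment(alert, attribute="source", value="source", target="api_data")
```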

Learn more

To learn more about the getEnrichment function, see getEnrichment.