A Workflow Engine function that uses a predefined classification algorithm to estimate event or alert severity.

This function is available as a feature of the Add-ons v1.3 download and later.

This function is available for event, alert, and enrichment workflows.

The workflow sweep up filter applies to this function.


Workflow Engine function estimateSeverity takes the following arguments:

  • eventFields (optional): Array of fields to use in the classification algorithm. Defaults to the description field.

  • severityField (optional): Destination field for the classification algorithm's calculated severity. Defaults to the severity field.

If you do not configure these arguments, the function parses the event description field to calculate a severity value, which it assigns to the severity field.


The following example demonstrates typical use of Workflow Engine function estimateSeverity.

The optional eventFields argument allows you to customize the event fields the function uses for severity classification. You define these as an array of event fields. For example, if you set the following:

  • eventFields: ["agent", "description", "custom_info.clustering", "custom_info.enrichment.BusinessApps"]

The UI translates your settings to the following JSON:

{ "eventFields": ["agent", "description", "custom_info.clustering", "custom_info.enrichment.BusinessApps"] }

The optional severityField argument allows you to assign the estimated severity to a target field instead of using the default, severity. For example, to assign the result to custom_info.catasaurus.severity, set the following:

  • severityField: custom_info.catasaurus.severity

The UI translates your settings to the following JSON:


If the classification algorithm fails to estimate the severity and the target is the event severity field, the function returns false and the event is not updated. If the target is a custom_info field, the value defaults to Indeterminate.