BigPanda Formula Language (BPFL)
BigPanda Formula Language enables the use of complex calculations when configuring automatic enrichment tags.
Automatic Incident Enrichment Tags are able to use formula calculations when adding Incident Tags to allow for deeper detail and context. The updated BigPanda Formula Language allows greater precision and detail in configuring your automatic enrichment formulas.
Functions and variables within the formula language are similar to those of Microsoft Excel, and are sophisticated enough to support tag enrichment rules that depend on the results of other alert or incident tags.
Create and Edit Formulas
Formulas can be added or edited through the new Incident Tag Automatic Enrichment editor.
In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.
BigPanda Formula Editor
Universal Tags
Leave the Condition field blank if you would like the Value formula to run on every new incident. If an enrichment item has a blank condition, it will be the last item run for the tag. Make sure that any blank condition items are added after all other enrichment items.
Enter a formula in the Value field to have the system run a calculation based on the functions and attributes on each qualifying incident and then apply the correct tags based on that calculation.
BigPanda formulas are able to pull alert and incident data, and perform multi-factor functions in addition to standard mathematical operators.
Format Considerations
When building BPFL formulas, leverage simple strings or variables.
- With the exception of the Unique function, BigPanda Formula Language is case insensitive.
- In BPFL, you are able to use spaces between formula elements.
- BPFL does not support the use of wildcard (
*) values.
Links Syntax
Create a selectable link with a shortened URL syntax.
Syntax
[URLName|URLLink]
Incident Data
BigPanda Formula Language allows you to retrieve alerts and incident data as part of the formula. There are two key methods to pulling incident data into formulas: Alert Tags and Incident Metadata. Both methods require specific syntax and should be contained in braces.
Alert Tags
Use a specified alert tag type to pull an array of values from all alerts in the incident. The available tags you can enter here are determined by the alert tags configured in your system.
Syntax
{alert_tags.tagName}
For example, if you entered:
{alert_tags.host}
the system would add an array of the host tags for each alert into the formula.
Incident Metadata
Use incident metadata to pull a value or array from a specific field in the BigPanda incident data.
Available Metadata Tags:
id- returns a string containing the ID of the incidentsource_system- returns an array with all the integration IDs of the alertsstatus- returns the current status of the incident (“Critical”, “Warning“, ”Unknown“, ”Ok“)number_of_alerts- returns the number of alerts in an incidentis_flapping- returns true if the incident is in a flapping state, otherwise, returns false
Syntax
{incident.metadataField}
For example, if you entered:
{incident.status}
the system would enter the incident status value into the formula.
Functions
Most formulas use functions, or preset calculation types, with operators to modify the functions. The supported functions in BigPanda are CONCAT, COUNT, FILTER, IF, and UNIQUE. These functions can be combined together to create more complex formulas. Each function runs a calculation on information entered between following parenthesis.
CONCAT
The CONCAT (concatenate) function combines two or more strings together. These strings can contain other functions and dynamic content.
Syntax
CONCAT(string1, string2, ...., string_n)
For example if you entered
CONCAT({alert_tags.host}, {alert_tags.service})
the system will combine the values into a single string: hostvalueservicevalue.
Use CONCAT with a delimiter to leverage join functionality.
Syntax
CONCAT(delimiter, string1, string2, ...., string_n)
For example if you entered
CONCAT(“-”, {alert_tags.host}, {alert_tags.service})
the system will combine the values into a single string: hostvalue-servicevalue.
COUNT
The COUNT function adds up the total number of incoming values.
Syntax
COUNT(array)
For example, if you entered:
COUNT([1, 2, 3, 3])
the system would return 4.
FILTER
The FILTER function extracts an array of field values based on a conditional value for an alert or incident metadata field. The ExtractedField and ConditionField are both case sensitive. The ExtractedField is the field you want to pull the values from, and the ConditionField is the field that will be checked to see if it matches the filter condition.
Syntax
FILTER(ExtractedField, ConditionField, Operator, ConditionValue)
For example, if you entered:
FILTER(bp_priority, alert_status, !=, ok)
the system would return an array of bp_priority values for all alerts where the alert_status is not ok.
The Filter function is able to pull condition values from additional alert metadata fields. Available alert metadata fields:
alert_primary_propertyalert_secondary_propertyalert_statusalert_source_systemalert_maintenance_plansalert_activealert_flapping
Filter Operators
The Filter function only supports comparison operators (such as
!=,<,>). Logical operators (AND, OR) cannot be used within a Filter function. The AND and OR operators can be used with other functions that refer to a filter function.
IF
The IF function sets a condition. If the condition is met, the first value will be returned.
(Optional) Add a second value to return if the condition is not met. You can nest IF functions to create logic chains.
Syntax
IF(LogicalArgument, value1, value2)
or
IF(LogicalArgument,value1)
For example, if you entered:
IF(1 < 2, "true", "false")
the system would return true.
UNIQUE
The UNIQUE function returns a list of all unique values for incoming items. The Unique function is case sensitive.
Syntax
UNIQUE([array])
For example, if you entered:
UNIQUE([1, 2, 3, 3])
the system would return [1, 2, 3].
Operators
Operators are additional modifiers that allow you to use the functions to create more complex calculations.
| Operator | Description | Example | Type |
|---|---|---|---|
| = | Equal | 1 = 2==> false | Comparison |
| != | Not Equal | 1 != 2==> true | Comparison |
| > | Greater Than | 1 > 2==> false | Comparison |
| < | Less Than | 1 < 2==> true | Comparison |
| > = | Greater Than or Equal | 1 >= 2==> false | Comparison |
| <= | Less Than or Equal | 1 <= 2==> true | Comparison |
| ORor | At least one of the conditions is true | 1 <= 2 OR 1 = 2==> true | Logical |
| ANDand | All of the conditions are true | 1 <= 2 AND 1 = 2==> false | Logical |
Example Incident Tag Value Formulas
These elements can be combined together to create tags that use sophisticated formulas to calculate their values, such as:
Business Scope Tag
This formula creates a simple tag to help operators see at a glance how widespread a system issue is.
IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ">3 affected services", "<=2 affected services")
In this formula IF the COUNT of UNIQUE alert service tags is greater than three AND the incident status is “Critical”, then the “>3 affected services” tag will be added to the incident. If the count of unique service values is less than three, or the incident status is not “Critical”, then the “<=2 affected services” tag will be added to the incident.
Tiered Priority Filter
This formula creates a priority tier to automatically assign BigPanda priority using a filter for specific alert properties.
IF(FILTER(bp_priority, alert_status, !=, ok)= P1, 1000, IF(FILTER(bp_priority, alert_status, !=, ok)= P2, 900, IF(FILTER(bp_priority, alert_status, !=, ok)= P3, 800, IF(FILTER(bp_priority, alert_status, !=, ok)= P4, 700, IF(FILTER(bp_priority, alert_status, !=, ok)= P5, 600)))))
IF an alert matches the first FILTER, where the bp_priority value is P1, then the incident receives a priority value of 1000. IF not, the next FILTER is applied, looking for P2 alerts. The formula will run through each FILTER to apply the highest fitting priority level to the incident.
To learn more about BigPanda priority, see the Prioritize Incidents documentation.
Hyperlinked Incident Tag
Feature Rollout
This formula requires the CONCAT function, which is currently only available in sandbox and testing instances.
Combine formulas to create a hyperlinked incident tag that generates a dynamic search containing encoded characters.
First, create a composition alert enrichment tag. For the purpose of this example, we'll create a tag called search_service to search for the value of a service tag. Create your tag with the following parameters:
BPQL Condition query filter: service = "*"
Composition Template: https://a.bigpanda.io/#/app/investigator%3Fquery%3Dservice%3D%22${service}%22%26timeframe%3D-7d%26sort%3Dstart%5D
BigPanda's search will looks at the service tag and combine it with the encoding in the composition template.
To create a clean hyperlink with this search link, create an incident enrichment tag using the following example formula.
BPQL Condition filter: search_service = “*”
BPFL Value: UNIQUE(CONCAT("", "[Search|", {alert_tags.search_service}, "]"))
The result is a hyperlinked incident tag that will generate a unified search for the parameters specified in the alert enrichment step.
Next Steps
Learn how to use BPFL to create Automatic Incident Enrichment Tags
Find information about BigPanda Query Language (BPQL)
Updated about 1 month ago