BigPanda Formula Language (BPFL)

BigPanda Formula Language enables the use of complex calculations when configuring automatic enrichment tags.

Automatic Incident Enrichment Tags are able to use formula calculations when adding Incident Tags to allow for deeper detail and context. The updated BigPanda Formula Language allows greater precision and detail in configuring your automatic enrichment formulas.

Functions and variables within the formula language are similar to those of Microsoft Excel, and are sophisticated enough to support tag enrichment rules that depend on the results of other alert or incident tags.

Create and Edit Formulas

Formulas can be added or edited through the new Incident Tag Automatic Enrichment editor.

In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.

[Screenshot: BigPanda Formula Editor]


Universal tags

Leave the Condition field blank if you would like the Value formula to run on every new incident. If an enrichment item has a blank condition, it will be the last item run for the tag. Make sure that any blank condition items are added after all other enrichment items.

Enter a formula in the Value field to have the system run a calculation based on the functions and attributes on each qualifying incident and then apply the correct tags based on that calculation.

BigPanda formulas are able to pull alert and incident data, and perform multi-factor functions in addition to standard mathematical operators.

Format Considerations

When building BPFL formulas, use simple strings or variables.

  • With the exception of the Unique function, BigPanda Formula Language is case insensitive.
  • In BPFL, you are able to use spaces between formula elements.
  • BPFL does not support the use of wildcard (*) values.

Link syntax

Create a selectable link with a shortened URL syntax.

Syntax

[URLName|URLLink]

Incident Data

BigPanda Formula Language allows you to retrieve alerts and incident data as part of the formula. There are two key methods to pulling incident data into formulas: Alert Tags and Incident Metadata. Both methods require specific syntax and should be contained in braces.

Alert Tags

Use a specified alert tag type to pull an array of values from all alerts in the incident. The available tags you can enter here are determined by the alert tags configured in your system.

Syntax

{alert_tags.tagName}

For example, if you enter:

{alert_tags.host}

the system would add an array of the host tags for each alert into the formula.

Incident Metadata

Use incident metadata to pull a value or array from a specific field in the BigPanda incident data.

Available Metadata Tags:

  • id - returns a string containing the ID of the incident
  • source_system - returns an array with all the integration IDs of the alerts
  • status - returns the current status of the incident ("Critical", "Warning", "Unknown", "Ok")
  • number_of_alerts - returns the number of alerts in an incident
  • is_flapping - returns true if the incident is in a flapping state, otherwise, returns false

Syntax

{incident.metadataField}

For example, if you enter:

{incident.status}

the system would enter the incident status value into the formula.

Functions

Most formulas use functions, or preset calculation types, together with operators that modify the functions. The supported functions in BigPanda are CONCAT, COUNT, FILTER, IF, and UNIQUE. These functions can be combined to create more complex formulas. Each function runs a calculation on the arguments entered between the parentheses that follow it.

CONCAT

The CONCAT (concatenate) function combines two or more strings together. These strings can contain other functions and dynamic content.


Delimiter Required

BigPanda CONCAT requires a delimiter. Use an empty delimiter "" to have no space between values.

Syntax

CONCAT(delimiter, string1, string2, ..., string_n)

For example, if you enter

CONCAT("-", {alert_tags.host}, {alert_tags.service})

the system will combine the values into a single string: hostvalue-servicevalue.

COUNT

The COUNT function returns the total number of incoming values, duplicates included.

Syntax

COUNT(array)

For example, if you entered:

COUNT([1, 2, 3, 3])

the system would return 4.

FILTER

The FILTER function extracts an array of field values based on a conditional value for an alert or incident metadata field. The ExtractedField and ConditionField are both case sensitive. The ExtractedField is the field you want to pull the values from, and the ConditionField is the field that will be checked to see if it matches the filter condition.

Syntax

FILTER(ExtractedField, ConditionField, Operator, ConditionValue)

For example, if you entered:

FILTER(bp_priority, alert_status, !=, ok)

the system would return an array of bp_priority values for all alerts where the alert_status is not ok.

The Filter function is able to pull condition values from additional alert metadata fields. Available alert metadata fields:

  • alert_primary_property
  • alert_secondary_property
  • alert_status
  • alert_source_system
  • alert_maintenance_plans
  • alert_active
  • alert_flapping


Filter operators

The Filter function only supports comparison operators (such as !=, <, >). Logical operators (AND, OR) cannot be used within a Filter function. The AND and OR operators can be used with other functions that refer to a filter function.

IF

The IF function sets a condition. If the condition is met, the first value will be returned.

(Optional) Add a second value to return if the condition is not met. You can nest IF functions to create logic chains.

Syntax

IF(LogicalArgument, value1, value2)

or

IF(LogicalArgument,value1)

For example, if you entered:

IF(1 < 2, "true", "false")

the system would return true.

UNIQUE

The UNIQUE function returns a list of all unique values for incoming items. The Unique function is case sensitive.

Syntax

UNIQUE([array])

For example, if you enter:

UNIQUE([1, 2, 3, 3])

the system would return [1, 2, 3].

Operators

Operators are additional modifiers that allow you to use the functions to create more complex calculations.

| Operator | Description | Example | Type |
| --- | --- | --- | --- |
| = | Equal | 1 = 2 ==> false | Comparison |
| != | Not Equal | 1 != 2 ==> true | Comparison |
| > | Greater Than | 1 > 2 ==> false | Comparison |
| < | Less Than | 1 < 2 ==> true | Comparison |
| >= | Greater Than or Equal | 1 >= 2 ==> false | Comparison |
| <= | Less Than or Equal | 1 <= 2 ==> true | Comparison |
| OR, or | At least one of the conditions is true | 1 <= 2 OR 1 = 2 ==> true | Logical |
| AND, and | All of the conditions are true | 1 <= 2 AND 1 = 2 ==> false | Logical |

Example Incident Tag Value Formulas

These elements can be combined together to create tags that use sophisticated formulas to calculate their values, such as:

Business scope tag

This formula creates a simple tag to help operators see at a glance how widespread a system issue is.

IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ">3 affected services", "<=2 affected services") 

In this formula IF the COUNT of UNIQUE alert service tags is greater than three AND the incident status is “Critical”, then the “>3 affected services” tag will be added to the incident. If the count of unique service values is less than three, or the incident status is not “Critical”, then the “<=2 affected services” tag will be added to the incident.
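The following is an added example, not BigPanda's code: a small Python model of the five BPFL functions and the comparison operators described above, applied to the business scope formula on a constructed incident. Note the boundary the formula draws: an incident with exactly three unique services is not greater than three, so it falls into the else branch and receives the "<=2 affected services" tag.

```python
# Added example, not BigPanda's code: Python model of the BPFL functions above,
# checked against the page's examples and the business scope formula.

def concat(delimiter, *parts):
    """CONCAT: join values with the required delimiter; arrays are flattened."""
    flat = []
    for part in parts:
        flat.extend(part if isinstance(part, list) else [part])
    return delimiter.join(str(x) for x in flat)

def count(values):
    """COUNT: number of incoming values, duplicates included."""
    return len(values)

def unique(values):
    """UNIQUE: distinct values in first-seen order; case sensitive."""
    seen, out = set(), []
    for value in values:
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out

def if_(condition, value1, value2=None):
    """IF: value1 when the condition holds, otherwise the optional value2."""
    return value1 if condition else value2

# Comparison operators from the Operators table; AND/OR are Python's own.
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def filter_(alerts, extracted, condition_field, op, value):
    """FILTER(ExtractedField, ConditionField, Operator, ConditionValue)."""
    return [a[extracted] for a in alerts if OPS[op](a[condition_field], value)]

# Constructed sample alerts for one incident (not real data).
ALERTS = [
    {"host": "db-11116", "service": "payments", "bp_priority": "P1", "alert_status": "critical"},
    {"host": "db-11154", "service": "payments", "bp_priority": "P2", "alert_status": "ok"},
    {"host": "web-1", "service": "checkout", "bp_priority": "P3", "alert_status": "warning"},
    {"host": "web-2", "service": "search", "bp_priority": "P3", "alert_status": "critical"},
]

def business_scope(alerts, status):
    """IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ...)"""
    services = [a["service"] for a in alerts]
    hit = count(unique(services)) > 3 and status == "Critical"
    return if_(hit, ">3 affected services", "<=2 affected services")
```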

Tiered priority filter

This formula creates a priority tier to automatically assign BigPanda priority using a filter for specific alert properties.

IF(FILTER(bp_priority, alert_status, !=, ok)= P1, 1000, IF(FILTER(bp_priority, alert_status, !=, ok)= P2, 900, IF(FILTER(bp_priority, alert_status, !=, ok)= P3, 800, IF(FILTER(bp_priority, alert_status, !=, ok)= P4, 700, IF(FILTER(bp_priority, alert_status, !=, ok)= P5, 600))))) 

IF an alert matches the first FILTER, where the bp_priority value is P1, then the incident receives a priority value of 1000. IF not, the next FILTER is applied, looking for P2 alerts. The formula will run through each FILTER to apply the highest fitting priority level to the incident.

To learn more about BigPanda priority, see the Prioritize Incidents documentation.

Consolidated description incident tag

Combine formulas to create a description tag that lists all unique hosts and checks on an incident, together with a count of the correlated alerts.

BPFL Value: CONCAT("-",UNIQUE({alert_tags.host}),UNIQUE({alert_tags.check}),"AlertCount=",{incident.number_of_alerts})

The result is an incident tag that lists the information in a single consolidated value as so:

production-database-11116-production-database-11154-cpu overloaded-router unresponsive-AlertCounts=-6

Hyperlinked incident tag

Combine formulas to create a hyperlinked incident tag that generates a dynamic search containing encoded characters.

First, create a composition alert enrichment tag. For the purpose of this example, we'll create a tag called search_service to search for the value of a service tag. Create your tag with the following parameters:

BPQL Condition query filter: service = "*"

Composition Template: https://a.bigpanda.io/#/app/investigator%3Fquery%3Dservice%3D%22${service}%22%26timeframe%3D-7d%26sort%3Dstart%5D

BigPanda looks at the service tag and combines it with the encoding in the composition template.

To create a clean hyperlink with this search link, create an incident enrichment tag using the following example formula.

BPQL Condition filter: search_service = "*"

BPFL Value: UNIQUE(CONCAT("", "[Search|", {alert_tags.search_service}, "]"))

The result is a hyperlinked incident tag that will generate a unified search for the parameters specified in the alert enrichment step.
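The following is an added example, not BigPanda's code: it builds the search_service link from the composition template above and wraps it in the BPFL link syntax [URLName|URLLink]. It assumes the service value is percent-encoded before substitution (the composition template only encodes the fixed parts of the URL), so a service tag value that happens to contain "|", "]" or a double quote cannot change the link target or the search query; the well-formedness check is what a reviewer would run over the generated tags.

```python
# Added example, not BigPanda's code: build the hyperlinked search tag from the
# page's composition template and check that the link syntax stays intact.
from urllib.parse import quote

# Template from the page; BigPanda's ${service} placeholder is written as a
# Python format field here.
TEMPLATE = ("https://a.bigpanda.io/#/app/investigator%3Fquery%3Dservice%3D%22"
            "{service}%22%26timeframe%3D-7d%26sort%3Dstart%5D")

def search_service(service):
    """Composition tag search_service for one alert's service value.

    Assumption: the value is percent-encoded (safe="" encodes every reserved
    character, including '|', ']' and '"') before it enters the template.
    """
    return TEMPLATE.format(service=quote(service, safe=""))

def search_links(services):
    """UNIQUE(CONCAT("", "[Search|", {alert_tags.search_service}, "]"))."""
    links = ["[Search|" + search_service(s) + "]" for s in services]
    return list(dict.fromkeys(links))  # UNIQUE, first-seen order

def link_is_well_formed(link):
    """One name/URL separator and no ']' before the closing bracket."""
    body = link[1:-1]
    return (link.startswith("[Search|") and link.endswith("]")
            and body.count("|") == 1 and "]" not in body)
```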

Next Steps

Learn how to use BPFL to create Automatic Incident Enrichment Tags

Find information about BigPanda Query Language (BPQL)