BigPanda Formula Language (BPFL)
BigPanda Formula Language enables the use of complex calculations when configuring automatic enrichment tags.
Automatic Incident Enrichment Tags are able to use formula calculations when adding Incident Tags to allow for deeper detail and context. The updated BigPanda Formula Language allows greater precision and detail in configuring your automatic enrichment formulas.
Functions and variables within the formula language are similar to those of Microsoft Excel, and are sophisticated enough to support tag enrichment rules that depend on the results of other alert or incident tags.
Create and Edit Formulas
Formulas can be added or edited through the new Incident Tag Automatic Enrichment editor.
In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.

BigPanda Formula Editor
Universal Tags
Leave the Condition field blank if you would like the Value formula to run on every new incident. If an enrichment item has a blank condition, it will be the last item run for the tag. Make sure that any blank condition items are added after all other enrichment items.
Enter a formula in the Value field to have the system run a calculation based on the functions and attributes on each qualifying incident and then apply the correct tags based on that calculation.
BigPanda formulas are able to pull alert and incident data, and perform multi-factor functions in addition to standard mathematical operators.
With the exception of the Unique function, BigPanda Formula Language is case insensitive.
In BPFL, you are able to use spaces between formula elements.
BPFL does not support the use of wildcard (
*
) values.
Incident Data
BigPanda Formula Language allows you to retrieve alerts and incident data as part of the formula. There are two key methods to pulling incident data into formulas: Alert Tags and Incident Metadata. Both methods require specific syntax and should be contained in braces.
Alert Tags
Use a specified alert tag type to pull an array of values from all alerts in the incident. The available tags you can enter here are determined by the alert tags configured in your system.
Syntax
{alert_tags.tagName}
For example, if you entered:
{alert_tags.host}
the system would add an array of the host tags for each alert into the formula
Incident Metadata
Use incident metadata to pull a value or array from a specific field in the BigPanda incident data.
Available Metadata Tags:
id
- returns a string containing the ID of the incidentsource_system
- returns an array with all the integration IDs of the alertsstatus
- returns the current status of the incident (“Critical”, “Warning“, ”Unknown“, ”Ok“)number_of_alerts
- returns the number of alerts in an incidentis_flapping
- returns true if the incident is in a flapping state, otherwise, returns false
Syntax
{incident.metadataField}
For example, if you entered:
{incident.status}
the system would enter the incident status into the formula
Functions
Most formulas are centered in functions, or preset calculation types, with operators to modify the functions. The supported functions in BigPanda are COUNT, UNIQUE, and IF. These functions can be combined together to create more complex formulas. Each function runs a calculation on information entered between following parenthesis.
COUNT
The COUNT function adds up the total number of incoming values.
Syntax
COUNT(array)
For example, if you entered:
COUNT([1, 2, 3, 3])
the system would return 4
UNIQUE
The UNIQUE function returns a list of all unique values for incoming items. The Unique function is case sensitive.
Syntax
UNIQUE(array)
For example, if you entered:
UNIQUE([1, 2, 3, 3])
the system would return [1, 2, 3]
IF
The IF function sets a condition. If the condition is met, the first value will be returned. (Optional) Add a second value to return if the condition is not met. You can nest IF functions to create logic chains.
Syntax
IF(LogicalArgument, value1, value2)
IF(LogicalArgument,value1)
For example, if you entered:
IF(1 < 2, "true", "false")
the system would return “true”
FILTER
The FILTER function extracts an array of field values based on a conditional value for an alert or incident metadata field. The ExtractedField
and ConditionField
are both case sensitive. The ExtractedField
is the field you want to pull the values from, and the ConditionField
is the field that will be checked to see if it matches the filter condition.
Syntax
FILTER(ExtractedField, ConditionField, Operator, ConditionValue)
For example, if you entered:
FILTER(bp_priority, alert_status, !=, ok)
the system would return an array of bp_priority values for all alerts where the alert_status is not ok
.
The Filter function is able to pull condition values from additional alert metadata fields. Available alert metadata fields:
- alert_primary_property
- alert_secondary_property
- alert_status
- alert_source_system
- alert_maintenance_plans
- alert_active
- alert_flapping
Filter Operators
The Filter function only supports comparison operators (such as !=, <, >). Logical operators (AND, OR) cannot be used within a Filter function. The AND and OR operators can be used with other functions that refer to a filter function.
Operators
Operators are additional modifiers that allow you to use the functions to create more complex calculations.
Operator | Description | Example | Type |
---|---|---|---|
= | Equal | 1 = 2 ==> false | Comparison |
!= | Not Equal | 1 != 2 ==> true | Comparison |
> | Greater Than | 1 > 2 ==> false | Comparison |
< | Less Than | 1 < 2 ==> true | Comparison |
> = | Greater Than or Equal | 1 >= 2 ==> false | Comparison |
<= | Less Than or Equal | 1 <= 2 ==> true | Comparison |
OR or | At least one of the conditions is true | 1 <= 2 OR 1 = 2 ==> true | Logical |
AND and | All of the conditions are true | 1 <= 2 AND 1 = 2 ==> false | Logical |
Example Incident Tag Value Formulas
These elements can be combined together to create tags that use sophisticated formulas to calculate their values, such as:
Business Scope Tag
This formula creates a simple tag to help operators see at a glance how widespread a system issue is.
IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ">3 affected services", "<=2 affected services")
In this formula IF the COUNT of UNIQUE alert service tags is greater than three AND the incident status is “Critical”, then the “>3 affected services” tag will be added to the incident. If the count of unique service values is less than three, or the incident status is not “Critical”, then the “<=2 affected services” tag will be added to the incident.
Tiered Priority Filter
This formula creates a priority tier to automatically assign BigPanda priority using a filter for specific alert properties.
IF(FILTER(bp_priority, alert_status, !=, ok)= P1, 1000, IF(FILTER(bp_priority, alert_status, !=, ok)= P2, 900, IF(FILTER(bp_priority, alert_status, !=, ok)= P3, 800, IF(FILTER(bp_priority, alert_status, !=, ok)= P4, 700, IF(FILTER(bp_priority, alert_status, !=, ok)= P5, 600)))))
IF an alert matches the first FILTER, where the bp_priority
value is P1
, then the incident receives a priority value of 1000. IF not, the next FILTER is applied, looking for P2 alerts. The formula will run through each FILTER to apply the highest fitting priority level to the incident.
To learn more about BigPanda priority, see the Prioritize Incidents documentation.
Next Steps
Learn how to use BPFL to create Automatic Incident Enrichment Tags
Find information about BigPanda Query Language (BPQL)
Updated 3 months ago