Automatic Incident Enrichment Tags are able to use formula calculations when adding Incident Tags to allow for deeper detail and context. The updated BigPanda Formula Language allows greater precision and detail in configuring your automatic enrichment formulas.

Functions and variables within the formula language are similar to those of Microsoft Excel, and are sophisticated enough to support tag enrichment rules that depend on the results of other alert or incident tags.

Create and Edit Formulas

Formulas can be added or edited through the new Incident Tag Automatic Enrichment editor.

In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.

👍
Universal Tags
Leave the Condition field blank if you would like the Value formula to run on every new incident. If an enrichment item has a blank condition, it will be the last item run for the tag. Make sure that any blank condition items are added after all other enrichment items.

Enter a formula in the Value field to have the system run a calculation based on the functions and attributes on each qualifying incident and then apply the correct tags based on that calculation.

BigPanda formulas are able to pull alert and incident data, and perform multi-factor functions in addition to standard mathematical operators.

With the exception of the Unique function, BigPanda Formula Language is case insensitive.

📘
In BPFL, you are able to use spaces between formula elements.

🚧
BPFL does not support the use of wildcard (*) values.

Incident Data

BigPanda Formula Language allows you to retrieve alerts and incident data as part of the formula. There are two key methods to pulling incident data into formulas: Alert Tags and Incident Metadata. Both methods require specific syntax and should be contained in braces.

Alert Tags

Use a specified alert tag type to pull an array of values from all alerts in the incident. The available tags you can enter here are determined by the alert tags configured in your system.

Syntax
{alert_tags.tagName}

For example, if you entered:
{alert_tags.host}
the system would add an array of the host tags for each alert into the formula

Incident Metadata

Use incident metadata to pull a value or array from a specific field in the BigPanda incident data.

Available Metadata Tags:

id - returns a string containing the ID of the incident
source_system - returns an array with all the integration IDs of the alerts
status - returns the current status of the incident (“Critical”, “Warning“, ”Unknown“, ”Ok“)
number_of_alerts - returns the number of alerts in an incident
is_flapping - returns true if the incident is in a flapping state, otherwise, returns false

Syntax
{incident.metadataField}

For example, if you entered:
{incident.status}
the system would enter the incident status into the formula

Functions

Most formulas are centered in functions, or preset calculation types, with operators to modify the functions. The supported functions in BigPanda are COUNT, UNIQUE, and IF. These functions can be combined together to create more complex formulas. Each function runs a calculation on information entered between following parenthesis.

COUNT

The COUNT function adds up the total number of incoming values.

Syntax
COUNT(array)

For example, if you entered:
COUNT([1, 2, 3, 3])
the system would return 4

UNIQUE

The UNIQUE function returns a list of all unique values for incoming items. The Unique function is case sensitive.

Syntax
UNIQUE(array)

For example, if you entered:
UNIQUE([1, 2, 3, 3])
the system would return [1, 2, 3]

IF

The IF function sets a condition. If the condition is met, the first value will be returned. (Optional) Add a second value to return if the condition is not met. You can nest IF functions to create logic chains.

Syntax
IF(LogicalArgument, value1, value2)
IF(LogicalArgument,value1)

For example, if you entered:
IF(1 < 2, "true", "false")
the system would return “true”

FILTER

The FILTER function extracts an array of field values based on a conditional value for an alert or incident metadata field. The ExtractedField and ConditionField are both case sensitive. The ExtractedField is the field you want to pull the values from, and the ConditionField is the field that will be checked to see if it matches the filter condition.

Syntax
FILTER(ExtractedField, ConditionField, Operator, ConditionValue)

For example, if you entered:
FILTER(bp_priority, alert_status, !=, ok)
the system would return an array of bp_priority values for all alerts where the alert_status is not ok.

The Filter function is able to pull condition values from additional alert metadata fields. Available alert metadata fields:

alert_primary_property
alert_secondary_property
alert_status
alert_source_system
alert_maintenance_plans
alert_active
alert_flapping

📘
Filter Operators
The Filter function only supports comparison operators (such as !=, <, >). Logical operators (AND, OR) cannot be used within a Filter function. The AND and OR operators can be used with other functions that refer to a filter function.

Operators

Operators are additional modifiers that allow you to use the functions to create more complex calculations.

Operator	Description	Example	Type
=	Equal	1 = 2 ==> false	Comparison
!=	Not Equal	1 != 2 ==> true	Comparison
>	Greater Than	1 > 2 ==> false	Comparison
<	Less Than	1 < 2 ==> true	Comparison
> =	Greater Than or Equal	1 >= 2 ==> false	Comparison
<=	Less Than or Equal	1 <= 2 ==> true	Comparison
OR or	At least one of the conditions is true	1 <= 2 OR 1 = 2 ==> true	Logical
AND and	All of the conditions are true	1 <= 2 AND 1 = 2 ==> false	Logical

Example Incident Tag Value Formulas

These elements can be combined together to create tags that use sophisticated formulas to calculate their values, such as:

Business Scope Tag
This formula creates a simple tag to help operators see at a glance how widespread a system issue is.

IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ">3 affected services", "<=2 affected services")

In this formula IF the COUNT of UNIQUE alert service tags is greater than three AND the incident status is “Critical”, then the “>3 affected services” tag will be added to the incident. If the count of unique service values is less than three, or the incident status is not “Critical”, then the “<=2 affected services” tag will be added to the incident.

Tiered Priority Filter
This formula creates a priority tier to automatically assign BigPanda priority using a filter for specific alert properties.

IF(FILTER(bp_priority, alert_status, !=, ok)= P1, 1000, IF(FILTER(bp_priority, alert_status, !=, ok)= P2, 900, IF(FILTER(bp_priority, alert_status, !=, ok)= P3, 800, IF(FILTER(bp_priority, alert_status, !=, ok)= P4, 700, IF(FILTER(bp_priority, alert_status, !=, ok)= P5, 600)))))

IF an alert matches the first FILTER, where the bp_priority value is P1, then the incident receives a priority value of 1000. IF not, the next FILTER is applied, looking for P2 alerts. The formula will run through each FILTER to apply the highest fitting priority level to the incident.

To learn more about BigPanda priority, see the Prioritize Incidents documentation.

Next Steps

Learn how to use BPFL to create Automatic Incident Enrichment Tags

Find information about BigPanda Query Language (BPQL)