BigPanda Formula Language (BPFL)

BigPanda Formula Language enables the use of complex calculations when configuring automatic enrichment tags.

Automatic Incident Enrichment Tags are able to use formula calculations when adding Incident Tags to allow for deeper detail and context. The updated BigPanda Formula Language allows greater precision and detail in configuring your automatic enrichment formulas.

Functions and variables within the formula language are similar to those of Microsoft Excel, and are sophisticated enough to support tag enrichment rules that depend on the results of other alert or incident tags.

Create and Edit Formulas

Formulas can be added or edited through the new Incident Tag Automatic Enrichment editor.

In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.


BigPanda Formula Editor


Universal Tags

Leave the Condition field blank if you would like the Value formula to run on every new incident. If an enrichment item has a blank condition, it will be the last item run for the tag. Make sure that any blank condition items are added after all other enrichment items.

Enter a formula in the Value field to have the system run a calculation based on the functions and attributes on each qualifying incident and then apply the correct tags based on that calculation.

BigPanda formulas are able to pull alert and incident data, and perform multi-factor functions in addition to standard mathematical operators.

With the exception of the Unique function, BigPanda Formula Language is case insensitive.


In BPFL, you are able to use spaces between formula elements.


BPFL does not support the use of wildcard (*) values.

Incident Data

BigPanda Formula Language allows you to retrieve alert and incident data as part of the formula. There are two key methods for pulling incident data into formulas: Alert Tags and Incident Metadata. Both methods require specific syntax and must be enclosed in braces.

Alert Tags

Use a specified alert tag type to pull an array of values from all alerts in the incident. The available tags you can enter here are determined by the alert tags configured in your system.


For example, if you entered:
the system would add an array of the host tags for each alert into the formula

Incident Metadata

Use incident metadata to pull a value or array from a specific field in the BigPanda incident data.

Available Metadata Tags:

  • id - returns a string containing the ID of the incident
  • source_system - returns an array with all the integration IDs of the alerts
  • status - returns the current status of the incident (“Critical”, “Warning”, “Unknown”, “Ok”)
  • number_of_alerts - returns the number of alerts in an incident
  • is_flapping - returns true if the incident is in a flapping state, otherwise, returns false


For example, if you entered:
the system would enter the incident status into the formula


Most formulas are centered on functions, or preset calculation types, with operators to modify the functions. The supported functions in BigPanda are COUNT, UNIQUE, and IF. These functions can be combined to create more complex formulas. Each function runs a calculation on the information entered between the parentheses that follow it.


The COUNT function adds up the total number of incoming values.


For example, if you entered:
COUNT([1, 2, 3, 3])
the system would return 4


The UNIQUE function returns a list of all unique values for incoming items. The Unique function is case sensitive.


For example, if you entered:
UNIQUE([1, 2, 3, 3])
the system would return [1, 2, 3]


The IF function sets a condition. If the condition is met, the first value will be returned. (Optional) Add a second value to return if the condition is not met. You can nest IF functions to create logic chains.

IF(LogicalArgument, value1, value2)

For example, if you entered:
IF(1 < 2, "true", "false")
the system would return “true”


The FILTER function extracts an array of field values based on a conditional value for an alert or incident metadata field. The ExtractedField and ConditionField are both case sensitive. The ExtractedField is the field you want to pull the values from, and the ConditionField is the field that will be checked to see if it matches the filter condition.

FILTER(ExtractedField, ConditionField, Operator, ConditionValue)

For example, if you entered:
FILTER(bp_priority, alert_status, !=, ok)
the system would return an array of bp_priority values for all alerts where the alert_status is not ok.

The Filter function is able to pull condition values from additional alert metadata fields. Available alert metadata fields:

  • alert_primary_property
  • alert_secondary_property
  • alert_status
  • alert_source_system
  • alert_maintenance_plans
  • alert_active
  • alert_flapping


Filter Operators

The Filter function only supports comparison operators (such as !=, <, >). Logical operators (AND, OR) cannot be used within a Filter function. The AND and OR operators can be used with other functions that refer to a filter function.


Operators are additional modifiers that allow you to use the functions to create more complex calculations.

  • = (Equal): 1 = 2 ==> false
  • != (Not Equal): 1 != 2 ==> true
  • > (Greater Than): 1 > 2 ==> false
  • < (Less Than): 1 < 2 ==> true
  • >= (Greater Than or Equal): 1 >= 2 ==> false
  • <= (Less Than or Equal): 1 <= 2 ==> true
  • OR (At least one of the conditions is true): 1 <= 2 OR 1 = 2 ==> true
  • AND (All of the conditions are true): 1 <= 2 AND 1 = 2 ==> false

Example Incident Tag Value Formulas

These elements can be combined together to create tags that use sophisticated formulas to calculate their values, such as:

Business Scope Tag
This formula creates a simple tag to help operators see at a glance how widespread a system issue is.

IF(COUNT(UNIQUE({alert_tags.service})) > 3 AND {incident.status} = "Critical", ">3 affected services", "<=2 affected services")

In this formula IF the COUNT of UNIQUE alert service tags is greater than three AND the incident status is “Critical”, then the “>3 affected services” tag will be added to the incident. If the count of unique service values is less than three, or the incident status is not “Critical”, then the “<=2 affected services” tag will be added to the incident.

Tiered Priority Filter
This formula creates a priority tier to automatically assign BigPanda priority using a filter for specific alert properties.

IF(FILTER(bp_priority, alert_status, !=, ok)= P1, 1000, IF(FILTER(bp_priority, alert_status, !=, ok)= P2, 900, IF(FILTER(bp_priority, alert_status, !=, ok)= P3, 800, IF(FILTER(bp_priority, alert_status, !=, ok)= P4, 700, IF(FILTER(bp_priority, alert_status, !=, ok)= P5, 600)))))

IF an alert matches the first FILTER, where the bp_priority value is P1, then the incident receives a priority value of 1000. IF not, the next FILTER is applied, looking for P2 alerts. The formula will run through each FILTER to apply the highest fitting priority level to the incident.

To learn more about BigPanda priority, see the Prioritize Incidents documentation.
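
The two example formulas above can be traced by hand with a small Python model of the semantics this page describes. This is an added example, not BigPanda code: the sample incident is constructed, the function names are hypothetical, and treating `FILTER(...) = P1` as "any returned value is P1" is an assumption taken from the prose description of the Tiered Priority Filter.

```python
# Python model of the BPFL semantics described on this page (not BigPanda code).
# Constructed sample incident: alert tags plus the alert_status metadata field.
INCIDENT = {
    "status": "Critical",
    "alerts": [
        {"service": "payments", "bp_priority": "P3", "alert_status": "critical"},
        {"service": "Payments", "bp_priority": "P2", "alert_status": "warning"},
        {"service": "checkout", "bp_priority": "P1", "alert_status": "ok"},
        {"service": "checkout", "bp_priority": "P4", "alert_status": "critical"},
    ],
}

def alert_tags(incident, tag):
    """{alert_tags.<tag>}: array of the tag's values across all alerts."""
    return [a[tag] for a in incident["alerts"] if tag in a]

def unique(values):
    """UNIQUE: case-sensitive de-duplication (keeping first-seen order is a modelling choice)."""
    return list(dict.fromkeys(values))

def count(values):
    """COUNT: number of incoming values."""
    return len(values)

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def bp_filter(incident, extracted, condition_field, op, value):
    """FILTER(ExtractedField, ConditionField, Operator, ConditionValue)."""
    return [a[extracted] for a in incident["alerts"]
            if extracted in a and OPS[op](a.get(condition_field), value)]

def business_scope(incident):
    """The Business Scope Tag formula, evaluated step by step."""
    n = count(unique(alert_tags(incident, "service")))
    wide = n > 3 and incident["status"] == "Critical"
    return ">3 affected services" if wide else "<=2 affected services"

def tiered_priority(incident):
    """The Tiered Priority Filter formula as a chain of nested IFs."""
    active = bp_filter(incident, "bp_priority", "alert_status", "!=", "ok")
    # Assumption: "FILTER(...) = P1" holds when any returned value is P1.
    for tier, score in [("P1", 1000), ("P2", 900), ("P3", 800), ("P4", 700), ("P5", 600)]:
        if tier in active:
            return score
    return None  # assumption: the innermost IF has no second value, so no tag value
```

With this sample, "payments" and "Payments" count as two services because UNIQUE is case sensitive, yet three unique services still receive the "<=2 affected services" tag because the condition is `> 3`. The P1 alert is excluded by the `alert_status != ok` filter, so the incident resolves to the P2 tier.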

Next Steps

Learn how to use BPFL to create Automatic Incident Enrichment Tags

Find information about BigPanda Query Language (BPQL)