Automatic Incident Tags

Automatic Enrichment allows you to define conditions to automatically calculate incident tag values.

Incident tags are key-value pairs that allow you to quickly see summary information for a particular incident rather than needing to review all of the related alerts. These tags add data sets to your incidents by adding contextual information, details, or other enrichment. To learn more about how Incident Tags work in BigPanda, please see the Incident Tags Documentation.

Incident Tags Automatic Enrichment uses formula calculations to add incident tags to new and updating incidents. Each time an incident is updated, or a new incident is created, BigPanda will run the formula to automatically add relevant incident tags to the incident.

Relevant Permissions

Roles with the following permissions can access the Incident Tags Settings Page:

Incident-tags-definitions_Read

Read-only - View the Incident Tags section of the BigPanda Settings.

Incident-tags-definitions_Full_Access

Full access - View, create and edit incident tags in the Incident Tags section of the BigPanda Settings.

To learn more about how BigPanda's permissions work, please see the RBAC - Role Based Access Control documentation.

Configuring Automatic Enrichment

Automatic Enrichment are created, configured, and managed on individual tags in the Incident Tags list. To learn more about configuring incident tags, please see the Managing Incident Tags documentation

To configure automatic enrichment:

  1. Navigate to Settings > Incident Tags
  2. From the list of incident tags, select the tag you'd like to automate, or select New Incident Tag to create a new tag
  3. In the right pane, the tag details will include a list of any previously configured automatic enrichment
  4. Select the Pencil edit icon, or Edit Incident Tag to open the tag editor
Incident Tags PageIncident Tags Page

Incident Tags Page

  1. In the Automatic Enrichment section you will be able to edit any previously created Automatic Enrichments.
  2. To add a new Automatic Enrichment, select New Item
Incident Tag EditorIncident Tag Editor

Incident Tag Editor

In the Automatic Enrichment field, you’ll have the option to set a Condition and Value.

Automatic Enrichment Conditions and ValuesAutomatic Enrichment Conditions and Values

Automatic Enrichment Conditions and Values

Conditions are set using BigPanda Query language to establish specific triggers for the enrichment.

Conditions use the BigPanda Query Language (BPQL) filter to calculate which incidents the formula should apply to based on alert and incident data. The system will not run the value formula for any incidents that do not meet the specified criteria.

Leave the Condition field blank if you would like the Value formula to run on every new incident.

To learn about using BPQL to filter incidents, see the BigPanda Query Language (BPQL) documentation.

The Value field determines what tag values will be applied to the triggering incident.

You can add up to 10 automatic enrichment calculations to each incident tag. The system will search for the first automatic enrichment that meets the conditions and add that value to the incident.

📘

Multi-value tags have the option to instead search for Any enrichment items that meet the condition and apply them in an array to the incident. Use the First/Any toggle at the top of Automatic Enrichment to change this setting.

Automatic Enrichment can be configured to apply a simple default value, or to use a formula to add more complex tag data.

Default Values

Default Values apply a specific value or array to each new or updated incident. All incidents that meet the Condition formula will have this value added.

Default Values apply a specific value to each new or updated incident. All incidents that meet the Condition formula will have this exact value added to them.

Default values are configured differently for Priority, Text, and Multi-Value tags.

Priority

Priority tags use the level’s Order ID for automatic enrichment. Enter the Order ID of the desired Priority tag in the Value field.

For example, if you want every new incident that meets the Condition to get a default value of P1, mark 1000 in the Value field.

Priority Incident Tag EditorPriority Incident Tag Editor

Priority Incident Tag Editor

Text

Text tags are able to add any text string as the tag value. Enter the text string surrounded by quotation marks. Each string can support up to 256 characters.

For example, if you want every new incident that meets the Condition to get a default value of billing, enter “billing” in the Value field.

Text Incident Tag EditorText Incident Tag Editor

Text Incident Tag Editor

Multi-Value

Multi-value tags add an array of values as the tag value. Enter the desired array, wrapped in brackets. Each text string of the array should be surrounded by quotation marks.

For example, if you want every new incident that meets the Condition to get a default value of both "billing" and "payment", enter [“billing”, “payment”] in the Value field.

If you have multiple Automatic Enrichments, select a method for the multi-value items to be calculated:

  • First(default): The system will calculate each automatic enrichment in order until the incident meets a condition. The system will then add that value and will not continue to calculate the other enrichment calculations.
  • Any: The system will calculate all automatic enrichments and add the values of all conditions met by the incident.
Multi-value Tag EditorMulti-value Tag Editor

Multi-value Tag Editor

Enrichment Formulas

Formula enrichment uses a calculation to add incident specific information as the tag value. Formula calculations to add detail and context to new and updated incidents based on the functions and attributes of each qualifying incident and then apply the correct tag values based on that calculation.

BigPanda formulas are able to pull alert and incident metadata, and perform multi-factor functions in addition to standard mathematical operators.

BigPanda Values formulas use the updated BigPanda Formula Language for greater precision and detail in configuring your automatic enrichment. The BigPanda Formula Language allows you to use incident and alert data, functions such as Unique or Count, and logical operators to populate values from complex data. For more information on the BigPanda Formula Language, please see the BigPanda Formula Language (BPFL) documentation.

When composing enrichment formulas, ensure that your formula results will fit the necessary syntax of the Incident Tag Type:

+Priority: Configure your formula results so that the syntax returns an Order ID
+Text: The formula can be configured to return any text value
+Multi-value: The formula can be configured to return an array of values

📘

The BigPanda Formula editor will match your formula to the tag type, even if the formula results are not formatted to return that specific data type. If you choose a Text type and enter a formula that results in an array, the array will be shown in the tag field as a text value.

Managing Automatic Enrichment Tags

Automatic Enrichment calculations can be edited or deleted from an Incident Tag at any time. However, incident tag values that have already been calculated according to this automatic enrichment will not be edited or deleted from existing incidents. If the incident is updated after the tag calculation has been changed, the new calculation will run and update the values.

To edit an Automatic Enrichment item:

  1. Navigate to the Incident Tag you’d like to edit on the Incident Tags page.
  2. Select the Pencil icon or the Edit Incident Tag button.
  3. Make changes as needed.
  4. Select Update Tag.

To delete an Automatic Enrichment item:

  1. Navigate to the Incident Tag you’d like to edit on the Incident Tags page.
  2. Select the Pencil icon or Edit Incident Tag button.
  3. Select the Trash icon next to the item you wish to delete.
  4. Select Delete to confirm.
  5. Select Update Tag.
Delete Enrichment Item Confirmation PopupDelete Enrichment Item Confirmation Popup

Delete Enrichment Item Confirmation Popup

Manual Editing

Even if automatic enrichment is configured, you can manually edit an incident tag once it has been added or assigned to an Incident.

If you have modified an incident tag value to a different value, the formula no longer calculates the automatic enrichment values. However, if you deleted the value, the formula calculates it again when an incident is created or updated.

For example, if you manually deleted the value “billing” from the tag named "affected services," when the incident is updated, the formula recalculates and returns “billing.” If you manually changed the value “billing” to “payment,” the value will not be recalculated.