Tag Naming

Tags are used for enrichment, normalization, and deduplication. Learn standard tag names and requirements for tag naming in BigPanda.

BigPanda normalizes alert data from integrated monitoring systems into standard key-value pairs, called tags. Tags are used for enrichment, normalization, and deduplication. The tag name is the first half of the key-value pair that will show up on incidents.

The name should be short, specific, and meaningful to everyone in your organization. We recommend using BigPanda standard tags when possible and consistent formatting across your organization to make tag management easier.

Tag Naming Requirements

Each tag name must be unique and meet these requirements:

  • Start with a letter (a - z).
  • Contain only lowercase letters (a - z), numbers (0 - 9), underscores (_), and hyphens (-). They cannot contain spaces or other special characters.
  • Alert tag names can contain up to 64 characters.
  • Incident tag names can contain up to 20 characters.
  • Priority tag level names can contain up to 10 characters.

❗️

When creating alert tags, if you attempt to create a tag with a name that does not meet the requirements above, a message appears that says Tag name is not valid.

Tags with names that don’t fit the approved formatting will have limited functionality and will be unable to be searched or added as a condition via BigPanda's Query Language.

Standard Tags

To improve data normalization and consistency, we recommend specific tag names for common monitoring elements. Using standard tag names ensures that your data will perform consistently with our system and that you can leverage the full automation capabilities of BigPanda.

When setting up an integration using the Open Integration Manager, BigPanda automatically generates tag name suggestions based on our deep knowledge of successful incident intelligence. See the AI Tag Normalization Suggestions documentation for more information.

Standard tag use is strongly recommended, but is not required.

Standard Tag NameTag DescriptionCommon Source Tag Names
hostName of the target system that generated the alert.
This tag is the default primary property for many integrations
hostname, instance, device, machine, server, hosts
cmdb_ciField used by the outbound ITSM tool to create a ticket. This may be a host, application, service, ephemeral entity, etc.impacted_ci, configuration_item, ci_name
checkName or title of the alert.
This tag is the default secondary property for many integrations.
alert, sdesc, short_desc, title
descriptionFull text or description of the alertsummary, ldesc, long_desc, problem
applicationThe impacted application.app, app_name, impacted_app
serviceImpacted service.impact_service, srvc
assignment_groupAssignee group in the outbound tool.support_group, routing_group, escalation_group, workgroup
business_groupThe line of business impacted by the alert.business_unit, logical_group, lob
priorityImportance or severity of the alert.severity, inc_priority
impactImpact of the alert on the host or service.inc_impact
urgencyLevel of urgency for alert resolution.inc_urgency
environmentThe instance or dev environment that triggered the alert. For example, prod, dev, etc.
Key field for topology mapping.
env, tier, stage
network_deviceNetworking device associated with the alert.
Key field for topology mapping.
router, routers, switch, switches, hub, repeater, bridge, gateway
clusterMulti-server connection associated with the alert.
Key field for topology and correlation.
rack, tower
locationPhysical location where the alert triggered.physical_location, device_location
runbook_urlLink or location of related runbookrunbook_link, knowledge_base, ki_article, support_link, kb_article, wiki_url

Tag Naming Limitations

Some words are already used for tagging and backend functions in BigPanda. These words may have limited functionality within BigPanda when used as tag names.

When creating new alert or incident tags, we recommend users use an alternate name (i.e. "short_description") for the tag to bring that data into the BigPanda system.

📘

Some tag names have special character limits or restrictions on the length or type of values that can be sent with that tag.

  • Most alert tag values: an alphanumeric combo, up to 512 characters
  • description tag values: an alphanumeric combo, up to 2048 characters
  • Most incident tag values: an alphanumeric combo, up to 256 characters
  • priority tag values: need to be configured to calculate to a value. See the Priority Tag documentation for more details.

Alert Tag Name Limitations

Some words are reserved and cannot be used as alert tag names in BigPanda. Tags with these names may be able to be saved, but will not enrich alerts.

Reserved words during OIM configuration:

  • incident_identifier
  • primary_property
  • secondary_property

Reserved words during Alert Enrichment tag configuration

  • description
  • severity

Incident Tag Name Limitations

Some words are tied to incident metadata and behavior and cannot be used as incident tag names in BigPanda. Tags with these names may be able to be saved, but will not apply to incidents.

  • alerts
  • assignee
  • assigner
  • active
  • attachments
  • changed_at
  • comments
  • correlation_matchers_log
  • end
  • environments
  • flapping
  • folders
  • id
  • incident_tags
  • is_flapping
  • is_in_maintenance
  • is_snoozed
  • maintenance
  • number_of_alerts
  • severity
  • source_system
  • status
  • shared
  • snooze
  • start
  • updated_at

The priority incident tag is a unique incident tag automatically included in all BigPanda systems. This tag can be customized or deactivated, but cannot be removed or duplicated. See the Priority Tag documentation for more details.

Functionality Limitations

Some tag names are tied to backend processes in a way that means they have limited functionality within parts of BigPanda, including correlation patterns, BPQL conditions and searches. Tags with these names still function as normal tags, but may have limited downstream capabilities.

WordCan be used in BPQL Condition FiltersCan be used in Correlation PatternsCan be searched with Unified Search
descriptionNoNoYes
incident_identifierNoNoNo
primary_propertyNoNoNo
secondary_propertyNoNoNo
severityYesYesNo
source_systemNoYesYes
statusYesNoYes
timestampNoNoNo
alertsNoYesYes
assigneeYesYesNo
assignerYesYesNo