Dynamic Variables

Use dynamic variables to customize emails and outbound webhooks with unique alert and incident data. Dynamic variables include both standard fields and organization-specific custom tag variables.

The available standard fields may be different between the Email Parser and Webhook v2 workflow configurations. Use the Message helper when configuring an email integration, or the Retrieve available dynamic fields API call when configuring webhooks to confirm which fields are supported.

Message helper for email integration

When creating a new email template, you can either manually add dynamic variables, or you use the helper list from the email template editor.

To open the helper, either type {{ or click the {{ button on the formatting menu. A list of available categories and fields will appear. Select the desired field, or enter the category or field name to filter the list.

Standard available variables for Email Parser

Dynamic variable message tags can include alert fields, incident data, incident metadata, incident tags, and preview links.

Primary Alert Fields

The primary alert is the oldest, most severe alert correlated into an incident.

Field name	Description	Format
primaryAlert.id	System-generated unique identifier for the alert.	String
primaryAlert.status	The most severe status the alert triggered Possible returns are: [critical, warning, unknown, ok]	String
primaryAlert.is_active	Whether the alert is active and has not been resolved.	Boolean
primaryAlert.primary_property	Name of the main object that triggered the alert.	String
primaryAlert.secondary_property	Name of the secondary object or sub-item that triggered the alert.	String
primaryAlert.source_system	Integrated monitoring system(s) that sent the alert to BigPanda.	Array of strings
primaryAlert.incident_key	Deduplication rule for the primary alert, usually primary_secondary values.	String
primaryAlert.description	Brief summary (max. 2048 characters) of the alert included by certain monitoring tools	String
primaryAlert.primary	Value of primary property.	String
primaryAlert.secondary	Value of the secondary property.	String
primaryAlert.maintenance	Whether the alert is currently suppressed through a maintenance plan.	Boolean
primaryAlert.tags.<tagname>	The tag value associated with the alert for a given tag.	String

Incident Data

Field name	Description	Format
incident.id	System-generated unique identifier for the incident.	String
incident.state	Type of incident event that triggered a notification. `Opened` state covers new and updated incidents. One of: [Opened, Reopened, Closed, Is flapping, Is no longer flapping]	String
incident.status	Current incident status, which is determined by the most severe status of the correlated alerts. Possible statuses: [critical, warning, unknown, ok].	String
incident.is_active	Whether the incident contains at least one active alert and has not been manually resolved. An incident is automatically resolved when all the alerts are resolved.	Boolean
incident.severity	The highest status reached by any alert in the incident at any time.	String
incident.flapping	Whether at least one correlated alert has changed states frequently enough to be treated as flapping.	Boolean
incident.updated_at	Time of last change to incident, in Unix epochs.	Timestamp (in seconds)
incident.last_change	Time of the last change to the incident that triggered applicable sharing updates, in Unix epochs.	Timestamp (in seconds)
incident.start	Time when the earliest correlated alert was received, in Unix epochs.	Timestamp (in seconds)
incident.end	Time when the incident status was set to ok, in Unix epochs.	Timestamp (in seconds)
incident.alert_table	The first 5 alerts correlated to the incident, sorted by timestamp.	Array of Objects

Share Metadata

Field name	Description	Format
metadata.environment_name	Name of the environment in BigPanda where the incident was shared from.	String
metadata.environment_id	System ID of the environment group in BigPanda where the incident was shared from. (This ID is found in the URL when you open the environment in BigPanda.)	String
metadata.sender_name	The name of the user who initiated the share. Autoshares will list BigPanda as the sender.	String
metadata.sender_email	The name of the user who initiated the share. Autoshares will list BigPanda as the sender.	String

Incident Tags

Field name	Description	Format
incident_tag.itd_ai_reasoning_1	Explanation of the logical path the AI traveled to suggest the root cause.	String
incidentTags.<tag_id>	The value(s) of the specified incident tag as related to the incident.	Array of Strings?

AI Processing delay

AI tags are generated at a 1-3 minute delay after initial incident processing. To include AI tags in static messages such as email, ensure the AutoShare is configured at a 3 minute delay.

Links

Field Name	Description	Format
links.preview	The url where the incident preview can be accessed. The URL does not require BigPanda login.	String
links.console	A direct link to the incident in BigPanda. This URL requires BigPanda login.	String
links.timeline	A direct link to the incident’s timeline view in BigPanda. This URL requires BigPanda login	String

Field Name

Description

Format

links.preview

The url where the incident preview can be accessed.

The URL does not require BigPanda login.

String

links.console

A direct link to the incident in BigPanda.

This URL requires BigPanda login.

String

links.timeline

A direct link to the incident’s timeline view in BigPanda.

This URL requires BigPanda login

String

Standard available fields for Webhook v2 Workflows

Dynamic variables can include alert fields, incident data, incident metadata, incident tags, and preview links.

Primary alert fields

Field	Description	Format	Feature support
primaryAlert.id	System-generated unique identifier for the alert.	String	Webhook v2, Email
primaryAlert.status	The most severe status the alert triggered. Possible returns are: [critical, warning, unknown, ok]	String	Webhook v2, Email
primaryAlert.is_active	Whether the alert is active and has not been resolved.	Boolean	Webhook v2, Email
primaryAlert.primary_property	Name of the main object that triggered the alert.	String	Webhook v2, Email
primaryAlert.secondary_property	Name of the secondary object or sub-item that triggered the alert.	String	Webhook v2, Email
primaryAlert.source_system	Integrated monitoring system(s) that sent the alert to BigPanda.	Array of strings	Webhook v2, Email
primaryAlert.incident_key	Deduplication rule for the primary alert, usually primary_secondary values.	String	Webhook v2, Email
primaryAlert.description	Brief summary (max. 2048 characters) of the alert included by certain monitoring tools	String	Webhook v2, Email
primaryAlert.primary	Value of primary property.	String	Webhook v2, Email
primaryAlert.secondary	Value of secondary property.	String	Webhook v2, Email
primaryAlert.maintenance	Whether the alert is currently suppressed through a maintenance plan.	Boolean	Webhook v2, Email
primaryAlert.tags.<tagname>	The tag value associated with the alert for a given tag.	String	Webhook v2, Email

Incident data

Field	Description	Format	Feature support
incident.id	System-generated unique identifier for the incident.	String	Webhook v2, Email
incident.status	Current incident status, which is determined by the most severe status of the correlated alerts. Possible statuses: [critical, warning, unknown, ok].	String	Webhook v2, Email
incident.is_active	Whether the incident contains at least one active alert and has not been manually resolved. An incident is automatically resolved when all the alerts are resolved.	Boolean	Webhook v2, Email
incident.severity	The highest status reached by any alert in the incident at any time.	String	Webhook v2, Email
incident.flapping	Whether at least one correlated alert has changed states frequently enough to be treated as flapping.	Boolean	Webhook v2, Email
incident.updated_at	Time of last change to incident, in Unix epochs.	Timestamp (in seconds)	Webhook v2, Email
incident.last_change	Time of the last change to the incident that triggered applicable sharing updates, in Unix epochs.	Timestamp (in seconds)	Webhook v2, Email
incident.start	Time when the earliest correlated alert was received, in Unix epochs.	Timestamp (in seconds)	Webhook v2, Email
incident.end	Time when the incident status was set to `ok`, in Unix epochs.	Timestamp (in seconds)	Webhook v2, Email
incident.alert_table	An HTML-formatted table with the first 5 alerts correlated into the incident, sorted by timestamp. This variable should only be used in email templates.	Array of objects	Email
incident.resolved	Whether the incident has been resolved.	Boolean	Webhook v2
incident.snoozed	Whether the incident is currently snoozed.	Boolean	Webhook v2
incident.snooze_config	The settings for an incident snooze, including when the incident is scheduled to wake and whether automatic cancelling is enabled.	Object	Webhook v2
incident.alerts_array	All alerts correlated into the incident in JSON string format. This variable should only be used in webhook customization.	Array of objects	Webhook v2

Share metadata

These fields provide information on the share action itself.

Field	Description	Format	Feature support
metadata.environment_name	Name of the environment in BigPanda where the incident was shared from.	String	Webhook v2, Email
metadata.environment_id	Name of the environment group in BigPanda where the incident was shared from.	String	Webhook v2, Email
metadata.sender_name	The name of the user who initiated the share. Autoshares will list BigPanda as the sender.	String	Webhook v2, Email
metadata.sender_email	The email address of the user who initiated the share. Autoshares will list BigPanda as the sender.	String	Webhook v2, Email
metadata.event_types	Information on the different triggers that occurred within the scope of the incident being shared. (See Available Triggers for the full list of supported triggers.)	Array of strings	Webhook v2
metadata.performer_email	The email address of the account that added a comment to the incident.	String	Webhook v2
metadata.performer_name	Name of the account that added a comment to the incident.	String	Webhook v2
metadata.comment	Comments added to the incident in BigPanda.	String	Webhook v2
metadata.message	The annotation added to the share action.	String	Webhook v2

Incident tags

Field	Description	Format	Feature support
incident_tag.itd_ai_reasoning_1	Explanation of the logical path the AI traveled to suggest the root cause.	String	Email
incidentTags.<tag_id>	The value(s) of the specified incident tag as related to the incident.	Array of strings	Email

AI Processing delay

AI tags are generated at a 1-3 minute delay after initial incident processing. To include AI tags in static messages such as email, ensure the AutoShare is configured at a 3 minute delay.

Links

Field	Description	Format	Feature support
links.preview	The URL where the incident preview can be accessed. The URL does not require BigPanda login.	String	Webhook v2, Email
links.console	A direct link to the incident in BigPanda. This URL requires BigPanda login.	String	Webhook v2, Email
links.timeline	A direct link to the incident’s timeline view in BigPanda. This URL requires BigPanda login	String	Webhook v2, Email

Field

Description

Format

Feature support

links.preview

The URL where the incident preview can be accessed.

The URL does not require BigPanda login.

String

Webhook v2, Email

links.console

A direct link to the incident in BigPanda.

This URL requires BigPanda login.

String

Webhook v2, Email

links.timeline

A direct link to the incident’s timeline view in BigPanda.

This URL requires BigPanda login

String

Webhook v2, Email

Assignee

Field	Description	Format	Feature support
assignee.name	Name of the account that was assigned the incident.	String	Webhook v2
assignee.username	The email address of the BigPanda user who was assigned the incident.	String	Webhook v2

Assigner

Field	Description	Format	Feature support
assigner.name	Name of the account that assigned the incident.	String	Webhook v2
assigner.username	The email address of the BigPanda user who assigned the incident.	String	Webhook v2

Additional fields

Field	Description	Format	Feature support
similarities	Incident data for Similar Incidents, if configured. Attributes: `incident_id` - The unique identifier of the similar incident. `overallSimilarityScore` - Similarity score for the related incident. `llmGeneratedOverallSimilaritySummary` - The AI-generated summary of why an incident was marked as similar. `serviceNowTicket` - The similar incident ID in ServiceNow. `status` - The most severe status the alert triggered. Possible returns are: [`critical`, `warning`, `unknown`, `ok`] `alertCount` - The number of alerts corresponding to this incident. `priority` - The priority tag assigned to the incident. `primary` - The primary property tag for the incident. `secondary` - The secondary property tag for the incident. `assignee` - The user(s) assigned to the similar incident.	Array of objects	Webhook v2
relatedChanges	Schema definitions for all RCC relations. Attributes: `suggested_by_bigpanda` - A boolean field to indicate if the change was suggested by BigPanda. `history` - An array of objects with `related_changes` history. `metadata.change` - The change object related to the incident. `incident_id` - The unique identifier of the related incident. `comment` - A comment included with the action. `match_certainty` - The confidence level of the match. One of: None, Suspect, Match. `match_type` - The type of match. `score` - The relatedness score assigned to the change relation by the BigPanda algorithm. `created_at` - Unix time when the match was created. `updated_at` - Unix time of the last update. `id` - The unique identifier of the incident. `match_weight_value` - Weight of the match related to the incident.	Array of objects	Webhook v2

Field

Description

Format

Feature support

similarities

Incident data for Similar Incidents, if configured.

Attributes:

incident_id - The unique identifier of the similar incident.

overallSimilarityScore - Similarity score for the related incident.

llmGeneratedOverallSimilaritySummary - The AI-generated summary of why an incident was marked as similar.

serviceNowTicket - The similar incident ID in ServiceNow.

status - The most severe status the alert triggered. Possible returns are: [critical, warning, unknown, ok]

alertCount - The number of alerts corresponding to this incident.

priority - The priority tag assigned to the incident.

primary - The primary property tag for the incident.

secondary - The secondary property tag for the incident.

assignee - The user(s) assigned to the similar incident.

Array of objects

Webhook v2

relatedChanges

Schema definitions for all RCC relations.

Attributes:

suggested_by_bigpanda - A boolean field to indicate if the change was suggested by BigPanda.

history - An array of objects with related_changes history.

metadata.change - The change object related to the incident.

incident_id - The unique identifier of the related incident.

comment - A comment included with the action.

match_certainty - The confidence level of the match. One of: None, Suspect, Match.

match_type - The type of match.

score - The relatedness score assigned to the change relation by the BigPanda algorithm.

created_at - Unix time when the match was created.

updated_at - Unix time of the last update.

id - The unique identifier of the incident.

match_weight_value - Weight of the match related to the incident.

Array of objects

Webhook v2

In this section:

Dynamic Variables

Standard available variables for Email Parser

Primary Alert Fields

Incident Data

Share Metadata

Incident Tags

Links

Standard available fields for Webhook v2 Workflows

Primary alert fields

Incident data

Share metadata

Incident tags

Links

Assignee

Assigner

Additional fields

Search results