
Manage Alert Tags

BigPanda ingests raw event data from integrated monitoring systems and normalizes, enriches, and contextualizes them into key-value pairs called tags. Tags drive alert normalization and deduplication, correlation into incidents, incident enrichment, and automation.

Alert tags may be added to alerts through initial event ingestion and normalization, or may be added through enrichment rules and enrichment maps.

As alert tags are generated through many routes and serve a variety of functions in incident management, it is necessary to regularly review and adjust tag configuration. The Tag Manager allows you to easily view and categorize the various tags across your BigPanda processes.

Key Features

  • View tag groups to visualize potential gaps or noise in enrichment

  • Identify tag coverage and values across recent incidents

  • Visualize by tag category or source system

  • Quickly adjust tag categorization for downstream analytics

Data limitations

The Tag Manager includes the last 10 values for tags applied during the last 30 days.

Data is updated every 4-6 hours in sync with unified analytics data.

Relevant Permissions

Roles with the following permissions can access the Alert Enrichment page in BigPanda Settings:

Role Name | Description
Alert Enrichment | View and use Alert Enrichments UI and API.

Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management documentation.

View Alert Tag Usage Details

Alert tag usage details are visible in BigPanda at Settings > Tag Manager.

Figure: Tag manager

Alert tags are sorted into groups by either Category or Source.

View by category

Alert tag categories group tags together by the type of contextual information the tag provides to an incident. Tag categories affect which tags are used to calculate analytics values for alert and incident quality.

Tag categories are:

  • Host: The system that generated the event.

  • CI: A configuration item associated with the event.

  • Check: The name or title of the event.

  • Ownership: The people or teams responsible for handling the incident.

  • Priority: The impact or severity of the alert.

  • Runbook: How the incident should be addressed.

  • Other: Additional context for the alert.

The total number of tags associated with each category is visible beside the category name.

Within categories, each alert tag is listed by name, with the percentage of alerts enriched by the tag.

View by source

Alert tag source groups tags together by the integration or enrichment rule that added the tag to an alert. Sources are ordered alphabetically and include all integrations and enrichment rules. Each source lists the number of tags that were added through that source in the last 30 days.

Select a source to see the list of tags that were added from that source.

Each tag lists the percentage of alerts that were enriched with that tag through that source.

Identify monitoring context gaps

Different integration sources may receive dramatically different payloads. Review sources with low enrichment rates for critical tags to make sure that these events are enriched through the initial event, or downstream enrichment rules.

View additional tag details

Select a tag tile to view additional details about the tag.

The Recent values tab shows a list of the last 10 values that have been added to alerts in the last 30 days.

The Sources tab shows the enrichment payloads and rules that led to the enriched value, grouped by initial event source system.

Understanding Tag Percentages

Alert tag percentages update to reflect the coverage and impact of tags over the last 30 days.

On the landing page:

  • By Category: The percent of all alerts that were enriched with the tag

  • By Source: The percent of alerts with events from specific integration sources that were enriched with the tag

Figure: Tag percentages by source

In tag details:

  • Top %: The percentage of alerts with events from specific integration sources that were enriched with the tag

  • Line %: The percentage of alerts from that integration source that were enriched by the enrichment rule or payload alert tag.

Figure: Tag details

Manage Alert Tag Categories

Many tags are sorted into default categories based on the tag normalization and analytics settings.

You can edit the category association for each alert tag.

Downstream impacts

Tag category is used to calculate analytics across the BigPanda platform. Before changing tag categories, coordinate with your analytics teams.

Edit alert tag category

Alert tag categories are managed in BigPanda at Settings > Tag Manager.

Click Customize or Edit category to open the tag category manager.

In the Tags dropdown, add, edit, or delete tags for each category. All tags that enriched an alert in the last 30 days can be categorized. Begin typing to sort the dropdown list by tag name.

One category per tag

Each alert tag can only be associated with one category.

If an alert tag does not appear in the dropdown, confirm that it:

  • Enriched an alert in the last 30 days.

  • Has not been added to a different category.

  • Is configured as an alert tag, not an incident tag.

Next Steps

Investigate Alert Quality Reporting

Learn more about Navigating the Settings Menu

Dig into Alert Enrichment

Learn about the Data Engineering process in BigPanda University