Tag Normalization and Alert Quality
BigPanda ingests raw event data from integrated monitoring systems and normalizes, enriches, and contextualizes it into key-value pairs called tags. Tags drive alert normalization and deduplication, correlation into incidents, incident enrichment, and automation.
Tag normalization transforms and cleanses data from disparate tools into a standardized format. This includes tasks like converting fully qualified domain names to short names and ensuring that all data adheres to the same naming conventions.
Normalization in BigPanda occurs at several points, including the alert source, the Open Integration Manager (OIM) configuration, and during alert enrichment. We recommend configuring normalization as early in the event pipeline as possible.
The following options are available for transforming tags:
Adjust values at the monitoring source layer
Leverage the OIM configuration to set appropriate tag names and values
Use Alert Enrichment to take advantage of mapping enrichment along with extraction and composition of alert tags
Benefits of Tag Normalization
Normalization aligns all of your alert tags into a consistent and standardized naming convention, which helps improve alert quality and makes it easier for your organization to scale.
The following are key benefits of normalization:
Easier platform configuration - the data unification process simplifies downstream configuration and improves the maintainability of BigPanda while also driving improved alert quality.
Improved Unified Analytics experience - normalizing tags gives you the ability to report on your most highly populated tags in Unified Analytics dashboards.
Consistent views for operators - different alert sources will look similar from a tag perspective.
Improved alert quality - normalization helps ensure your alerts contain the contextual information needed, improving MTTR for your organization.
Key principles of tag normalization
Start with a baseline of standard tags (host, check, application, service, assignment_group)
Adapt to your company tools and terminology
Normalized alert tags should represent the primary focus for downstream teams
Normalized tags allow for the introduction of additional monitoring sources
Normalized tags should always define and meet minimal criteria for downstream actions (ticketing, automation, reporting)
Downstream setup can be done at various points (integration level, Open Integration Manager (OIM) level, enrichment sources, or custom tags)
Use Alert Views to bring standardized tags to the top of an alert’s list of tags
The 5 Ws of tag normalization
Normalized tags should always answer one of the “5 Ws”:
Who is generating the event (host, application, service)
What do I need to solve this issue (runbook_url)
Where do I need to escalate to (assignment_group)
Why is this event happening (check)
When do I need to have this addressed by (priority, impact, urgency)
These 5 Ws align with the Alert Tag Categories that define Alert Quality.
Normalized Alert Categories
Alert tag categories group tags together by the type of contextual information the tag provides to an incident. Tag categories affect which tags are used to calculate analytics values for alert and incident quality. Using normalized tags gives you the most accurate reporting experience in Unified Analytics.
The following tag categories are tracked in the Tag Manager:
Category | Description | Example Tags |
---|---|---|
Host | The system that generated the event. | Host Hosts Bp_host Server Object Instance Switch Router Ip Ip_address Network_device Hostname Device Machine Node |
CI | A configuration item associated with the event. | Config_item Application App App_Name Bp_application Service Bp_service srvc Bp_v_config_item Impacted_Ci Configuration_Item CI_Name CMDB_CI bp_c |
Check | The name or title of the event. | Check Bp_check Trigger Title Alert Sdesc Short_desc |
Ownership | The people or teams responsible for handling the incident. | Assignment_group Business_group Bp_v_business_segment Bp_assignment_group Bp_group Support_team Owning_org Routing_group Escalation_group Support_group BP_Workgroup Workgroup |
Priority | The impact or severity of the alert. | Impact BP_Impact urgency Priority BP_Priority INC_Priority INC_Impact INC_Urgency |
Runbook | How the incident should be addressed. | Kb Runbook_url Runbook_link KM BP_Runbook KB_article Support_link Wiki_url Knowledge_base Ki_article |
Other | Additional context for the alert. | |
Tag Manager
As alert tags are generated through many routes and serve a variety of functions in incident management, it is necessary to regularly review and adjust tag configuration. The Tag Manager allows you to easily view and categorize the various tags across your BigPanda processes.
In the Tag Manager you can change a tag’s associated category and reorder the tags within each category. Making changes to the tags in these categories can affect alert quality measurements in Unified Analytics.

Alert Quality
Sending high quality alerts to BigPanda decreases MTTR by helping your team to easily understand the action needed to handle incidents.
BigPanda measures alert quality by applying rules to check for attributes contributing to actionability. High quality alerts contain business and technical context that enables your team to effectively troubleshoot issues. Your alert quality impacts the amount of time it takes for your team to take action on issues, so sending high quality alerts to BigPanda is critical to giving operators the context they need to resolve incidents quickly.
You can visualize your alert quality levels using the Unified Analytics Alert Quality Dashboard.
The Alert Quality Dashboard separates alerts by the following quality levels:
Quality Level | Description | Requirements |
---|---|---|
High | Contains important data needed to triage and resolve the alert. | Must contain alerts from the following categories: (Host or CI) AND Check AND Ownership & Routing AND Priority AND (Runbooks or Dependency or Enrichment). |
Medium | Contains the minimal technical context to support action on the alert. These alerts have just enough information to be valuable. | Must contain alerts from the following categories: (Host or CI) AND Check. |
Low | Lacks key information or was identified as irrelevant or misconfigured. | Low quality alerts do not meet the logic criteria for Medium or High Quality Alerts. |
You can choose the default tags for each of the categories used to measure alert quality using the Tag Manager.
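The sketch below is an added example, not BigPanda code. It applies the normalization described earlier (source tag names mapped to one standard name, fully qualified domain names shortened) and then evaluates the quality-level requirements from the table above. The alias lists are a subset of the category table; the standard tag names, function names, and sample alert are assumptions made for illustration.

```python
import ipaddress
# (category, standard tag) -> source tag names, lowercased. The aliases are a
# subset of the category table; the standard names are this example's choice.
TABLE = {
    ("host", "host"): "host hosts bp_host server hostname device node",
    ("ci", "application"): "application app app_name bp_application",
    ("ci", "service"): "service bp_service srvc",
    ("check", "check"): "check bp_check trigger title alert short_desc",
    ("ownership", "assignment_group"): "assignment_group support_team workgroup",
    ("priority", "priority"): "priority bp_priority inc_priority",
    ("runbook", "runbook_url"): "runbook_url runbook_link kb kb_article wiki_url",
}
ALIASES = {alias: key for key, names in TABLE.items() for alias in names.split()}

def short_host(value):
    """FQDN -> short name; IP addresses are left untouched."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.split(".")[0].lower()

def normalize(raw):
    """Return (normalized tags, set of categories that carry a value)."""
    tags, cats = {}, set()
    for name, value in raw.items():
        key, value = name.strip().lower(), str(value).strip()
        if not value:
            continue  # an empty tag adds no context and must not count
        if key not in ALIASES:
            tags[key] = value  # "Other": kept, but not scored
            continue
        cat, standard = ALIASES[key]
        tags.setdefault(standard, short_host(value) if cat == "host" else value)
        cats.add(cat)
    return tags, cats

def quality(cats):
    """Apply the quality-level requirements to the categories present."""
    medium = bool(cats & {"host", "ci"}) and "check" in cats
    # Dependency/Enrichment have no example tags on the page; callers add them.
    high = (medium and {"ownership", "priority"} <= cats
            and bool(cats & {"runbook", "dependency", "enrichment"}))
    return "High" if high else "Medium" if medium else "Low"

# Constructed sample alert: no runbook tag, so it cannot reach High.
SAMPLE = {"Hostname": "web01.prod.example.com", "Trigger": "CPU load high",
          "Support_Team": "web-ops", "BP_Priority": "P2"}
if __name__ == "__main__":
    print(normalize(SAMPLE)[0], quality(normalize(SAMPLE)[1]))
```

Running the same check over a sample of alerts from each source before onboarding shows which category is keeping that source out of the High level.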
Alert Tags and Unified Analytics
Unified Analytics uses normalized tags, calculated fields, and dashboards to provide insight into your incident management workflows. The normalized tags within the alert tag categories affect the data that appears in Unified Analytics dashboards. To keep the reporting in your dashboards accurate, it’s crucial that your tags are standardized.