Extracting and composing alert fields
- Updated Aug 1, 2024
- 4 minutes to read
- Washington DC release
- Service Operations Workspace for ITOM
Extracting and composing are two ways to shape what you see in the alert output, making it simpler to filter, group, and read. Extracting uses a regular expression to copy just the part you need from an event payload field into an alert output field. Composing merges multiple alert fields, optionally with free text, into a single output field.
Extracting alert fields
Alert notifications often contain relevant context buried within event payloads. By enriching alert outputs with values from the existing payload, you can better understand the significance of alerts and determine the appropriate steps for resolution. For example, a host name typically includes crucial information such as service, node, cluster, datacenter, and domain. To automatically add the value for a cluster tag based on incoming host data, you can extract just the cluster data.
Pad the expression with .* on each end so that it covers the whole field value; the text matched by the capturing group (the part in parentheses) is what is written to the output field. For example, (\w+).acme.com.* captures the host name in a fully qualified domain name. The regular expression engine is Perl Compatible Regular Expressions (PCRE) compatible, so an unescaped dot matches any single character; escape it as \. when you mean a literal dot, for example (\w+)\.acme\.com.*, otherwise a value such as my-acme.com also matches even though it is not under acme.com.

Example: Extracting alert fields
- Source input field: Select the event field from which you want to extract data. In this case, the field is Resource.
- Regular expression: Use a regular expression to extract the specific part you need from the selected field's value. For example, if the Resource field value contains "Zabbix integration" and you want to extract "Zabbix", your regular expression must be (…...).*.
- Alert output:
  - Choose an existing alert field, an existing alert tag, or manually enter a new field name. In this case, enter a new field name, mynewfield.
  - Set mynewfield as a tag for later use in tag-based grouping. Notice the tag displayed before the field name.
  After applying the regular expression to the selected field's value (in this case the Resource field value), verify the extracted word displayed below the Alert output field. It should show "Zabbix" if the regular expression matches correctly.
- Preview multiple events: Previewing multiple events lets you verify that the regular expression extracts the intended data from a range of example events, and shows whether the expression needs adjusting before the rule is saved.
Composing alert fields
When creating an alert output, you can select or manually enter fields, tags, or free text to include. This data can be easily read, filtered, and grouped for better management and understanding of the alerts.

Example: Composing alert fields
- Scenario 1:
  - Source input field: Select an existing alert field and add the text "and", followed by a new field name such as NewTest. For example: ${classification} and ${NewTest}. Alert fields are displayed in the ${field} syntax format. You can also select the field name from the drop-down list, and the syntax is added automatically.
  - Alert output: Enter the name of the new alert field where you want to display the values from the input fields. For example, name it mynewfield. Set mynewfield as a tag for later use in tag-based grouping. Notice the tag displayed before the field name.
- Scenario 2:
  - Source input field: Select existing alert fields and include any free text for how you want them to appear in the alert output field. For example: ${ci_type} and ${node} with state ${resolution_state}. Alert fields are displayed in the ${field} syntax format. You can also select the field name from the drop-down box, and the syntax is added automatically.
  - Alert output: Select an existing alert field where you want to display the values from the input fields. For instance, select Description.
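As an added example, not the product's own code, the following Python script models the composing step for both scenarios above: a ${field} template is filled from an alert's fields and the result is written either to a regular output field or, as in Scenario 1, to a tag. The alert field values, the tags dictionary, and the choice to render a field the alert does not have (such as NewTest) as an empty string are this example's assumptions. It also checks a point the page does not raise: a field value that itself contains ${...} text, for instance a host name taken from an untrusted event payload, must be copied literally rather than expanded again.

```python
import re

# Placeholder syntax shown on the page: ${field}. A field name is a plain
# identifier; anything else is left untouched as literal text.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample alert (not from the page); field names follow the
# page's two scenarios.
SAMPLE_ALERT = {
    "classification": "Hardware",
    "ci_type": "Server",
    "node": "web01.c1.acme.com",
    "resolution_state": "New",
    "description": "",
    "tags": {},
}


def compose_text(alert, template):
    """Fill every ${field} in template from the alert's fields in one pass.
    Returns (text, missing): fields the alert does not have are rendered as
    empty strings and listed in missing. Rendering them as empty is this
    example's assumption, not documented product behaviour."""
    missing = []

    def lookup(match):
        name = match.group(1)
        value = alert.get(name)
        if value is None:
            missing.append(name)
            return ""
        return str(value)

    # re.sub never rescans replacement text, so a field value that itself
    # contains "${...}" is copied literally instead of being expanded again.
    return PLACEHOLDER.sub(lookup, template), missing


def compose_field(alert, template, output_field, as_tag=False):
    """Compose the template and store the result in output_field, either as a
    regular alert field or under alert['tags'] when as_tag is set (the tag
    toggle the page describes). Returns an updated copy of the alert."""
    text, _ = compose_text(alert, template)
    updated = dict(alert)
    if as_tag:
        updated["tags"] = dict(alert.get("tags", {}), **{output_field: text})
    else:
        updated[output_field] = text
    return updated


def demo():
    """Run the page's two scenarios plus the nested-placeholder check and
    return the three composed strings."""
    scenario1 = compose_field(
        SAMPLE_ALERT, "${classification} and ${NewTest}", "mynewfield", as_tag=True
    )
    scenario2 = compose_field(
        SAMPLE_ALERT, "${ci_type} and ${node} with state ${resolution_state}", "description"
    )
    # Constructed hostile value: a node name that looks like a placeholder.
    hostile = dict(SAMPLE_ALERT, node="${resolution_state}")
    nested, _ = compose_text(hostile, "${node} is down")
    return scenario1["tags"]["mynewfield"], scenario2["description"], nested


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

The missing list returned by compose_text is what a preview should surface: in Scenario 1 the composed tag reads "Hardware and " because NewTest has no value yet, which is easy to miss once the rule is live. The single-pass substitution is deliberate; a loop that re-applies the template until no ${...} remains would let event data steer what ends up in Description.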