
Alert Rules Engine: Transformations

Versions Supported: Enterprise

VictorOps Version Required: N/A SaaS

A transformation changes alert data before it arrives in your VictorOps timeline. Typing the name of an existing field into the Transform’s ‘alert field’ box lets you overwrite that field with a new value of your choosing.

Transformation actions can also add entirely new fields to an alert: type the desired field name into the alert field box and assign it a value.

Transformation Uses

Changing the routing key

Change the routing key of a particular set of alerts that need to create incidents for a different team. Assume you set up an integration that sends all alerts to your Database team, but you want a particular subset of incidents related to a specific host (db03) to go to the Development team (routing_key = devs).

VictorOps Alert Rules Engine: when entity_id matches *db03*, set routing_key to devs.

Adding a new alert field

Add a new unique field to an alert by entering a new field name in the alert field box; this automatically creates the field. The value of the new field can be set to anything you want.

VictorOps Alert Rules Engine: when entity_id matches match_value, set new_field_name to value of new field.

Muting Noisy Alerts

Some alerts coming into the timeline can be distracting and cause unnecessary paging. By transforming the message_type field to INFO these noisy alerts can be muted.

VictorOps Alert Rules Engine: when state_message matches *noisy alert message*, set message_type to INFO

Timestamp Based Muting

To mute or adjust alerts based on timestamps, use the Regex method and a chained rule. We recommend scoping the rule with a chain so that it only affects alerts for a specific routing_key or monitoring_tool.

The following example transforms alerts with the teamA routing_key to the INFO message type on Thursday, Saturday, and Sunday (UTC).

Our alert_received_week_time_utc field is an ISO 8601 week date formatted timestamp. For example, 2020-W10-3T17:38:32Z has the form YEAR-WEEK-DAY-TIME, with the day expressed as 1-7 for Monday-Sunday. You may want to adjust the example regular expression to account for your timezone’s offset from UTC.

Change the Appearance of Incidents and Notifications

By combining variable expansion with transformations, you can alter alert fields. An example is changing the display name (the entity_display_name field) when it matches a value, so that it shows more details. To display the monitoring tool an incident came from, set entity_display_name to ${{monitoring_tool}}.

VictorOps Alert Rules Engine: when entity_display_name matches *, set entity_display_name to ${{monitoring_tool}}

Combining Multiple Different Alerts Into One Single Incident

To combine multiple different alerts into one single incident, first find a value to match on that associates the different alerts. Then transform the entity_id field to a fixed value. Because VictorOps aggregates alerts by entity_id, pre-determining the entity_id causes the alerts to be aggregated automatically.

VictorOps Alert Rules Engine: when entity_id matches disk*, set entity_id to Disk Problems
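The wildcard rules, the chained timestamp rule and the variable expansion described in the sections above (changing the routing key, muting noisy alerts, timestamp-based muting, changing the appearance of incidents, and combining alerts by entity_id) modelled in Python, as an added example that is not part of this article or of VictorOps. The rule semantics (every condition of a rule must match, `*` matches any run of characters, rules are applied in order and later rules see earlier changes), the helper names and the sample alerts are assumptions made for the illustration.

```python
import re

# Added example (not VictorOps code): a minimal model of how the Alert Rules
# Engine transformations on this page behave. Assumptions: a rule fires when all
# of its conditions match (a "chained" rule has more than one condition); '*' in
# a wildcard condition matches any run of characters; regex conditions use
# Python's re.search; set values may expand ${{field}}; rules are applied in
# order and later rules see earlier transformations.

VAR_REF = re.compile(r"\$\{\{(\w+)\}\}")


def wildcard_to_regex(pattern):
    """Turn a '*'-style pattern such as 'disk*' into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def condition_matches(alert, field, value, regex=False):
    """True when alert[field] exists and matches the wildcard or regex value."""
    actual = alert.get(field)
    if actual is None:
        return False
    pattern = value if regex else wildcard_to_regex(value)
    return re.search(pattern, str(actual)) is not None


def expand(value, alert):
    """Expand ${{field}} references against the alert; unknown fields become ''."""
    return VAR_REF.sub(lambda m: str(alert.get(m.group(1), "")), value)


def apply_rules(alert, rules):
    """Return a transformed copy of the alert; the original is left untouched."""
    out = dict(alert)
    for rule in rules:
        if all(condition_matches(out, *cond) for cond in rule["when"]):
            for field, value in rule["set"].items():
                out[field] = expand(value, out)
    return out


# Rules taken from this page. A condition is (field, pattern) for a wildcard
# match or (field, pattern, True) for a regex match.
RULES = [
    # Changing the routing key: anything mentioning db03 goes to the Development team.
    {"when": [("entity_id", "*db03*")],
     "set": {"routing_key": "devs"}},
    # Muting noisy alerts: INFO alerts do not page.
    {"when": [("state_message", "*noisy alert message*")],
     "set": {"message_type": "INFO"}},
    # Timestamp-based muting, scoped by a chained condition to routing_key teamA.
    # In an ISO 8601 week date the digit after the week is the weekday 1-7
    # (Mon-Sun), so [467] selects Thursday, Saturday and Sunday.
    {"when": [("routing_key", "teamA"),
              ("alert_received_week_time_utc", r"^\d{4}-W\d{2}-[467]T", True)],
     "set": {"message_type": "INFO"}},
    # Changing the appearance: show which monitoring tool the alert came from.
    {"when": [("entity_display_name", "*")],
     "set": {"entity_display_name": "${{monitoring_tool}}"}},
    # Combining alerts into one incident: a fixed entity_id aggregates them.
    {"when": [("entity_id", "disk*")],
     "set": {"entity_id": "Disk Problems"}},
]

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"entity_id": "cpu/db03", "routing_key": "database", "message_type": "CRITICAL",
     "state_message": "CPU load high", "monitoring_tool": "nagios",
     "entity_display_name": "cpu/db03",
     "alert_received_week_time_utc": "2020-W10-3T17:38:32Z"},   # Wednesday
    {"entity_id": "api/latency", "routing_key": "teamA", "message_type": "CRITICAL",
     "state_message": "p99 latency above SLO", "monitoring_tool": "datadog",
     "entity_display_name": "api/latency",
     "alert_received_week_time_utc": "2020-W10-6T02:15:00Z"},   # Saturday
    {"entity_id": "api/latency", "routing_key": "teamA", "message_type": "CRITICAL",
     "state_message": "p99 latency above SLO", "monitoring_tool": "datadog",
     "entity_display_name": "api/latency",
     "alert_received_week_time_utc": "2020-W10-2T09:00:00Z"},   # Tuesday
    {"entity_id": "disk/web07/sda1", "routing_key": "teamB", "message_type": "WARNING",
     "state_message": "this is the noisy alert message again", "monitoring_tool": "zabbix",
     "entity_display_name": "disk/web07/sda1",
     "alert_received_week_time_utc": "2020-W10-7T23:59:59Z"},   # Sunday, but not teamA
]


def transform_all(alerts=SAMPLE_ALERTS, rules=RULES):
    """Apply the rule set to every alert and return the transformed copies."""
    return [apply_rules(alert, rules) for alert in alerts]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_ALERTS, transform_all()):
        changed = {k: (before.get(k), after[k]) for k in after if before.get(k) != after[k]}
        print(before["entity_id"], "->", changed)
```

Running the model shows why the article recommends the chain: the fourth sample alert arrives on a Sunday, but because its routing_key is teamB the weekday regex alone never touches it; it is muted only by the noisy-message rule. Note also that rule order matters in this model: the db03 alert has its routing_key changed to devs before the teamA chain is evaluated.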

Transform/Create fields with RegEx

When dealing with text, there may be information we want to extract via RegEx capture groups. Using capture groups (enclosed in parentheses) we can add new alert fields or transform existing ones, similar to the use of wildcard matching.

In this example, we use RegEx to look for “error” or “ERROR” in the subject field, then set message_type to INFO, as above, to mute a noisy alert.

VictorOps Alert Rules Engine matching with RegEx.
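The capture-group technique from this section, as an added example that is not part of this article or of VictorOps: the page's own error|ERROR rule muting an alert, plus a constructed rule that extracts a host and check name from the subject into new fields. The article does not show the rules engine's syntax for referencing a captured group, so this model borrows Python's `re.Match.expand()` templates (`\1` or `\g<name>`) for the new field values; the field names, sample subjects and `[host=...] check=...` layout are assumptions.

```python
import re

# Added example (not VictorOps code): a model of "Transform/Create fields with
# RegEx" using capture groups. Captured text is referenced in the value of the
# field being set with Python's re.Match.expand() syntax (\1 or \g<name>); the
# real rules engine's reference syntax is not shown on the page.


def apply_capture_rule(alert, field, pattern, new_fields):
    """If pattern matches alert[field], set every entry of new_fields on a copy
    of the alert, expanding capture-group references in the value templates.
    Returns (matched, alert_copy)."""
    match = re.search(pattern, str(alert.get(field, "")))
    out = dict(alert)
    if match is None:
        return False, out
    for name, template in new_fields.items():
        out[name] = match.expand(template)
    return True, out


# Rule from the page: "error" or "ERROR" in the subject mutes the alert. The
# group is case-sensitive on purpose; "Error" would need re.IGNORECASE.
MUTE_RULE = ("subject", r"(error|ERROR)", {"message_type": "INFO"})

# Constructed rule: pull the host and check name out of a subject shaped like
# "[host=web07] check=disk_free: ..." into new fields and a richer display name.
EXTRACT_RULE = (
    "subject",
    r"\[host=(?P<host>[\w.-]+)\] check=(?P<check>\w+)",
    {"alert_host": r"\g<host>",
     "alert_check": r"\g<check>",
     "entity_display_name": r"\g<check> on \g<host>"},
)

# Constructed sample alerts (not real data).
CAPTURE_SAMPLES = [
    {"subject": "[host=web07] check=disk_free: error reading /dev/sda1",
     "message_type": "CRITICAL"},
    {"subject": "[host=db02] check=replication: lag 5s",
     "message_type": "WARNING"},
    {"subject": "Nightly backup FAILED", "message_type": "CRITICAL"},
]


def transform_subject(alert, rules=(MUTE_RULE, EXTRACT_RULE)):
    """Apply each capture rule in order; returns the transformed copy."""
    for field, pattern, new_fields in rules:
        _, alert = apply_capture_rule(alert, field, pattern, new_fields)
    return alert


def transform_subjects(alerts=CAPTURE_SAMPLES):
    """Transform every sample alert and return the copies."""
    return [transform_subject(alert) for alert in alerts]


if __name__ == "__main__":
    for after in transform_subjects():
        print(after)
```

The first sample is both muted (its subject contains "error") and enriched with alert_host, alert_check and a new display name; the second gains the extracted fields but keeps its WARNING type; the third matches neither pattern and is returned unchanged.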

For additional information on how to annotate alerts, see this article.

For help with AND/OR logic, see this article.

Updated on March 27, 2020
