Keep’s Alert Mapping enrichment feature provides a powerful mechanism for dynamically enhancing alert data by leveraging external data sources, such as CSV files and topology data. This feature allows for the matching of incoming alerts to specific records in a CSV file or topology data based on predefined attributes (matchers) and enriching those alerts with additional information from the matched records.

Introduction

In complex monitoring environments, the need to enrich alert data with additional context is critical for effective alert analysis and response. Keep’s Alert Mapping and Enrichment enables users to define rules that match alerts to rows in a CSV file or topology data, appending or modifying alert attributes with the values from matching rows. This process adds significant value to each alert, providing deeper insights and enabling more precise and informed decision-making.

How It Works

Mapping with CSV Files

  1. Rule Definition: Users define mapping rules that specify which alert attributes (matchers) should be used for matching alerts to rows in a CSV file.
  2. CSV File Specification: A CSV file is associated with each mapping rule. This file contains additional data that should be added to alerts matching the rule.
  3. Alert Matching: When an alert is received, the system checks if it matches the conditions of any mapping rule based on the specified matchers.
  4. Data Enrichment: If a match is found, the alert is enriched with additional data from the corresponding row in the CSV file.
CVS file will look like:
regionresponsible_teamseverity_override
us-east-1team-alphahigh
us-west-2team-betamedium
eu-central-1team-gammalow

Mapping with Topology Data

  1. Rule Definition: Users define mapping rules that specify which alert attributes (matchers) should be used for matching alerts to topology data.
  2. Topology Data Specification: Topology data is associated with each mapping rule. This data contains additional information about the components and their relationships in your environment.
  3. Alert Matching: When an alert is received, the system checks if it matches the conditions of any mapping rule based on the specified matchers.
  4. Data Enrichment: If a match is found, the alert is enriched with additional data from the corresponding topology data.

Practical Example

Imagine you have a CSV file with columns representing different aspects of your infrastructure, such as region, responsible_team, and severity_override. By creating a mapping rule that matches alerts based on service and region, you can automatically enrich alerts with the responsible team and adjust severity based on the matched row in the CSV file. Similarly, you can use topology data to enrich alerts. For example, if an alert is related to a specific service, you can use topology data to find related components and their statuses, providing a more comprehensive view of the issue.

Core Concepts

  • Matchers: Attributes within the alert used to identify matching rows within the CSV file or topology data. Common matchers include identifiers like service or region.
  • CSV File: A structured file containing rows of data. Each column represents a potential attribute that can be added to an alert.
  • Topology Data: Information about the components and their relationships in your environment. This data can be used to enrich alerts with additional context.
  • Enrichment: The process of adding new attributes or modifying existing ones in an alert based on the data from a matching CSV row or topology data.

Creating a Mapping Rule

To create an alert mapping and enrichment rule:
  1. Define the Matchers: Specify which alert attributes will be used to match rows in the CSV file or topology data.
  2. Specify the Data Source: Provide the CSV file or specify the topology data to be used for enrichment.
  3. Configure the Rule: Set additional parameters, such as whether the rule should override existing alert attributes.

Best Practices

  • Keep CSV Files and Topology Data Updated: Regularly update the CSV files and topology data to reflect the current state of your infrastructure and operational data.
  • Use Specific Matchers: Define matchers that are unique and relevant to ensure accurate matching.
  • Monitor Rule Performance: Review the application of mapping rules to ensure they are working as expected and adjust them as necessary.