Documentation Index
Fetch the complete documentation index at: https://docs.keephq.dev/llms.txt
Use this file to discover all available pages before exploring further.
Keep workflows support enrichment, a powerful feature that allows you to enhance alerts with additional data, making them more actionable and meaningful. Enrichments add custom fields or modify existing ones in an alert directly from your workflow.
Why Enrich Alerts?
- Provide Context: Add critical information, such as related customer data or ticket IDs.
- Enable Automation: Use enriched fields in subsequent actions for dynamic processing.
- Improve Visibility: Surface essential metadata for better decision-making.
How to Enrich Alerts
Using the enrich_alert Directive
The enrich_alert directive is used in actions to add or update fields in the alert. You specify a list of key-value pairs where:
key is the field name to add or update.value is the data to assign to the field. It can be a static value or dynamically derived from steps or other parts of the workflow.disposable is an optional attribute that determines whether the enrichment is temporary and should be discarded when a new alert is received. If disposable is set to True, the enrichment is added to disposable_enrichments and marked with dispose_on_new_alert=True.
Example Workflow with Enrichment
workflow:
id: enrich-alert-example
description: Demonstrates enriching alerts
triggers:
- type: alert
steps:
- name: get-customer-details
provider:
type: mysql
config: "{{ providers.mysql-prod }}"
with:
query: "SELECT * FROM customers WHERE customer_id = '{{ alert.customer_id }}'"
single_row: true
actions:
- name: enrich-alert-with-customer-data
provider:
type: mock
with:
enrich_alert:
- key: customer_name
value: "{{ steps.get-customer-details.results.name }}"
- key: customer_tier
value: "{{ steps.get-customer-details.results.tier }}"
- The
get-customer-details step fetches customer data based on the alert.
- The
enrich_alert directive adds customer_name and customer_tier to the alert.
Enrichment Syntax
Key-Value Pairs
Each enrichment is defined as a key-value pair:
enrich_alert:
- key: field_name
value: field_value
disposable: true
- Static Values: Use static strings or numbers for straightforward enrichments:
- key: alert_source
value: "Monitoring System"
- key: severity_level
value: "{{ alert.severity }}"
Conditional Enrichment
You can combine enrichment with conditions to enrich alerts dynamically:
actions:
- name: enrich-critical-alert
if: "{{ alert.severity == 'critical' }}"
provider:
type: mock
with:
enrich_alert:
- key: priority
value: high
Advanced Use Cases
Enrich Alerts with Results from Actions
Enrichments can use results from actions, allowing dynamic updates based on previous steps:
enrich_alert:
- key: ticket_id
value: "{{ actions.create-ticket.results.ticket_id }}"
- key: ticket_url
value: "{{ actions.create-ticket.results.ticket_url }}"
Enrichment Workflow Example
This example demonstrates how to enrich an alert with ticket details from ServiceNow:
workflow:
id: servicenow-ticket-enrichment
triggers:
- type: alert
steps:
- name: fetch-alert-details
provider:
type: keep
with:
filter: "alert_id == '{{ alert.id }}'"
actions:
- name: create-servicenow-ticket
provider:
type: servicenow
config: "{{ providers.servicenow }}"
with:
table_name: INCIDENT
payload:
short_description: "Alert: {{ alert.name }}"
description: "{{ alert.description }}"
enrich_alert:
- key: ticket_id
value: "{{ results.sys_id }}"
- key: ticket_url
value: "{{ results.link }}"
Troubleshooting Enrichment
Enrichment without an Alert/Incident
If there is no alert/incident present in the trigger (for example interval trigger or manual call in workflow page), the enrichment rule would not have an alert/incident to apply to. The enrichment process typically requires an alert/incident to be present to apply the specified enrichments. Without an alert/incident, the enrichment rule would not execute as intended. A workaround is to use a foreach directive and pass it an object containing the “fingerprint” variable.
