In FlashDuty incident details, incident labels display alert source data in key:value format. These labels come from the various alert events integrated with FlashDuty. When the labels automatically generated from source data cannot meet business requirements, you can add label information to alerts through label enrichment to improve incident handling efficiency.
Label Uses#
In FlashDuty, labels are the basic data model for alert events and incident handling. Labels serve many purposes, including but not limited to:
Incident List: The incident list supports quick filtering by labels, making it easier for users to view and manage all incident records with the same labels, improving incident handling efficiency and focus
Route Configuration: When matching channels with routing rules, labels can be used as conditions to route events with the same labels to one or multiple channels
Drop Rule: When specific alerts are not needed, they can be matched using labels in drop rules
Assignment Notification: Labels can be used in assignment conditions to implement more precise and flexible notification strategies
Alert Grouping: Using the same or different labels as grouping dimensions categorizes alert events effectively and reduces noise, improving incident clarity and handling efficiency
Silence Rule: Labels can be included in silence conditions for precise filtering and silencing of alerts associated with specific labels, enabling advanced customization and noise control
Inhibit Rule: Labels serve as key conditions, allowing inhibit rules to more accurately identify and block alert events meeting specific criteria (including label matches), optimizing system efficiency and reducing false alarms
Label Enrichment: The label enrichment feature allows automatic extraction or derivation of new labels from existing source labels during configuration, optimizing label structure and enhancing resource classification and management flexibility
Configuring Label Enrichment#
Each alert event in the integration center has label enrichment configuration options, which can be configured after creating the alert event.
Types of Label Enrichment#
Extract: Uses regular expressions to extract the needed information from alert titles, detailed descriptions, and existing label fields, automatically generating additional labels.
Compose: Composition rules build new labels using Go template syntax, either extracting label values with the {{.Labels.Field}} format or generating new labels from fixed values.
Map: Maps source key-value pairs to new key-value pairs through mapping relationships. Requires pre-creating schema mapping relationships and uploading metadata before configuration. See configuration examples below.
Delete: Removes labels with specified names. If the label to be deleted doesn't exist, the operation has no effect.

Configuration Instructions#
Conditions: When performing label enrichment, you can configure prerequisite rules to restrict whether labels are generated or deleted (disabled by default). When restricted, labels won't be generated or deleted if conditions aren't met. You can learn how to configure conditions in Configuring Filter Conditions.
Override: When generating new labels based on conditions, you can choose whether to override existing labels (disabled by default). For example, if a new label named "host" with value "A" is generated, it will override the original label if "host" already exists in the original alert.
Preview: After configuring rules, preview is supported to visually observe the configuration effects.

Multiple label rules can be configured and will execute from top to bottom. When a rule doesn't match, corresponding labels won't be generated/deleted, without any notification.
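The rule semantics described above (top-to-bottom execution, silent skip on non-match, the Override switch, Delete as a no-op on absent labels) can be checked locally before a rule set is configured. The following is an added example, not FlashDuty code: the `Rule` struct, the `Enrich` function, the `ip` label name and the sample alert are assumptions, and treating a compose rule that references a missing label as a non-match is also an assumption. Conditions and Map rules are left out.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)
// Rule is a local model of one enrichment rule, not FlashDuty's own schema.
type Rule struct {
	Kind, Source, Expr, Target string // Kind: "extract", "compose" or "delete"
	Override                   bool   // replace Target when it already exists
}
// Enrich applies rules top to bottom, in place; a non-matching rule is skipped silently.
func Enrich(labels map[string]string, rules []Rule) map[string]string {
	for _, r := range rules {
		var val string
		switch r.Kind {
		case "delete":
			delete(labels, r.Target) // no effect when the label is absent
			continue
		case "extract": // Expr: regex with one capture group
			m := regexp.MustCompile(r.Expr).FindStringSubmatch(labels[r.Source])
			if m == nil {
				continue
			}
			val = m[1]
		case "compose": // Expr: Go template; a missing label counts as no match (assumption)
			t := template.Must(template.New("r").Option("missingkey=error").Parse(r.Expr))
			var b bytes.Buffer
			if t.Execute(&b, map[string]map[string]string{"Labels": labels}) != nil {
				continue
			}
			val = b.String()
		default:
			continue
		}
		if _, exists := labels[r.Target]; exists && !r.Override {
			continue // keep the original label unless Override is set
		}
		labels[r.Target] = val
	}
	return labels
}

func main() { // constructed sample: extract the IP from an alert description
	r := []Rule{{Kind: "extract", Source: "description", Expr: `(\d+(?:\.\d+){3})`, Target: "ip"}}
	fmt.Println(Enrich(map[string]string{"description": "CPU usage 93% on host 10.0.0.7"}, r))
}
```

Because rules run in order, a Delete rule for a source label must come after any Extract or Compose rule that reads it.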
Configuration Examples#
Scenario: Alert events come from email integration, and key information needs to be extracted from descriptions as labels for other scenarios, such as extracting IP and trigger values as separate labels.
1.1 Original Alert#



2. Label Composition#
Scenario: The company's log platform can directly access log details through domain+eventID+timestamp, but alert information only contains eventID and timestamp labels, so these need to be combined into an access URL.
2.1 Original Alert#

2.2 Composition Rules#

2.3 Composition Results#

3. Label Mapping#
Scenario: When the label values in the source alert information are not fixed and their meaning cannot be intuitively identified, you can map the source labels to newly defined labels and values through mapping. For example, the source alert only contains resource type ID information, but you want to show the resource type name corresponding to each ID, which can be achieved through mapping.
The following is an example of a mapping table file. Its purpose is to map the resource type ID in the alert to the actual resource type name.
ID | Type |
---|---|
A | server |
B | router |
C | gateway |
D | database |
E | MQ |
3.2 Create Mapping Table#
1. Enter Integrations -> Mappings -> Create mapping schema.
2. Fill in basic information, such as name, description, management team, etc.
3. In the Mapping Data section, upload the prepared csv file (if there are only a few entries, you can add them after creation on the mapping details page).
4. Select Source Labels, such as ID, and select Result Labels, such as Type.
5. Click Create to complete the mapping table creation.


3.3.1 Original Alert#
The original alert information only contains resource ID, without resource type name.
3.3.2 Mapping Effect#
Through the configured mapping relationship, the resource ID is mapped to a new resource type name label.
Appendix: Mapping Table Data Management
In the mapping table details page, you can manage the mapping table data, including adding, editing, and deleting.
1. Data Search: You can search for data by the value of the source label.
2. Data Add: Manually add mapping data.
3. Data Upload: Upload new mapping table data, which will overwrite existing data.
4. Data Download: Download the current mapping table data to your local machine.
5. Data Display: Display the current mapping table data, which can be edited or deleted.

If you do not want the source label to remain, you can remove it with a delete rule. Label mapping can also be managed through the API; see Label Mapping API.