Version: 6.0

Field Configuration

General Description

Fields for incidents can be configured in the Search Anywhere Framework module settings section. To do this, go to Main Menu - System Params - Module Settings - Incident Manager - Incident Fields.

Card Settings

In the settings interface, fields can be configured. By default, the system provides the following fields:

  • Assignee
  • Status
  • Severity
  • Related Incidents

System Field Configuration

All fields except status are available for editing:

  • Assignee — the list can be configured using a dynamic query; see the Dynamic Filters section for details
  • Status — not configurable
  • Severity — available for editing in the interface: Severity Editing

Creating New Fields

To create a new field, you need to:

  1. Click the + button
  2. Fill in the parameters of the new field

General parameters:

  • Field Name - name of the new field
  • Field Identifier - system name of the new field
  • Bulk Editing - participation of the field in bulk incident editing
  • Field Type - data type of the new field (available types are listed in the section Available Field Types)

Filtering settings:

  • Field Name for Filters - name of the field used for filtering in the incident manager
  • Display as Filter - whether to display the new field as a filter for searching
  • Use as Exclusion - option that controls filter operation. When enabled, filtering checks for inequality of values
  • Helper Text (placeholder) - example or hint that disappears when text is entered

  3. Click the Save button

Now this field can be selected in Incident Type.

Available Field Types

  • Number
  • Date and Time
  • Text
  • Multiline Text
  • Markdown
  • Multi-Select
  • Select

Dynamic Filters

Fields of type select and multi-select can use Dynamic Options. To do this, specify a search query and time parameters, as well as the fields whose values will be used as the key and the filter value.

Example

Let's create a field test_select, enable the options Display in Incident Card and Display as Filter and set Field Type - Select. We'll specify a static filter value where the key will be equal to test and the value 10. In addition, we'll specify dynamic options. When executing the specified query, the key will take the value test_dynamic and the filter value will become equal to 1.

Setting up test_select field

Setting up dynamic filter in incident card

If after setup you open the created filter, it will have values test and test_dynamic. When selecting them, incidents will be filtered where the value of the test_select field equals 10 or 1 respectively.

Tokens

Description

Token - a variable whose value is substituted into the query in the Dynamic Options section for fields of type select and multi-select. Tokens provide flexible configuration of data filtering on the Incident Manager page.

Using tokens allows making incident filtering more dynamic and convenient for users.

Token Creation

Tokens are created in the incident field settings. As with tokens used in dashboards, the main field for configuring a token is System Name - a unique token name by which it will be identified.

For fields in the incident card, the system name is the Field Identifier. The basic token settings are:

  • Token Prefix - value that will be added before the token value
  • Token Suffix - value that will be added after the token value

Basic Token Settings

Fields of type multi-select have additional settings:

  • Token Value Prefix - value that will be added before each value contained in the active multi-select list
  • Token Value Suffix - value that will be added after each value contained in the active multi-select list
  • Separator - value that will be added between values in the active multi-select list

Token Settings for Multi-Select

Usage in Queries

After creating a token, it can be used in queries in the Dynamic Queries section.

To do this, you need to:

  1. Create a new field/open an existing one with type select or multi-select
  2. In the dynamic options section, in the search item, write a search query containing the token
  3. Save the field in the incident card

Now, when the filter that acts as a token is changed, the filters whose dynamic options depend on that token automatically update their value options.

For using tokens in Search Anywhere Framework panel queries, the following syntax is provided:

Using tokens in dynamic filter options

Example search query using a token:

source winlog_auth
| search $event_code$
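
The token settings described above, modelled as an added example (this is not Search Anywhere Framework code): it shows how a multi-select token's value prefix, value suffix and separator, wrapped in the token prefix and suffix, compose the text substituted for $event_code$. The setting values, the event codes 4624 and 4625, the OR-joined filter text and the empty-selection behaviour are assumptions made for illustration.

```python
import re
from typing import NamedTuple


class TokenSettings(NamedTuple):
    """The token settings named on this page; all values used below are constructed."""
    prefix: str = ""        # Token Prefix
    suffix: str = ""        # Token Suffix
    value_prefix: str = ""  # Token Value Prefix (multi-select)
    value_suffix: str = ""  # Token Value Suffix (multi-select)
    separator: str = ""     # Separator (multi-select)


def render_token(settings, selected):
    """Return the text substituted for a token.

    `selected` is a str for a select field, a list of str for multi-select.
    Assumption: an empty selection expands to an empty string.
    """
    if not selected:
        return ""
    if isinstance(selected, str):
        body = selected
    else:
        body = settings.separator.join(
            f"{settings.value_prefix}{v}{settings.value_suffix}" for v in selected
        )
    return f"{settings.prefix}{body}{settings.suffix}"


def expand_query(query, tokens, selections):
    """Replace each $name$ that has settings; leave unknown tokens untouched."""
    def substitute(match):
        name = match.group(1)
        if name not in tokens:
            return match.group(0)
        return render_token(tokens[name], selections.get(name))
    return re.sub(r"\$(\w+)\$", substitute, query)


# Constructed configuration for the page's $event_code$ token.
TOKENS = {
    "event_code": TokenSettings(
        prefix="(", suffix=")",
        value_prefix='event_code="', value_suffix='"', separator=" OR ",
    )
}
QUERY = "source winlog_auth\n| search $event_code$"
print(expand_query(QUERY, TOKENS, {"event_code": ["4624", "4625"]}))
```

Checking the expanded query text this way before saving a field makes it easy to see whether the separator and per-value wrapping produce the filter expression you intended.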

Exclusion Filters

All fields can be switched to exclusion filter mode. In normal mode, incidents are searched where the field value corresponds to the value set in the filter. In exclusion filter mode, the result of the search query is a list of incidents that contain a field value different from the value in the corresponding filter.

To enable the exclusion filter, select the Use as Exclusion option in the card field settings.

Exclusion Filter


Editing Existing Fields

To edit field parameters, you need to:

  1. Select the field in the list and click on it
  2. Make changes in the editor for the selected field's parameters, which appears on the right side
  3. Click the Save button

Deleting Fields

To delete a field, click the × button next to the field name. In the dialog box that appears, confirm the action by clicking the Delete button or cancel the action by clicking the Cancel button.