## Introduction
In modern Operations teams, efficiently categorizing and prioritizing incidents is critical to maintaining system reliability and ensuring quick resolutions. When incident reports or alerts flood in from various sources, manual tagging based on content keywords can be time-consuming and prone to human error. Automating the process of tagging incidents based on certain keywords can improve triage speed, route issues to the correct teams, and enhance incident analysis.
This article provides a detailed, technical walkthrough on how to build an automation workflow in n8n that tags incoming incidents based on keywords detected in their descriptions or payloads. This solution benefits Operations specialists who handle incident management platforms by reducing manual effort and improving accuracy.
### Who Benefits?
– Operations and SRE teams triaging incidents
– Automation engineers integrating incident platforms
– Startup teams aiming to improve incident management efficiency
—
## Tools and Services Used
– **n8n:** An open-source, node-based workflow automation tool used for building the automation logic.
– **Incident Management Platform API:** For example, PagerDuty, Opsgenie, or service-specific APIs where incidents are created or updated.
– **Optional:** Slack for notifications or Google Sheets for logging.
This tutorial will assume a generic incident API supporting REST with JSON data.
—
## Workflow Overview
**Goal:** Automatically apply tags to incidents based on keywords found in the incident’s title or description.
**Trigger:** New incident creation event from the incident management system.
**Process:**
1. Receive incident data via trigger node.
2. Extract relevant text fields (e.g., title, description).
3. Search those fields for predefined keywords.
4. Assign tags based on matched keywords.
5. Update incident with tags via API.
6. Optional: Send notification or log the tagging.
—
## Step-by-Step Tutorial
### Step 1: Setting Up the Trigger Node
– Use the **Webhook** node or the native trigger for your incident management system (e.g., PagerDuty Trigger node).
– Configure it to fire when a new incident is created.
– Make sure your incident system sends JSON payloads containing the incident’s description and other metadata.
**Tips:**
– Test the webhook by generating a dummy incident.
– Use n8n’s execution preview to inspect the incoming data.
—
### Step 2: Extracting Incident Text Fields
– Add a **Set** or **Function** node.
– Extract `title`, `description`, or any other relevant text fields from the incoming data.
Example in Function node:
“`javascript
return [{
title: items[0].json.incident.title,
description: items[0].json.incident.description || “”
}];
“`
—
### Step 3: Define Keyword-to-Tag Mapping
– Use the **Function** node to define your keywords and their corresponding tags.
Example keyword mapping:
“`javascript
const keywordTagMap = {
“database”: “database-issue”,
“timeout”: “performance”,
“authentication”: “security”,
“error 500”: “server-error”
};
// Extract text fields
const text = (items[0].json.title + ” ” + items[0].json.description).toLowerCase();
const tags = [];
for (const keyword in keywordTagMap) {
if (text.includes(keyword)) {
tags.push(keywordTagMap[keyword]);
}
}
return [{ json: { tags } }];
“`
**Tip:** Normalize text to lowercase for case-insensitive matching.
—
### Step 4: Handle Cases with No Matches
– To keep the workflow robust, check if tags are found.
– If no tags are detected, you can assign a default tag like `unclassified` or skip updating.
Modify the previous function node:
“`javascript
const tags = [];
for (const keyword in keywordTagMap) {
if (text.includes(keyword)) {
tags.push(keywordTagMap[keyword]);
}
}
if(tags.length === 0) {
tags.push(‘unclassified’);
}
return [{ json: { tags } }];
“`
—
### Step 5: Update Incident with Tags
– Use an **HTTP Request** node to call the incident management API update endpoint.
– Set the request method to `PATCH` or `PUT` depending on API.
– In the body, pass the tags array in the required format.
Example configuration:
– URL: `https://api.incidentservice.com/incidents/{{ $json.incident.id }}`
– Authorization: Bearer Token (use credentials store in n8n)
– Body (JSON):
“`json
{
“tags”: {{$json[“tags”]}}
}
“`
—
### Step 6: Optional – Send Notification (e.g., Slack)
– Add a **Slack** node to send a message to an operations channel notifying that an incident was tagged.
Example message:
“Incident {{$json.incident.id}} tagged with {{$json.tags.join(“, “)}}”
—
## Common Errors and Troubleshooting
– **API Authentication Failures:** Ensure API tokens are correct and have the right permissions.
– **No Tags Applied:** Verify that the text fields actually contain keywords matching your map.
– **Malformed JSON in API Request:** Ensure the payload matches the API specification EXACTLY.
– **Webhook Not Receiving Data:** Double-check that the webhook URL is correctly configured in the incident system.
– **Performance:** For large scales, consider caching keyword mapping in environment variables or external config.
—
## Scaling and Adaptation
– **Dynamic Keyword List:** Store keywords and tags in a Google Sheet or database and fetch dynamically.
– **Multiple Languages:** Add language detection and apply keyword sets accordingly.
– **Complex Matching:** Use Regular Expressions for more flexible keyword detection.
– **Incident Severity Routing:** Extend to assign priority tags based on phrases or patterns.
– **Batch Processing:** If you have bulk incident ingestion, use the n8n batch capabilities to process multiple incidents.
—
## Summary
Automating incident tagging based on keywords with n8n equips Operations teams with faster, more accurate triage capability. This guide walked through setting up triggers, keyword matching logic, incident updates, and optional notifications—all within n8n’s low-code environment.
By customizing and scaling this workflow, organizations can reduce manual overhead, standardize incident metadata, and improve incident response outcomes.
—
## Bonus Tip
Leverage the n8n **Code** node’s ability to integrate third-party NLP libraries or APIs (like Google Natural Language or IBM Watson) to implement semantic tagging beyond simple keyword matching for a future-proof, intelligent incident classification system.