keephq · talboren · May 5, 2025 · Apr 16, 2025 · Apr 17, 2025 · Apr 17, 2025
diff --git a/docs/snippets/providers/cloudwatch-snippet-autogenerated.mdx b/docs/snippets/providers/cloudwatch-snippet-autogenerated.mdx
@@ -1,4 +1,4 @@
-{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py 
+{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py
 Do not edit it manually, as it will be overwritten */}
 
 ## Authentication
@@ -33,11 +33,11 @@ steps:
       provider: cloudwatch
       config: "{{ provider.my_provider_name }}"
       with:
-        log_group: {value}  
-        log_groups: {value}  
-        remove_ptr_from_results: {value}  
-        query: {value}  
-        hours: {value}  
+        log_group: {value}
+        log_groups: {value}
+        remove_ptr_from_results: {value}
+        query: {value}
+        hours: {value}
 ```
 
 
@@ -47,3 +47,4 @@ steps:
 Check the following workflow examples:
 - [retrieve_cloudwatch_logs.yaml](https://github.com/keephq/keep/blob/main/examples/workflows/retrieve_cloudwatch_logs.yaml)
 - [slack_basic.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack_basic.yml)
+- [slack_basic_cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack_basic_cel.yml)
diff --git a/docs/snippets/providers/console-snippet-autogenerated.mdx b/docs/snippets/providers/console-snippet-autogenerated.mdx
@@ -35,6 +35,7 @@ actions:
 Check the following workflow examples:
 - [aks_basic.yml](https://github.com/keephq/keep/blob/main/examples/workflows/aks_basic.yml)
 - [change.yml](https://github.com/keephq/keep/blob/main/examples/workflows/change.yml)
+- [complex-conditions-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/complex-conditions-cel.yml)
 - [console_example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/console_example.yml)
 - [consts_and_dict.yml](https://github.com/keephq/keep/blob/main/examples/workflows/consts_and_dict.yml)
 - [cron-digest-alerts.yml](https://github.com/keephq/keep/blob/main/examples/workflows/cron-digest-alerts.yml)
@@ -45,7 +46,9 @@ Check the following workflow examples:
 - [incident-enrich.yaml](https://github.com/keephq/keep/blob/main/examples/workflows/incident-enrich.yaml)
 - [incident_example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/incident_example.yml)
 - [inputs_example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/inputs_example.yml)
+- [multi-condition-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/multi-condition-cel.yml)
 - [mustache-paths-example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/mustache-paths-example.yml)
+- [pattern-matching-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/pattern-matching-cel.yml)
 - [severity_changed.yml](https://github.com/keephq/keep/blob/main/examples/workflows/severity_changed.yml)
 - [webhook_example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/webhook_example.yml)
 - [webhook_example_foreach.yml](https://github.com/keephq/keep/blob/main/examples/workflows/webhook_example_foreach.yml)
diff --git a/docs/snippets/providers/datadog-snippet-autogenerated.mdx b/docs/snippets/providers/datadog-snippet-autogenerated.mdx
@@ -1,4 +1,4 @@
-{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py 
+{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py
 Do not edit it manually, as it will be overwritten */}
 
 ## Authentication
@@ -10,14 +10,14 @@ This provider requires authentication.
 - **oauth_token**: For OAuth flow (required: False, sensitive: True)
 
 Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:
-- **events_read**: Read events data. (mandatory) 
+- **events_read**: Read events data. (mandatory)
 - **monitors_read**: Read monitors (mandatory) ([Documentation](https://docs.datadoghq.com/account_management/rbac/permissions/#monitors))
 - **monitors_write**: Write monitors  ([Documentation](https://docs.datadoghq.com/account_management/rbac/permissions/#monitors))
-- **create_webhooks**: Create webhooks integrations  
-- **metrics_read**: View custom metrics.  
-- **logs_read**: Read log data.  
-- **apm_read**: Read APM data for Topology creation.  
-- **apm_service_catalog_read**: Read APM service catalog for Topology creation.  
+- **create_webhooks**: Create webhooks integrations
+- **metrics_read**: View custom metrics.
+- **logs_read**: Read log data.
+- **apm_read**: Read APM data for Topology creation.
+- **apm_service_catalog_read**: Read APM service catalog for Topology creation.
 
 
 
@@ -33,24 +33,25 @@ steps:
       provider: datadog
       config: "{{ provider.my_provider_name }}"
       with:
-        query: {value}  
-        timeframe: {value}  
-        query_type: {value}  
+        query: {value}
+        timeframe: {value}
+        query_type: {value}
 ```
 
 
 
 
 
 Check the following workflow examples:
+- [complex-conditions-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/complex-conditions-cel.yml)
 - [db_disk_space.yml](https://github.com/keephq/keep/blob/main/examples/workflows/db_disk_space.yml)
 - [dd.yml](https://github.com/keephq/keep/blob/main/examples/workflows/dd.yml)
 - [keep_semantic_alert_example_datadog.yml](https://github.com/keephq/keep/blob/main/examples/workflows/keep_semantic_alert_example_datadog.yml)
 
 
 ## Topology
-This provider pulls [topology](/overview/servicetopology) to Keep. It could be used in [correlations](/overview/correlation-topology) 
-and [mapping](/overview/enrichment/mapping#mapping-with-topology-data), and as a context 
+This provider pulls [topology](/overview/servicetopology) to Keep. It could be used in [correlations](/overview/correlation-topology)
+and [mapping](/overview/enrichment/mapping#mapping-with-topology-data), and as a context
 for [alerts](/alerts/sidebar#7-alert-topology-view) and [incidents](/overview#17-incident-topology).
 
 ## Provider Methods
@@ -69,4 +70,3 @@ The provider exposes the following [Provider Methods](/providers/provider-method
 - **resolve_incident** Resolve an active incident (action, scopes: incidents_write)
 
 - **add_incident_timeline_note** Add a note to an incident timeline (action, scopes: incidents_write)
-
diff --git a/docs/snippets/providers/newrelic-snippet-autogenerated.mdx b/docs/snippets/providers/newrelic-snippet-autogenerated.mdx
@@ -1,4 +1,4 @@
-{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py 
+{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py
 Do not edit it manually, as it will be overwritten */}
 
 ## Authentication
@@ -28,11 +28,13 @@ steps:
       provider: newrelic
       config: "{{ provider.my_provider_name }}"
       with:
-        nrql: {value}  
+        nrql: {value}
         query: {value}  # query to execute
 ```
 
 
 
 
-If you need workflow examples with this provider, please raise a [GitHub issue](https://github.com/keephq/keep/issues).
+
+Check the following workflow example:
+- [complex-conditions-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/complex-conditions-cel.yml)
diff --git a/docs/snippets/providers/opsgenie-snippet-autogenerated.mdx b/docs/snippets/providers/opsgenie-snippet-autogenerated.mdx
@@ -1,4 +1,4 @@
-{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py 
+{/* This snippet is automatically generated using scripts/docs_render_provider_snippets.py
 Do not edit it manually, as it will be overwritten */}
 
 ## Authentication
@@ -7,7 +7,7 @@ This provider requires authentication.
 - **integration_name**: OpsGenie integration name (required: True, sensitive: False)
 
 Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:
-- **opsgenie:create**: Create OpsGenie alerts (mandatory) 
+- **opsgenie:create**: Create OpsGenie alerts (mandatory)
 
 
 
@@ -23,8 +23,8 @@ steps:
       provider: opsgenie
       config: "{{ provider.my_provider_name }}"
       with:
-        query_type: {value}  
-        query: {value}  
+        query_type: {value}
+        query: {value}
 ```
 
 
@@ -58,6 +58,7 @@ actions:
 Check the following workflow examples:
 - [failed-to-login-workflow.yml](https://github.com/keephq/keep/blob/main/examples/workflows/failed-to-login-workflow.yml)
 - [opsgenie-close-alert.yml](https://github.com/keephq/keep/blob/main/examples/workflows/opsgenie-close-alert.yml)
+- [opsgenie-create-alert-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/opsgenie-create-alert-cel.yml)
 - [opsgenie-create-alert.yml](https://github.com/keephq/keep/blob/main/examples/workflows/opsgenie-create-alert.yml)
 - [opsgenie_open_alerts.yml](https://github.com/keephq/keep/blob/main/examples/workflows/opsgenie_open_alerts.yml)
 
@@ -68,4 +69,3 @@ The provider exposes the following [Provider Methods](/providers/provider-method
 - **close_alert** Close an alert (action, scopes: opsgenie:create)
 
 - **comment_alert** Comment an alert (action, scopes: opsgenie:create)
-
diff --git a/docs/snippets/providers/prometheus-snippet-autogenerated.mdx b/docs/snippets/providers/prometheus-snippet-autogenerated.mdx
@@ -39,6 +39,7 @@ Check the following workflow examples:
 - [enrich_using_structured_output_from_vllm_qwen.yaml](https://github.com/keephq/keep/blob/main/examples/workflows/enrich_using_structured_output_from_vllm_qwen.yaml)
 - [http_enrich.yml](https://github.com/keephq/keep/blob/main/examples/workflows/http_enrich.yml)
 - [kubernetes.yml](https://github.com/keephq/keep/blob/main/examples/workflows/kubernetes.yml)
+- [multi-condition-cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/multi-condition-cel.yml)
 
 ## Connecting via Webhook (omnidirectional)
 

diff --git a/docs/snippets/providers/slack-snippet-autogenerated.mdx b/docs/snippets/providers/slack-snippet-autogenerated.mdx
@@ -56,6 +56,7 @@ Check the following workflow examples:
 - [raw_sql_query_datetime.yml](https://github.com/keephq/keep/blob/main/examples/workflows/raw_sql_query_datetime.yml)
 - [slack-message-reaction.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack-message-reaction.yml)
 - [slack_basic.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack_basic.yml)
+- [slack_basic_cel.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack_basic_cel.yml)
 - [slack_basic_interval.yml](https://github.com/keephq/keep/blob/main/examples/workflows/slack_basic_interval.yml)
 - [trello_new_card_alert.yml](https://github.com/keephq/keep/blob/main/examples/workflows/trello_new_card_alert.yml)
 - [workflow_only_first_time_example.yml](https://github.com/keephq/keep/blob/main/examples/workflows/workflow_only_first_time_example.yml)

diff --git a/docs/workflows/examples/create-servicenow-tickets.mdx b/docs/workflows/examples/create-servicenow-tickets.mdx
@@ -22,9 +22,7 @@ workflow:
   description: create a ticket in servicenow when an alert is triggered
   triggers:
     - type: alert
-      filters:
-        - key: source
-          value: r"(grafana|prometheus)"
+      cel: source.contains("grafana") || source.contains("prometheus")
   actions:
     - name: create-service-now-ticket
       if: "not '{{ alert.ticket_id }}' and {{ alert.annotations.ticket_type }}"

diff --git a/docs/workflows/examples/highsev.mdx b/docs/workflows/examples/highsev.mdx
@@ -27,13 +27,7 @@ workflow:
   description: handle alerts
   triggers:
     - type: alert
-      filters:
-        - key: source
-          value: sentry
-        - key: severity
-          value: critical
-        - key: service
-          value: r"(payments|ftp)"
+      cel: source.contains("sentry") && severity == "critical" && (service == "payments" || service == "ftp")
   actions:
     - name: send-slack-message-team-payments
       if: "'{{ alert.service }}' == 'payments'"

diff --git a/docs/workflows/examples/update-servicenow-tickets.mdx b/docs/workflows/examples/update-servicenow-tickets.mdx
@@ -27,9 +27,7 @@ workflow:
       provider:
         type: keep
         with:
-          filters:
-          - key: ticket_type
-            value: servicenow
+          cel: ticket_type == "servicenow"
   actions:
     - name: update-ticket
       foreach: "{{ steps.get-alerts.results }}"

diff --git a/docs/workflows/syntax/triggers.mdx b/docs/workflows/syntax/triggers.mdx
@@ -6,7 +6,6 @@ title: "Triggers"
 
 Triggers in Keep Workflow Engine define **when a workflow is executed**. Triggers are the starting point for workflows and can be configured to respond to a variety of events, conditions, or schedules.
 
-
 A workflow can have one or multiple triggers, and these triggers determine the specific circumstances under which the workflow is initiated. Examples include manual invocation, time-based schedules, or event-driven actions like alerts or incident updates.
 
 Triggers are defined under the `triggers` section of a workflow YAML file. Each trigger has a `type` and optional additional configurations or filters.
@@ -35,16 +34,45 @@ triggers:
 
 ### Alert Trigger
 
-Executes a workflow when an alert is received, with optional filters for alert properties.
+Executes a workflow when an alert is received.
 
 ```yaml
 triggers:
   - type: alert
 ```
 
-### Filtering Alert
+<Note>
+  If no filters or CEL expressions are specified, the workflow will be executed
+  for every alert that comes in.
+</Note>
+
+### Filtering Alerts
+
+There are two ways to filter alerts in Keep:
 
-You can filter alerts by specific properties like `severity`, `source`, or use regex to match specific `service`.
+#### 1. CEL-based Filtering (Recommended)
+
+Keep uses [Common Expression Language (CEL)](https://github.com/google/cel-spec/blob/master/doc/langdef.md) for filtering alerts. CEL provides a powerful and flexible way to express conditions using a simple expression language.
+
+```yaml
+triggers:
+  - type: alert
+    cel: source.contains("datadog") && severity == "critical"
+```
+
+Common CEL patterns:
+
+- String matching: `source.contains("prometheus")`
+- Exact matching: `severity == "critical"`
+- Multiple conditions: `source.contains("datadog") && severity == "critical"`
+- Pattern matching: `name.contains("error") || name.contains("failure")`
+- Complex conditions: `(source.contains("datadog") && severity == "critical") || (source.contains("newrelic") && severity == "error")`
+
+You can test and experiment with CEL expressions using the [CEL Playground](https://playcel.undistro.io/).
+
+#### 2. Legacy Filtering (Deprecated)
+
+The old filtering mechanism is deprecated but still supported for backward compatibility. It uses a list of key-value pairs with optional regex patterns.
 
 ```yaml
 triggers:
@@ -63,7 +91,6 @@ triggers:
 Runs workflows when an incident is created, updated, or resolved.
 
 ```yaml
-
 triggers:
   - type: incident
     on:
@@ -80,9 +107,10 @@ triggers:
   - type: alert
     only_on_change:
       - status
-
 ```
 
 ## Summary
 
-Triggers are a powerful way to control the execution of workflows, ensuring that they respond appropriately to manual actions, schedules, or events. By leveraging filters and configurations, workflows can be fine-tuned to execute only under specific conditions.
+Triggers are a powerful way to control the execution of workflows, ensuring that they respond appropriately to manual actions, schedules, or events. By leveraging CEL expressions or filters, workflows can be fine-tuned to execute only under specific conditions.
+
+For more information about CEL expressions, refer to the [CEL Language Definition](https://github.com/google/cel-spec/blob/master/doc/langdef.md) and experiment with expressions in the [CEL Playground](https://playcel.undistro.io/).
diff --git a/examples/workflows/complex-conditions-cel.yml b/examples/workflows/complex-conditions-cel.yml
@@ -0,0 +1,13 @@
+workflow:
+  id: complex-conditions-monitor-cel
+  name: Complex Conditions Monitor (CEL)
+  description: Monitors alerts with complex conditions using CEL filters.
+  triggers:
+    - type: alert
+      cel: (source.contains("datadog") && severity == "critical") || (source.contains("newrelic") && severity == "error")
+  actions:
+    - name: notify
+      provider:
+        type: console
+        with:
+          message: "Critical Datadog or error NewRelic alert: {{ alert.name }}"
diff --git a/examples/workflows/multi-condition-cel.yml b/examples/workflows/multi-condition-cel.yml
@@ -0,0 +1,13 @@
+workflow:
+  id: multi-condition-monitor-cel
+  name: Multi-Condition Monitor (CEL)
+  description: Monitors alerts with multiple conditions using CEL filters.
+  triggers:
+    - type: alert
+      cel: source.contains("prometheus") && severity == "critical" && environment == "production"
+  actions:
+    - name: notify
+      provider:
+        type: console
+        with:
+          message: "Critical production alert from Prometheus: {{ alert.name }}"
diff --git a/examples/workflows/opsgenie-create-alert-cel.yml b/examples/workflows/opsgenie-create-alert-cel.yml
@@ -0,0 +1,22 @@
+workflow:
+  id: opsgenie-critical-alert-creator-cel
+  name: OpsGenie Critical Alert Creator (CEL)
+  description: Creates OpsGenie alerts for critical Coralogix issues with team assignment and alert enrichment tracking using CEL filters.
+  triggers:
+    - type: manual
+    - type: alert
+      cel: source.contains("coralogix") && severity == "critical"
+  actions:
+    - name: create-alert
+      provider:
+        config: "{{ providers.opsgenie }}"
+        type: opsgenie
+        if: "not '{{ alert.opsgenie_alert_id }}'"
+        with:
+          message: "{{ alert.name }}"
+          responders:
+            - name: "{{ alert.team }}"
+              type: team
+          enrich_alert:
+            - key: opsgenie_alert_id
+              value: results.alertId
diff --git a/examples/workflows/pattern-matching-cel.yml b/examples/workflows/pattern-matching-cel.yml
@@ -0,0 +1,13 @@
+workflow:
+  id: pattern-matching-monitor-cel
+  name: Pattern Matching Monitor (CEL)
+  description: Monitors alerts with pattern matching using CEL filters.
+  triggers:
+    - type: alert
+      cel: name.contains("error") || name.contains("failure")
+  actions:
+    - name: notify
+      provider:
+        type: console
+        with:
+          message: "Error or failure detected: {{ alert.name }}"
diff --git a/examples/workflows/slack_basic_cel.yml b/examples/workflows/slack_basic_cel.yml
@@ -0,0 +1,15 @@
+workflow:
+  id: cloudwatch-slack-notifier-cel
+  name: CloudWatch Slack Notifier (CEL)
+  description: Forwards AWS CloudWatch alarms to Slack channels with customized alert messages using CEL filters.
+  triggers:
+    - type: alert
+      cel: source.contains("cloudwatch")
+    - type: manual
+  actions:
+    - name: trigger-slack
+      provider:
+        type: slack
+        config: " {{ providers.slack-prod }} "
+        with:
+          message: "Got alarm from aws cloudwatch! {{ alert.name }}"
diff --git a/keep-ui/app/(keep)/workflows/workflow-tile.tsx b/keep-ui/app/(keep)/workflows/workflow-tile.tsx
@@ -41,6 +41,7 @@ function TriggerTile({ trigger }: { trigger: Trigger }) {
       {trigger.type === "interval" && <span>{trigger.value} seconds</span>}
       {trigger.type === "alert" && (
         <span className="text-sm text-right">
+          {trigger.cel && <Fragment>CEL = {trigger.cel}</Fragment>}
           {trigger.filters &&
             trigger.filters.map((filter) => (
               <Fragment key={filter.key}>