Searching and filtering incidents

Search for incidents by name, or filter the list based on selected criteria.

  1. Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.
  2. In the main navigation menu, click Operate > Incidents.

Search incidents

  • Click anywhere in the Search field.
  • Type a description of the incident in the search field. For example, type "failed" and the table shows all incidents that contain the text "failed" in the description.

Predefined incident filters

All incidents are displayed in the incident list by default. Click the downward-pointing chevron icon to select from the following predefined filters:

  • High priority

  • Unassigned

Filter incidents

Click Filter to open the filter side panel. There are two filter modes available to build your filter: Basic and Advanced.

Note: Advanced filters cannot be viewed in Basic mode.

Figure. Search and filter incidents

Basic mode

  • Select from the following filters for incidents:

    • Priority: P1 - highest priority, through to P5 - lowest.
    • Status: Unassigned, Assigned, In progress, On hold, or Resolved.
    • Owner: Find owners to filter by.
    • User groups: Find user groups to filter by.
    • First occurrence: under 5 minutes, under 30 minutes, under 1 hour, 1 hour to 1 day, 1 day to 7 days, 7 days to 15 days, 15 days to 30 days, 30 days and above.
    • Impacted applications: Find impacted applications to filter by. This filter is not supported in Advanced mode or restriction filters.
    • Other properties: Create more personalized filters by using incident properties.
    • Alert properties: Apply filters to the incident list based on alert details within incidents. This filter is not supported in Advanced mode or restriction filters.

  • Expand Other properties or Alert properties and complete the fields as follows:

    • AND and OR: when adding conditions, you can join multiple condition types by using the AND and OR operators. The AND operator means that incidents or alerts are matched only if all of the individual conditions are true. The OR operator means that incidents or alerts are matched if any of the individual conditions are true. The default behavior for incident or alert filter conditions is AND.

    • Property: select from incident or alert attributes that are predefined for Cloud Pak for AIOps and common to most incidents or alerts.

    • Operator: select a comparison operator from this list. The range of comparisons available is determined by your selection in the Property field.

    • Value: the fields (or free-form string value) that appear here are dependent on the options that are selected in the Property and Operator lists.

    • Click Apply to apply your filter condition.

  • Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.

Advanced mode

  • The Advanced tab allows you to create custom filter conditions. The filter language is based on a version of the PostgreSQL WHERE clause. For more information about the filter language syntax, see Advanced filter language syntax.

    Figure. Advanced filter conditions

  • When entering a filter on the Advanced tab, the syntax is validated as you construct the expression. The editor does not allow you to apply or save a malformed expression. A green checkmark indicates that the syntax is correct.

    Figure. Malformed expression

  • As you type, example values are suggested based on supported alert and incident properties. For more information about the searchable properties and their data types, see Issue resolution API reference (Swagger). However, you are not required to use these values. Custom properties can be used (suggestions are not provided). Note that you cannot use alert properties in incident advanced filters. Alert or incident insight properties are not supported.

    When a filter is saved in advanced mode, it cannot be converted back to basic mode. The Basic tab is no longer displayed when editing an advanced filter.

    Figure. Advanced filter

    Warning: Excessive use of regular expressions with the Like operator can impact performance.

  • Click Apply to apply your filter condition.

  • Click Reset filter to clear changes that have been applied to a filter, or select Clear all from the list of options (three vertical dots). From the options list you can also Delete filter and Edit filter settings.

To update an existing filter

  • After you have modified the existing filter criteria, click Save.

  • A Filter updated message is displayed to confirm that your changes have been saved.

Note: An asterisk (*) is displayed next to the filter name if there are unsaved changes to the selected filter. An asterisk is also displayed when another user has modified the current filter. Unsaved filters are only applied to the already fetched alerts. Click Reset filter in the filter side panel to get the latest changes to the filter and have them applied to the incident list.

To create or save a new filter

  • Click the three vertical dots in the Filter conditions side panel to open the list of options.

  • To modify an existing filter and save it under a new name, select Save as a new filter.

    Figure. Save as new filter dialog

    1. Enter a Filter name and Description.

    Figure. alerts save as new filter

    Note: Filter names must be unique across different categories of filters, whether a normal filter or a restriction filter set by an administrator. If a chosen filter name is already in use for any type of filter, an error message is displayed to say the filter name already exists.

    Select who can use this filter from the following options:

    • Only me

    • Specified users, user groups, or both: to manage access, you can select users, user groups, or both. Any selection you make includes yourself. After you select the users or user groups who can use the filter, you must specify their level of access:

      • Can use: users can see the filter in the drop-down list and apply it to the list of alerts.
      • And edit: users can use, edit, and save the filter.
      • And manage: users can use, edit, and manage the filter name, description, and access control.

    • Everyone: additionally specify if everyone can Use this filter or Edit this filter.

    2. Click Save as new filter.

  • To create a new blank filter, select Create filter. This is equivalent to Save as a new filter > All incidents.

    Note: Alternatively, if you are an administrator who has manage profiles privileges enabled, you can see and click the Save as a new restriction filter option, which provides Role Based Access Control (RBAC) by applying restriction filters, in this case to incidents.

    Figure. Save as new restriction filter

    The Save a new restriction filter dialog that opens differs slightly from the regular Save a new filter dialog, including in the fields to complete, as shown in the following figures.

    Figure. Incidents save a new filter

    Figure. Incidents save a new restriction filter

    Notes:

    • A Role Based Access Control (RBAC) restriction filter that is applied to a user filters the data they see; the user can still apply their own filter conditions on top of that RBAC filter.

    • Free-form string values that are applied on top of a saved filter, either by using the search text field or the filter conditions side panel, are case-insensitive. However, saved filters applied to the incident list are case-sensitive.
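
The two notes above, combined with the AND and OR condition semantics from Basic mode, as an added Python example that is not Cloud Pak for AIOps code: a simplified model showing that a user's OR condition cannot widen what a restriction filter allows, and that a case-sensitive saved filter can miss rows that a free-form search finds. The property names, operator names, sample incidents, and the evaluation order are assumptions made for illustration.

```python
# Simplified model of the filter layering described on this page.
# Property names, operators and incidents are constructed, not product data.

INCIDENTS = [
    {"id": 1, "description": "Login service Failed", "priority": 1, "owner": "alice"},
    {"id": 2, "description": "disk failed on node7", "priority": 3, "owner": "bob"},
    {"id": 3, "description": "Latency spike", "priority": 1, "owner": "alice"},
    {"id": 4, "description": "backup failed", "priority": 5, "owner": "carol"},
]

# Hypothetical operator names; the real list depends on the selected property.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,  # case-sensitive
    "at_most": lambda actual, expected: actual <= expected,
}


def matches(incident, conditions, join="AND"):
    """Evaluate (property, operator, value) conditions; AND is the default join."""
    if not conditions:
        return True  # an empty filter matches everything
    results = [OPERATORS[op](incident[prop], value) for prop, op, value in conditions]
    return all(results) if join == "AND" else any(results)


def visible_ids(incidents, restriction, saved, join="AND", search=""):
    """Apply the restriction filter, then the saved filter, then free-form search."""
    out = []
    for inc in incidents:
        if not matches(inc, restriction):   # RBAC layer, enforced for every row
            continue
        if not matches(inc, saved, join):   # saved filter: case-sensitive values
            continue
        if search.lower() not in inc["description"].lower():  # case-insensitive
            continue
        out.append(inc["id"])
    return out


# Restriction: this user may only see P1 to P3 incidents.
P1_TO_P3 = [("priority", "at_most", 3)]
# User filter joined with OR; the carol-owned P5 incident stays hidden.
USER_OR = [("owner", "equals", "carol"), ("description", "contains", "failed")]

if __name__ == "__main__":
    print(visible_ids(INCIDENTS, P1_TO_P3, USER_OR, join="OR"))
    print(visible_ids(INCIDENTS, P1_TO_P3, [], search="failed"))
```

In this model, incident 1 ("Login service Failed") is missed by the saved condition on "failed" but is found by the free-form search, which is the mismatch to check for when a saved or restriction filter returns fewer incidents than expected.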