Application incidents

An incident is a collection of insights that are derived from different data sources such as logs, events, and alerts. Incidents can help you build understanding and help drive remediation.

Incidents represent the determination of an incident and are categorized by priority from 1 (high) to 5 (low).

Before you begin

Incidents are created automatically when the underlying data integrations, AI models, and processes are set up and running. To display an incident against an application, the application must be associated with the incident.

Note: If an issue or an alert occurs and is part of a resource or group of resources but occurs prior to an application being created, then the related incident will not appear in the application details view. It will, however, appear in the application hub incident count.

  1. Configure a ChatOps integration. For more information, see ChatOps insight management.

  2. Define or edit an application. For more information, see Defining and managing applications.

    The application needs to include the resource groups that are associated with the incidents.

  3. Configure an integration to the data source that provides the incident data, such as for obtaining event or log data. For more information, see Configuring Integrations.

  4. Create and train an AI model to process the data.

    For example:

    Log anomaly detection: You can train a log anomaly detection model to generate log anomalies, which can then be raised through an incident.

    Event grouping: You can group multiple events into an incident.

    Similar tickets: You can search for similar tickets in the context of an incident.

    You might need to enable the integration data flow to collect a sufficient quantity and quality of data from your data source for model training.

    For more information, see Managing AI models.

  5. After the model training is complete, ensure that the integration data flow is enabled and set to collect live data for event, incident, or anomaly detection.

When you have the ChatOps integration set up, the data flow enabled, and AI model training completed and working, incidents are created automatically when incidents occur.

Where incidents are associated with an application, the incidents are shown as summary cards on the details page for that application.

View incidents for an application

When you have integrations set up to begin creating incidents and an incident is associated with an application, the incident can be viewed against that specific application:

  1. Log in to the IBM Cloud Pak for AIOps console.

  2. From the main navigation, click Resource management.

  3. From the Resource management page, select the Applications tab and find the application that is associated with the incidents that you want to view. Complete either of the following steps:

    • If your application is set as a favorite, click View details on the summary card for the application in the Favorites section of the page.

    • For any application, find the application in the table of all applications by searching for it or browsing the table.

  4. You can view all incidents for that application within the collapsible Incidents section on the right side of the page.

    If multiple incidents are associated with the application, you can use the Search field to find your incident, or filter the list of incidents by using the Last updated, Priority, or Number of alerts drop-down. You can also click the Filter icon to open a filter dialog, which you can use to filter the incidents at a more granular level by priority, status or time range.

For each incident listed in the Incidents sidebar, the displayed summary card includes the following information:

  • Incident title that is generated based on the events
  • Timestamp for when the incident was last updated
  • Short description of the incident
  • Assigned priority
  • Status
  • Number of alerts generated

Note: You can expand an incident to view more details by clicking anywhere on an incident card. The additional details for the incident include the following information:

  • The application name and the link to the application within the Resource management page
  • The incident Slack or Microsoft Teams link, if defined
  • Incident ID
  • Incident owner
  • User group
  • Date and timestamp for when the incident was created
  • Additional Alert details
  • A View incident link

The additional Alert details include Show history and Center to buttons, which you can click to zoom into the affected resources in the Topology viewer to display the alerts in their historical context.

You can click the View incident link to view the same details for the incident.

If you are using a Slack or Teams integration, you can also click the chat link on this dialog to open the connected ChatOps service and work with the incident and related incidents in your ChatOps interface. Threads might be associated with the incident, which can include links to the individual alerts that comprise the incident and any updates to the incident. If the probable cause information is available, the links are highlighted. You can click the probable cause links to open the topology for the associated resource in the Topology viewer.

View relevant events shows the events that are grouped within the incident. You can click the event link to view the log source for that event.

If you click Search Recommended actions, the similar tickets search dialog opens to show you similar past tickets.

For more information, see ChatOps insight management.