Using the Incidents page
Using the incident management feature, you can list your current incidents. You can view all incidents, or incidents that are assigned to you or groups you are a member of. You can take ownership of incidents, and work with your teams and tools to resolve incidents.
About this task
Overview of the Incidents page.
Incidents are sorted based on priority level and the last time they changed, with the highest priority and the latest incident to have changes shown at the beginning of the list. Incidents of all priority levels are displayed by default.
Search and filter fields
Use the Search field to find incidents. You can use spaces when searching for more than one word, for example, when searching for a specific incident description. Search works on the following incident information:
Use the Filter to display incidents that do not have an owner, or to display incidents in specific states, such as Unassigned, In progress, or Escalated. You can also filter for incidents based on their priority level. Incidents of all priority levels are displayed by default.
Note: Select No owner to display all incidents that do not have a user assigned as the owner, even if the incident is assigned to a group. The No owner filter is mutually exclusive with the various Show status filters, such as Unassigned, Assigned, and On hold. For example, if No owner is selected, and then you select Assigned, the No owner filter is automatically deselected. Conversely, if Assigned is selected, and then you select No owner, the Assigned filter is automatically deselected. The same holds for any single or multiple selected of the Show status filters.
Displays information about the incident, including ID, priority level, short description, and ownership. Also shows the time the incident was last changed, and how long the incident has been open for based on the time elapsed since the first occurrence of the associated alerts. The Open for label changes to Duration when the incident is set to resolved.
The incident description is based on the resource data contained in the alert information. The same resource data is used to correlate the alerts into an incident.
To display a list of the top 5 resources affected by the incident, click the information icon next to Top resources affected.
Hover the cursor over the alert types count to display the top 5 alert types related to the incident.
Note: When alerts arrive as resolved (but correlate with an incident) the alert will be included in the total alerts count, but not in the resources affected eventype counts.
You can take ownership of incidents or assign them to other groups or users by clicking You have the option of assigning the incident to a group you are a member of, or to another user who is a member of that group. You can also click Show all to have all groups displayed, and assign the incident to a group you are not a member of. If the incident is assigned to a group already, but not to a user within that group, then all groups are displayed. Alternatively, click the User tab to look for a specific user to assign the incident to. If you click User and select a user who is a member of more than one group, then you must specify which group the incident is assigned to..
You can also resolve an incident here by clicking.
Displays the icon for the highest alert severity level that occurs in the incident, together with a total count for such alerts.
A link shows the total number of alerts that are part of the incident. Clicking the link opens the Alerts tab of the incident details page. A link opens the Resolution view where you can investigate the incident in more detail, and includes options for resolving it. For more information, see Table 2.
You can also use the grippy to drag the incident to the sidebar and assign it to a group or user.
Shows users or groups, or the incidents assigned to you. Use the drop-down list to switch between them.
Drag an incident to a user or group to assign it to them. You can also drag a user or group from the sidebar to an incident to assign the user or group to the incident.
Use the grippy to drag users, groups, or incidents.
Overview of the incident details UI.
Click Investigate on the incident bar in any of the incident lists to access the Resolution view.
Provides information about the incident, including priority level, description, ownership, status, the most recent timeline, and a list of runbooks available to perform for potential resolution. You can set the status of the incident here to In progress, On hold, or Resolved.
If available, a list of runbooks is shown, sorted based on success rate and user rating. Information is also displayed about whether a runbook is a manual or an automated one. You can select runbooks to run against the alerts causing the incident by clickingfor the runbook you want to apply. You can also preview the details of the runbook before running it by clicking .
The runbooks are associated with the alerts as set in runbook triggers. For more information, see the related link at the end of this topic.
Note: You can execute runbooks manually as mentioned earlier. You can also have runbooks that run automatically if they contain only automated steps and were selected to run automatically when assigned to alerts in a runbook trigger. These runbooks show Type: Automated. A status message is shown in the timeline for manual runbooks indicating whether they ran successfully, did not work, are in progress, or were paused.
Important: If you take an action against an incident that is not assigned to an owner, such as running a runbook manually, the incident status is automatically set to In progress, and the incident is assigned to you. The incident is also automatically assigned to you if you manually set the incident state to In progress. If you are a member of more than one group, then you must choose a group. You will be taking ownership of the incident and working to resolve it as a member of the selected group.
Re-selecting No owner will clear any other status.
The Resolution view also includes the Collaborate list showing colleagues you can assign the incident to.
You can also assign the incident to another group by clicking the Assign group link in the Group field. You have the option of assigning the incident to a group you are a member of, or to another user who is a member of that group. You can also click Show all to have all groups displayed, and assign the incident to a group you are not a member of. If the incident is assigned to a group already, but not to a user within that group, then all groups are displayed. Alternatively, click the User tab to look for a specific user to assign the incident to. If you click User and select a user who is a member of more than one group, then you must specify which group the incident is assigned to.
To access the Alerts tab, click Alerts on the incident bar in any of the incident lists, or click the incident assigned to you in the sidebar (available when My incidents is selected from the drop-down menu). You can also click the Alerts link in the Resolution view to go to the Alerts tab, or click the tab itself.
Lists all the active alerts and alert groups that are part of the incident.
For more information on how the alerts are presented in this tab, see the Monitoring alerts link at the end of this topic.
Click the Timeline tab in the Resolution view.
Displays the full history of the incident and its related alerts, including the alerts that are correlated to the incident, time when the incident was generated, state changes such as assignments made, and comments added manually. The timeline is sorted from newest to oldest by default. You can optionally flip the timeline. To do this, click the drop-down list and select Oldest first.
You can also add comments using the Add comment button.
Click the Resources tab in the Resolution view.
Displays a list of the resources affected, including Resource name, Type of resource, and the number of Alerts per resource.