Incident Pane
Versions Supported: N/A (SaaS). VictorOps Version Required: Standard and Enterprise
The Incident Pane serves as a repository for recent activities in your Timeline. The Incident Pane, located to the right of the Timeline, houses alerts that come into Splunk On-Call. We currently store seven days or 1,000 events' worth of timeline alert history, whichever comes first. Historical data that falls outside these storage limits of the Incident Pane can be obtained through the VictorOps API.
The tabs along the top level of the Incident Pane are the Incident Owner tabs, which group incidents by all activity, individual user interaction, and team interaction. These tabs allow you to quickly limit the scope of work from all incidents to incidents that pertain only to you and your team.
To display all or only certain panes (People, Timeline, and Incident), select Customize View. In this drop-down, you can deselect any of the options and reselect them later if wanted.
The Incident pane, located to the right of the Timeline, houses alerts that come into Splunk On-Call. At the top of the Incident pane, you will see three categories: Triggered, Acknowledged, and Resolved.
From the Triggered tab, you may select a single incident or multiple incidents to ack, reroute, or snooze.
From the Acked tab, you may select a single incident or multiple incidents to resolve, reroute, or snooze.
Once a Triggered incident has been acked and resolved, you may view it in the Resolved tab. Here, and in the other tabs, you may select a single incident to review. You may also pop the incident details out into a separate window for easier viewing.
Also, note the Control Call (Conference Calling) and Maintenance Mode icons in the upper right-hand corner of the Incident Pane. Control Call is an Enterprise-level feature that enables quick and effective communication via conference call with your team when you’re in the midst of a firefight. Maintenance Mode, on the other hand, allows you to temporarily silence alerts in order to complete work without unnecessarily paging on-call teammates.
When a new incident reaches the Splunk On-Call timeline, the incident will appear in the Triggered incidents tab.
Once the triggered incident appears under the Triggered incidents tab, you may ack it by selecting the check mark in the upper right corner of the incident.
You also have the option to acknowledge multiple incidents at one time. To do this, select the box in the left corner of the triggered incident in the Incident Pane.
The Incident Details view provides a holistic overview of all information related to a particular incident, including annotations. The Incident Details view can be accessed in a few ways:
Incident number link located at the top of the alert card (Incident #177 Datadog in screenshot below)
Incident Details link in the bottom right corner of the alert card
Incident number link in the bottom right corner of the alert card
Annotations can be found in the bottom right corner of incident cards.
Note: Annotations are added to incidents using the Rules Engine. This feature is only available in the Full Stack plan.
The incident details view contains the incident card and three tabs displaying the detailed payload, Incident Timeline (that is, all events from the timeline related to the incident), and annotations from the most recent alert.
Incidents can be acknowledged, rerouted, and resolved from this view. Additional responders can be added from this view as well.
Popping out the incident details view for a particular incident will open a new window with a more expansive display. This is useful if there are multiple annotations or a lengthy payload or incident timeline.
Below is an example of the incident popped out in a new window with a transformed annotation.
If an incident doesn’t have annotations attached to it, Splunk On-Call will display the following message.