Incident pane
About the Incident pane in Splunk On-Call which displays incoming alerts.
Requirements
The incident pane requires the standard or enterprise level of service.
The incident pane serves as a repository for recent activities in your timeline. The incident pane, located to the right of the timeline, houses alerts that come into Splunk On-Call. We currently store seven days or 1,000 events' worth of timeline alert history, whichever comes first. Historical data that falls outside these storage limits can be obtained through the VictorOps API.
Incident owner tabs
The tabs along the top level in the incident pane are the incident owner tabs, which define the association of incidents by all activity, individual user interaction, and team interaction. These tabs allow you to quickly limit the scope of work from all incidents to incidents that pertain only to you and your team.
To display all or only certain panes (People, Timeline, or Incident), select Customize View. In the drop-down menu, select the desired panes.
Incident status tabs
At the top of the incident pane, you will see three categories: Triggered, Acknowledged, and Resolved.
From the Triggered tab, you may select a single incident or multiple incidents to acknowledge, reroute, or snooze.
From the Acked tab, you may select a single incident or multiple incidents to resolve, reroute, or snooze.
Once a triggered incident has been acknowledged and resolved, you may view it in the Resolved tab. Here, and in the other tabs, you may select a single incident to review. You may also pop the incident details out into a separate window for easier viewing.
The control call (conference calling) and maintenance mode icons are available in the upper right-hand corner of the Incident Pane. Control call is an enterprise-level feature that enables quick and effective communication via conference call with your team when you’re in the midst of a firefight. Maintenance mode allows you to temporarily silence alerts in order to complete work without unnecessarily paging on-call teammates.
New triggered incident
When a new incident reaches the Splunk On-Call timeline, the incident will appear in the Triggered tab.
Once the triggered incident appears under the Triggered incident tab, you can acknowledge it by selecting the check mark in the upper-right corner of the incident.
You also have the option to acknowledge multiple incidents at one time. Select the box on the left corner of the triggered incident in the incident pane.
Incident details view
The incident details view provides a holistic overview of all information related to a particular incident, including annotations. The incident details view can be accessed in a few ways:
- Incident number link located at the top of the alert card (Incident #177 Datadog in screenshot below)
- Incident Details link in the bottom right corner of the alert card
- Incident number link in the bottom right corner of the alert card
The incident details view contains the incident card and three tabs displaying the detailed payload, incident timeline (all events from the timeline related to the incident), and annotations from the most recent alert.
Incidents can be acknowledged, rerouted, and resolved from this view. Additional responders can be added from this view as well.
Popping out the incident details view for a particular incident will open a new window with a more expansive display. This is useful if there are multiple annotations or a lengthy payload or incident timeline.
Below is an example of the incident popped out in a new window with a transformed annotation.
If an incident doesn’t have annotations attached to it, Splunk On-Call will display the following message: