Use multi-responder incidents

Learn how to use multi-responder incidents.

Splunk On-Call allows you to quickly mobilize teams around an incident. While a regular incident only requires a single acknowledgment to stop paging, multi-responder incidents require responses from each user or escalation policy being paged.

Note: The ability to manually invoke a multi-responder incident response, as opposed to having it automatically invoked through a routing key, requires the enterprise level of service.

Use cascading escalation policies

If an alert is sent to an escalation policy that references another escalation policy or set of escalation policies, and multi-responder is enabled, every first step in the escalation policy is required to respond if the parent escalation policy is called through a manual incident or as an additional responder.

This lets you build response plays that organize multiple teams around an incident by calling on only one escalation policy.

Send an incident that requires multiple responders

You may manually send an incident to users and escalation policies, requiring an individual acknowledgment per user or escalation policy.

When an incident requires multiple responders, it will not move to an acknowledged state until all required responders have acknowledged it. The following screenshot displays an example of the state of paging and progress of acknowledgment in the incident card.

Manually send an incident requiring multiple responders.

Add responders to an incident

To require responder acknowledgment on an incident:

  1. Select the responder icon.
  2. In the modal that appears, select which users or escalation policies to page and require individual acknowledgment from. This is similar to reroute, but instead of a single acknowledgment canceling paging, each escalation policy or user must acknowledge to move the incident to an acknowledged state.

View suggested responders

Splunk On-Call can suggest responders who are likely able to help. Splunk On-Call leverages information about user involvement in past incidents to suggest responders that may be added to incident response. If a user is currently not on call, a red warning symbol will appear next to the user’s name.

Automate multi-responder functionality using routing keys

To automatically invoke multi-responder functionality on a routing key level:

  1. Under Settings, select Routing Keys.

  2. Hover over an existing routing key and select the pencil icon that appears.

  3. On the Multi-Responder column, select the check box.

  4. Select the adjacent check mark to save the changes.

If multiple escalation policies are specified through the routing key, an acknowledgment is required from each of them before the incident becomes fully acknowledged.