Incident Management is not available on the Datadog for Government site.
Any event that may lead to a disruption in your organization’s services can be described as an incident, and it is often necessary to have a set framework for handling these events. Datadog’s Incident Management feature provides a system through which your organization can effectively identify and mitigate incidents.
Incidents live in Datadog alongside the metrics, traces, and logs you are collecting. You can view and filter incidents that are relevant to you.
In the Datadog paradigm, any of the following are appropriate situations for declaring an incident:
- An issue is or may be impacting customers or services.
- You do not know whether you should call an incident. Notify other people and increase severity appropriately.
Incident Management requires no installation. To view your incidents, go to the Incidents page to see a feed of all ongoing incidents. You can configure additional fields that appear for all incidents in Incident Settings.
Note: View your Incidents list from your mobile device home screen and manage/create incidents by downloading the Datadog Mobile App, available on the Apple App Store and Google Play Store.
Creating an incident
From a graph
You can declare an incident directly from a graph by clicking the export button on the graph and then clicking Declare incident. The incident creation modal appears, and the graph is added to the incident as a signal.
From the Clipboard
Use the Datadog Clipboard to gather multiple monitors and graphs and to generate an incident. To add a dashboard to the Clipboard, copy any graph, and then select Open Clipboard. Add all of the relevant graphs and monitors to the Clipboard and then click Add to New Incident. Everything on the Clipboard is added to the incident as a signal.
Note: In addition to exporting from an incident, data on the Clipboard can be exported to a new dashboard or a notebook.
From a monitor
You can declare an incident directly from a monitor by clicking Declare incident. The incident creation modal appears, and the monitor is added into the incident as a signal.
You can also add a monitor to an existing incident.
From a Security Signal
Declare an incident directly from a Cloud SIEM or Cloud Workload Security signal by clicking the kebab button on the top right of the side panel, and clicking Declare incident.
Declare an incident from an Application Security Management signal by selecting the export button on the top right of the side panel, and clicking Export to incident.
From the Incidents page
In the Datadog UI, click New Incident to create an incident.
The incident creation modal provides responders with a collapsible side panel that contains helper text and descriptions for the severities and statuses used by your organization. The helper text and descriptions are customizable in the Incident Settings.
Once you have the Datadog integration enabled on Slack, from any Slack channel you can use the slash command
/datadog incident to declare a new incident.
In the creation modal, you add a descriptive title, select whether customers were impacted (yes, no, or unknown) and select a severity level (1-5, unknown).
If the user declaring the incident has connected their Slack to their Datadog account, then, by default, that user will become the Incident Commander. The Incident Commander (IC) can be changed later in-app if necessary. If the person declaring an incident is not a member of a Datadog account, then the IC is assigned to a generic
Slack app user and can be assigned to another IC in-app.
Read more about using the Datadog Slack App here.
If the user declaring the incident is a part of your Datadog account, then that user becomes the Incident Commander (IC) by default. If the person declaring an incident is not part of your Datadog account, then the IC is assigned to a generic
Slack app user. The IC can be changed on the incidents page in the Datadog app.
Once you declare an incident from Slack, it generates an incident channel.
For more information about the Datadog Slack integration, check out the docs.
Describing the incident
No matter where you create an incident, it’s important to describe it as thoroughly as possible to share the information with other people involved in your company’s incident management process.
When you create an incident, an incident modal comes up. This modal has several core elements:
Severity Level: Denotes the severity of your incident, from SEV-1 (most severe) to SEV-5 (least severe). If your incident is under initial investigation, and you do not know the severity yet, select UNKNOWN.
- SEV-1: Critical impact
- SEV-2: High impact
- SEV-3: Moderate impact
- SEV-4: Low impact
- SEV-5: Minor issue
- UNKNOWN: Initial investigation
Note: You can customize the description of each severity level to fit the requirements of your organization.
Title: Give your incident a descriptive title.
Signals: The reason(s) you are declaring the incident. These can be graphs, logs, or other key visuals.
Incident commander: This person is assigned as the leader of the incident investigation.
Additional notifications: Notify other teams or people.
Click on “Declare Incident” to finish creating your incident.
Updating the incident and the incident timeline
An incident’s status can be updated directly on the incident’s overview page, or from Slack within the dedicated incident channel. To update an incident from its Slack channel, use this slash command to open the update modal:
/datadog incident update
Update the impact section to specify customer impact, the start and end times of the impact, and whether the incident is still active. This section also requires a description of the scope of impact to be completed.
In the incident header, you can see the incident’s state, severity, timestamp, impact, and duration, as well as who has responded to the incident. You can also notify responders of updates. There are quick links to chat channels (if not using the Datadog Slack App, video conferencing, and attached postmortem (if one has been added).
Timeline data is automatically categorized, so you can use the facets to filter through timeline content. This is particularly useful for long incidents with longer investigations. This makes it easier for ICs and responders to filter through for who is involved, what progress has been made, and what’s already investigated. As the author of the timeline notes, you can edit the timestamps and message notes as they are created. You can also flag timeline calls to highlight them to other people monitoring the incident.
The default includes the statuses Active, Stable, and Resolved. Completed can be enabled or disabled. You can customize the description of each status level to fit the requirements of your organization.
- Active: Incident affecting others.
- Stable: Incident no longer affecting others, but investigations incomplete.
- Resolved: Incident no longer affecting others and investigations complete.
- Completed: All remediation complete.
As the status of an incident changes, Datadog tracks time-to-resolution as follows:
|Status Transition||Resolved Timestamp|
|Overridden on last transition|
Assessment fields are the metadata and context that you can define per incident. These fields are key:value metric tags. These field keys are added in settings, and the values are then available when you are assessing the impact of an incident on the overview page. For example, you can add an Application field. The following fields are available for assessment in all incidents:
- Root Cause: This text field allows you to enter the description of the root cause, triggers, and contributing factors of the incident.
- Detection Method: Specify how the incident was detected with these default options: customer, employee, monitor, other, or unknown.
- Services: If you have APM configured, your APM services are available for incident assessment. To learn more about configuring your services in APM, see the docs.
- If you are not using Datadog APM, you can upload service names as a CSV. Any values uploaded via CSV are only be available within Incident Management for incident assessment purposes.
- Datadog deduplicates service names case-insensitively, so if you use “My Service” or “my service”, only the manually added one is shown.
- Datadog overrides APM service names in favor of the manually uploaded list.
- Note that if the service is an APM service and no metrics are posted in the past seven days, it does not appear in the search results.
- Further integrate with Datadog products and accurately assess service impact. The Services property field is automatically populated with APM services for customers using Datadog APM.
- Teams: Choose from the teams defined in your organization. It is not necessary to upload a list of teams from a CSV file.
Incident Management collects the following analytic measures:
- Incident Count
- Customer Impact Duration
- Status Active Duration
- Status Stable Duration
- Time to Repair (customer impact end time - created time)
- Time to Resolve (resolved time - created time)
For more information about Incident Management graphs, see Incident Management Analytics.
In addition to integrating with Slack, Incident Management also integrates with:
Ready to try it out?
Work through an example workflow in the Getting Started with Incident Management guide.
Additional helpful documentation, links, and articles: