Any event that may lead to a disruption in your organization’s services can be described as an incident, and it is often necessary to have a set framework for handling these events. Datadog’s Incident Management feature provides a system through which your organization can effectively identify and mitigate incidents.
Incidents live in Datadog alongside the metrics, traces, and logs you are collecting. You can view and filter incidents that are relevant to you.
In the Datadog paradigm, any of the following are appropriate situations for declaring an incident:
Incident Management requires no installation. To view your incidents, go to the Incidents page to see a feed of all ongoing incidents. You can configure additional fields that appear for all incidents in Incident Settings.
You can declare an incident directly from a graph by clicking the export button on the graph and then clicking Declare incident. The incident creation modal appears, and the graph is added to the incident as a signal.
Use the Datadog Clipboard to gather multiple monitors and graphs and to generate an incident. To add a dashboard to the Clipboard, copy any graph, and then select Open Clipboard. Add all of the relevant graphs and monitors to the Clipboard and then click Add to New Incident. Everything on the Clipboard is added to the incident as a signal.
Note: In addition to exporting from an incident, data on the Clipboard can be exported to a new dashboard or a notebook.
You can declare an incident directly from a monitor by clicking Declare incident. The incident creation modal appears, and the monitor is added into the incident as a signal.
You can also add a monitor to an existing incident.
In the Datadog UI, click New Incident to create an incident.
The incident creation modal provides responders with a collapsible side panel that contains helper text and descriptions for the severities and statuses used by your organization. The helper text and descriptions are customizable in the Incident Settings.
Once you have the Datadog integration enabled on Slack, from any Slack channel you can use the slash command
/datadog incident to declare a new incident.
In the creation modal, you add a descriptive title, select whether customers were impacted (yes, no, or unknown) and select a severity level (1-5, unknown).
If the user declaring the incident has connected their Slack to their Datadog account, then, by default, that user will become the Incident Commander. The Incident Commander (IC) can be changed later in-app if necessary. If the person declaring an incident is not a member of a Datadog account, then the IC is assigned to a generic
Slack app user and can be assigned to another IC in-app.
Read more about using the Datadog Slack App here.
If the user declaring the incident is a part of your Datadog account, then that user becomes the Incident Commander (IC) by default. If the person declaring an incident is not part of your Datadog account, then the IC is assigned to a generic
Slack app user. The IC can be changed on the incidents page in the Datadog app.
Once you declare an incident from Slack, it generates an incident channel.
For more information about the Datadog Slack integration, check out the docs.
No matter where you create an incident, it’s important to describe it as thoroughly as possible to share the information with other people involved in your company’s incident management process.
When you create an incident, an incident modal comes up. This modal has several core elements:
Severity Level: Denotes the severity of your incident, from SEV-1 (most severe) to SEV-5 (least severe). If your incident is under initial investigation, and you do not know the severity yet, select UNKNOWN.
Note: You can customize the description of each severity level to fit the requirements of your organization.
Title: Give your incident a descriptive title.
Signals: The reason(s) you are declaring the incident. These can be graphs, logs, or other key visuals.
Incident commander: This person is assigned as the leader of the incident investigation.
Additional notifications: Notify other teams or people.
Click on “Declare Incident” to finish creating your incident.
An incident’s status can be updated directly in the overview page of the incident or from Slack within the dedicated incident channel. To update an incident from Slack, use this slash command to pull up the update modal:
/datadog incident update
You can also update the impact section to specify if there was customer impact, the incident timeline, and whether or not it’s still active. This section also requires a description of the scope of impact to be completed.
In the incident header, you can see the incident’s state, severity, timestamp, impact, and duration, as well as who has responded to the incident. You can also notify responders of updates. There are quick links to chat channels (if not using the Datadog Slack App, video conferencing, and attached postmortem (if one has been added).
Timeline data is automatically categorized, so you can use the facets to filter through timeline content. This is particularly useful for long incidents with longer investigations. This makes it easier for ICs and responders to filter through for who is involved, what progress has been made, and what’s already investigated. As the author of the timeline notes, you can edit the timestamps and message notes as they are created. You can also flag timeline calls to highlight them to other people monitoring the incident.
The default includes the statuses Active, Stable, and Resolved. Completed can be enabled or disabled. You can customize the description of each status level to fit the requirements of your organization.
As the status of an incident changes, Datadog tracks time-to-resolution as follows:
|Status Transition||Resolved Timestamp|
|Overridden on last transition|
Assessment fields are the metadata and context that you can define per incident. These fields are key:value metric tags. These field keys are added in settings, and the values are then available when you are assessing the impact of an incident on the overview page. For example, you can add an Application field. The following fields are available for assessment in all incidents:
Incident Management collects the following analytic measures:
For more information about Incident Management graphs, see Incident Management Analytics.
In addition to integrating with Slack, Incident Management also integrates with:
Work through an example workflow in the Getting Started with Incident Management guide.
Additional helpful documentation, links, and articles: