Investigating an alert

This page describes how to investigate an alert, so that you can decide whether to begin an incident response or to dismiss the alert as unactionable. This page also describes how to create an incident with no pre-existing alert in IRM.

Receiving an alert notification

Depending on how your alerting policies are configured, you receive and acknowledge an alert notification through your notification channel (for instance, email, Slack, or PagerDuty).

Click the View Details link in the alert notification. This takes you to the Alert Details view in the IRM tool.

If you are prompted to choose a Workspace, select it from the drop-down menu in the top navigation bar:

IRM

If you didn't receive an alert notification (for instance, if the alerting policy's notification channels don't include you), you can still search a Workspace for alerts if you have access to the Workspace. You can narrow or broaden the incidents or alerts you see on your dashboard, using the search function at the top.

Search bar

Searches don't persist across sessions. For details on IRM search functionality, read Searching with IRM.

Evaluate an alert

To investigate an alert and create a new incident from it, complete the following steps:

  1. If you aren't already in the IRM console, navigate to it.

    Go to the IRM dashboard

  2. Choose the alert you want to investigate by clicking on its row in the Available Alerts list.

  3. Review the chart, alert details, and any available insights on the Alert Details view to determine an initial diagnosis of the situation.

  4. If the alert is unactionable, and isn't truly affecting your services or users (for example, a false positive alert), dismiss it.

    If the alert is actionable, and warrants further actions to mitigate an issue, start the creation of a new incident by clicking Take action > New incident:

    IRM

    This leads you to the bottom of the page.

  5. Under Investigation updates, enter a brief update of your actions.

  6. To finish creating the incident, click Continue Investigation. This takes you to the Incident Details view, where you can start managing the incident.

Dismiss an alert

When initially triaging an alert, if you determine that the alert is unactionable (for example, isn't actually an issue affecting your services or users), you can dismiss the alert. To do so, select Take Action > Dismiss on the Alert Details view.

Dismiss alert

This action takes you to the bottom of the Alert Details view, and automatically creates an incident, but tags it with the action:dismiss tag, sets its severity to Negligible, and sets its stage to Resolved.

You can continue to add investigation updates or edit the incident like you would any other incident.

Create an incident without an alert

If an issue is affecting your services or users but has not triggered an alert, you can manually create an incident:

  1. In the Incidents section of the IRM dashboard, click Create manual incident

    Create manual incident

    This takes you to the Create manual incident page.

  2. Enter a descriptive title and click Create.

IRM creates an incident with a corresponding alert and the title you specified. You can interact with an incident created this way just as you interact with any other incident.

Next steps

For detailed guidance on managing an incident, go to Managing an incident.

For a description of IRM concepts that you might find useful as you begin using IRM, see Concepts.

Send feedback about...

Stackdriver Incident Response and Management (IRM) Documentation
Need help? Visit our support page.