Searching with IRM

This guide shows you how to search incidents and alerts using the Incident Response and Management (IRM) console.

Getting started

Search functionality is available on the dashboard of the IRM console. To get started, follow these steps:

  1. Go to the IRM console dashboard.

  2. Using the drop-down menu at the top of the dashboard, select the Workspace whose incidents or alerts you want to search.

The IRM console dashboard features a search box, indicated by the Search icon.

In the search box, enter your search query and press ENTER.

A toggle switch lets you limit your search query to the last 7 days of alerts listed under Available alerts. Toggle the switch again to return to an unlimited search.

When searching incidents and alerts, IRM search evaluates the following fields:

  • Incident title
  • Summary
  • Investigation updates
  • Alert titles and alert details of the alerts that are added to incidents

When searching just alerts, IRM search evaluates only the alerts' title field.

Some of these fields are indexed; for details, see Indexed fields.

Suggestions and highlighting as you type: When you type a search query into the search box, the search box displays suggestions for matching indexed fields. To choose a suggestion, press TAB. If you don't see suggestions, try pressing CTRL + SPACE.

Using a keyboard: If you are using a keyboard to type a search query into the search box, you can press ESC to exit the editing mode and then press TAB to navigate to the other options on the IRM console dashboard.

Search syntax

IRM search queries can consist of freeform text, key-value pairs, and operators.

All searches on plain text are case-insensitive.

Use parentheses (()) to group expressions within a search query; for example, (foo OR bar) foobar.

Use a colon (:) to indicate a key-value pair; for example, bar:foo. For details on key-value pairs supported by IRM search, go to Indexed fields.

Quotation marks ("") let you match on exact text strings; for example, "foo bar".

Quotation marks

Quotation marks ("") must be used when matching strings that contain special characters in the field's value, such as spaces, colons, parentheses, less-than and greater-than signs, equals signs, and leading dashes. For example, the string "v1.compute.logging.rate" is quoted because it contains periods. To include a quotation mark within a string, precede the quotation mark with a backslash. If you are searching for the strings AND, OR or NOT, you must use quotation marks.

Search operators

Search operators connect and define relationships between your search terms. The search operators are case-sensitive and must be capitalized. The operators AND and OR cannot be combined in the same expression; use parentheses to separate your expressions.

IRM search recognizes the following search operators:

Operator   Matches if:                             Example query
AND        All search terms are present            start>2018-12-01 AND foobar
OR         One or more search terms are present    foobar OR barfoo
NOT        The search term is not present          "logging rate" NOT stage:resolved

Note that a space between search terms is equivalent to connecting them by the AND operator; foo bar is equivalent to foo AND bar.

Searching by time

You can search incidents by their start (timestamp) fields. IRM assumes that the dates and times you enter in your search queries are in your current time zone, as determined by your browser.

Following are the timestamp formats that are supported by IRM search:

Format                   Matches incidents that started:
start>7d                 After the point in time 7 24-hour periods ago
yyyy-MM-dd               On that exact date, treated as a calendar-day-wide window
"yyyy-MM-ddTHH:mm"       On that exact date with minute resolution
"yyyy-MM-ddTHH:mm:ss"    On that exact date with second resolution

The absolute timestamp formats (formats beginning with yyyy) can optionally be followed by a UTC offset in +/-hh:mm format. The "T" separating the date and time can optionally be replaced with a space. Note that any timestamp containing a space or colon needs quotation marks.

Additionally, the < operator matches incidents that began before that timestamp; the > operator matches incidents that began after that timestamp; and the : operator matches incidents on that timestamp.

Following are examples of search queries that reference the incident start field:

Example query                          Matches incidents that started:
start>2018-11-28                       After November 28, 2018
start<=2018-11-28                      On or before November 28, 2018
start:2018-11-28                       On November 28, 2018
start>"2018-11-28 01:02:03+04:00"      After November 28, 2018 at 1:02:03 AM in the UTC+04 time zone
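As an added example, not IRM's own code, the following Python models the start-field semantics described above: the relative Xd instant, the calendar-day window for a bare date, minute and second resolution, the optional UTC offset, and the browser time zone, which is assumed here to be UTC+04. The sample "now" and incident start timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the browser's time zone is UTC+04, matching the last example above.
BROWSER_TZ = timezone(timedelta(hours=4))

# Constructed sample: the search runs at noon on 2018-12-04 (browser zone); the
# incident's earliest alert fired at 01:05 on 2018-11-28.
SAMPLE_NOW = datetime(2018, 12, 4, 12, 0, tzinfo=BROWSER_TZ)
SAMPLE_START = datetime(2018, 11, 28, 1, 5, tzinfo=BROWSER_TZ)

def parse_start_value(text, now):
    """Return the half-open window [lo, hi) that a start value denotes.
    A relative value such as 7d is the single instant NOW()-24h*X, so lo == hi."""
    if re.fullmatch(r"\d+d", text):
        t = now - timedelta(hours=24 * int(text[:-1]))
        return t, t
    text = text.strip('"').replace("T", " ")   # the "T" separator may be a space
    dt = datetime.fromisoformat(text)          # accepts an optional +/-hh:mm offset
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=BROWSER_TZ)     # no offset given: browser time zone
    m = re.search(r" \d\d:\d\d(:\d\d)?", text)
    if m is None:
        span = timedelta(days=1)               # yyyy-MM-dd: calendar-day-wide window
    elif m.group(1) is None:
        span = timedelta(minutes=1)            # yyyy-MM-dd HH:mm: minute resolution
    else:
        span = timedelta(seconds=1)            # yyyy-MM-dd HH:mm:ss: second resolution
    return dt, dt + span

# How each operator relates an incident start s to the window [lo, hi).
OPS = {
    ":":  lambda s, lo, hi: lo <= s < hi or s == lo,  # on that timestamp / within that day
    ">":  lambda s, lo, hi: s >= hi and s > lo,       # strictly after the window or instant
    ">=": lambda s, lo, hi: s >= lo,
    "<":  lambda s, lo, hi: s < lo,                   # strictly before the window or instant
    "<=": lambda s, lo, hi: s < hi or s == lo,
}

def match_start_query(query, incident_start=SAMPLE_START, now=SAMPLE_NOW):
    """Evaluate one start restriction, e.g. start>7d or start<=2018-11-28."""
    m = re.fullmatch(r"start(>=|<=|>|<|:)(.+)", query)
    if m is None:
        raise ValueError("not a start restriction: " + query)
    lo, hi = parse_start_value(m.group(2), now)
    return OPS[m.group(1)](incident_start, lo, hi)

if __name__ == "__main__":
    for q in ["start>2018-11-28", "start<=2018-11-28", "start:2018-11-28",
              'start>"2018-11-28 01:02:03+04:00"', "start>7d", "start>6d"]:
        print(f"{q:38} {match_start_query(q)}")
```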

Indexed fields

To find your incidents or alerts more quickly, search using indexed fields. Following are the indexed fields supported by IRM search:

  • alert_details: The text in the Alert Details section for alerts that have been added to an incident. The query alert_details:"SLO Violation" matches incidents where the alert details contain the string "SLO Violation: something bad".
  • alert_status: Indicates whether a triggered alerting policy is firing or recovered. Example: alert_status:"firing"
  • alert_title: The title of alerts that have been added to an incident. You might search for SLO-related incidents by using the key-value pair alert_title:SLO.
  • escalated: Indicates whether the incident has been escalated. The query escalated:true matches incidents that are escalated.
  • has_tags: Indicates whether the incident has tags. The query has_tags:false matches incidents that are untagged.
  • id: The identifier of the incident, shown in the incident's URL. For example, for the URL "", the id is "A.WLi2aro". The query "id:A.WLi2aro" matches an incident with that identifier.
  • incident_title: The title that has been added to the incident. The query incident_title:foo matches incidents with foo in the title.
  • link_display_name: The display name text of links that have been added to incidents. The query link_display_name:foo matches incidents with foo in the display name.
  • link_url: The URL string of links that have been added to incidents. The query link_url:foo matches incidents with foo in the URL string.
  • severity: The severity classification of the incident. Possible values: unspecified, test, negligible, minor, medium, major, huge.
      • severity:major matches incidents with Major severity.
      • severity>=major matches incidents with Major or Huge severity.
  • stage: The stage classification of the incident. Possible values: unspecified, detected, triaged, mitigated, resolved.
      • stage:mitigated matches incidents where the stage is Mitigated.
      • stage>=mitigated matches incidents where the stage is either Mitigated or Resolved.
  • start: The date that the incident started; specifically, the earliest timestamp of the alerts that are associated with the incident. Relative days can be specified using a lower-case "d".
      • start>7d matches items in the last 7 days, using NOW()-24h*Xd.
      • start:2018-12-14 matches incidents whose start date is any time on the specified date.
  • summary: The text in the incidents' summary fields. The query summary:"SLO Violation" matches incidents whose summaries contain the string "SLO Violation".
  • tag: Incidents can be searched based on tags added to them. Both the equal sign (=) and colon (:) operators are supported for tag search.
      • Both tag:foo and tag=foo match incidents with the tag foo, or with tags where foo is a subcomponent, such as foo:bar or bar:foo:baz.
      • Queries such as tag:"foo:bar" and tag="foo:bar" match incidents with exactly the tag "foo:bar" or "foo:bar:baz". Neither query matches tags such as foo or bar.
      • The query tag:foo tag:bar matches incidents with both the tag foo and the tag bar. It also matches incidents with tags such as foo:bar:baz.
  • title: Either incident_title or alert title. The query "title:foo" is equivalent to the query "alert_title:foo OR incident_title:foo".
  • updates: The text in the investigation updates for alerts added to an incident. The query updates:drain matches incidents where drain is written in the investigation updates.
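As an added example, not IRM's own code, the following Python applies the tag, severity and stage matching rules listed above to a constructed incident record. The one interpretation it adds is that a multi-component pattern such as "foo:bar" must appear as a contiguous run of the tag's colon-separated components, which is consistent with the examples given for the tag field.

```python
import re

# Ordered scales taken from the field list above; list position gives the ordering.
SEVERITY = ["unspecified", "test", "negligible", "minor", "medium", "major", "huge"]
STAGE = ["unspecified", "detected", "triaged", "mitigated", "resolved"]

# Constructed sample incident, not a real record.
INCIDENT = {"tags": ["foo:bar:baz", "env:prod"], "severity": "major", "stage": "mitigated"}

# One restriction: field, operator, value (quoted values may contain colons and spaces).
RESTRICTION = re.compile(r'(\w+)(>=|<=|>|<|=|:)("[^"]*"|\S+)')

def tag_matches(pattern, tag):
    """tag:foo matches foo, foo:bar and bar:foo:baz; tag:"foo:bar" matches foo:bar
    and foo:bar:baz but not foo or bar. Assumed rule: the pattern's colon-separated
    components must appear as a contiguous run of the tag's components."""
    want = pattern.strip('"').split(":")
    have = tag.split(":")
    n = len(want)
    return any(have[i:i + n] == want for i in range(len(have) - n + 1))

def ordered_matches(scale, op, value, actual):
    """severity>=major matches major or huge; stage>=mitigated matches mitigated or resolved."""
    a, v = scale.index(actual), scale.index(value.strip('"'))
    return {":": a == v, "=": a == v, ">": a > v, ">=": a >= v, "<": a < v, "<=": a <= v}[op]

def match_query(query, incident=INCIDENT):
    """Evaluate a space-separated query (implicit AND) of tag, severity and stage restrictions."""
    for field, op, value in RESTRICTION.findall(query):
        if field == "tag":
            ok = any(tag_matches(value, t) for t in incident["tags"])
        elif field == "severity":
            ok = ordered_matches(SEVERITY, op, value, incident["severity"])
        elif field == "stage":
            ok = ordered_matches(STAGE, op, value, incident["stage"])
        else:
            raise ValueError("field not handled in this example: " + field)
        if not ok:
            return False
    return True

if __name__ == "__main__":
    for q in ["tag:foo tag:bar", 'tag:"foo:bar"', 'tag="bar:foo"', "severity>=major",
              "severity:huge", "stage>=mitigated stage<resolved"]:
        print(f"{q:34} {match_query(q)}")
```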

Less common searches

Following is a list of additional indexed fields that can help you search your alerts and incidents based on alerting policies that have triggered. In the sample queries below, both equal sign (=) and colon (:) operators are supported.

  • The numeric identifier (non-display) for a monitored resource group associated with an alerting policy. Example value: "[GROUP_ID]"
  • metric.type: The type of metric associated with an alerting policy. Example: metric.type=""
  • The name (non-display) of an alerting policy. Example value: "projects/[PROJECT_NAME]/alertPolicies/[POLICY_ID]"
  • resource.type: The monitored resource type associated with an alerting policy. Example: resource.type="gce_instance"
  • resource.label.$KEY: The labels attached to monitored resources associated with an alerting policy. Specify the label key on the left-hand side of the restriction, which restricts your search based on the label value for that key. For example, a monitored resource could have the label {key: "zone", value: "us-central1-f"}. To search for alerts on this monitored resource, use resource.label.zone="us-central1-f".
  • signal_state: Indicates whether a triggered alerting policy is firing or recovered. Example: signal_state:"firing"
  • slo_service_name: The GCP service name on which the SLO is defined. Example: slo_service_name:"projects/[PROJECT_ID]/services/[SERVICE_NAME]"