Working with Incidents

When an incident is created, Enterprise Manager makes available a rich set of incident management workflow features that let you manage and track the incident through its complete lifecycle.

  • Assign incident ownership.

  • Track the incident resolution status.

  • Set incident priority.

  • Set incident escalation level.

  • Ability to provide a manual summary.

  • Ability to add user comments.

  • Ability to suppress/unsuppress.

  • Ability to manually clear the incident.

  • Ability to create a ticket manually.

All incident management/tracking operations are carried out from Incident Manager. Creation of incidents for events, assignment of incidents to administrators, setting priority, sending notifications and other actions can be automated using (incident) rules.

Incident Status

The lifecycle of an incident within an organization is typically determined by two pieces of information: the current resolution state of the incident (Incident Status) and how important it is to resolve the incident relative to other incidents (Priority). The following Incident Status options are available:

  • New

  • Work in Progress

  • Closed

  • Resolved

You can define additional statuses if the default options are not adequate. In addition, you can change labels using the Enterprise Manager Command Line Interface (EM CLI). See Advanced Topics for more information.

Priority

By changing the priority, you can escalate the incident and perform operations such as assigning it to a specific IT operator or notifying upper management. The following priority options are available:

  • None

  • Low

  • Medium

  • High

  • Very High

  • Urgent

Priority is often based on simple business rules determined by the business impact and the urgency of resolution.

Incident Attributes

Every incident possesses attributes that provide information such as identification, status for tracking, and ownership. The following table lists available incident attributes.

Incident Attribute Definition

Escalated

An escalation level signifying an escalation to raise the level of attention on the incident from your organization's IT or management hierarchy.

Available escalation levels:

  • None (Not escalated)

  • Level 1 through Level 5

Category

Operational or organizational classification for an incident. Incidents (and events) can have multiple categories.

Categories for all events within an incident are aggregated.

Available Categories:

  • Availability

  • Business

  • Capacity

  • Configuration

  • Diagnostics

  • Error

  • Fault

  • Jobs

  • Load

  • Performance

  • Security

Summary

An intuitive message indicating what the incident is about. By default, the incident summary is pulled from the message of the last event of the incident; however, this message can be changed to a fixed summary by any administrator working on the incident.

Incident Created

Date and time the incident was created.

Last Updated

Date and time the incident was last updated or when the incident was closed.

Severity

Severity is based on the worst severity of the events in the incident. For example, Fatal, Warning, or Critical.

Source

Source entities of the incident.

Priority

Priority Values

  • None (Default)

  • Low

  • Medium

  • High

  • Very High

  • Urgent

Status

Incident Status.

  • New (Default)

  • Work in Progress

  • Closed (Terminal state when the incident is closed. See below for more information.)

  • Resolved

You can define additional statuses if the default options are not adequate. In addition, you can change labels using the Enterprise Manager Command Line Interface (EM CLI).

Closed Status: Enterprise Manager automatically sets the status to Closed when an incident severity is cleared; administrators do not manually select the Closed status. The incident severity is set to Clear when all of the events contained within the incident have been cleared. Typically the Agent sets the Clear severity, as would be the case when a metric alert value falls below a severity threshold. If an event or incident supports manual clearing, then the Clear option will be shown in the Incident Manager UI. Only after an incident has been cleared by an administrator or by Enterprise Manager will Enterprise Manager set the status to Closed. If you do not see the option to clear the incident in the UI, this means Enterprise Manager will automatically set the status to Clear if it detects the monitored condition no longer holds true. For example, suppose you want to indicate that an incident has been fixed: you can set the status to Resolved, and Enterprise Manager will set the status to Closed when it clears the severity.

Comment

Annotations added by an administrator to communicate analysis information or actions taken to resolve the incident.

Owner

Administrator/user currently working on the incident.

Acknowledged

Indicates that a user has accepted ownership of an incident or problem. Available options: Yes or No.

When an incident is acknowledged, it will be implicitly assigned to the user who acknowledged it. When a user assigns an incident to himself, it is considered 'acknowledged'. Once acknowledged, an incident cannot be unacknowledged, but can be assigned to another user. Acknowledging an incident stops any repeat notifications for that incident.

Causal Analysis Update

Used for Root Cause Analysis of target down incidents.

Possible Values: Root Cause or Symptom
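
The Severity, Status and Acknowledged rules in the table above, expressed as a small Python model. This is an added example, not Enterprise Manager code or its API. The class and method names are hypothetical, and the severity ordering and the rejection of new events on a Closed incident are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed ordering, least to most severe; the page names only these values.
SEVERITY_RANK = {"Clear": 0, "Warning": 1, "Critical": 2, "Fatal": 3}


@dataclass
class Incident:  # hypothetical model, not an Enterprise Manager class
    events: Dict[str, str] = field(default_factory=dict)  # event name -> severity
    status: str = "New"              # default status per the table
    owner: Optional[str] = None
    acknowledged: bool = False       # once True it is never reset

    @property
    def severity(self) -> str:
        # Incident severity is the worst severity of its events.
        return max(self.events.values(), key=SEVERITY_RANK.__getitem__,
                   default="Clear")

    def record_event(self, name: str, severity: str) -> None:
        # Covers both an Agent update and a manual clear of one event.
        if self.status == "Closed":
            raise ValueError("Closed is terminal (modelling assumption)")
        self.events[name] = severity
        if self.severity == "Clear":
            # Only when every event is cleared does the status become Closed.
            self.status = "Closed"

    def set_status(self, status: str) -> None:
        # Administrators may pick New, Work in Progress, Resolved or a
        # custom status, but never Closed.
        if status == "Closed" or self.status == "Closed":
            raise ValueError("Closed is set automatically when severity clears")
        self.status = status

    def acknowledge(self, user: str) -> None:
        # Acknowledging implicitly assigns the incident to that user.
        self.acknowledged = True
        self.owner = user

    def assign(self, user: str, by: str) -> None:
        # Self-assignment counts as acknowledgement; reassigning to someone
        # else changes the owner but leaves the acknowledged flag as it is.
        self.owner = user
        if user == by:
            self.acknowledged = True
```
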