Incident
An incident starts with a trigger. (Each trigger comprises one or more indicators that have been correlated.) Incidents are listed on the Incidents page, which shows information about the incident, including its basic details, along with runbook output data to assist you in identifying the incident's underlying cause.
Terms:
- Incident: A collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself.
- Trigger: A set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device.
- Indicator: An observed change in a specific metric stream that is recognized as being outside of an expected model. Indicators are correlated into triggers, and one or more triggers are grouped into incidents.
- Runbook: An automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.
- Output: A document containing data sets generated by the execution of a runbook, including output of queries and reports from point products, as well as output of analysis or other runbook nodes.
Certain relationships cause triggers to be grouped into incidents:
- A trigger by itself
- Operating system
Riverbed IQ Ops's default behavior is to group indicators into incidents only if they share two or more types of relationships. For example, two indicators will be grouped into an incident if they share both application and location, but not if they share only an application. However, you can override the system's default behavior and group triggers into incidents manually, or you can break incidents apart, based on your personal knowledge and judgment.