Use the incident timeline in Grafana IRM
The incident timeline serves as a chronological record of all activities, observations, and decisions made during an incident. It provides a single source of truth that helps responders collaborate effectively and enables post-incident analysis.
This topic explains how to use the timeline to document incident progress, share critical information, and maintain a comprehensive incident record.
About the incident timeline
The Grafana IRM incident timeline:
- Captures key events, actions, and observations chronologically
- Integrates with Slack, allowing you to add Slack messages to the timeline using the robot emoji reaction and use Slack commands to update the incident without leaving Slack
- Connects with Grafana Cloud observability data, including dashboards and data sources like Prometheus and Loki
- Displays dashboard panels for visual context
- Supports quick navigation and filtering of incident activities
- Enables easy information sharing among all incident responders
- Creates a permanent record for post-incident review and analysis
All items added to the timeline are timestamped automatically, creating a detailed history of the incident from start to resolution.
Add content to the timeline
You can add several types of content to the incident timeline to document the incident and provide context for other responders.
Add notes
Notes allow you to document observations, decisions, and actions during an incident:
- Navigate to the incident details page.
- Select the Text tab.
- Enter your note in the text field.
- Click Add note to publish the note to the timeline.
Tip
Use Markdown formatting in your notes for better readability. Common Markdown syntax includes:
**bold text**for bold text*italic text*for italic text`code`forcode- Numbered and bulleted lists
[Link text](URL)for hyperlinksURLs in notes are automatically extracted and added to the Links and Context section for easy reference.
Add queries
Adding queries to the timeline provides data context and helps track metrics related to the incident:
- Navigate to the incident details page.
- Select the Query tab.
- Select a data source.
- Enter your query in the query editor.
- Click Run query to execute and verify the query.
- Add a descriptive title and optional description to provide context.
- Click Add query to publish the query and its results.
Note
Query results are captured as a snapshot at the time they’re added to the timeline. The query doesn’t automatically update, which preserves the historical record of what was observed during the incident.
Example queries
Prometheus query example (HTTP error rate):
sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m])) * 100Loki query example (error logs):
{app="myapp"} |= "error" | logfmtAdd dashboard panels
Visualizations from your dashboards can provide critical context:
- Navigate to the incident details page.
- Select the Panel tab.
- Search for and select the dashboard containing the relevant panel.
- Select the specific panel you want to add.
- Add a descriptive title and optional description explaining the panel’s relevance.
- Click Add panel to include it in the timeline.
Caution
Dashboard panels that use template variables may not render correctly in the timeline as there is no option to specify input variables. For best results, use panels that don’t rely on variables or create specific panels for incident response.
React to timeline entries
You can add emoji reactions to timeline entries to highlight important information:
- Hover over any timeline entry.
- Click the Add reaction (smile face) icon.
- Select an emoji from the picker.
Common emoji reactions and their typical uses:
| Emoji | Typical Use |
|---|---|
| 👍 | Acknowledge or agree with the information |
| ⭐ | Mark as especially important |
| 🔍 | Currently investigating this |
| ✅ | Confirmed or verified |
| ❌ | Disproven or resolved |
Navigate and filter the timeline
As incidents progress, the timeline can grow lengthy. Use these tools to focus on relevant information:
Filter timeline content
To filter the timeline:
- In the timeline view, locate the filter controls at the top.
- Filter by:
- Importance: Select Highly relevant activity, All relevant activity, or All activity
- Time range: Specify an absolute or relative time range
- Reactions: Filter for activities with specific emoji reactions
Search the timeline
To search for specific content in the timeline:
- Use the search field at the top of the timeline.
- Enter keywords related to the content you’re looking for.
- The timeline will display only entries matching your search terms.
Jump to specific points in time
To navigate to a specific point in the incident:
- Use the time range filter at the top of the timeline.
- Set an absolute time range (specific start and end times) or a relative range (last 30 minutes, last hour, etc.).
- Click Apply to filter the timeline to that specific period.
Use the timeline for post-incident analysis
The incident timeline is a valuable resource for post-incident reviews and analysis:
- After incident resolution, navigate to the incident details page.
- Review the complete timeline to understand the incident’s progression.
- Use filters to focus on key decision points and significant actions.
- Identify patterns in the incident response process:
- When was the incident first detected?
- How long did it take to engage the right stakeholders?
- What troubleshooting steps were most effective?
- Were there any communication gaps?
- Use these insights to improve your incident response processes.
Best practices for timeline documentation
For effective timeline usage:
- Document events in real-time as the incident unfolds
- Use consistent formatting for similar types of entries
- Capture key metrics at critical points in the incident
- Use emoji reactions to highlight important information
- Clearly indicate who is taking which actions
- Document external communications and stakeholder updates
- Note when significant phases of the incident begin and end
Related documentation
Was this page helpful?
Related resources from Grafana Labs
