Skip to main content
Solved

Can I use an email to a service orchestration to change the priority for an existing incident?

  • April 7, 2026
  • 4 replies
  • 93 views
C
Forum|alt.badge.img+1

At our organization we generate PagerDuty incidents by using email alerts.

The emails are sent to service integrations. Each service has an individual email. So even without Global Orchestration, we can process the emails into useful incidents using the Service Orchestrations. We aren’t licensed for AIOPs, so we can’t currently use Global Orchestrations.

A typical email might from our SCOM monitoring and have a subject line something like  “ SCOM: Health Service Heartbeat Failure Resolution State: New” or from one of our storage systems like “Storage D1A: Warning filesystem <filesystem> at 80%”.

This email is sent to our PagerDuty integration email and processed using the Service Orchestration rules. For repeated alerts, we can set a custom dedup_key such as the server name or filesystem name. If the dedup_key matches on subsequent alerts, then PagerDuty appends the new alert to the old ticket.

In addition, the dedup_key allows us to close incidents indirectly by using an event rule:  “If events match … (event.custom_details.subject matches regex Closed)” and setting the Alert Behavior to ”Always resolve an alert” checkbox. This effectively allows us to put “Closed” in the subject line. If the email alert otherwise matches the dedup_key it will resolve the alert, which in turn resolves the incident.

All great so far. But what happens when I want to change an existing incident without closing it?

This is precisely the issue I’m having with storage alerts. We send an email first as a “Warning” when the filesystem is filling, but not yet full (say, 80% full). Then, when the filesystem is 100% full, we send out a “Critical” email.

If this second “Critical” email matches the dedup_key, the second alert is simply appended to the existing “Warning” incident without changing the incident priority. That’s not useful.

Of course, my first thought for the second “Critical” email was to use the event rule Step 2: What action(s) should be applied → Incident Data → Basic Event → Set incident priority to … <my custom priority>”.  This works as expected with NEW incidents. But if the dedup_key matches an existing open incident, it appears that the service orchestration ignores the Incident Data section of the rule. 
 

Is there some logic or mechanism that I am missing? Can I change an existing incident’s priority or notes with an email? Is there another mechanism perhaps in Global Orchestration or other AIOps-licensed features that would work?

So far, the only solution seems to be to automatically create a separate incident by adding the priority to the dedup_key. 

Best answer by mwalls

Hi ​@Christian VanderZiel 

There is actually an account setting to allow for this. It’s not in the UI, it’s currently a feature flag that can be set for you. It would change the behavior account-wide.

Support can set it, as can your CSM if you have one assigned to your account. Or you can send me your account name *.pagerduty.com and I’ll look into it. mwalls@pagerduty.com.

    4 replies

    mwalls
    Forum|alt.badge.img
    • mwalls
    • Community Manager đź’š
    • Answer
    • April 7, 2026

    Hi ​@Christian VanderZiel 

    There is actually an account setting to allow for this. It’s not in the UI, it’s currently a feature flag that can be set for you. It would change the behavior account-wide.

    Support can set it, as can your CSM if you have one assigned to your account. Or you can send me your account name *.pagerduty.com and I’ll look into it. mwalls@pagerduty.com.

    C
    Forum|alt.badge.img+1

    FYI, I discussed this feature with our CSM.

    From what I understood, the way that the feature flag works is to automatically raise the priority for any emails/events that match the dedup_key. 

    In our case, this would mean that if an additional “Warning” matches the dedup_key that it would raise the priority of the incident. The way I understand it, it functions like this:
    1st Warning → creates incident #1 with a P-3 custom priority.
    2nd Warning or Critical →  matches dedup_key →  raises priority of incident #1 to a P-2 custom priority.

    This could be an extremely useful feature to escalate urgent unacknowledged issues and might be something that we eventually enable, but it does not solve the problem I am addressing. 

    What I want to happen would be something like this:
    1st Warning → creates incident #1 with a P-3 custom priority.
    2nd Warning → matches dedup_key, ignored.
    1st Critical → matches dedup_key, raises priority of incident #1 with P-2 custom priority.

    C
    Forum|alt.badge.img+1

    There is some discussion on my team on how this is actually going to operate, so we are going to try it in our pagerduty sandbox environment first.

    C
    Forum|alt.badge.img+1

    All right. I can’t seem to edit my earlier answers, but the flag seems to work as I’d hoped in our sandbox environment!  Hurray! 

    I did some experimentation and here’s what I found:

    **************
    PagerDuty dedup_key behavior with service orchestration rules and optional flag set. (Note, this might not apply to global orchestrations or other processes).

    When an alert comes in via email with a matching dedup_key, it is not treated as a new incident.
    Instead, it is applied to the existing incident and processed by the service orchestration rules.

    Example flow:
    1st Warning -- creates a new incident
    Priority set by rule → e.g., P-3

    2nd Warning
    Matches dedup_key
    No new incident created
    No change in priority if it matches the same rule as the first alert.

    1st Critical
    Matches dedup_key
    no new incident created
    Rule matches (e.g., critical regex)
    Priority of existing incident is raised if rule specifies it → e.g., P-2


    Dedup/rule constraints:
    -  If dedup_key matches and a rule matches, the existing incident priority is updated according to that rule.
    -  Priority can be increased incrementally or directly, but can't be decreased even if a matching rule would imply it.
    -  The alert name (summary) is updated to match the most recent alert with the same dedup_key, but the incident title remains the same.

    What cannot be changed via deduplicated alerts in service orchestration (tested):
    - Cannot add incident notes
    - Cannot rename the incident itself
    - Cannot change escalation policy

    Based on my observations, it seems likely that you cannot modify anything beyond raising the priority via a deduplicated alert.
    ********************************************

    Feel free to correct me if you’ve got the inside knowledge or have done your own experiments, of course, but I thought this might be useful to someone else attempting this. 

    Terms & ConditionsAccessibility statement