Setting Incidents: incident_key in EventsV2 API


(Sandy Breeze) #1

Hi PD community,

I’ve just picked up a project where I’d like one of my apps to trigger events and resolve alerts based on thresholds the app gets from looking at devices. However, I’m struggling to find how when hitting eventsv2 endpoint ( the incident_key in the incident can be populated at time of creation? No matter where I put it in the parameters or payload, it always ends up as ‘None’ in the subsequent incident. All the alerts subsequently created under incident contain the dedup_key, but, I want to be able to uniquely identify the incident based on my apps dedup_key I specify, without having to recurse all incidents associated alerts…

Heres an example taken from the class I’ve written - can you tell me where I’m going wrong?

    def trigger(self, description, hostname, details, dedup_key=None):
        data = json.dumps({
            'routing_key' : SERVICE_KEY,
            'event_action': 'trigger',
            'incident_key'   : 'my-identifiable-incident-key',
            'dedup_key'   : dedup_key,
            'payload'     : { 'summary'       : description,
                              'custom_details': details,
                              'source'        : hostname,
                              'severity'      : 'error',
            'client'     : '%s running on %s' % (sys.argv[0], os.uname()[1]),
            'client_url' : '',
        r ='',
        return r

When setting dedup_key in the above, it is the dedup_key in the associated alert. But incident_key is always None in the incident. If I chose to POST ‘incident_key’ in the ‘payload’, incident_key’ never ends up in the actual ‘incident_key’ field when pulling back the incidents again…

I’ll happily use another (appropriate) customisable field if it can make it into incident at time of creation, but I’m wondering why this is the way it is…?


(Anton Van Oosbree) #2

Hi Sandy, to clarify with Alerts enabled on a service it’s expected that the incident_key will be null. This is by design, with the thinking being that (with Alerts enabled) Incidents are a “container” for Alerts, and don’t have an incident/dedup key of their own—rather it’s Alerts that get deduplicated.

One approach would be to turn off Alerts (on a Service’s edit page under Incident Behavior), in which case you can expect to see an Incidents incident_key populated again.

(Sandy Breeze) #3

Hi Anton,
Thanks for your response, that explains the behaviour I’m seeing.

In my case, I have a few integrations which together make up the service. I only want each integration to manage their own events in the service. I was hoping to identify by something in the list of incidents I return for that service, which integration was responsible for raising that incident. Does it follow then, that for each of my integrations, I must also recurse the alerts for each incident in the service, before I can find something unique to the integration that raised it (aside from putting something in the description string for example) ?


(Anton Van Oosbree) #4

Hi Sandy, using Events API v2 with Alerts enabled on the service, an Alert’s ID or dedup_key will be the best way to target a specific Alert.

(Albert Taylor) #5

Sandy, you can find an incident by the events dedup_key by sending a get request to this uri:$dedup_key"

replace $dedup_key with the key you used or got from the events API V2 request.

(Simon Fiddaman) #6

Hey @sanjmonkey, are you actually using alert / incident merging?

Be careful with setting the dedup_key (for alerts) arbitrarily, as alerts with a matching dedup_key will be merged into a single incident (which will hold the same description/title as the initial alert). Obviously it also holds that using a unique dedup_key, even if it’s identifiable - e.g. sourcea_dhejh78 where sourcea_2q1 is your identifiable / fixed part and dhejh78 was the random jibberish for that specific alert.

If you never want this to happen, flip to the old behaviour of incidents only. Same rules would then apply on the incident_key.

Alternatively, have you considered implementing a separate Service for each Integration? There’s no limit to how many Services you can have and if they’re all bound to the same Team the visibility in the Incidents page will be much the same (you can even see which Integration-Service it came from in that list, which you can’t otherwise), and Escalation Policies are reusable.


(system) #7