View incidents

Express displays the most recently created alerts with no filtering.

Searching and filtering incidents

Incidents and incident details reference

The following table lists the incident attributes visible in the Incidents and Incident Details tables.


Express stores all timestamps in UTC format. The dates and times displayed in the UI are based on your browser's local time.




The person assigned to the incident.


A list of the classifications (class field) of all alerts in the incident. The class field is used to categorize the events and metric anomalies that make up an alert. For example, an alert with a "WebServerMonitor" class might include a "web-server-down" event and a "http-requests-failed-rate" anomaly.

Closed on

Timestamp when this incident was closed.

Created At

Timestamp when the Correlation Engine created this incident.


Auto-generated description of the incident, based on the description field in the correlation profile that generated the incident.

First Event Time

Timestamp of the earliest event in this incident.


Express auto-generates this ID when it creates the incident.

Last Event Time

Timestamp of the most recent event in this incident.

Last State Change

The last time a user updated the incident status or severity.

Resolved On

Time when the incident was resolved.


A list of all services that generated the events and metrics included in this incident. This list is derived from the service field in the member alerts in this incident.


The incident severity equals the highest severity of any alert in that incident.


Status of the incident.

Superseded By

Total Alerts

The total number of alerts in the incident.