Understand superseded incidents

When viewing your APEX AIOps Incident Management data, you may see incidents with a status value of superseded. Superseding occurs when an incident which more completely represents an issue takes the place of one (or more) other incidents. A single incident then represents the other incidents, and the superseded incidents are no longer active.

Creating superseded incidents prevents the duplication or loss of incident data, and ensures that the most accurate, most comprehensive incident representing an issue is always the most recent one. Superseded incidents are not removed, but are made inactive. Keeping the superseded incident preserves the history of the incident up to the time when it was replaced.

The next sections explain the details of how superseding happens, the incident fields involved, and how superseding affects your data.

The superseding process in detail

When two (or more) incidents meet the correlation group Automatic Merge threshold and include at least one alert in common, the incidents can merge together. When merging occurs, the alerts from the involved incidents are added to one of the incidents (the superseding incident), creating an incident that represents the other incidents (the superseded incidents). The superseded status is assigned to the original incidents which were merged. The incident chosen to supersede the others is either the newest of the merging incidents or the one containing the largest number of alerts. After merging, the superseding incident includes all of the alerts in the original incidents.

The life cycle of the superseding incident continues until it is eventually closed, either manually or through automation. The superseded incidents stop updating after merging, however.

When an incident is superseded:

  • No additional alerts are added

  • No further incident status changes occur

  • It is treated as closed, although the assigned status remains superseded

  • The incident severity value remains the same as it was at the time when it was merged

  • The status value for the incident changes to superseded

  • The alerts in the superseded incident can continue to update, as they are part of the superseding incident

Note that merging occurs after correlation, allowing incidents with different correlation definition requirements to merge.

The alerts in superseded incidents continue to display for reference purposes. The alerts are functionally moved to the superseding incident and continue to update if new events are added and other changes occur. When the alerts in the superseded incident are viewed, they reflect their current state.

Refer to Superseding incident example to see a step-by-step example of superseding.

Incident fields

Several incident fields are involved when an incident is superseded by another one. You can use these fields to filter, sort, and trigger workflows and outbound webhook endpoints.

The following fields are directly affected by the superseding process:

  • status

    In the superseded incident, the status is superseded.

    The superseding incident continues as an active incident and can have any incident status appropriate for its current state. This status can potentially be superseded, if an additional superseding scenario occurs.

    Note

    While a chain of superseding occurrences is possible, where superseding incidents are superseded by other superseding incidents, this is rare.

  • superseded by

    In the superseded incident, this is the ID of the current incident which replaced and currently represents this incident.

    If a chain of superseding steps has occurred which has subsequently caused superseding incidents to become superseded themselves, this value represents the most recent active incident in the chain. If only one instance of superseding has occurred, this value is the same as the value for merged into incident.

  • merged into incident

    In the superseded incident, this value indicates the ID of the incident which immediately replaced it.

    Normally, the value in this field is the same as the value for superseded by, but it may differ in the multi-superseding scenario.

  • superseded on

    In the superseded incident, this is the time when the incident was superseded by the incident identified in merged into incident.
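The difference between superseded by and merged into incident only shows up in a chain, so the following added example (not product code) models two successive merges locally and checks exported records for consistency. The dictionary keys, the `open` status value, and the incident and alert IDs are constructed stand-ins for the fields described above, not the product's API names.

```python
from datetime import datetime, timezone

def merge(incidents, winner_id, loser_ids, when):
    """Mark each loser as superseded and move its alerts into the winner."""
    winner = incidents[winner_id]
    for lid in loser_ids:
        loser = incidents[lid]
        winner["alerts"] |= loser["alerts"]  # superseding incident holds every alert
        loser.update(status="superseded", merged_into=winner_id,
                     superseded_by=winner_id, superseded_on=when)
    # Incidents superseded earlier by a loser now point at the newest incident.
    for inc in incidents.values():
        if inc.get("superseded_by") in loser_ids:
            inc["superseded_by"] = winner_id

def resolve_current(incidents, incident_id):
    """Follow merged_into links to the incident at the end of the chain."""
    seen, current = set(), incident_id
    while incidents[current]["status"] == "superseded":
        if current in seen:
            raise ValueError(f"cycle in merged_into chain at {current}")
        seen.add(current)
        current = incidents[current]["merged_into"]
    return current

def stale_pointers(incidents):
    """IDs of superseded incidents whose superseded_by is not the chain end."""
    return sorted(i for i, inc in incidents.items()
                  if inc["status"] == "superseded"
                  and inc["superseded_by"] != resolve_current(incidents, i))

def build_chain():
    """Constructed sample: 102 supersedes 101, then 103 supersedes 102."""
    incidents = {
        101: {"status": "open", "alerts": {"a1", "a2"}},  # "open" is a placeholder
        102: {"status": "open", "alerts": {"a2", "a3"}},
        103: {"status": "open", "alerts": {"a3", "a4"}},
    }
    merge(incidents, 102, [101], datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc))
    merge(incidents, 103, [102], datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc))
    return incidents

if __name__ == "__main__":
    for iid, inc in build_chain().items():
        print(iid, inc["status"], inc.get("merged_into"), inc.get("superseded_by"))
```

After both merges, incident 101 keeps merged into incident 102 while its superseded by value is 103, which is the multi-superseding case the field descriptions refer to.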

View superseded incidents in the Incidents page

The following example shows several incidents involved in superseding and the fields involved in the process.

[Image: SupersededIncidentsInGrid.png]

You can view the fields associated with superseding in the Incidents page, or you can open the incident in the Situation Room (see the next section) to view additional incident details.

View superseded incidents in the Situation Room

The following image shows a superseded incident in the Situation Room.

[Image: SupersededIncidentInSitRoom.png]

The incident is marked with the fork symbol. The incident status indicates it is superseded, and includes the ID of the incident which superseded it. To view the latest incident replacing a superseded one, you can click the ID after "superseded by" at the top of the page to open that incident in the Situation Room instead.