Alerts and IRM

IRM

Manage

Insights and reporting

Incident insights

Grafana Cloud

Incident insights

Incident insights in Grafana IRM enables you to visualize, analyze, and track incident response data. Use these insights to measure your organization’s response effectiveness, identify trends, and continuously improve your incident management processes.

About incident insights

Incident insights provide:

A pre-built dashboard with key incident response metrics
The ability to build custom dashboards using the Grafana Incident data source
Flexible filtering and exploration by labels, severity, and other dimensions
Customizable dashboard templates to fit your organization’s needs
Embedding of incident metrics into existing Grafana dashboards

Incident insights are included with all Grafana IRM plans at no additional cost.

Set up incident insights

The incident insights dashboard is created automatically when you enable the feature.

To set up and access incident insights for the first time:

In the Grafana Cloud main menu, navigate to Alerts & IRM > IRM.
Select Insights, then click the Incidents tab.
Click Set up Insights dashboard.
You are redirected to the insights dashboard upon completion.

During setup, Grafana IRM:

Configures the Grafana Incident data source
Generates a service account and token with viewer permissions
Creates the pre-built Insights dashboard

To revisit the dashboard later, select Insights from the left menu.

Understand your incident metrics

Grafana IRM tracks several core metrics to help you understand and improve your incident response:

Mean Time To Resolution (MTTR):
The average time from when an incident starts to when it is resolved.
Formula: incidentEnd - incidentStart
- If incidentEnd is not set manually, it defaults to the time the incident was marked as resolved (closedTime).
Mean Time To Detect (MTTD):
The average time from when an incident starts to when it is declared.
Formula: incidentCreated - incidentStart

Incident field definitions:

Field	Description	Editable?
`incidentStart`	Actual start of the incident (editable, even after resolution)	Yes
`incidentCreated`	Timestamp when the incident was declared	No
`incidentEnd`	Actual end of the incident (editable, even after resolution)	Yes
`closedTime`	When the incident was administratively resolved	No

Note
If you edit incidentStart or incidentEnd after an incident is resolved, metrics such as MTTR and MTTD update automatically.

Query syntax

The Incident data source uses the incident query syntax, which is also used to filter the incident in Grafana IRM You can reuse any bookmarked or saved expressions from Grafana IRM.

Example queries

Critical or security-related incidents:
```
or(severity:critical label:security)
```

Active incidents within a timeframe:

status:active started:${__from:date}, ${__to:date}

Resolved incidents without a specific label:
```
status:resolved -label:value
```
Resolved incidents with multiple specific labels:
```
status:resolved or(label:'squad:incident' label:PIR)
```

Filter incidents

When filtering by multiple values:

Label filters (e.g., service_name:accounts service_name:orders) use AND logic. Only incidents with all specified label values will match.
Other filters (like status:active status:resolved) use OR logic.

Note
This behavior is different from other filters. If your query returns no results, check your label filter logic.

Correct or modify incident timelines

If your metrics are inaccurate due to late declaration or resolution of an incident:

Adjust incidentStart or incidentEnd using the timeline editor.
incidentCreated cannot be changed. If this affects your MTTD, consider annotating the incident or filtering it out in your analysis.

Create custom insights dashboards

You can create custom dashboards to visualize incident data that matters most to your teams:

In Grafana Cloud, go to Dashboards > New Dashboard.
Add a new panel.
Select the Grafana Incident data source.
Build queries using the syntax described in the following sections.
Choose visualizations to highlight key metrics.

Use variables in queries

The Query Editor supports Grafana Variables, which allows you to create interactive dashboards. Variables allow you to create dynamic dashboards where users can select different values to update the visualizations.

You can create variables for:

Status: Filter by incident status (active, resolved, etc.)
Severity: Filter by incident severity levels
Labels: Filter by incident labels

Note
Variable names are case-sensitive and must match exactly as shown.

Example: Creating a variable for incident labels

Create a new dashboard variable.
Select the Grafana Incident data source.
Use a query that returns label values.
Configure the variable to allow multi-selection.

Example query using variables:

status:$Status severity:$Severities label:$Labels

Note
Some older queries (such as status:resolved or($labels)) may no longer work. Update your dashboards to use the current variable names.

Troubleshoot dashboard variables or queries

If your dashboard variables or queries are not working, you may be using an outdated Insights dashboard template. To update, consult the latest dashboard template examples or rebuild your dashboard using the current variable names and query syntax.

Analyze incident data

Key metrics for incident analysis include:

Mean Time To Resolution (MTTR): Average time from incident start to resolution
Mean Time To Detect (MTTD): Average time from incident start to declaration
Incident frequency: Number of incidents over time, by severity or service
Team impact: Distribution of incidents across teams and services
Root cause patterns: Common themes in incident causes identified through labels
Time of day patterns: When incidents are most likely to occur