--- title: "Incident query syntax | Grafana Cloud documentation" description: "Reference for the query language used to filter incidents in Grafana IRM." --- # Incident Query Syntax Incident query syntax is a powerful way to filter incidents. It allows you to filter incidents by various properties and values and use logical operators to create complex queries. ## Possible filters Below is a list of incident properties you can use to filter incidents. Expand table | Property | Description | Example | |---------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------| | `title:` | Title (name), supports partial matches | `title:'CPU & Memory Degradation'` | | `status:` | Status, one of defined in [IRM settings](/docs/grafana-cloud/alerting-and-irm/irm/manage-incidents/customize-incident-response/incident-response-settings) | `status:resolved` | | `severity:` | Severity, one of defined in [IRM settings](/docs/grafana-cloud/alerting-and-irm/irm/manage-incidents/customize-incident-response/incident-response-settings) | `severity:critical` | | `isdrill:` | Drill incident or not | `isdrill:false` | | `createdby:` | Incident’s creator email address | `createdby:'john.doe@example.com'` | | `field::` | Custom field values, one of defined in [IRM settings](/docs/grafana-cloud/alerting-and-irm/irm/manage-incidents/customize-incident-response/incident-response-settings) | `field:debrief_status:not_started` | | `context:` | Context payload (e.g. URLs or identifiers) | `context:'https://example.com/alert1'` | | `role:` | Role, one of defined in [IRM settings](/docs/grafana-cloud/alerting-and-irm/irm/manage-incidents/customize-incident-response/incident-response-settings). Useful with the combination of `user.email` filter | `role:commander` | | `user.email:` | User’s email, useful with the combination of `role` filter | `user.email:'john.doe@example.com'` | | `declared:` | Declared date range. Dates are in RFC3339 format | `declared:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z` | | `started:` | Started date range. Dates are in RFC3339 format | `started:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z` | | `resolved:` | Resolved date range. Dates are in RFC3339 format | `resolved:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z` | | `ended:` | Ended date range. Dates are in RFC3339 format | `ended:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z` | ### Examples of basic queries Query incidents by title that contains special characters or keywords: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none title:'[team a] CPU & Memory Degradation' ``` Query active incidents with critical severity ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none status:active severity:critical ``` Query incidents linked to specific alert group: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none context:"https://yourstack.grafana.net/a/grafana-irm-app/alert-groups/ICXXXXXXX" ``` Query incidents with specific custom field debrief status: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none field:debrief_status:not_started ``` Query incidents declared between January 1st and January 31st, 2024: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none declared:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z ``` ## Logical Operators The real power of the query language comes from the ability to combine multiple filters using logical operators, which allows you to create complex queries. - `and( ...)` - incidents that match ALL specified filters - `or( ...)` - incidents that match ANY of the specified filters - `-` - exclude incidents that match the filter (negation) ### Examples of complex queries Query incidents with critical or high severity: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none or(severity:critical severity:high) ``` Query active incidents with critical or high severity: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none and(or(severity:critical severity:high) status:active) ``` Query resolved incidents where debrief hasn’t started: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none and(field:debrief_status:not_started status:resolved) ``` Query real incidents (not drills) with “database” in the title: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none and(title:"database" -isdrill:true) ``` Query for resolved incidents where the team field is not set to “Backend”: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none status:resolved -field:team:Backend ``` Query incidents created by certain team member between January 1st and January 7th, 2024: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none createdby:"john.doe@example.com" declared:2024-01-01T00:00:00Z,2024-01-07T23:59:59Z ``` Query incidents that have high customer impact custom field, resolved between March 1st and March 31st, 2024: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none and(field:customer_impact:high resolved:2024-03-01T00:00:00Z,2024-03-31T23:59:59Z) ``` Query resolved incidents where `john.doe@example.com` is a commander with major or critical severity: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none and(user.email:'john.doe@example.com' role:commander) status:resolved or(severity:major severity:critical) ``` Query for incidents with multiple specific fields: ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```none status:resolved or(field:squad:incident field:PIR:true) ``` ## Tips - If your title contains special characters, use quotes and typed search instead of basic search - Combine basic text search with typed filters for more precise results - Use negation (`-`) to exclude unwanted incidents from your results - Date ranges are inclusive of both start and end dates - Custom field names and values are case-sensitive