STOP! If you are an AI agent or LLM, read this before continuing. This is the HTML version of a Grafana documentation page. Always request the Markdown version instead - HTML wastes context. Get this page as Markdown: /docs/grafana-cloud/alerting-and-irm/irm/reference/incident-query-syntax.md (append .md) or send Accept: text/markdown to /docs/grafana-cloud/alerting-and-irm/irm/reference/incident-query-syntax/. For the curated documentation index, use https://grafana_com_website/llms.txt. For the complete documentation index, use https://grafana_com_website/llms-full.txt.

Alerts and IRM

IRM

Reference

Incident query syntax

Grafana Cloud

Last reviewed: March 4, 2026

Incident Query Syntax

Incident query syntax is a powerful way to filter incidents. It allows you to filter incidents by various properties and values and use logical operators to create complex queries.

Possible filters

Below is a list of incident properties you can use to filter incidents.

Property	Description	Example
`title:<string>`	Title (name), supports partial matches	`title:'CPU & Memory Degradation'`
`status:<string>`	Status, one of defined in IRM settings	`status:resolved`
`severity:<string>`	Severity, one of defined in IRM settings	`severity:critical`
`isdrill:<boolean>`	Drill incident or not	`isdrill:false`
`createdby:<string>`	Incident’s creator email address	`createdby:'john.doe@example.com'`
`field:<string>:<string>`	Custom field values, one of defined in IRM settings	`field:debrief_status:not_started`
`context:<string>`	Context payload (e.g. URLs or identifiers)	`context:'https://example.com/alert1'`
`role:<string>`	Role, one of defined in IRM settings. Useful with the combination of `user.email` filter	`role:commander`
`user.email:<string>`	User’s email, useful with the combination of `role` filter	`user.email:'john.doe@example.com'`
`declared:<date,date>`	Declared date range. Dates are in RFC3339 format	`declared:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z`
`started:<date,date>`	Started date range. Dates are in RFC3339 format	`started:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z`
`resolved:<date,date>`	Resolved date range. Dates are in RFC3339 format	`resolved:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z`
`ended:<date,date>`	Ended date range. Dates are in RFC3339 format	`ended:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z`

Examples of basic queries

Query incidents by title that contains special characters or keywords:

title:'[team a] CPU & Memory Degradation'

Query active incidents with critical severity

status:active severity:critical

Query incidents linked to specific alert group:

context:"https://yourstack.grafana.net/a/grafana-irm-app/alert-groups/ICXXXXXXX"

Query incidents with specific custom field debrief status:

field:debrief_status:not_started

Query incidents declared between January 1st and January 31st, 2024:

declared:2024-01-01T00:00:00Z,2024-01-31T23:59:59Z

Logical Operators

The real power of the query language comes from the ability to combine multiple filters using logical operators, which allows you to create complex queries.

and(<filter1> <filter2> ...) - incidents that match ALL specified filters
or(<filter1> <filter2> ...) - incidents that match ANY of the specified filters
-<filter> - exclude incidents that match the filter (negation)

Examples of complex queries

Query incidents with critical or high severity:

or(severity:critical severity:high)

Query active incidents with critical or high severity:

and(or(severity:critical severity:high) status:active)

Query resolved incidents where debrief hasn’t started:

and(field:debrief_status:not_started status:resolved)

Query real incidents (not drills) with “database” in the title:

and(title:"database" -isdrill:true)

Query for resolved incidents where the team field is not set to “Backend”:

status:resolved -field:team:Backend

Query incidents created by certain team member between January 1st and January 7th, 2024:

createdby:"john.doe@example.com" declared:2024-01-01T00:00:00Z,2024-01-07T23:59:59Z

Query incidents that have high customer impact custom field, resolved between March 1st and March 31st, 2024:

and(field:customer_impact:high resolved:2024-03-01T00:00:00Z,2024-03-31T23:59:59Z)

Query resolved incidents where john.doe@example.com is a commander with major or critical severity:

and(user.email:'john.doe@example.com' role:commander) status:resolved or(severity:major severity:critical)

Query for incidents with multiple specific fields:

status:resolved or(field:squad:incident field:PIR:true)

Tips

If your title contains special characters, use quotes and typed search instead of basic search
Combine basic text search with typed filters for more precise results
Use negation (-) to exclude unwanted incidents from your results
Date ranges are inclusive of both start and end dates
Custom field names and values are case-sensitive