Grafana Cloud

Use the incident timeline in Grafana IRM

The incident timeline serves as a chronological record of all activities, observations, and decisions made during an incident. It provides a single source of truth that helps responders collaborate effectively and enables post-incident analysis.

This topic explains how to use the timeline to document incident progress, share critical information, and maintain a comprehensive incident record.

About the incident timeline

The Grafana IRM incident timeline:

  • Captures key events, actions, and observations chronologically
  • Integrates with Slack, allowing you to add Slack messages to the timeline using the robot emoji reaction (🤖) and create tasks using the lightbulb emoji reaction (💡)
  • Connects with Grafana Cloud observability data, including dashboards and data sources like Prometheus and Loki
  • Displays dashboard panels for visual context
  • Supports quick navigation and filtering of incident activities
  • Enables easy information sharing among all incident responders
  • Creates a permanent record for post-incident review and analysis

All items added to the timeline are timestamped automatically, creating a detailed history of the incident from start to resolution.

Add content to the timeline

You can add several types of content to the incident timeline to document the incident and provide context for other responders.

Add status updates

Status updates communicate key changes in the state of the incident to responders and stakeholders. Use status updates to document important development, such as impact, mitigation steps, or resolution. Each status update is timestamped and visible in the timeline, providing a clear record of how the incident evolved.

For more details on managing incident statuses, refer to communicate status updates.

Add notes

Notes allow you to document observations, decisions, and actions during an incident:

  1. Navigate to the incident details page.
  2. Select the Text tab.
  3. Enter your note in the text field.
  4. Click Add note to publish the note to the timeline.

Tip

Use Markdown formatting in your notes for better readability. Common Markdown syntax includes:

  • **bold text** for bold text
  • *italic text* for italic text
  • `code` for code
  • Numbered and bulleted lists
  • [Link text](URL) for hyperlinks

URLs in notes are automatically extracted and added to the Links and context section for easy reference.

Attach images and screenshots

You can attach screenshots and images to incidents to provide more context for responders.
Attachments appear in the incident timeline and the connected Slack incident channel.

Upload an image in the incident timeline

You can upload images directly into the incident timeline using the rich text editor.

  1. Open an incident and navigate to the Activity tab.
  2. In the rich text editor:
    • Drag and drop an image file into the message field, or
    • Click the image icon on the toolbar to select a file from your computer.
  3. Optional: Add a caption, description, or share a related URL.
  4. Click Add note to upload.

The image appears inline in the incident timeline.
If the incident is linked to a Slack channel, the uploaded file is automatically added by IRM.

Note

IRM supports image attachments (for example, PNG, JPG). Other file types are not currently supported.

Capture and attach a Grafana screenshot

You can capture a screenshot from anywhere in Grafana Cloud and attach it directly to an incident.

  1. Press Cmd + I (Mac) or Ctrl + I (Windows/Linux).
  2. Select the area you want to capture, such as a panel or a dashboard.
  3. In the Attach screenshot modal:
    • Choose an existing incident to attach the screenshot to.
    • Add a caption or description (optional).
  4. Click Attach screenshot.

A confirmation message appears when the upload succeeds.
The screenshot, along with a link to its source and any caption, is added to both the incident timeline and the linked Slack channel.

Add queries

Adding queries to the timeline provides data context and helps track metrics related to the incident:

  1. Navigate to the incident details page.
  2. Select the Query tab.
  3. Select a data source.
  4. Enter your query in the query editor.
  5. Click Run query to execute and verify the query.
  6. Add a descriptive title and optional description to provide context.
  7. Click Add query to publish the query and its results.

Note

Query results are captured as a snapshot at the time they’re added to the timeline. The query doesn’t automatically update, which preserves the historical record of what was observed during the incident.

Example queries

Prometheus query example (HTTP error rate):

promql
sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m])) * 100

Loki query example (error logs):

logql
{app="myapp"} |= "error" | logfmt

Add dashboard panels

Visualizations from your dashboards can provide critical context:

  1. Navigate to the incident details page.
  2. Select the Panel tab.
  3. Search for and select the dashboard containing the relevant panel.
  4. Select the specific panel you want to add.
  5. Add a descriptive title and optional description explaining the panel’s relevance.
  6. Click Add panel to include it in the timeline.

Caution

Dashboard panels that use template variables may not render correctly in the timeline as there is no option to specify input variables. For best results, use panels that don’t rely on variables or create specific panels for incident response.

Add content from Slack

If your incident has an associated Slack channel, you can quickly add content using emoji reactions:

  1. In the incident Slack channel, find a message you want to add to the timeline or convert to a task.
  2. React to the message with the appropriate emoji:
    • 🤖 (robot_face): Adds the message to the incident timeline
    • 💡 (bulb): Creates a PIR action item (task) from the message content

This feature allows team members to quickly capture important information and action items discussed in Slack without switching between applications.

React to timeline entries

You can add emoji reactions to timeline entries to highlight important information:

  1. Hover over any timeline entry.
  2. Click the Add reaction (smile face) icon.
  3. Select an emoji from the picker.

Common emoji reactions and their typical uses:

EmojiTypical Use
👍Acknowledge or agree with the information
Mark as especially important
🔍Currently investigating this
Confirmed or verified
Disproven or resolved

As incidents progress, the timeline can grow lengthy. Use these tools to focus on relevant information:

Filter timeline content

To filter the timeline:

  1. In the timeline view, locate the filter controls at the top.
  2. Filter by:
    • Importance: Select Highly relevant activity, All relevant activity, or All activity
    • Time range: Specify an absolute or relative time range
    • Reactions: Filter for activities with specific emoji reactions

Search the timeline

To search for specific content in the timeline:

  1. Use the search field at the top of the timeline.
  2. Enter keywords related to the content you’re looking for.
  3. The timeline will display only entries matching your search terms.

Jump to specific points in time

To navigate to a specific point in the incident:

  1. Use the time range filter at the top of the timeline.
  2. Set an absolute time range (specific start and end times) or a relative range (last 30 minutes, last hour, etc.).
  3. Click Apply to filter the timeline to that specific period.

Use the timeline for post-incident analysis

The incident timeline is a valuable resource for post-incident reviews and analysis:

  1. After incident resolution, navigate to the incident details page.
  2. Review the complete timeline to understand the incident’s progression.
  3. Use filters to focus on key decision points and significant actions.
  4. Identify patterns in the incident response process:
    • When was the incident first detected?
    • How long did it take to engage the right stakeholders?
    • What troubleshooting steps were most effective?
    • Were there any communication gaps?
  5. Use these insights to improve your incident response processes.

Best practices for timeline documentation

For effective timeline usage:

  • Document events in real-time as the incident unfolds
  • Use consistent formatting for similar types of entries
  • Capture key metrics at critical points in the incident
  • Use emoji reactions to highlight important information
  • Clearly indicate who is taking which actions
  • Document external communications and stakeholder updates
  • Note when significant phases of the incident begin and end