1. Home
  2. Reporting
  3. Incident Frequency Report – Splunk On-Call

Incident Frequency Report – Splunk On-Call

Incident Frequency Report


Versions Supported: Enterprise 

What you need to know: The goal of our Incident Frequency Report is to give your team the data and context around incidents to be proactive in your incident management response.

While the Splunk On-Call Timeline gives you the real-time firehose to give your team full context during a firefight, our Incident Frequency Report allows your team to analyze the flow of incidents after the fact. Allowing you to go upstream to solve the incident causing the problem in your system.

To access the Incident Frequency Report (IFR) navigate to Reports >> Incident Frequency.

Team Filtering

Get a holistic overview of all incidents coming into Splunk On-Call by selecting the All drop-down, or take a deep dive into individual teams to uncover specific problem areas affecting your team.


Identifying the problem causing area is hard to pin down, so we give you the ability to identify flapping alerts, the parts of your platform that need attention, and the information to understand from where your incidents are coming. We give you four options to segment your incidents: integrations, host, service, or route key.

Date Range & Bucketing

See how incident trends impact your team on a daily, weekly, or monthly basis. It’s up to you how granular your scope can be.

Table View & Hover State

The table view will adjust to match the top 15 most frequent incidents associated with the selected segment filter.

To see the Hover State, hover over any position on the graph, and a pop-up will give you information for that given period of time. By clicking on that hover state, the table below will focus on the selected time period to highlight what happened during a specific period of time dependent on your time bucketing selection. You can reset the table view by clicking the reset button. Note: Hover state selection will not affect the contents of the CSV. To segment the CSV by a specific date range, adjust the date range rules.

CSV Download

The data delivered in the CSV will always reflect the date range and team segmenting designed in the setting views. Changing the segment by filters and date range bucketing will have no effect on the contents of the download.

Things to note about the CSV

  • Timestamps are at millisecond granularity
  • CSV is sorted by Incident ID in descending order

CSV File Column Headings

When downloading the Incident Frequency CSV file you can expect to find the following columns to include the unit of time/timezone that the incident is recorded in. Time related column headings will appear in this format as of 12/16/2019.

Time to Acknowledge (seconds)
Time to Resolve (seconds)
Incident Start Time (UTC)
Acknowledge Time (UTC)
Resolve Time (UTC)

Incident Frequency Report - CSV Field Definitions

Incident NumberThe unique numeric tag of the entity_id life cycle
Paged TeamsTeams paged by a triggered incident
Paged Escalation PoliciesEscalation Policies paged by a triggered incident
Paged UsersSpecific users paged by a triggered incident
Entity IdCentral identifier for incident: entity_id
Entity Display NameMore succinct, intuitive name for incident that does not affect the entity_id: entity_display_name
Routing Key Used to direct incidents to a specific team: routing_key
Monitoring ToolDefined integration
ServiceThe type of check within a monitoring tool. Built from the entity_display_name field
HostSpecific location of problem. Built from the hostname or host_name fields
Entity TypeField for specific legacy integrations
Last Alert Id ID: VO_UUID
Number Of Alerts Alert count as depicted on the incident card
Incident Start TimeFirst Paged time
Triggered TimeThe time of receipt by VictorOps endpoint: VO_ALERT_RCV
Acknowledged TimeTime of Ack'd incident
Resolved TimeTime of Resolved incident
Acknowledged ByDisplays the username who has acknowledged this incident: ack_author
Resolved ByDisplays the username who has Resolved this incident
Last Alert TimeTime of Last Alert
Current PhaseState of incident: Triggered, Ack’d, Resolved
The above is a quick glossary to define fields in the IFR CSV download. These definitions sometimes differ from the Glossary of Incident Fields.


Incident Fields – Glossary




Updated on November 10, 2020

Was this article helpful?

Related Articles