Split Incidents

The alerts in an incident can be split off and handled as a new incident.

Splitting separates a source incident's alerts to form a new destination incident. The selected alerts are moved from the source incident, along with their history, to the newly created destination incident.
The source incident maintains its assignee and snooze settings. If the source incident is shared, any further updates to the alerts that remain in the original incident after the split are sent in real time.
The newly created destination incident is subject to the same rules as any other new incident in the system.

Splitting Incidents

  1. In the Alerts tab, on the right pane of the Incident Feed, select the alerts you would like to split out. Click Split at the top right of the Alerts table to open the split pop-up.
    Note: You cannot split out all the alerts in the incident.
  2. Click Split Incident. The split incident now appears in the Incident Feed. Both source and destination incidents are marked with the "Manual" badge.

What does the Manual badge signify?

Because splitting is a manual intervention in incident correlation, all split incidents are marked “Manual” after the split. Manual incidents are no longer included in automatic correlation, meaning no new alerts will be added to them. Existing alerts can still be updated, and splitting or merging existing incidents is still permitted.

To learn more about working with incidents, see Reference: Incidents Tab.