NRQL query to get all open incidents by alert policy

I want an NRQL query that will list all open incidents (which are not yet closed), FACETed by the alert policy.

Hi, @dnirmal: If you look at the Overview page under Alerts & AI, I bet you can figure it out. Click the three-dot menu in the upper-right corner of the charts, and select View query:

The chart I have indicated has them FACETed by priority; it would require only a minor change to FACET by policy name.

I already tried that query,

FROM NrAiIncident SELECT count(*) as 'Violations' WHERE event = 'open' FACET conditionName

It's giving me the count of all open incidents, including those that are already closed, but I need the incidents that are not closed yet.

Try WHERE closeTime IS NULL.

Sorry to jump on this thread, but this is the issue that I am seeing.

NrAiIncident contains events, i.e. for a closed incident there will be an event='Open' entry and an event='Close' entry, and closeTime is only set for entries with event='Close'.

To find the incidents that are still open, we need to be able to retrieve all event='Open' entries and then exclude any that also have an event='Close' entry.

But I can't see any way to do this.

Any suggestions gratefully accepted.

Hi, @stuart.elvins1: You are correct, I don’t think it is possible to do this in NRQL. I think you may have to write a script to get two lists of incidents, opened and closed, then get the items from the first list that are not present in the second list.
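The two-list approach described in the reply above, worked through as an added example (not code from anyone in this thread or from New Relic): the rows stand in for NrAiIncident events returned by two separate NRQL queries (one with WHERE event = 'open', one with WHERE event = 'close'); the field names incidentId, policyName and conditionName and the sample values are assumptions, and the script de-duplicates repeated open rows and ignores a close event whose open event fell outside the query window.

```python
from collections import Counter

# Constructed sample rows shaped like NrAiIncident events. The field names
# (incidentId, policyName, conditionName, event, closeTime) are assumed here.
SAMPLE_EVENTS = [
    {"incidentId": "inc-1", "policyName": "Web tier", "conditionName": "High CPU",
     "event": "open", "closeTime": None},
    {"incidentId": "inc-1", "policyName": "Web tier", "conditionName": "High CPU",
     "event": "close", "closeTime": 1700000600},
    {"incidentId": "inc-2", "policyName": "Web tier", "conditionName": "Error rate",
     "event": "open", "closeTime": None},
    {"incidentId": "inc-3", "policyName": "Database", "conditionName": "Disk full",
     "event": "open", "closeTime": None},
    # Duplicate open row for the same incident: must be counted once.
    {"incidentId": "inc-3", "policyName": "Database", "conditionName": "Disk full",
     "event": "open", "closeTime": None},
    # Close event whose open event is outside the query window: nothing to report.
    {"incidentId": "inc-4", "policyName": "Database", "conditionName": "Replication lag",
     "event": "close", "closeTime": 1700000900},
]


def split_open_close(events):
    """Return (opened_ids, closed_ids): the two lists the reply proposes fetching
    with separate queries. Event values are compared case-insensitively because
    the thread shows both 'open' and 'Open'."""
    opened = {e["incidentId"] for e in events if e["event"].lower() == "open"}
    closed = {e["incidentId"] for e in events if e["event"].lower() == "close"}
    return opened, closed


def still_open_incidents(events):
    """Incidents with an open event and no matching close event."""
    opened, closed = split_open_close(events)
    return opened - closed


def open_count_by_policy(events):
    """The FACET policyName the original question asked for, computed client-side:
    one count per still-open incident, not per event row."""
    open_ids = still_open_incidents(events)
    seen = set()
    counts = Counter()
    for e in events:
        iid = e["incidentId"]
        if iid in open_ids and iid not in seen:
            seen.add(iid)
            counts[e["policyName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(open_count_by_policy(SAMPLE_EVENTS))  # {'Web tier': 1, 'Database': 1}
```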

@stuart.elvins1 and @dnirmal: You may find this post helpful:

