Create and manage cases

Serverless Observability Stack

Open a new Observability case to keep track of issues and share the details with colleagues. You can create and manage cases using the cases UI.

Requirements

To access and send cases to external systems, you need the appropriate subscription, and your role must have the required Kibana feature privileges. Refer to Configure access to cases in Elastic Observability for more information.

Requirements

For Observability projects, you need the appropriate feature tier, and you must be assigned the Editor role or higher to create and manage cases. To learn more, refer to Assign user roles and privileges.

To create a case:

  1. Find Cases in the main menu or use the global search field.

  2. Click Create case.

  3. (Optional) If you defined templates, select one to use its default field values. (Stack: Preview, Serverless: Preview)

  4. Give the case a name, severity, and description.

    Tip

    In the Description, you can use Markdown syntax to format text.

  5. (Optional) Add a category, assignees, and tags.

    You can add users only if they meet the necessary prerequisites.

    You can add users who are assigned the Editor user role (or a more permissive role) for the project.

  6. If you defined custom fields, they appear in the Additional fields section.

  7. (Optional) Under External Connector Fields, you can select a connector to send cases to an external system. If you’ve created any connectors previously, they will be listed here. If there are no connectors listed, you can create one. For more information, refer to External incident management systems.

    Note (Stack: Planned)

    When specifying Additional fields for an IBM Resilient connector, fields that are set when an incident is created or changed (for example, an incident is closed) won't display as an option.

  8. After you’ve completed all of the required fields, click Create case.

Tip

You can also create a case from an alert or add an alert to an existing case. From the Alerts page, click the More options icon and choose either Add to existing case or Create new case, and select or complete the details as required.

To send a case to an external system, click the push button in the External incident management system section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again.

For more information about configuring connections to external incident management systems, refer to Configure case settings for Elastic Observability.

You can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes.

(Stack: Planned) To find cases that were created during a specific time range, use the date time picker above the Cases table. The default time selection is the last 30 days. Clicking Show all cases displays every Observability case in your space. The action also adjusts the start of the time range to the date when the first case was created.

To view a case, click on its name. You can then:

  • Add and edit the case's description, comments, assignees, tags, status, severity, and category.
  • Add a connector (if you did not select one while creating the case).
  • Send updates to external systems (if external connections are configured).
  • Refresh the case to retrieve the latest updates.

Provide additional context and resources by adding the following to the case:

Tip (Stack: Planned)

From the Attachments tab, you can search for specific alert IDs and file names.

Escalate alerts and track them in a single place by attaching them to cases. To examine the alerts, click the Alerts tab in the case. In the table, alerts are organized from oldest to newest. To view alert details, click the View details button.

You can find the Alerts tab in the following places:

  • Stack Planned: Go to the case's details page, then select the Attachments tab.
  • Stack 9.0.0: Go to the case's details page.

Important

Each case can have a maximum of 1,000 alerts.

Note

Add alerts to new and existing cases from the Alerts page.

After you create a case, you can upload and manage files on the Files tab. To find the tab:

  • Stack Planned: Go to the case's details page, then select the Attachments tab.
  • Stack 9.0.0: Go to the case's details page.

To download or delete the file or copy the file hash to your clipboard, open the action menu. The available hash functions are MD5, SHA-1, and SHA-256.
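The copied hash can be used to confirm that a downloaded attachment is the file that was uploaded to the case. The following is an added example, not Elastic code: the function names are hypothetical, and it assumes the copied value is a hex string whose length identifies which of the three hash functions produced it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hex digest length -> algorithm, for the three hash functions the Files tab offers.
ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large attachments are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_attachment(path, copied_hash):
    """Return (algorithm, matches) for a downloaded file and a hash copied from the case.

    Assumption: the copied value is a hex string; its length selects the algorithm.
    """
    expected = copied_hash.strip().lower()
    algorithm = ALGORITHMS.get(len(expected))
    if algorithm is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not an MD5, SHA-1, or SHA-256 hex digest")
    actual = file_digest(path, algorithm)
    return algorithm, hmac.compare_digest(actual, expected)


def demo():
    # Constructed sample: a stand-in for a file downloaded from a case.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "evidence.log"
        sample.write_bytes(b"constructed sample attachment\n")
        good = hashlib.sha256(sample.read_bytes()).hexdigest()
        ok = verify_attachment(sample, good.upper() + "\n")
        # Simulate a file that changed after the hash was copied.
        sample.write_bytes(b"constructed sample attachment, altered\n")
        tampered = verify_attachment(sample, good)
        return ok, tampered


if __name__ == "__main__":
    print(demo())
```

Prefer the SHA-256 value when the check is meant to detect deliberate modification, because practical collisions exist for MD5 and SHA-1.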

When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list.

Note

Uploaded files are also accessible from the Files management page, which you can find using the navigation menu or entering Files into the global search field.

Important

When you export cases as saved objects, the attached case files are not exported.

The Cases page has a search bar for quickly finding cases and case data. You can search for case titles, descriptions, and IDs using keywords and text. Note the following rules for search:

  • Keywords: Searches for keywords (like case and alert IDs) must be exact.
  • Text: Text searches (such as case titles and descriptions) are case-insensitive.
  • Syntax: No special syntax is required when entering your search criteria.

(Stack: Planned) You can also search for alert and event IDs, observable values, case comments, and custom fields (text type only). For example, you can search for a specific IP address that's been specified as an observable, a colleague's comment, or the ID of an alert that's attached to the case.