Skip to main content

Overview

Escalation Routing allows you to automatically direct incoming alerts to specific escalation policies based on their attributes. Instead of using a single default policy for all incidents, you can create rules that match alert properties like severity, host, service, or custom tags to ensure the right team gets notified.

Smart Routing

Route alerts based on severity, service, environment, or any custom field

Priority-Based

Rules are evaluated in priority order - first match wins

Flexible Conditions

Use AND/OR logic with 13 different operators for precise matching

Delayed Escalation

Add delay to allow alerts to auto-resolve before escalating

How Escalation Routing Works

Alert Received

Build Evaluation Context
(severity, host, service, tags, source, etc.)

Evaluate Rules (by priority, lowest first)

┌─────────────────┬─────────────────┐
│                 │                 │
Rule Matches      No Match
      ↓                 ↓
Use Rule's        Use Default
Policy            Policy
      ↓                 ↓
Apply Initial     Start Escalation
Delay (if set)    Immediately

Start Escalation
Key Points:
  • Rules are evaluated in priority order (lower number = evaluated first)
  • The first matching rule determines the escalation policy
  • If no rules match, the tenant’s default escalation policy is used
  • Inactive rules can still match but will suppress notifications

Viewing Routing Rules

The Escalation Routing page displays all your configured rules:
ColumnDescription
RuleName and description
PriorityEvaluation order (lower = first)
ConditionsNumber of conditions and logic type (AND/OR)
PolicyTarget escalation policy
DelayInitial delay before escalation starts
StatusActive or Inactive
Use the search bar and status filter to quickly find specific rules.

Creating Routing Rules

1

Open Create Dialog

Click the Add Rule button in the toolbar
2

Enter Basic Info

  • Name — Descriptive rule name
  • Description — Explain what this rule does and when it should match
3

Configure Conditions

Add conditions that must match for the rule to trigger:
  • Select a field (event property or custom tag)
  • Choose an operator (equals, contains, regex, etc.)
  • Enter the value to match
  • Add more conditions as needed
  • Select AND or OR logic
4

Select Escalation Policy

Choose which escalation policy to use when this rule matches, or select “Use Default Policy”
5

Set Priority and Status

  • Priority — Lower values evaluate first (default: 100)
  • Status — Active or Inactive
6

Configure Initial Delay (Optional)

Set a delay in seconds before escalation begins
7

Save Rule

Click Create Rule to save

Understanding Conditions

Conditions determine when a routing rule triggers. Each condition compares an event field against a value using an operator.

Available Fields

FieldDescription
event.severityAlert severity level
event.priorityAlert priority (P1-P5)
event.hostAffected hostname
event.hostIpHost IP address
event.serviceService or application name
event.environmentEnvironment (production, staging, etc.)
event.regionGeographic region
event.titleAlert title
event.descriptionAlert description

Condition Operators

OperatorDescriptionExample
equalsExact match (case-insensitive)event.severity equals "critical"
not_equalsDoes not matchevent.environment not_equals "development"
containsContains substringevent.title contains "database"
not_containsDoes not containevent.host not_contains "test"
starts_withStarts with prefixevent.host starts_with "prod-"
ends_withEnds with suffixevent.service ends_with "-api"
inValue in listevent.severity in "critical,high"
not_inValue not in listevent.environment not_in "dev,test,staging"
regexRegex pattern matchevent.host regex "^web-[0-9]+$"
existsField existstags.customer exists
not_existsField does not existtags.team not_exists
greater_thanNumeric greater thanextra.errorCount greater_than 100
less_thanNumeric less thanextra.responseTime less_than 5000

Condition Logic

All conditions must match for the rule to trigger.Example: Route to DBA team only for critical database alerts in production
Conditions (AND):
  - event.severity equals "critical"
  - event.service contains "database"
  - event.environment equals "production"
All three conditions must be true.
For complex routing with both AND and OR requirements, create multiple rules with different priorities.

Initial Escalation Delay

The initial delay feature allows you to pause before starting escalation, giving alerts time to auto-resolve.

How It Works

  1. Alert matches a routing rule with initial delay configured
  2. Incident is created but escalation is not started immediately
  3. During the delay period:
    • If the alert auto-resolves → Incident closes, no escalation occurs
    • If the delay expires → Escalation begins normally

Delay Configuration

SettingDescription
0 secondsImmediate escalation (default)
30+ secondsMinimum delay (values 1-29 auto-correct to 30)
VarianceActual delay may vary by ±15 seconds
The delay adds latency before responders are notified. Only use this for alerts that frequently auto-resolve within your monitoring system.

Use Cases

  • Flapping alerts — Alerts that trigger and resolve rapidly
  • Self-healing systems — Infrastructure with auto-remediation
  • Transient issues — Network blips, temporary resource spikes

Rule Priority

Rules are evaluated in priority order (lower number = higher priority):
PriorityEvaluation OrderTypical Use
1-10FirstCritical routing, VIP customers
11-50SecondHigh-priority specific matches
51-100ThirdStandard routing rules
101-500FourthGeneral category rules
501+LastCatch-all rules
When multiple rules could match the same alert, only the highest-priority (lowest number) matching rule is used.

Priority Example

Rule 1 (Priority 10): Premium customers → VIP Support Policy
Rule 2 (Priority 50): Critical severity → Critical Response Policy
Rule 3 (Priority 100): Database service → DBA On-Call Policy
Rule 4 (Priority 500): Everything else → Default Policy
A critical alert for a premium customer’s database would route to VIP Support Policy (Rule 1) because it has the highest priority.

Common Use Cases

Goal: Premium customers get faster responseConditions:
AND:
  - tags.tier equals "premium"
Policy: Premium Support (24/7)Priority: 10 (evaluate first)
Goal: Critical alerts go to senior engineersConditions:
AND:
  - event.severity in "critical,high"
  - event.environment equals "production"
Policy: Critical Response TeamPriority: 20
Goal: Database alerts go to DBA teamConditions:
OR:
  - event.service contains "database"
  - event.service contains "postgres"
  - event.service contains "mysql"
  - event.service contains "redis"
Policy: DBA On-CallPriority: 50
Goal: Regional teams handle their own infrastructureRule 1 (Priority 100):
  • Condition: event.region equals "eu-west-1"
  • Policy: EU Support Team
Rule 2 (Priority 100):
  • Condition: event.region equals "us-east-1"
  • Policy: US East Support Team
Rule 3 (Priority 100):
  • Condition: event.region equals "ap-southeast-1"
  • Policy: APAC Support Team
Goal: Different tools route to different teamsConditions:
AND:
  - source.type equals "prometheus"
  - event.service starts_with "k8s-"
Policy: Platform EngineeringPriority: 75
Goal: Avoid noise from self-healing issuesConditions:
AND:
  - event.service contains "autoscaling"
  - event.severity equals "warning"
Policy: Infrastructure TeamInitial Delay: 300 seconds (5 minutes)Priority: 80
Goal: Create incidents but don’t notify for dev/testConditions:
OR:
  - event.environment equals "development"
  - event.environment equals "staging"
  - event.environment equals "test"
Policy: Any (won’t be used)Status: Inactive (creates incident, suppresses notification)Priority: 1 (evaluate first)

Testing Rules

Before activating a rule, you can test how it would evaluate against sample data:
  1. Use the test endpoint to evaluate your rules
  2. Send sample event data matching expected alerts
  3. Review which rule matched and why
  4. Adjust conditions or priorities as needed
The test feature shows you exactly which rule would match and which policy would be selected, helping you validate your routing logic before it affects real incidents.

Managing Rules

Editing Rules

  1. Click the three-dot menu (⋮) on a rule
  2. Select Edit
  3. Modify conditions, policy, or settings
  4. Save changes

Duplicating Rules

Create a copy of an existing rule:
  1. Click the three-dot menu
  2. Select Duplicate
  3. Modify the copy as needed
  4. Save as a new rule
Duplicating is useful when you need similar rules for different teams or environments.

Activating/Deactivating Rules

Toggle rule status without deleting:
  • Active — Rule is evaluated and routes to its policy
  • Inactive — Rule still matches but suppresses notifications (useful for testing or maintenance)

Deleting Rules

  1. Click the three-dot menu
  2. Select Delete
  3. Confirm deletion
Deleted rules cannot be recovered. Alerts that would have matched will fall through to other rules or the default policy.

Best Practices

Create specific high-priority rules first (VIP customers, critical services), then add broader rules with lower priority.
Leave gaps between priorities (10, 20, 50, 100) so you can insert new rules later without renumbering.
Use the description field to explain why each rule exists and what scenario it handles.
Create rules as inactive first, then test with sample alerts before activating in production.
Configure your integrations to send meaningful tags (team, tier, environment) that you can use in routing conditions.
Audit routing rules when teams change, services are deprecated, or escalation policies are updated.
When rules have similar conditions, ensure priorities are set correctly so the intended rule matches first.

Troubleshooting

  1. Verify rule is Active
  2. Check condition field names match your alert data exactly
  3. Test with sample data to see actual field values
  4. Check if a higher-priority rule is matching first
  5. Verify condition logic (AND vs OR)
  1. Check rule priorities — lower numbers evaluate first
  2. Look for other rules that might match the same alerts
  3. Verify the correct policy is selected in the rule
  4. Test to see which rule actually matches
  1. Verify at least one rule should match the alert
  2. Check all conditions in matching rule are satisfied
  3. Ensure rule is active
  4. Review actual alert field values in webhook samples
  1. Check if matched rule is Inactive (suppresses notifications)
  2. Verify the escalation policy has active targets
  3. Check if initial delay is still pending
  4. Review escalation policy configuration
  1. Verify initialDelaySeconds is set correctly
  2. Remember values 1-29 auto-correct to 30
  3. Actual delay may vary by ±15 seconds
  4. Check if alert resolved before delay expired
  1. Test regex pattern separately
  2. Patterns are case-insensitive
  3. Escape special characters properly
  4. Check for leading/trailing whitespace in values

Quick Reference

Condition Operators

OperatorTypeDescription
equalsStringExact match
not_equalsStringNot equal
containsStringSubstring match
not_containsStringNo substring
starts_withStringPrefix match
ends_withStringSuffix match
inListValue in list
not_inListValue not in list
regexRegexPattern match
existsBooleanField exists
not_existsBooleanField missing
greater_thanNumericGreater than
less_thanNumericLess than

Event Fields

FieldSource
event.severityAlert severity
event.priorityAlert priority
event.hostHostname
event.hostIpIP address
event.serviceService name
event.environmentEnvironment
event.regionRegion
event.titleAlert title
event.descriptionAlert description
source.typeIntegration type
source.idIntegration ID
tags.*Any tag value

Priority Guidelines

RangeUse Case
1-10VIP/Premium routing
11-50Critical overrides
51-100Standard routing
101-500General categories
501+Catch-all rules