
Incidents

Fetches incidents from Splunk Observability Cloud for monitoring and alerting visibility.

Sync Type: Full Synchronisation

Requirements

Before configuring this input, you need to:

  1. Create an API Access Token (see the Splunk Observability Cloud docs).

    • Log in to your Splunk Observability Cloud organization
    • Navigate to Settings → Access Tokens
    • Click Create New Token
    • Select the API token type
    • Copy and securely store the generated token
  2. Find your Realm — your realm is shown in your browser URL when logged in (e.g. app.us0.signalfx.com means your realm is us0). It is also visible under Settings → Organization Settings.

Details

Monad retrieves a complete snapshot of all incidents on each sync run. The input paginates through results using offset-based pagination with 100 records per page, stopping when a page returns fewer records than the page size.

Each incident contains a nested events array representing the individual alert firings that make up the incident. Monad emits each event as a separate record.

⚠️ Important: Splunk Observability Cloud returns at most 10,000 incidents per query, even if your organization contains more than 10,000. Incidents beyond that ceiling cannot be retrieved by this input.

Data Retrieval Flow

  1. Calls GET /v2/incident with limit=100 and offset=0
  2. Iterates through the nested events array of each incident and emits each event as a record
  3. Increments the offset by 100 and repeats until a page returns fewer than 100 incidents
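The loop above, written out as an added example (this is not Monad's own code). It paginates GET /v2/incident at limit=100 with offset stepping by 100, stops on a short page, refuses to request past the 10,000-incident ceiling, spaces requests to the 1 req/s limit, and flattens each incident's events array into separate records. Assumptions not stated on this page: the API host is https://api.<realm>.signalfx.com (Splunk's documented base URL, treated as an assumption here), the API returns an empty or short page once its ceiling is reached, and the constructed in-memory fetcher stands in for the real endpoint so the example runs offline.

```python
"""Added example: offset pagination over GET /v2/incident with event flattening.

Not Monad's code. Assumptions: API base URL https://api.<realm>.signalfx.com,
and that the API serves a short or empty page at its 10,000-incident ceiling.
"""
import json
import time
import urllib.request
from typing import Callable, Iterator
from urllib.parse import urlencode

PAGE_SIZE = 100
MAX_INCIDENTS = 10_000  # ceiling the API applies, per the Details section
SUPPORTED_REALMS = ("us0", "us1", "us2", "eu0", "ap0", "jp0")

# (limit, offset) -> list of incident objects
PageFetcher = Callable[[int, int], list]


def incident_url(realm: str, limit: int, offset: int) -> str:
    """Build the paged request URL; reject realms the input does not support."""
    if realm not in SUPPORTED_REALMS:
        raise ValueError(f"unsupported realm: {realm!r}")
    query = urlencode({"limit": limit, "offset": offset})
    # Assumed host pattern; see lead-in.
    return f"https://api.{realm}.signalfx.com/v2/incident?{query}"


def http_page_fetcher(realm: str, token: str) -> PageFetcher:
    """Real fetcher: one GET per page, token sent in X-SF-Token, never in the URL."""
    def fetch_page(limit: int, offset: int) -> list:
        req = urllib.request.Request(
            incident_url(realm, limit, offset),
            headers={"X-SF-Token": token, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def iter_incident_events(fetch_page: PageFetcher, page_size: int = PAGE_SIZE,
                         max_incidents: int = MAX_INCIDENTS,
                         sleep=time.sleep) -> Iterator[dict]:
    """Walk pages at limit=page_size, offset += page_size; yield each nested event.

    Stops on a short page, and also once offset reaches the ceiling so no
    request is issued that the API is known not to serve. sleep() spaces
    successive requests to the conservative 1 req/s limit.
    """
    offset = 0
    while True:
        page = fetch_page(page_size, offset)
        for incident in page:
            for event in incident.get("events", []):
                record = dict(event)
                # Carry the parent's id so a record can be tied back to its incident.
                record.setdefault("incidentId", incident.get("incidentId"))
                yield record
        if len(page) < page_size:
            return
        offset += page_size
        if offset >= max_incidents:
            return
        sleep(1.0)


def constructed_fetcher(total_incidents: int, events_per_incident: int = 2):
    """Constructed in-memory stand-in for the API (not real data).

    Returns (fetch_page, call_counter) so a caller can check request counts.
    """
    incidents = [
        {
            "incidentId": f"inc-{i}",
            "severity": "Major",
            "events": [
                {"id": f"inc-{i}-ev-{j}", "severity": "Major",
                 "timestamp": 1776433029620 + j}
                for j in range(events_per_incident)
            ],
        }
        for i in range(total_incidents)
    ]
    calls = {"count": 0}

    def fetch_page(limit: int, offset: int) -> list:
        calls["count"] += 1
        return incidents[offset:offset + limit]
    return fetch_page, calls


def sync_events(total_incidents: int, page_size: int = PAGE_SIZE,
                max_incidents: int = MAX_INCIDENTS):
    """Full sync against the constructed API; returns (records, request_count)."""
    fetch_page, calls = constructed_fetcher(total_incidents)
    records = list(iter_incident_events(fetch_page, page_size, max_incidents,
                                        sleep=lambda _s: None))
    return records, calls["count"]


if __name__ == "__main__":
    recs, n = sync_events(250)
    print(f"{len(recs)} event records from {n} requests")
```

Because this is a full synchronisation, every run re-emits every event; downstream consumers should key on the event id (plus incidentId) rather than treating each emission as new. Swap `constructed_fetcher` for `http_page_fetcher(realm, token)` to run against the live API.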

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting | Type | Required | Description
Realm | string | Yes | The Splunk Observability Cloud realm for your organization (e.g., us0, us1, eu0). Found in your browser URL or under Organization Settings.
Use Synthetic Data | boolean | No | Generate synthetic demo data instead of connecting to the real data source. Defaults to false.

Supported Realms: us0, us1, us2, eu0, ap0, jp0

Secrets

Secret | Type | Required | Description
Auth Token | string | Yes | Splunk Observability Cloud API access token. Sent as the X-SF-Token request header.

Rate Limits

Scope | Limit | Window | Notes
API Requests | 1 | Per second | Conservative limit; Splunk Observability does not publicly document exact rate limits

Source: Splunk Observability Cloud API Reference

Limitations

  • Maximum of 10,000 incidents retrievable per sync (API limitation)
  • Individual events within an incident are emitted as separate records; the parent incident object is not emitted directly

Sample Record

The object below is one incident as returned by GET /v2/incident. As described under Details, Monad does not emit this top-level object; it emits each entry of the events array as its own record, each carrying the incidentId of its parent.

{
  "active": true,
  "anomalyState": "STOPPED",
  "detectLabel": "Memory above 95%",
  "detectorId": "0108a3de-3a77-f7ac-2120-3a09fad0ebca",
  "duration": 2,
  "events": [
    {
      "anomalyState": "MANUALLY_RESOLVED",
      "detectLabel": "Disk usage above 85%",
      "detectorId": "035dc3a5-38f6-aacf-04d0-abfcd71b9780",
      "detectorName": "High CPU Usage Detector",
      "id": "4c7b5977-a6ac-2275-a81d-c019b4324b4a",
      "incidentId": "45b4b249-64b8-2c85-491a-70770471686f",
      "inputs": {
        "fragment": "",
        "value": ""
      },
      "severity": "Major",
      "timestamp": 1776433029620
    }
  ],
  "incidentId": "d8a77a44-e347-1734-0f44-2d46b1d438c7",
  "linkedTeams": [],
  "severity": "Critical"
}