How to find incidents with a particular key present in context ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to find incidents with a particular key present in context ?

L1 Bithead

whenever there is an email thread involved in the incident,  a field in the context is created as EmailThreads: [{email1 values}, {email 2 values}]

I want to find all the incidents which have this email thread involved.


L3 Networker

To find all incidents that have a value assigned to EmailThreads, you can use this filter: 


This shows all incidents where the EmailThreads fields is not empty. This relies on the machine name of the field so if it is not emailthreads you will need to adjust it. Hope this helps!

L1 Bithead


This is my context I have ExtractedFields as a dictionary with several values in it.


When i do -ExtractedFields: "" its not showing the incident.


In that screenshot, ExtractedFields is in the context of the incident but is not being used as a field in the incident. Only incident fields are indexed and are filterable since the amount of data in context can be overwhelming. Only the subset of data under incident can be used to filter. In its current state you can't filter based on ExtractedFields, you would need to create it as an incident field first, then it would be filterable.

L1 Bithead

But its only getting created in the context and not in the incident.
There is already automation in place that created this in the context and if i create a custom field as well it won't create a duplicate entry in the incident right ?


It would duplicate the item in context to an incident field. Which automation are you using?

You can use the mapping options in the task configuration in the playbook editor or a separate setIncident task to write the data to a custom field on the incident.

The one in incident context subset will be called "incident.ExtractedFields" in case you want to keep the original name.

  • 7 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!