{"id":5605,"date":"2026-03-26T14:38:03","date_gmt":"2026-03-26T09:08:03","guid":{"rendered":"https:\/\/blog.spike.sh\/?p=5605"},"modified":"2026-03-27T15:09:19","modified_gmt":"2026-03-27T09:39:19","slug":"alert-routing-based-on-incident-payload","status":"publish","type":"post","link":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/","title":{"rendered":"How to route incidents based on what their payload says"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Every incident arrives with a payload, and that payload usually tells you far more than whether something broke. It points to which service is affected and how serious the issue looks. It also carries context about which customers are on the receiving end of that failure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The service name, <a href=\"https:\/\/spike.sh\/glossary\/severity\/\">severity<\/a>, customer context \u2014 all of it can feed directly into routing decisions. This guide explores how to read those parts of the payload and use them to route incidents automatically. You will find suggestions on what to look for in a payload and how to turn those signals into practical decisions around <a href=\"https:\/\/spike.sh\/glossary\/triage\/\">triage<\/a>, loading <a href=\"https:\/\/spike.sh\/blog\/what-is-an-escalation-policy\/\">escalation policies<\/a>, and <a href=\"https:\/\/spike.sh\/glossary\/noise-reduction\/\">noise reduction<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Table of contents<\/strong><\/p>\n\n\n\n<nav aria-label=\"Table of Contents\" class=\"wp-block-table-of-contents\"><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#what-s-in-an-incident-payload\">What&#8217;s in an incident payload<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#what-to-look-for-in-an-incident-payload\">What to look for in an incident payload<\/a><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#service-and-environment-names\">Service and environment names<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#keywords-that-signal-severity\">Keywords that signal severity<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#numeric-metric-values\">Numeric metric values<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#business-context\">Business context<\/a><\/li><\/ol><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#when-the-incident-payload-isn-t-readable-yet\">When the incident payload isn&#8217;t readable yet<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#acting-on-what-the-incident-payload-says\">Acting on what the incident payload says<\/a><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#triage-severity-priority-and-ownership\">Triage: severity, priority, and ownership<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#route-load-the-right-escalation-policy\">Route: load the right escalation policy<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#noise-reduction\">Noise reduction<\/a><\/li><\/ol><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#faqs\">FAQs<\/a><\/li><\/ol><\/nav>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 id=\"what-s-in-an-incident-payload\" class=\"wp-block-heading\">What&#8217;s in an incident payload<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The incident payload has two parts your routing rules can act on: the incident title and the incident details.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The title usually names the service or system affected. Something like &#8220;payment-processor: connection timeout&#8221; tells you which service is in trouble. The details carry more context. You&#8217;ll find metric values and error codes there. Region names and customer identifiers sometimes appear too, along with stack traces and anything else your monitoring tool chooses to send.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Together they give routing rules something specific to match on. The more structured and readable that payload is, the more precise your rules can be.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 id=\"what-to-look-for-in-an-incident-payload\" class=\"wp-block-heading\">What to look for in an incident payload<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Not everything in a payload is worth routing on. A few classes of signals are usually the most useful.<\/p>\n\n\n\n<h3 id=\"service-and-environment-names\" class=\"wp-block-heading\">Service and environment names<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Service names in the title are usually the most reliable routing signal. Identifiers like service names and API names rarely change, so rules that match on them stay reliable over time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Environment context matters too. An incident title containing &#8220;prod&#8221; carries different weight than one containing &#8220;staging&#8221;. A rule that matches on environment name can load a completely different escalation policy without any manual action.<\/p>\n\n\n<div class=\"is-style-no-highlight wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;prod&quot;<\/div><div class=\"cm-line\">     AND title contains &quot;checkout-api&quot;<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN load \u2192 checkout critical escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;staging&quot;<\/div><div class=\"cm-line\">     AND title contains &quot;checkout-api&quot;<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN auto-resolve<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<h3 id=\"keywords-that-signal-severity\" class=\"wp-block-heading\">Keywords that signal severity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Certain words in the details consistently point to high-severity situations. These are worth keeping an eye on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;timeout&#8221;<\/li>\n\n\n\n<li>&#8220;unreachable&#8221;<\/li>\n\n\n\n<li>&#8220;crash&#8221;<\/li>\n\n\n\n<li>&#8220;failed&#8221;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Words like &#8220;fraud&#8221; or &#8220;breach&#8221; often carry security implications that warrant a separate escalation path entirely.<\/p>\n\n\n<div class=\"is-style-no-highlight wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   Incident details [key: &quot;message&quot;] contains &quot;fraud&quot;<\/div><div class=\"cm-line\">     OR Incident details [key: &quot;message&quot;] contains &quot;unauthorized access&quot;<\/div><div class=\"cm-line\">     OR Incident details [key: &quot;message&quot;] contains &quot;breach&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-1<\/div><div class=\"cm-line\">     AND load \u2192 security escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"635\" data-attachment-id=\"5637\" data-permalink=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/screenshot-2026-03-27-at-2-58-20-pm\/\" data-orig-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM.png\" data-orig-size=\"1030,639\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot 2026-03-27 at 2.58.20\u202fPM\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM-1024x635.png\" src=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM-1024x635.png\" alt=\"Alert Routing rule created on Spike\" class=\"wp-image-5637\" srcset=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM-1024x635.png 1024w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM-300x186.png 300w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM-768x476.png 768w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-2.58.20-PM.png 1030w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Alert Routing rule created on <a href=\"https:\/\/spike.sh\" type=\"link\" id=\"spike.sh\">Spike<\/a><\/figcaption><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">The <code>key<\/code> name here is\u00a0<code>message<\/code>\u00a0because that is what most monitoring tools use for the main error or event description. Your payload may use a different key. Inspecting a sample payload from your integration is the quickest way to confirm the right key name before writing the rule.<\/p>\n<\/blockquote>\n\n\n\n<h3 id=\"numeric-metric-values\" class=\"wp-block-heading\">Numeric metric values<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>When the payload carries metric values, comparators give you more precision than keyword matching alone.<\/strong> A rule that checks whether <code>p99_latency_ms > 2000<\/code> is more reliable than one matching on a phrase that might change when your monitoring tool updates.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;api-gateway&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;p99_latency_ms&quot;] &gt; 2000<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-1<\/div><div class=\"cm-line\">     AND mark priority as P1<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;api-gateway&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;p99_latency_ms&quot;] &gt; 800<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;p99_latency_ms&quot;] &lt;= 2000<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-2<\/div><div class=\"cm-line\">     AND mark priority as P2<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<h3 id=\"business-context\" class=\"wp-block-heading\">Business context<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The payload often carries information about who is affected, not just what broke. A customer plan field or region identifier can signal priority just as clearly as the error type itself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A fintech team might find that any incident mentioning an enterprise customer name in the payload is a priority situation, regardless of which service it affects.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   Incident details [key: &quot;plan&quot;] contains &quot;enterprise&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark priority as P1<\/div><div class=\"cm-line\">     AND load \u2192 enterprise accounts escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">It often helps to think about your payload in terms of business impact rather than purely technical severity.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong><a href=\"http:\/\/spike.sh\">Spike<\/a> has a library of ready-to-use\u00a0<a href=\"https:\/\/spike.sh\/templates\/alert-rule-templates\">alert routing rule templates<\/a>\u00a0built around common payload patterns. They are a good starting point if you want something working quickly before you fine-tune rules for your own setup.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 id=\"when-the-incident-payload-isn-t-readable-yet\" class=\"wp-block-heading\">When the incident payload isn&#8217;t readable yet<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Raw error codes create a specific problem for routing rules. A title like <code>211007<\/code> or <code>TypeError: Cannot read properties of undefined<\/code> gives a rule nothing reliable to match on. You can write a rule around <code>211007<\/code> but that only works if you already know what the code means. Anyone reading the incident later probably won&#8217;t.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>This is where <a href=\"https:\/\/docs.spike.sh\/alerts\/title-remapper\">Spike\u2019s Title Remapper<\/a> is worth setting up before you write payload-based rules.<\/strong> It works by taking a small template written in HandlebarsJS syntax and rewriting incident titles using fields from the payload itself. The setup requires a bit of configuration. You pick the integration, inspect the payload it sends, and write a template that pulls the fields you care about into a readable title.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The result is worth the effort. After setup, <code>211007<\/code> can become &#8220;Destination not reachable&#8221;. A generic <code>TypeError<\/code> can become &#8220;checkout-api: TypeError: Cannot read properties of undefined&#8221;. The title now carries the service name and a human-readable description rather than a code you have to decode each time an incident triggers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once your titles are structured, routing rules become much more straightforward to write and maintain. A rule matching on &#8220;checkout-api&#8221; routes to the checkout team. A rule matching on &#8220;Destination not reachable&#8221; routes to the infrastructure team. The rule knows what to do without anyone having to interpret the raw payload first.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 id=\"acting-on-what-the-incident-payload-says\" class=\"wp-block-heading\">Acting on what the incident payload says<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Once you can read the payload reliably, three kinds of actions become possible: triage, routing, and noise reduction.<\/strong> Each one serves a different purpose and they often work together in a single rule.<\/p>\n\n\n\n<h3 id=\"triage-severity-priority-and-ownership\" class=\"wp-block-heading\">Triage: severity, priority, and ownership<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Triage is about answering three questions before a responder ever touches the incident:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What is the severity?<\/li>\n\n\n\n<li>What is the priority?<\/li>\n\n\n\n<li>Who should own it?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Some monitoring tools include severity and priority directly in the payload. When that is the case, routing rules can read those values and act on them straight away. When the payload does not carry that information, rules can set severity and priority based on other signals in the title or details.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The details section usually carries enough context to make that call. A database running out of connections in production is probably SEV-1 P1. The same issue in a staging environment might be SEV-3 P3.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;db-primary&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;message&quot;] contains &quot;max_connections exceeded&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;env&quot;] contains &quot;prod&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-1<\/div><div class=\"cm-line\">     AND mark priority as P1<\/div><div class=\"cm-line\">     AND load \u2192 database on-call escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;db-primary&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;message&quot;] contains &quot;max_connections exceeded&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;env&quot;] contains &quot;staging&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-3<\/div><div class=\"cm-line\">     AND mark priority as P3<\/div><div class=\"cm-line\">     AND auto-acknowledge<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">For ownership, the service name in the title is usually the clearest signal. A rule routing incidents with &#8220;auth-service&#8221; in the title to the auth team&#8217;s escalation policy handles ownership automatically. Rules get more precise when you combine the service name with error type and customer context from the details.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;auth-service&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;message&quot;] contains &quot;token validation failed&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;plan&quot;] contains &quot;enterprise&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN mark severity as SEV-1<\/div><div class=\"cm-line\">     AND mark priority as P1<\/div><div class=\"cm-line\">     AND load \u2192 auth team critical escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"476\" data-attachment-id=\"5639\" data-permalink=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/screenshot-2026-03-27-at-3-04-20-pm\/\" data-orig-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM.png\" data-orig-size=\"1022,476\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot 2026-03-27 at 3.04.20\u202fPM\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM.png\" src=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM.png\" alt=\"Alert Routing rule created on Spike\" class=\"wp-image-5639\" srcset=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM.png 1022w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM-300x140.png 300w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.04.20-PM-768x358.png 768w\" sizes=\"auto, (max-width: 1022px) 100vw, 1022px\" \/><figcaption class=\"wp-element-caption\">Alert Routing rule created on <a href=\"https:\/\/spike.sh\" type=\"link\" id=\"spike.sh\">Spike<\/a><\/figcaption><\/figure>\n\n\n\n<h3 id=\"route-load-the-right-escalation-policy\" class=\"wp-block-heading\">Route: load the right escalation policy<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Routing comes down to one action: loading the right escalation policy. Triage rules set the severity and priority. Routing then acts on those values.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A good place to start is two policies. One for <a href=\"https:\/\/spike.sh\/blog\/escalation-policy-for-critical-incidents\/\">critical incidents<\/a> with phone call alerts and short wait times, and a <a href=\"https:\/\/spike.sh\/blog\/escalation-policy-for-low-priority-incidents\/\">default policy<\/a> for everything else.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   severity is SEV-1<\/div><div class=\"cm-line\">     OR priority is P1<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN load \u2192 critical escalation policy  <\/div><div class=\"cm-line\">(phone call, 5-minute wait time)<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">As incident patterns get clearer, routing by service area usually gives you more control than routing by severity alone. It also means the right team gets paged directly rather than everything funnelling into one critical policy.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;payments-processor&quot;<\/div><div class=\"cm-line\">     OR title contains &quot;billing-service&quot;<\/div><div class=\"cm-line\">     OR title contains &quot;stripe-webhook&quot;<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN load \u2192 payments on-call escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;k8s&quot;<\/div><div class=\"cm-line\">     OR title contains &quot;node&quot;<\/div><div class=\"cm-line\">     OR title contains &quot;pod&quot;<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN load \u2192 infrastructure on-call escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<h3 id=\"noise-reduction\" class=\"wp-block-heading\">Noise reduction<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Not every incident that triggers needs a human to act on it. Payload conditions in the title and details are usually the most direct way to catch these cases. There are four actions worth knowing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Auto-acknowledge:<\/strong> Stops the escalation policy from running. Good for known low-priority signals your team tracks but does not need to act on right away<\/li>\n\n\n\n<li><strong>Auto-resolve:<\/strong> Closes the incident immediately. Works well for signals that always self-correct<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/spike.sh\/blog\/introducing-resolved-by-timer\/\">Resolve by timer<\/a>:<\/strong> Waits for a set period and resolves if nothing changes. Useful for incidents that often clear up on their own<\/li>\n\n\n\n<li><strong>Do not create incident:<\/strong> Suppresses the incident before it enters the queue. Worth using carefully and only for signals you are completely confident are irrelevant<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Grouping multiple known low-signal patterns into one rule is usually cleaner than a separate rule for each one.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;integration-test&quot;<\/div><div class=\"cm-line\">     OR title contains &quot;health-check-ping&quot;<\/div><div class=\"cm-line\">     OR title starts with &quot;ALARM: CPU over 25% on dev-&quot;<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN do not create incident<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1023\" height=\"614\" data-attachment-id=\"5642\" data-permalink=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/screenshot-2026-03-27-at-3-08-05-pm\/\" data-orig-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM.png\" data-orig-size=\"1023,614\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot 2026-03-27 at 3.08.05\u202fPM\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM.png\" src=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM.png\" alt=\"Alert Routing rule created on Spike\" class=\"wp-image-5642\" srcset=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM.png 1023w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM-300x180.png 300w, https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-27-at-3.08.05-PM-768x461.png 768w\" sizes=\"auto, (max-width: 1023px) 100vw, 1023px\" \/><figcaption class=\"wp-element-caption\">Alert Routing rule created on <a href=\"https:\/\/spike.sh\" type=\"link\" id=\"spike.sh\">Spike<\/a><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For incidents worth seeing but not worth escalating, auto-resolve with a notification keeps visibility without the noise.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;staging&quot;<\/div><div class=\"cm-line\">     AND Incident details [key: &quot;message&quot;] contains &quot;memory warning&quot;<\/div><div class=\"cm-line\"><\/div><div class=\"cm-line\">THEN resolve incident and send notification<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Frequency-based conditions work well alongside payload conditions. A single HTTP 503 from a search service is probably a blip. Fifteen of them within ten minutes is a pattern worth escalating.<\/p>\n\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;search-service&quot;<\/div><div class=\"cm-line\">     AND incident triggers &gt; 5 times within 15 minutes<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN mark severity as SEV-1<\/div><div class=\"cm-line\">     AND load \u2192 search team escalation policy<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n<div class=\"wp-block-code\">\n\t<div class=\"cm-editor\">\n\t\t<div class=\"cm-scroller\">\n\t\t\t\n<pre>\n<code><div class=\"cm-line\">IF   title contains &quot;search-service&quot;<\/div><div class=\"cm-line\">     AND incident triggers &lt;= 5 times within 15 minutes<\/div><div class=\"cm-line\">     <\/div><div class=\"cm-line\">THEN auto-resolve<\/div><\/code><\/pre>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\">Payload-based routing is one of those things that starts simple and gets more useful over time. A handful of rules covering your most critical services is probably enough to get started. As you learn more about your incident patterns, the rules get sharper and the setup gradually reflects how your team actually responds in practice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The goal is not a perfect ruleset on day one. It is to remove the small decisions your team makes repeatedly and make them automatic.<\/strong> Which team should see this? How urgent is it? Does this need attention at all? Over time, answering those questions automatically adds up to faster responses and less mental load for the people on call.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you are ready to set up payload-based routing rules,\u00a0<a href=\"https:\/\/spike.sh\/\">Spike<\/a>\u00a0is a good place to start.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-ee856660 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-midnight-gradient-background has-background wp-element-button\" href=\"https:\/\/app.spike.sh\/signup\" style=\"border-top-left-radius:9px;border-top-right-radius:9px;border-bottom-left-radius:9px;border-bottom-right-radius:9px\">Get started with Spike<\/a><\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 id=\"faqs\" class=\"wp-block-heading\">FAQs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How do routing rules handle a malformed or empty payload?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A rule that checks for a specific field or keyword will simply not match if the payload is malformed or missing that field. The incident falls through to the default escalation policy. It is worth watching which incidents consistently land there with no rule matches. That pattern often means an integration&#8217;s payload format has changed after a tool upgrade and your rules are silently no longer matching.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How do you handle flapping incidents where the same incident keeps opening and closing rapidly?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Frequency conditions are the most useful tool here. A rule that only escalates after an incident triggers more than a set number of times within a short window filters out the noise from flapping without missing a genuinely sustained problem. <a href=\"https:\/\/docs.spike.sh\/incidents\/resolve-timer\">Resolve by timer<\/a> can also help by giving the incident time to self-correct before any escalation fires.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How do global routing rules interact with team-level routing rules when you have multiple teams on the same account?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Global rules typically run first and can classify or suppress an incident before it reaches team-level rules. This is useful for organisation-wide noise reduction. Team-level rules then handle the more specific routing decisions within each team&#8217;s own services. The risk is that a global rule inadvertently suppresses or misclassifies an incident before the team-level rule has a chance to act on it, so it is worth being deliberate about which decisions belong at which level.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Can routing rules trigger outbound webhooks or external actions?<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, routing rules in <a href=\"http:\/\/spike.sh\">Spike<\/a> can trigger outbound webhooks as an action. That makes it possible to wire up automated remediation alongside routing. An incident could page the on-call team and simultaneously trigger a webhook that attempts a server restart. The escalation policy wait time acts as a buffer, so if the automated action resolves the issue first, the page never fires.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For more complex action sequences like creating a JIRA ticket and updating a status page in a specific order, <a href=\"https:\/\/spike.sh\/playbooks\">Spike&#8217;s Playbooks<\/a> are worth exploring. They support chained actions that run in the exact sequence you define.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every incident payload carries signals worth acting on. This guide covers how to read those signals and use them to set severity, load the right escalation policy, and reduce noise automatically.<\/p>\n","protected":false},"author":263547072,"featured_media":5614,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","_lmt_disableupdate":"","_lmt_disable":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":true,"token":"eyJpbWciOiJodHRwczpcL1wvYmxvZy5zcGlrZS5zaFwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAyNlwvMDNcL09wc0dlbmllLVNodXRkb3duXy1FdmVyeXRoaW5nLVlvdS1OZWVkLVRvLUtub3ctNC0xMDI0eDU1NS5wbmciLCJ0eHQiOiJIb3cgdG8gcm91dGUgaW5jaWRlbnRzIGJhc2VkIG9uIHdoYXQgdGhlaXIgcGF5bG9hZCBzYXlzIiwidGVtcGxhdGUiOiJoaWdod2F5IiwiZm9udCI6IiIsImJsb2dfaWQiOjIzMzEzODkwMH0.2Pvs220D5vYZZ-jT_1C0uslf6mXqWBo0DmLGb-AkIeUMQ"},"version":2},"_wpas_customize_per_network":false,"jetpack_post_was_ever_published":false},"categories":[1467],"tags":[],"class_list":["post-5605","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to route incidents based on what their payload says<\/title>\n<meta name=\"description\" content=\"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to route incidents based on what their payload says\" \/>\n<meta property=\"og:description\" content=\"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/\" \/>\n<meta property=\"og:site_name\" content=\"Spike&#039;s blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T09:08:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-27T09:39:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2080\" \/>\n\t<meta property=\"og:image:height\" content=\"1128\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sreekar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sreekar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/\"},\"author\":{\"name\":\"Sreekar\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/#\\\/schema\\\/person\\\/eb31f40342cbe6a94ef67a1c0bf20923\"},\"headline\":\"How to route incidents based on what their payload says\",\"datePublished\":\"2026-03-26T09:08:03+00:00\",\"dateModified\":\"2026-03-27T09:39:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/\"},\"wordCount\":1835,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.spike.sh\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png\",\"articleSection\":[\"Guides\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/\",\"url\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/\",\"name\":\"How to route incidents based on what their payload says\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.spike.sh\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png\",\"datePublished\":\"2026-03-26T09:08:03+00:00\",\"dateModified\":\"2026-03-27T09:39:19+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/#\\\/schema\\\/person\\\/eb31f40342cbe6a94ef67a1c0bf20923\"},\"description\":\"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.spike.sh\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png\",\"contentUrl\":\"https:\\\/\\\/blog.spike.sh\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png\",\"width\":2080,\"height\":1128},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/alert-routing-based-on-incident-payload\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.spike.sh\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to route incidents based on what their payload says\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/#website\",\"url\":\"https:\\\/\\\/blog.spike.sh\\\/\",\"name\":\"Spike&#039;s blog\",\"description\":\"Learnings and opinions in a changing world\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.spike.sh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.spike.sh\\\/#\\\/schema\\\/person\\\/eb31f40342cbe6a94ef67a1c0bf20923\",\"name\":\"Sreekar\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g\",\"caption\":\"Sreekar\"},\"url\":\"https:\\\/\\\/blog.spike.sh\\\/author\\\/sreekar98\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to route incidents based on what their payload says","description":"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/","og_locale":"en_GB","og_type":"article","og_title":"How to route incidents based on what their payload says","og_description":"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.","og_url":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/","og_site_name":"Spike&#039;s blog","article_published_time":"2026-03-26T09:08:03+00:00","article_modified_time":"2026-03-27T09:39:19+00:00","og_image":[{"width":2080,"height":1128,"url":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","type":"image\/png"}],"author":"Sreekar","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sreekar","Estimated reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#article","isPartOf":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/"},"author":{"name":"Sreekar","@id":"https:\/\/blog.spike.sh\/#\/schema\/person\/eb31f40342cbe6a94ef67a1c0bf20923"},"headline":"How to route incidents based on what their payload says","datePublished":"2026-03-26T09:08:03+00:00","dateModified":"2026-03-27T09:39:19+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/"},"wordCount":1835,"commentCount":0,"image":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","articleSection":["Guides"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/","url":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/","name":"How to route incidents based on what their payload says","isPartOf":{"@id":"https:\/\/blog.spike.sh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#primaryimage"},"image":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","datePublished":"2026-03-26T09:08:03+00:00","dateModified":"2026-03-27T09:39:19+00:00","author":{"@id":"https:\/\/blog.spike.sh\/#\/schema\/person\/eb31f40342cbe6a94ef67a1c0bf20923"},"description":"Not every incident needs the same response. Learn how to route incidents automatically based on what their payload says.","breadcrumb":{"@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#primaryimage","url":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","contentUrl":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","width":2080,"height":1128},{"@type":"BreadcrumbList","@id":"https:\/\/blog.spike.sh\/alert-routing-based-on-incident-payload\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.spike.sh\/"},{"@type":"ListItem","position":2,"name":"How to route incidents based on what their payload says"}]},{"@type":"WebSite","@id":"https:\/\/blog.spike.sh\/#website","url":"https:\/\/blog.spike.sh\/","name":"Spike&#039;s blog","description":"Learnings and opinions in a changing world","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.spike.sh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/blog.spike.sh\/#\/schema\/person\/eb31f40342cbe6a94ef67a1c0bf20923","name":"Sreekar","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cb2a2f53f3fd9e9619b7d3aaca20588e6101b5d239f52e0137823bd5d6cd0941?s=96&d=robohash&r=g","caption":"Sreekar"},"url":"https:\/\/blog.spike.sh\/author\/sreekar98\/"}]}},"modified_by":"Sreekar","jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-4.png","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfMe4Q-1sp","jetpack-related-posts":[{"id":5449,"url":"https:\/\/blog.spike.sh\/how-to-set-up-incident-alert-routing-rules-effectively\/","url_meta":{"origin":5605,"position":0},"title":"How to set up Incident Alert Routing rules effectively","author":"Sreekar","date":"11th March, 2026","format":false,"excerpt":"A well set-up alert routing system means your team only sees what actually needs attention. This guide covers the three conditions that drive an effective routing setup and how to use each one.","rel":"","context":"In &quot;Guides&quot;","block_context":{"text":"Guides","link":"https:\/\/blog.spike.sh\/category\/guides\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-2.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":5652,"url":"https:\/\/blog.spike.sh\/alert-routing-setup-that-never-misses-critical-incidents\/","url_meta":{"origin":5605,"position":1},"title":"Building an Alert Routing setup that never misses a critical incident","author":"Sreekar","date":"29th March, 2026","format":false,"excerpt":"Critical incidents need to reach the right person the moment they trigger. This guide covers how to set up an alert routing system that make sure they always do.","rel":"","context":"In &quot;Guides&quot;","block_context":{"text":"Guides","link":"https:\/\/blog.spike.sh\/category\/guides\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-5.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":5690,"url":"https:\/\/blog.spike.sh\/severity-and-priority-based-routing\/","url_meta":{"origin":5605,"position":2},"title":"Routing incidents the way their severity and priority demand","author":"Sreekar","date":"29th March, 2026","format":false,"excerpt":"Should this incident get a phone call or a Slack message? Severity and priority answer that question. This guide shows how to build routing rules around both.","rel":"","context":"In &quot;Guides&quot;","block_context":{"text":"Guides","link":"https:\/\/blog.spike.sh\/category\/guides\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-7.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":5468,"url":"https:\/\/blog.spike.sh\/turning-team-knowledge-into-alert-routing-rules\/","url_meta":{"origin":5605,"position":3},"title":"Turning team knowledge into Alert Routing rules","author":"Sreekar","date":"12th March, 2026","format":false,"excerpt":"Your team knows incidents inside out. This guide walks you through four ways to build Alert Routing rules from that knowledge.","rel":"","context":"In &quot;Guides&quot;","block_context":{"text":"Guides","link":"https:\/\/blog.spike.sh\/category\/guides\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/03\/OpsGenie-Shutdown_-Everything-You-Need-To-Know-1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":5234,"url":"https:\/\/blog.spike.sh\/compass-for-setting-up-escalation-policy\/","url_meta":{"origin":5605,"position":4},"title":"A compass for setting up your escalation policy","author":"Sreekar","date":"26th February, 2026","format":false,"excerpt":"There's no single way to set up an escalation policy. This guide walks through five approaches and helps you figure out which combination fits your team.","rel":"","context":"In &quot;Guides&quot;","block_context":{"text":"Guides","link":"https:\/\/blog.spike.sh\/category\/guides\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2026\/02\/Basics-of-Incident-Management-1-3.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":321,"url":"https:\/\/blog.spike.sh\/powerful-incident-management-platform\/","url_meta":{"origin":5605,"position":5},"title":"Our Journey to Become Powerful Incident Management Platform","author":"Kaushik","date":"19th September, 2022","format":false,"excerpt":"We spoke with our users. Understood the problems and started on a long journey to fix them. Here's where we are so far.","rel":"","context":"In &quot;Announcement&quot;","block_context":{"text":"Announcement","link":"https:\/\/blog.spike.sh\/category\/announcement\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.spike.sh\/wp-content\/uploads\/2022\/09\/feature-image.png?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/posts\/5605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/users\/263547072"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/comments?post=5605"}],"version-history":[{"count":24,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/posts\/5605\/revisions"}],"predecessor-version":[{"id":5644,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/posts\/5605\/revisions\/5644"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/media\/5614"}],"wp:attachment":[{"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/media?parent=5605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/categories?post=5605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.spike.sh\/wp-json\/wp\/v2\/tags?post=5605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}