You are browsing a read-only backup copy of Wikitech. The live site can be found at

Splunk On-Call: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
(Created page with "Splunk On-Call (formerly [ VictorOps]) is the paging/notification/engagement solution used by SRE, WMCS and others (since June 2020). == How to == === Set up as a new user === You have received an invitation from Splunk On-Call. At the invitation stage you will be asked for a few information: your VO username, password and “displayed name”. Additionally a phone number for SMSes, although that can be safely skipped and can be added later. === L...")
(No difference)

Revision as of 07:10, 17 May 2022

Splunk On-Call (formerly VictorOps) is the paging/notification/engagement solution used by SRE, WMCS and others (since June 2020).

How to

Set up as a new user

You have received an invitation from Splunk On-Call. At the invitation stage you will be asked for a few information: your VO username, password and “displayed name”. Additionally a phone number for SMSes, although that can be safely skipped and can be added later.

Logging in with Google SSO

Sign out and select “sign in via SSO” on the login page.

  • Next, you will be prompted to enter your Org Slug, enter ‘wikimedia'
  • From this page you will be redirected to sign in using your Google credentials.
  • After entering Google credentials, you will be asked to enter your current Splunk On-Call (VictorOps) username/password. Note: You will only need to enter your Splunk On-Call username and password once to link the account with SSO, then it will not be asked for again.

Additional information about Splunk On-Call SSO can be found at

Set up personal paging policies

Each user can configure their preferred notification methods by clicking the username on top right and “your profile”. The “primary paging policy” will default to the email you used at registration time, and optionally the phone number if provided.

Make sure you hear the notifications even if your phone is in do not disturb mode


Team specific details

Please review the team specific details and setup steps in their respective sections below, and perform those which apply to you.

VO Administration

Invite a new user

At user onboarding time, you (an admin on VO) will receive a request to invite a new user (usually via phab task).

  1. Navigate to and hit "invite user", using the user's full email address for invitation.
  2. After the invitation has been sent, the user needs to be added to a team. Therefore navigate to and pick a team, then invite the newly-created user to the team.
  3. Give the user "Team Admin" privileges for relevant teams. To do this hit the pencil button for the user's row and hit confirm.

Removing a user

To remove a user, first remove them from any rotations or escalation policies they may be a part of. This typically can be done by removing them from any teams they have been added to.

note: If the above step is not done you may see an error to the effect of "We were unable to delete the user, please try again or contact support"

SRE Team Usage

Adding yourself to the batphone

The SRE "all hands on deck" model is referred to as "batphone" and its schedule can be found under Teams -> SRE -> On-Call Schedule. During onboarding please follow the steps below to add yourself to the batphone:

Note: if you run into any permission errors in the process, please confirm with a VO admin that you have "team admin" permission.

  1. Navigate to SRE rotations
  2. For the "batphone" rotation, expand by clicking the caret on the right, select "add a shift" (bottom left) and pick "partial day" from the dropdown
  3. In the next form, "shift name" is your Full name (one shift per person)
  4. Click "monday through friday" and select all days of the week. Pick the desired hours (e.g. based on Icinga "awake hours"), note that these times are relative to "time zone above" in the form.
  5. Click "save shift"
  6. You’ll be shown the rotation with the new empty shift added. Click the leftmost icon to "manage members" for the shift and add your username.
  7. Done!

More information can be found at the VictorOps knowledge base.

Business Hours Pager Shift

Business hours paging is configured under Teams -> SRE -> Rotations.

There are two "Business hours" rotations defined, one for each region (EMEA, and AMER) with two "pools" per region. These pools (region-day-pool1 and region-day-pool2) contain the same people within each region, however their ordering is staggered in order to automatically rotate through the roster evenly.

Note: There is no notion of primary or secondary between region-day-pool1 and region-day-pool2, they are both treated with equal priority. Pages are routed to all pools simultaneously.

Viewing the business hours pager schedule:

The easiest way to browse the business hours pager schedule for upcoming shifts is via the Splunk On-Call web interface. Visit and expand the "SRE Business Hours (Escalation)" by clicking the down arrow to the right.

Starting your shift:

  1. Open the Splunk on-call app on your mobile device and ensure your authentication is active, this will speed up acknowledgement of alerts.
  2. Ensure the time zone and business hours for the pool you are representing this week reflects your current local time zone and hours. Under Teams -> SRE -> Rotations expand your business hours region, then identify the pool which reflects your pager shift for the upcoming week (your name will appear in the time bar) and click the pencil to edit the shift
    • Screen Shot 2022-05-06 at 12.17.41 PM.png
  3. Within the edit window double check that the time zone and hours reflect the business hours for your location, specifically the "Time Zone" and "Each user is on duty" fields. Adjust as necessary, then click "save shift"
    • Screen Shot 2022-05-06 at 12.18.08 PM.png

Escalating a page

If you receive a page and need help, do not hesitate to escalate it to the batphone.

In VictorOps / Splunk on-call this type of escalation is done with the "add responders" feature.

  1. In the VictorOps / Splunk on-call interface, navigate to the incident (alert) that you wish to escalate.
  2. Find the "Responders" section, and click "add responder" (or the + icon on mobile)
  3. From "Escalation Policies" choose "Batphone" from under the "SRE" heading, and click next.
  4. Review for accuracy and press save.

The system will now trigger the batphone paging policy, paging the broader SRE team for assistance.

Scheduling an override (out of office, on vacation, etc)

If you will be unavailable during a scheduled pager shift, here's what to do:

  1. Schedule an override, either from the app (calendar tab) or SRE scheduled overrides (or your team's scheduled overrides)
  2. Once the override is set, navigate to scheduled overrides link above and expand your newly added override, you will see a breakdown of the pager rotations and escalations needing coverage.
  3. Populate the user field to reflect who will be taking on the affected pager shifts:
    • SRE Business hours shifts:
      • Choose the person who will be taking the shift for you. Note: it is preferred to arrange coverage ahead of time when possible, however leaving this field blank will trigger an "unassigned overrides" notification to VO admins prompting managers to fill in coverage.
    • SRE Batphone
      • If you will be unavailable (out of office, on vacation, etc.) choose "devnull" as the overriding person for the batphone shift, all alerts to that contact are effectively blackholed.
      • If you will be available, but are arranging alternate coverage for the business hours pager, choose yourself in order to continue receiving batphone alerts.

WMCS Usage

The Cloud Services team uses a separate set of rotations and gets paged in somewhat different ways due to the size of the group and tech involved. The focus is on ensuring alerts reach the most prepared people to resolve them at times that are least disruptive to daily life where possible. This was deemed necessary partly because Cloud Services has a lot of systems that merit paging, those systems should only alert the WMCS team, and some of the alerts are fairly easy to trip and hard to disable during changes. There are three "rotations" defined for each team member:

  • Working hours: This is the engineer's primary working schedule on weekdays. This is when most of our pages come in due to higher rate of changes on the systems, and this ensures that people who are working can take care of things without disturbing engineers who are not working in their own timezone.
  • Awake hours: 6am to 10pm in the local timezone.
  • All hours: 24x7

The "Working hours" rotation will page immediately to ensure that those who are on duty and most ready to help with things are informed of the issue. If no one has acknowledged an incident for 10 minutes, the alert is escalated to the "awake hours" rotations. This does imply there is a 10 minute delay for paging on weekends, but emails go out instantly. If an alert is still unacknowledged for 15 minutes, the "all hours" escalation is triggered, which will page the entire team. Because email alerts go out right away, people already at a computer can intercept and help out more quickly. This makes sure that someone will always be paged, one way or another, but it allows us to simulate some of the best parts of a "follow the sun" model of support without the need to actually have people everywhere.

The devnull user should work for WMCS overrides/vacations as well.

How we use it

Codesearch: [vV]ictor[oO]ps