I found a similar closed issue titled "[🐛 Bug]: Filter by enriched field not always work](#4170)" which was resolved by a pull request that enhanced date validation with regex patterns for ISO and datetime ^[1]. However, this may not directly address your current problem with filtering by the 'incident' field.

Regarding your issue, the filtering mechanism for 'incident.id' might be affected by recent changes in the Keep platform. The migration script dated 2024-07-25 introduced new fields to the 'incident' table, which could impact how incidents are filtered based on these attributes ^[2]. Additionally, the codebase includes specific database queries related to filtering alerts by 'incident' fields, structured using SQLAlchemy. These queries join tables to include incident data and apply filters based on tenant ID and timestamp thresholds ^[3].

The 'incident' field is populated with a valid ID when certain conditions are met, such as when the same_incident_in_the_past_id or merged_into_incident_id fields are set with a valid UUID. If these fields are not set, they remain null ^[4].

To filter by a specific incident ID in CEL queries, ensure the format incident.id == "UUID" is used, where the UUID is written without hyphens ^[5]. This might help resolve the issue of filtering for 'None' values not returning expected results.

To continue talking to Dosu, mention @dosu.

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}