Dominic Cleal's Blog

Sat, 26 Jul 2008 14:11:38 GMT

A less irritating use for vacation responders

Small tip for Exim filters when dealing with e-mail alerts. This is part of my current .filter file:
# Exim filter
# vim: ts=4 et
# Matches: SYSTEM Resolved ... Notification for Service
if $h_subject: matches "\\N^(\\S+)\\s+(\\S+).*Notification for Service\\N" then
    unseen save "mail/ALERTS"
    # Only notify if system name given in $1 and status is changing
    if $2 is "WIP" or $2 is "Resolved" then
        mail to notification@example.com
             from $reply_address
             subject $h_subject:
             text ": $message_body"
             log .alerts/alerts.log
             once .alerts/suncp.$1.$2.db
             once_repeat 3h
    endif
endif

First off, all alerts get saved into a different mailbox (as well as my inbox). Using Thunderbird and the Mailbox Alert extension on my work computer, I can distinguish between normal e-mails and incident alerts.

Next, the subject line is examined for particular keywords. The incoming messages have the subject:
SYSTEM Resolved ... Notification for Service
where the first word is the system hostname and the second word is the incident status. The "mail" command in the filter then creates a new e-mail that is sent to an e-mail-to-SMS service, basically relaying the message.

As there can be many updates to an on-going ticket, I've used the vacation responder options "once" and "once_repeat" to limit the notifications to once every 3 hours, per system and per status. This allows me to hopefully receive notifications just on the initial alert and when it's resolved. This is done with a different vacation database file (specified with "once") per combination of system and status, stored in ~/.alerts/ and named with the $1 and $2 variables. These contain the system name and alert status that came out of the "matches" regular expression on the subject line.
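
The throttling described above, simulated in Python as an added example (not part of the original post and not Exim code), so you can see which alerts in a burst would actually reach the SMS gateway. The sample subjects, the "Updated" status and the hostname allow-list are assumptions; the allow-list is included because $1 is taken from the Subject header and ends up in a file name.

```python
import re
from datetime import datetime, timedelta

# Same pattern as the filter's "matches" test: group 1 is $1, group 2 is $2.
# Lower-case "matches" and "is" in an Exim filter ignore case, hence re.I.
SUBJECT_RE = re.compile(r"^(\S+)\s+(\S+).*Notification for Service", re.I)
# Assumption: system names are plain hostnames. $1 ends up in a file name,
# so anything else (for example a value containing "/") is not relayed.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
ONCE_REPEAT = timedelta(hours=3)  # once_repeat 3h


def relay_decisions(alerts):
    """Return the (time, subject) pairs that would be relayed to SMS."""
    last_sent = {}  # stands in for the per-system, per-status "once" files
    relayed = []
    for when, subject in alerts:
        m = SUBJECT_RE.search(subject)
        if not m:
            continue
        system, status = m.groups()
        if status.lower() not in ("wip", "resolved"):
            continue  # only status changes are relayed
        if not SAFE_NAME_RE.match(system):
            continue  # refuse to build a file name from this value
        key = (system, status)
        previous = last_sent.get(key)
        if previous is not None and when - previous < ONCE_REPEAT:
            continue  # still inside the once_repeat window
        last_sent[key] = when
        relayed.append((when, subject))
    return relayed


def sample_alerts(start=datetime(2008, 7, 26, 9, 0)):
    """Constructed sample subjects (minutes after start), not real alert mail."""
    rows = [
        (0, "web01 WIP ticket opened Notification for Service"),
        (20, "web01 WIP ticket updated Notification for Service"),
        (45, "db02 WIP ticket opened Notification for Service"),
        (50, "web01 Updated ticket note Notification for Service"),
        (90, "web01 Resolved ticket closed Notification for Service"),
        (95, "web01 Resolved ticket closed Notification for Service"),
        (100, "../x Resolved ticket closed Notification for Service"),
        (200, "web01 WIP ticket reopened Notification for Service"),
    ]
    return [(start + timedelta(minutes=m), s) for m, s in rows]
```

Of the eight sample alerts, only those at 0, 45, 90 and 200 minutes are relayed: repeats inside the 3 hour window, the non-matching status and the unsafe system name are dropped.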