Formatting Incidents

PagerDuty Common Event Format (PD-CEF)

The PagerDuty Common Event Format (PD-CEF) standardizes the way events, alerts, and incidents are delivered and displayed. This structured format lets you correlate similar items across integrations and better understand the events coming from your environment. PD-CEF is currently available for the Splunk, AWS CloudWatch, DataDog, Nagios, Sensu, and Zabbix integrations, which use it to represent events in one common, easy-to-read format.

PD-CEF details display at the top of alert and incident detail pages. They express common operations event concepts in a normalized, readable way.

Within the alerts table, the PD-CEF fields Severity, Summary, Source, Class, Component, and Group are shown for each alert.

PD-CEF Fields

PD-CEF details map to the following fields. The table below outlines the name, type, and description of each value, as well as an example value for each.

Name: Summary
Type: String
Example values: "PING OK - Packet loss = 0%, RTA = 1.41 ms"; "Host 'acme-andromeda-sv1-c40 :: 179.21.24.50' is DOWN"
Usage: A high-level text summary of the event. Used to construct an alert's description.

Name: Source
Type: String
Example values: "prod05.theseus.acme-widgets.com"; "171.26.23.22"; "aws:elasticache:us-east-1:852511987:cluster/api-stats-prod-003"; "9c09acd49a25"
Usage: A specific, human-readable unique identifier, such as a hostname, for the system having the problem.

Name: Severity
Type: Enum {Info, Warning, Error, Critical}
Example values: Info, Warning, Error, Critical
Usage: How impacted the affected system is. Displayed to users in lists and influences the priority of any created incidents.

Name: Timestamp
Type: Timestamp
Example value: 2015-07-17T08:42:58.315+0000
Usage: When the upstream system detected or created the event. Useful if a system batches or holds events before sending them to PagerDuty.

Name: Class
Type: String
Example values: "High CPU"; "Latency"; "500 Error"
Usage: The class or type of the event.

Name: Component
Type: String
Example values: "keepalive"; "webping"; "mysql"; "wqueue"; "LOAD_AVERAGE"
Usage: The part or component of the affected system that is broken.

Name: Group
Type: String
Example values: "production-app-stack"; "prod-datapipe"; "www"; "web_stack"
Usage: A cluster or grouping of sources. For example, the sources "prod-datapipe-02" and "prod-datapipe-03" might both be part of "prod-datapipe".

PD-CEF fields as they appear on an individual alert

The Events API v2

The Events API v2 offers an easier way to use PD-CEF fields in your alerts. Monitoring partners can now send events directly in PD-CEF, giving you the benefit of the format without having to convert your events manually. Custom monitoring tools can also send this format to take advantage of the PD-CEF display and workflow features in PagerDuty.

Review our developer docs for more information about the Events API v2 and how to use it.
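The following is an added example, not PagerDuty's own code or client library, showing how a custom monitoring tool would build an Events API v2 event around the PD-CEF fields in the table above. It assumes the payload layout documented for the Events API v2 (a JSON body with routing_key, event_action, dedup_key and a payload object carrying the PD-CEF fields, posted to https://events.pagerduty.com/v2/enqueue); note that the API takes severity in lowercase even though the UI displays the values capitalised. The Nagios-to-PD-CEF mapping, the nagios_to_pdcef and nagios_event helpers, and the SAMPLE_NAGIOS macros are constructed for this page. The routing key is read from an environment variable because whoever holds it can trigger and resolve incidents on that service.

```python
"""Events API v2 envelope around PD-CEF fields (example added to this page,
not PagerDuty's own code). Layout per the developer docs: POST JSON with
routing_key, event_action, dedup_key and a payload of PD-CEF fields."""
import json
import os
import re
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EVENTS_API_V2 = "https://events.pagerduty.com/v2/enqueue"
SEVERITIES = ("critical", "error", "warning", "info")  # the API is lowercase
SUMMARY_MAX = 1024  # documented limit on the summary field

def iso_timestamp(dt: datetime) -> str:
    """Format like the table's example: 2015-07-17T08:42:58.315+0000."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03d+0000" % (dt.microsecond // 1000)

@dataclass
class PDCEF:
    summary: str
    source: str
    severity: str
    timestamp: Optional[str] = None
    component: Optional[str] = None
    group: Optional[str] = None
    cls: Optional[str] = None  # sent as "class", which is a Python keyword

    def as_payload(self) -> dict:
        """Check the required fields and emit the API's payload object."""
        if not self.summary or not self.source:
            raise ValueError("summary and source are required")
        if len(self.summary) > SUMMARY_MAX:
            raise ValueError("summary exceeds %d characters" % SUMMARY_MAX)
        if self.severity not in SEVERITIES:
            raise ValueError("severity must be one of %r" % (SEVERITIES,))
        payload = {"summary": self.summary, "source": self.source,
                   "severity": self.severity}
        optional = (("timestamp", self.timestamp), ("component", self.component),
                    ("group", self.group), ("class", self.cls))
        payload.update({k: v for k, v in optional if v is not None})
        return payload

def dedup_key(ev: PDCEF) -> str:
    """Stable per (source, component), so a later event about the same thing
    updates or resolves the open alert instead of opening another one."""
    raw = "/".join(p for p in (ev.source, ev.component) if p).lower()
    return re.sub(r"[^a-z0-9/]+", "-", raw).strip("-")[:255]

def build_event(routing_key: str, ev: PDCEF, action: str = "trigger") -> dict:
    """Wrap PD-CEF fields in the Events API v2 envelope."""
    if action not in ("trigger", "acknowledge", "resolve"):
        raise ValueError("unknown event_action %r" % action)
    body = {"routing_key": routing_key, "event_action": action,
            "dedup_key": dedup_key(ev)}
    if action == "trigger":  # acknowledge/resolve carry only the dedup_key
        body["payload"] = ev.as_payload()
    return body

# Constructed sample: macros a Nagios service notification command passes
# ($HOSTNAME$, $SERVICEDESC$, $SERVICESTATE$, $SERVICEOUTPUT$, $TIMET$, ...).
SAMPLE_NAGIOS = {
    "HOSTNAME": "acme-andromeda-sv1-c40", "HOSTGROUPNAME": "web_stack",
    "SERVICEDESC": "keepalive", "SERVICESTATE": "CRITICAL",
    "SERVICEOUTPUT": "PING CRITICAL - Packet loss = 100%", "TIMET": 1437122578,
}
NAGIOS_SEVERITY = {"CRITICAL": "critical", "WARNING": "warning",
                   "UNKNOWN": "error", "OK": "info"}

def nagios_to_pdcef(m: dict) -> PDCEF:
    """Hypothetical mapping of Nagios macros onto the PD-CEF fields."""
    return PDCEF(
        summary="%s on %s is %s: %s" % (m["SERVICEDESC"], m["HOSTNAME"],
                                        m["SERVICESTATE"], m["SERVICEOUTPUT"]),
        source=m["HOSTNAME"], severity=NAGIOS_SEVERITY[m["SERVICESTATE"]],
        timestamp=iso_timestamp(datetime.fromtimestamp(m["TIMET"], tz=timezone.utc)),
        component=m["SERVICEDESC"], group=m["HOSTGROUPNAME"], cls=m["SERVICESTATE"])

def nagios_event(routing_key: str, m: dict) -> dict:
    """An OK state resolves the alert keyed on the same source/component."""
    action = "resolve" if m["SERVICESTATE"] == "OK" else "trigger"
    return build_event(routing_key, nagios_to_pdcef(m), action)

def send_event(body: dict, url: str = EVENTS_API_V2) -> dict:
    """POST over HTTPS. Not called below, so the sample runs offline."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # The routing (integration) key lets its holder trigger and resolve
    # incidents on that service: read it from the environment, never source.
    print(json.dumps(nagios_event(os.environ.get("PD_ROUTING_KEY", "<routing-key>"),
                                  SAMPLE_NAGIOS), indent=2))
```

The dedup_key deliberately excludes Class and Severity: a check that goes WARNING, then CRITICAL, then OK is one problem, and only a key that stays the same across those state changes lets the final OK resolve the alert that the first event opened. Putting the state into Class instead keeps it visible in the alert table without fragmenting the alert.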

Q&A:

Which integrations are supported by PD-CEF?

PD-CEF is currently available for Splunk, AWS CloudWatch, DataDog, Nagios, Sensu and Zabbix integrations. More are on the way!

What can I do with PD-CEF?

In addition to viewing alert and incident data in a cleaner, more normalized way, you can also use PD-CEF to dynamically suppress non-actionable alerts using Event Rules.

What's next?

This new event format will allow you to do much more with your events and integrations in the future. Please note included integrations and functionality may change going forward. We are actively working to migrate all of our integrations to PD-CEF and welcome your feedback!
