Common Event Format (PD-CEF)

Overview of the PagerDuty Common Event Format that is used to correlate similar items across integrations

The PagerDuty Common Event Format (PD-CEF) is a standardized alert format that allows PagerDuty to correlate similar items across integrations and better understand the events from your environment. PD-CEF also allows you to view alert and incident data in a cleaner, more normalized way. You can also use PD-CEF to dynamically suppress non-actionable alerts with Event Orchestration and Event Rules.

PD-CEF details display at the top of alert and incident detail pages. They express common event concepts in a normalized, readable way.

PD-CEF Fields

The table below outlines the name, type and description of each PD-CEF field, as well as an example value for each.

Name

Type

Example Value

Usage

Summary

String

"PING OK - Packet loss = 0%, RTA = 1.41 ms"w
"Host 'acme-andromeda-sv1-c40 :: 179.21.24.50' is DOWN"

A high-level, text summary message of the event. Will be used to construct an alert's summary.

Source

String

"prod05.theseus.acme-widgets.com"

"171.26.23.22"

"aws:elasticache:us-east-1:852511987:cluster/api-stats-prod-003"

"9c09acd49a25"

Specific human-readable unique identifier, such as a hostname, for the system having the problem.

Severity

Enum {Info, Warning, Error, Critical}

Info, Warning, Error, Critical

Indicates the severity of the impact to the affected system.

Timestamp

Timestamp

2015-07-17T08:42:58.315+0000

When the upstream system detected / created the event. This is useful if a system batches or holds events before sending them to PagerDuty.

Class

String

"High CPU"

"Latency"

"500 Error"

The class/type of the event.

Component

String

"keepalive"

"webping"

"mysql"

"wqueue"

"LOAD_AVERAGE"

The part or component of the affected system that is broken.

Group

String

["production-app-stack"]

"prod-datapipe"

"www"

"web_stack"

A cluster or grouping of sources. For example, sources “prod-datapipe-02” and “prod-datapipe-03” might both be part of “prod-datapipe”

Custom Details

Object

{"ping time": "1500ms", "load avg": 0.75 }

Free-form details from the event.

PD-CEF Fields on an Alert

Below is an example of what PD-CEF information on an alert might look like in the web app:

22542254

PD-CEF fields on an alert

PD-CEF in the Alerts Table

The alerts table highlights PD-CEF fields in your alerts: Severity, Summary, Source, Class, Component, and Group. To customize the fields shown on the Alerts table, navigate to Incidents Alerts and click Customize Columns on the right side.

Events API v2

The Events API v2 offers an easier way to leverage PD-CEF fields in your alerts. Monitoring partners can now directly send events in the PD-CEF format, giving you the benefit of the format without the need to manually convert your events. Custom monitoring can also leverage this format, to take advantage of the PD-CEF display and workflow features in PagerDuty.

Review our developer docs for more information about the Events API v2 and how to use it.

PD-CEF is currently available for many integrations, including the following:

  • AWS Cloudwatch
  • Azure
  • Datadog
  • Github
  • Logic Monitor
  • Microsoft OMS
  • Nagios
  • New Relic
  • Pingdom
  • PRTG
  • Sensu
  • Slack
  • Splunk
  • Wormly
  • Zabbix

Did this page help you?