Common Event Format (PD-CEF)

The PagerDuty Common Event Format (PD-CEF) standardized alert format that allows us to correlate similar items across integrations and better understand the events from your environment, and you to view alert and incident data in a cleaner, more normalized way. You can also use PD-CEF to dynamically suppress non-actionable alerts using Event Rules.

PD-CEF is currently available for Splunk, AWS CloudWatch, DataDog, Nagios, Sensu, and Zabbix integrations to represent events in one common, easy to read format.

PD-CEF details display at the top of alert and incident detail pages. They express common operations event concepts in a normalized, readable way.

Within the alerts table, the PD-CEF fields Severity, Summary, Source, Class, Component, and Group can be viewed in relation to your alerts.

PD-CEF Fields

PD-CEF details map to the following fields. The table below outlines the name, type, and description of each value, as well as an example value for each.

Name
Type
Example Value
Usage

Summary

String

"PING OK - Packet loss = 0%, RTA = 1.41 ms"w
"Host 'acme-andromeda-sv1-c40 :: 179.21.24.50' is DOWN"

A high-level, text summary message of the event. Will be used to construct an alert's description.

Source

String

"prod05.theseus.acme-widgets.com"

"171.26.23.22"

"aws:elasticache:us-east-1:852511987:cluster/api-stats-prod-003"

"9c09acd49a25"

Specific human-readable unique identifier, such as a hostname, for the system having the problem.

Severity

Enum {Info, Warning, Error, Critical}

Info, Warning, Error, Critical

How impacted the affected system is. Displayed to users in lists and influences the priority of any created incidents.

Timestamp

Timestamp

2015-07-17T08:42:58.315+0000

When the upstream system detected / created the event. This is useful if a system batches or holds events before sending them to PagerDuty.

Class

String

"High CPU"

"Latency"

"500 Error"

The class/type of the event.

Component

String

"keepalive"

"webping"

"mysql"

"wqueue"

"LOAD_AVERAGE"

The part or component of the affected system that is broken.

Group

String

["production-app-stack"]

"prod-datapipe"

"www"

"web_stack"

A cluster or grouping of sources. For example, sources “prod-datapipe-02” and “prod-datapipe-03” might both be part of “prod-datapipe”

PD-CEF fields as they appear on an individual alert

Events API v2

The introduction of our new Events API offers an easier way to leverage PD CEF fields in your alerts. Monitoring partners can now directly send in the PD-CEF format, giving you the benefit of the format without needing to manually convert your events. Custom monitoring can also leverage this format, to take advantage of the new PD-CEF display and workflow features in PagerDuty.

Review our developer docs for more information about the Events API v2 and how to use it.

Common Event Format (PD-CEF)