Common Event Format (PD-CEF)
Overview of the PagerDuty Common Event Format that is used to correlate similar items across integrations
The PagerDuty Common Event Format (PD-CEF) is a standardized alert format that allows PagerDuty to correlate similar items across integrations and better understand the events from your environment. PD-CEF also allows you to view alert and incident data in a cleaner, more normalized way. You can also use PD-CEF to dynamically suppress non-actionable alerts with Event Orchestration.
PD-CEF details display at the top of alert and incident detail pages. They express common event concepts in a normalized, readable way.
PD-CEF Fields
The table below outlines the name, type and description of each PD-CEF field, as well as an example value for each.
Name | Type | Example Value | Usage |
---|---|---|---|
Summary | String | "PING OK - Packet loss = 0%, RTA = 1.41 ms"w "Host 'acme-andromeda-sv1-c40 :: 179.21.24.50' is DOWN" | A high-level, text summary message of the event. Will be used to construct an alert's summary. |
Source | String | "prod05.theseus.acme-widgets.com" "171.26.23.22" "aws:elasticache:us-east-1:852511987:cluster/api-stats-prod-003" "9c09acd49a25" | Specific human-readable unique identifier, such as a hostname, for the system having the problem. |
Severity | Enum {Info, Warning, Error, Critical} | Info, Warning, Error, Critical | Indicates the severity of the impact to the affected system. |
Timestamp | Timestamp | 2015-07-17T08:42:58.315+0000 | When the upstream system detected / created the event. This is useful if a system batches or holds events before sending them to PagerDuty. |
Class | String | "High CPU" "Latency" "500 Error" | The class/type of the event. |
Component | String | "keepalive" "webping" "mysql" "wqueue" "LOAD_AVERAGE" | The part or component of the affected system that is broken. |
Group | String | ["production-app-stack"] "prod-datapipe" "www" "web_stack" | A cluster or grouping of sources. For example, sources “prod-datapipe-02” and “prod-datapipe-03” might both be part of “prod-datapipe” |
Custom Details | Object | {"ping time": "1500ms", "load avg": 0.75 } | Free-form details from the event. |
PD-CEF Fields on an Alert
Below is an example of what PD-CEF information on an alert might look like in the web app:
PD-CEF in the Alerts Table
The alerts table highlights PD-CEF fields in your alerts: Severity, Summary, Source, Class, Component, and Group. To customize the fields shown on the Alerts table, navigate to Incidents Alerts and click Customize Columns on the right side.
Events API v2
The Events API v2 offers an easier way to leverage PD-CEF fields in your alerts. Monitoring partners can now directly send events in the PD-CEF format, giving you the benefit of the format without the need to manually convert your events. Custom monitoring can also leverage this format, to take advantage of the PD-CEF display and workflow features in PagerDuty.
Review our developer docs for more information about the Events API v2 and how to use it.
PD-CEF is currently available for many integrations, including the following:
- AWS Cloudwatch
- Azure
- Datadog
- Github
- Logic Monitor
- Microsoft OMS
- Nagios
- New Relic
- Pingdom
- PRTG
- Sensu
- Slack
- Splunk
- Wormly
- Zabbix
Updated 6 months ago