Add severity mapping from unified model to HEC (#1866)
Co-authored-by: Tigran Najaryan <[email protected]>
Co-authored-by: Bogdan Drutu <[email protected]>
Co-authored-by: Armin Ruech <[email protected]>
4 people authored Aug 26, 2021
1 parent c5bd549 commit 60d089d
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions specification/logs/data-model.md
Expand Up @@ -668,6 +668,8 @@ Rest of SDIDs -> Attributes["syslog.*"]</td>

### Splunk HEC

We apply this mapping from HEC to the unified model:

<table>
<tr>
<td>Field</td>
Expand Down Expand Up @@ -719,6 +721,35 @@ Rest of SDIDs -> Attributes["syslog.*"]</td>
</tr>
</table>

When mapping from the unified model to HEC, we apply this additional mapping:

<table>
<tr>
<td>Unified model element</td>
<td>Type</td>
<td>Description</td>
<td>Maps to HEC</td>
</tr>
<tr>
<td>SeverityText</td>
<td>string</td>
<td>The severity of the event as a human-readable string.</td>
<td>fields['otel.log.severity.text']</td>
</tr>
<tr>
<td>SeverityNumber</td>
<td>string</td>
<td>The severity of the event as a number.</td>
<td>fields['otel.log.severity.number']</td>
</tr>
<tr>
<td>Name</td>
<td>string</td>
<td>Short event identifier that does not contain varying parts.</td>
<td>fields['otel.log.name']</td>
</tr>
</table>

### Log4j

<table>
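Review bot: In the SeverityNumber row of the new table, the Type cell says `string` while the Description cell says "The severity of the event as a number."; the two contradict each other, and an implementer reading only the Type column could emit `fields['otel.log.severity.number']` as text. Change the Type cell to the numeric type the unified model uses for SeverityNumber (the SeverityText row above it is the one that should stay `string`), and consider stating explicitly whether the HEC field carries the raw numeric value so that it can be filtered numerically on the Splunk side.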

0 comments on commit 60d089d