What's the best way to set a severity in a custom transform?

I’ve just written my first event transformer, and I feel like I must be missing something.

My transformer is designed to read messages from AWS EventBridge aka CloudWatch Events (which are not handled properly by the existing CloudWatch integration - I’ll make another post about that).

I could not find in any of the docs (mainly here and here) anything about setting the severity, and my service, when configured to set priority dynamically, was making every event a P1.

I found a tutorial that uses emitCEFEvents instead of emitGenericEvents, which seems to let you specify severity, but I couldn’t get it to work, and when I went looking for documentation all I found was a forum post by someone (unsuccessfully?) seeking same.

The workaround I ended up with was having my transformer set a details.severity property and then write service rules that look for custom_details.severity and then set priority accordingly.

Surely there’s a better way, or am I just coming at this all wrong? I’m still pretty new to PagerDuty, so anything’s possible. Thanks to anyone who can help!

Hey Brad,

Alerts in PagerDuty can be generated with a severity field. These severity values can be directly provided from the triggering monitoring tool, or set using event rules.

Currently you can use the Severity field to determine the urgency using Event Rules. The Incident’s urgency is what determines the method of notification as you have notification rules based on High or Low Urgency rules.

Cheers,

So just to be sure I’m clear, you cannot set or change the severity field in the transformer, so if the triggering tool does not provide a severity (EventBridge does not seem to), an event rule is your only other option. Is that right?

If the triggering tool used a different field name, or a different set of terms than info, warn, etc, would a rule be your only fix in that case too?

You can change, add, modify anything you’d like in a transformer. Some of the confusion may be from the Event API v1 format which does not support severity. In this case, you’ll want to write an event transformer in Event API v2 format and return the “emitCEFEvents” allowing a fully configured best practice Event API v2 / PD-CEF formatted event.

I’d also encourage you to create a new “Application Event Transformer” via the “Developer Mode” for your use internally at your company (or optionally contribute it to the community). This will allow you to reuse your transformer via the drop down integration option on any service in PagerDuty. If you create traditional “Custom Event Transformers” you’ll have to repeat that process on each and every PagerDuty service.

Also, keep in mind that any transformer you create will not work with our rulesets feature. You’ll have to create service level event rules as needed for changing severity, setting priority, adding a note, etc. on each service.

Feel free to reach out to me directly if you’d like me to review your transformer or need additional help!

Doug

1 Like

Below is the custom transformer code which works with emitCEFEvents() and AWS CloudWatch - I verified that it works.

Kludges:

  1. emitCEFEvents() doesn’t seem to be documented. Questions about it are answered with “please contact support” or “it’s already answered in your private support ticket”. Strange.
  2. The AWS CloudWatch integration which is built-in to PagerDuty is strange: it swallows alarm name, and it posts an ugly JSON as an event description. Which is weird: I expected the default integration to be polished and opinionated, but it doesn’t seem like it is.

Here is the code:

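```javascript
// Parse the raw CloudWatch alarm payload delivered to the integration.
var body = JSON.parse(PD.inputRequest.rawBody);
// Extract the region from the alarm ARN to build a console link.
var matches = body.AlarmArn.match(/:cloudwatch:([^:]+)/);
// Guard against an ARN that does not match, so matches[1] never throws.
var region = matches ? matches[1] : "";
var url =
  "https://console.aws.amazon.com/cloudwatch/home?region=" + region +
  "#c=CloudWatch&s=Alarms&alarm=" + encodeURIComponent(body.AlarmName);
var description = "(warning) " + body.AlarmName;
var details = body.NewStateReason + (body.AlarmDescription ? "\n\n" + body.AlarmDescription : "");
var cef_event = {
  // Severity is hardcoded here; every alarm arrives as "warning".
  severity: "warning",
  event_type: "cef",
  // An alarm returning to OK resolves the incident; anything else triggers.
  event_action: body.NewStateValue === "OK" ? PD.Resolve : PD.Trigger,
  summary: description,
  description: description,
  message: details,
  details: details,
  source_origin: body.AlarmArn,
  // Using the ARN as dedup key groups trigger and resolve for the same alarm.
  dedup_key: body.AlarmArn,
  service_group: "CloudWatch",
  client_url: url,
  client: "View in AWS Console"
};
PD.emitCEFEvents([cef_event]);
```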
2 Likes
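
Added example, not part of any post above and not PagerDuty's own code: one way to handle the case raised earlier in the thread, where the triggering tool uses a different field name or different terms than the PD-CEF severities, instead of hardcoding `severity: "warning"`. The field name `level`, the synonym table and the sample payload are assumptions constructed for illustration; inside a transformer the returned object would be passed to `PD.emitCEFEvents` as in the post above.

```javascript
// Added example: map a source tool's severity term onto a PD-CEF severity.
// These four values are the ones Events API v2 accepts.
var CEF_SEVERITIES = ["critical", "error", "warning", "info"];

// Constructed synonym table (assumption); extend it for the terms your tool sends.
var SYNONYMS = {
  fatal: "critical", crit: "critical", emergency: "critical",
  err: "error", high: "error",
  warn: "warning", medium: "warning",
  informational: "info", notice: "info", low: "info", debug: "info"
};

function normalizeSeverity(raw, fallback) {
  var term = String(raw == null ? "" : raw).trim().toLowerCase();
  if (CEF_SEVERITIES.indexOf(term) !== -1) return term;
  // Own-property check so terms like "constructor" never hit Object.prototype.
  if (Object.prototype.hasOwnProperty.call(SYNONYMS, term)) return SYNONYMS[term];
  // Unknown or missing term: use an explicit default instead of leaving it unset.
  return fallback || "warning";
}

// Builds the object a transformer would pass to PD.emitCEFEvents([event]).
// severityField is a hypothetical name for wherever the source puts its level.
// Inside the transformer, use PD.Trigger / PD.Resolve for event_action.
function buildCefEvent(rawBody, severityField) {
  var body = JSON.parse(rawBody);
  var severity = normalizeSeverity(body[severityField]);
  return {
    event_type: "cef",
    event_action: body.NewStateValue === "OK" ? "resolve" : "trigger",
    severity: severity,
    summary: "(" + severity + ") " + body.AlarmName,
    source_origin: body.AlarmArn,
    dedup_key: body.AlarmArn
  };
}

// Constructed sample payload, not a captured event.
var SAMPLE = JSON.stringify({
  AlarmName: "disk-usage-high",
  AlarmArn: "arn:aws:cloudwatch:us-east-1:123456789012:alarm:disk-usage-high",
  NewStateValue: "ALARM",
  level: "WARN"
});
console.log(buildCefEvent(SAMPLE, "level"));
```

With severity set on the event itself, service event rules only need to match on severity rather than on a custom details property.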