IBM Cloud Docs
Event payload that is sent from IBM Cloud Logs to IBM Cloud Event Notifications

Successful events that are generated by IBM Cloud Logs contain various fields that help you to identify the source and details of an event.

Events that are generated by the IBM Cloud Logs service contain only metadata properties, such as names or identifiers of resources. Sensitive data, for example API keys or passwords, are not included in generated events.

The properties that are sent to Event Notifications vary depending on the event type and subtype. For example, if a StandardMoreThanAlertEvent:AlertTriggered event takes place in an instance, IBM Cloud Logs sends a notification payload to Event Notifications that is similar to the following example.

Payload

{
   "data": {
      "alert_definition": {
         "alert_type": "StandardMoreThanAlertEvent",
         "condition": {
            "MoreThan": {
               "condition_threshold": 1,
               "condition_timeframe": 1
            }
         },
         "description": "",
         "id": "<alert_id>",
         "meta_labels": {
            "env": "prod"
         },
         "name": "<alert_name>",
         "query_statement": "_exists_:level",
         "severity": "ERROR"
      },
      "latest_event_timestamp": 0000000000000,
      "links": {
         "edit_alert": "https://dashboard.eu-gb.logs.cloud.ibm.com/<instance_id>/#/alerts/<alert_id>",
         "view_alert": "https://dashboard.eu-gb.logs.cloud.ibm.com/<instance_id>/#/insights?id=c9fe7539-e901-4745-b3ad-29ca0ae987a0"
      },
      "log_example": {"msg":"Test Log"},
      "log_example_truncated": true,
      "meta_labels_truncated": false,
      "status": "triggered"
   },
   "datacontenttype": "application/json",
   "ibmendefaultlong": "Triggered: 2024-01-01T00:00:00Z",
   "ibmendefaultshort": "ERROR - new_groupBy",
   "ibmenseverity": "info",
   "ibmensourceid": "crn:v1:bluemix:public:logs:<region>:a/<account_id>:<instance_id>::",
   "id": "997355d5-4542-47fd-9868-84cf5df71e1b_c9fe7539-e901-4745-b3ad-29ca0ae987a0",
   "notification_id": "923873c0-2b42-4d4c-a9a0-c69339b16717",
   "source": "crn:v1:bluemix:public:logs:<region>:a/<account_id>:<instance_id>::",
   "specversion": "1.0",
   "time": "2024-01-01T00:00:00.000000Z",
   "type": "com.ibm.cloud.logs.<event_type>:<event_subtype>"
}

Review the following table for more information about event notification properties.

Properties in an event notification payload
Property Description
alert_definition
  • alert_type: The type of alert that triggered a notification.
  • condition: The alert's configuration for when it can be triggered.
  • description: The description of the alert.
  • id: The ID of the triggered alert.
  • name: The name of the given alert.
  • query_statement: The search query of the given alert.
  • severity: The severity level of the given alert.
latest_event_timestamp The date and time the event was generated.
links
  • edit_alert: Link to the page to modify configurations of the alert.
  • view_alert: Link to the page to check alert details.
status The status of the given alert.
ibmendefaultshort The name of the given alert.
ibmendefaultlong The combination of the action, triggered or resolved, and the name of the alert.
ibmenseverity The severity of the alert.
ibmensourceid The Cloud Resource Name (CRN) that uniquely identifies your IBM Cloud Logs service instance.
id The identifier provided by IBM Cloud Logs that identifies the event in IBM Cloud Logs.
notification_id The identifier created by Event Notifications.
source The Cloud Resource Name (CRN) that uniquely identifies your IBM Cloud Logs service instance.
time The time when an alert notification is triggered.
type The combination of the type of event that triggered a notification and the subtype that corresponds with that type of event.

Data Size

In an event, the following lengths apply:

Data size
Field Name Maximum number of characters
data.log_example 1000
data.alert_definition.meta_labels 400
data.alert_definition.name 100
data.alert_definition.description 100
data.alert_definition.query_statement 100

Each field in the payload has a specific size. If any field exceeds its maximum number of characters, the payload will be truncated.

Consider the following information:

  • If a string field exceeds its maximum number of characters, it will be truncated, and an ellipsis (...) will be appended to indicate that the content has been cut off.

  • Meta labels will be included up to the limit.

  • Meta label keys and values will count toward the limit.

  • If the log_example field exceeds its maximum number of characters, it will be converted to a string containing part of the log data followed by an ellipsis (...) to indicate truncation.

  • The following additional fields are added to the data to indicate when a sample or labels are truncated:

    log_example_truncated: This field will be added to the payload to indicate that an example log entry was truncated.

    meta_labels_truncated: This field will be added to indicate that metadata labels were truncated.
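A consumer of these notifications (for example a webhook that feeds alert triage) has to cope with the truncation rules above: log_example may arrive as an object or as a cut-off string, and the capped string fields carry only an ellipsis as a marker. The following is an added example, not IBM code; the function name parse_notification, the CAPPED tuple, and every sample value are assumptions constructed for illustration, and the CRN is read by splitting on colons as laid out in the payload above.

```python
import json

TYPE_PREFIX = "com.ibm.cloud.logs."
# String fields the page lists with a character limit but no *_truncated flag.
CAPPED = ("name", "description", "query_statement")

def parse_notification(raw):
    """Normalize one notification and mark anything that may have been cut off."""
    event = json.loads(raw)
    data, alert = event["data"], event["data"]["alert_definition"]
    if not event["type"].startswith(TYPE_PREFIX):
        raise ValueError("unexpected event type: %r" % event["type"])
    event_type, _, subtype = event["type"][len(TYPE_PREFIX):].partition(":")
    crn = event["source"].split(":")  # crn:v1:bluemix:public:logs:<region>:a/<account>:<instance>::
    if len(crn) < 8 or crn[0] != "crn" or crn[4] != "logs":
        raise ValueError("source is not a Cloud Logs CRN")
    sample = data.get("log_example")
    return {
        "event_type": event_type,
        "subtype": subtype,
        "region": crn[5],
        "instance_id": crn[7],
        "severity": alert.get("severity"),
        # A truncated sample is converted to a string ending in "...", so a
        # string sample is kept as opaque text and never passed to json.loads.
        "log_fields": sample if isinstance(sample, dict) else None,
        "log_text": sample if isinstance(sample, str) else None,
        "sample_truncated": bool(data.get("log_example_truncated")),
        "labels_truncated": bool(data.get("meta_labels_truncated")),
        # Only the ellipsis marks these fields, so this is a hint, not proof.
        "maybe_truncated": [f for f in CAPPED if str(alert.get(f, "")).endswith("...")],
    }

# Constructed sample (made-up values) using the field names documented above.
SAMPLE = json.dumps({
    "data": {
        "alert_definition": {"alert_type": "StandardMoreThanAlertEvent", "name": "errors in prod",
                             "description": "", "severity": "ERROR", "meta_labels": {"env": "prod"},
                             "query_statement": "_exists_:level AND kubernetes.cluster_name:ex..."},
        "log_example": '{"msg":"Test Log","stack":"at com.example...',
        "log_example_truncated": True,
        "meta_labels_truncated": False,
        "status": "triggered",
    },
    "source": "crn:v1:bluemix:public:logs:eu-gb:a/example-account:example-instance::",
    "type": "com.ibm.cloud.logs.StandardMoreThanAlertEvent:AlertTriggered",
})

if __name__ == "__main__":
    print(json.dumps(parse_notification(SAMPLE), indent=2))
```

Downstream rules should treat a record with sample_truncated, labels_truncated, or a non-empty maybe_truncated list as incomplete evidence and fetch the full log line from the instance before acting on it.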

Special characters in custom template values

If you are using a value in a custom template that includes a period (.) in the name, you need to enclose the value in square brackets ([ ]).

For example, if the value you want to include in your notification is kubernetes.cluster_name, you need to include the value similar to this:

"CloudLogs_Shared_Summary": "{{data.log_example.[kubernetes.cluster_name]}}"