Description
This is a single issue, but contains two parts:

1. A request to add support for the remaining PD-CEF fields of:
   - Timestamp
   - Class
   - Group
2. A request to support processing the details template as JSON so we can send structured data through to PagerDuty. At the moment the options are:
   - Send through the full event JSON. This is a lot of unnecessary data, and the deep nesting of fields (when using labels and annotations) makes it hard to read some fields on PagerDuty.
   - Use a template to select required fields. This unfortunately sends the data through as a string with no structure on the PagerDuty side, which means you can't really use custom details in event rules.

I'm hoping 1 is pretty uncontroversial and can be done. I would prefer it if these work similarly to summary and use a template.
I could accept 2 not happening if 1 goes ahead, but it really would be nice to have the option of templating structured data one way or another.
In accordance with the contributing guidelines, I'm opening an issue to discuss first, but I have made initial code changes on this branch. The changes can be seen on this compare view.
I have tried to separate the commits to cover both requests:
- These two commits for adding the additional PD-CEF fields.
- This commit, which adds a `--send-details-as-json` flag to process the template as JSON.
There is undoubtedly a better way of doing 2 than what I've done, and I definitely welcome feedback and guidance. What I've done is pretty simplistic: when I realised that using the template returned a string, I just used a `json.Unmarshal` to parse that string as a Struct/JSON. It "works", but maybe a real solution lies deeper in the templating stuff?
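
The render-then-`json.Unmarshal` approach described above, as an added example that is not the handler's code or the code on the linked branch. `RenderDetails`, the `toJSON` template helper and the sample event are assumptions made for illustration; the example also covers the case where a label value contains quotes, which breaks raw interpolation and forces a fallback to the plain string.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// toJSON is a hypothetical template helper: it JSON-encodes a value so that
// quotes or braces inside a label cannot alter the rendered document's structure.
func toJSON(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// RenderDetails (hypothetical name) renders tmpl against event and parses the
// output as a JSON object. When the output is not a JSON object it returns the
// raw string and false, so the caller can still send plain-text details.
func RenderDetails(tmpl string, event interface{}) (interface{}, bool, error) {
	t, err := template.New("details").Funcs(template.FuncMap{"toJSON": toJSON}).Parse(tmpl)
	if err != nil {
		return nil, false, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, event); err != nil {
		return nil, false, err
	}
	var obj map[string]interface{}
	if json.Unmarshal(buf.Bytes(), &obj) != nil {
		return buf.String(), false, nil
	}
	return obj, true, nil
}

func main() {
	// Constructed sample event; the field names are illustrative only.
	event := map[string]interface{}{
		"Check":  "disk-usage",
		"Labels": map[string]string{"team": `storage "tier-1"`},
	}
	for _, tmpl := range []string{
		`{"check": {{toJSON .Check}}, "team": {{toJSON .Labels.team}}}`, // values JSON-encoded
		`{"check": "{{.Check}}", "team": "{{.Labels.team}}"}`,           // raw interpolation
	} {
		details, ok, err := RenderDetails(tmpl, event)
		fmt.Printf("structured=%v err=%v details=%v\n", ok, err, details)
	}
}
```

The first template yields a structured object; the second renders invalid JSON because of the embedded quotes and is returned as a string.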