[ { "Deploy": { "Bitbucket": { "Scope": "_sourceCategory = Labs/bitbucket deploymentEnvironment pipe_result_link deploy_status commit_link", "Parse": "json field=_raw "deploymentEnvironment", "repoFullName", "pipe_result_link", "deploy_status", "commit", "event_date", "prDestinationBranch", "repoOwner", "buildNumber" as environment_name, repository_name, link, status, commit_id, datetime, target_branch, user, title | commit_id as trace_id | "n/a" as team | "n/a" as service | concat("build number ", title, ". Commit link ", link) as message | parseDate(datetime, "yyyy-MM-dd HH:mm:ss","etc/utc") as datetime_epoch | if (status matches "0", "Success", "Failed") as status | "deploy" as event_type " }, "Jenkins": { "Scope": "_sourceCategory=Labs/Jenkins/deploy_event trace_id", "Parse": "json "event_type", "team", "service", "trace_id", "user", "link", "title", "timeStamp", "message", "env_name", "result", "target_branch", "repository_name", "commit_id" as event_type, team, service, trace_id, user, link, title, datetime, message, environment_name, status, target_branch, repository_name, commit_id | toLong(datetime) as datetime_epoch | "deploy" as event_type " }, "CircleCI":{ "Scope" : "_sourcecategory=circleci/job-collector", "Parse" : "json "workflows.job_name" as job_type |where toLowerCase(job_type) matches ("*deploy*") |json "custom_data.env","custom_data.team","custom_data.service","workflows.job_id","user.login","build_url","start_time","branch","outcome","reponame","vcs_revision","job_name","messages","build_num" as environment_name,team,service,trace_id,user,link,datetime,target_branch,job_status,repository_name,commit_id,job_name,message,job_num nodrop | if(job_status == "success", "Success", "Failed") as status | toLong(parseDate(datetime, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'","etc/utc")) as datetime_epoch | concat(job_type, " # ",job_num) as title |"deploy" as event_type" }, "Gitlab": { "Scope": "_sourceCategory="sumo/gitlab" and %"x-gitlab-event"="Deployment Hook"", "Parse": "json "deployment_id","status","status_changed_at","environment","deployable_url","user.name","commit_url","project.name","project.default_branch","project.path_with_namespace" as deployment_id,status,datetime,environment_name,link,user ,commit_link,service,target_branch,team nodrop | parse regex field=team "(?.+)\/.+" |concat("deployment # ",deployment_id) as title |concat("deploying to ",environment_name," deployment # ",deployment_id) as message | parse regex field=commit_link "\/commit\/(?[^\"]+)" | commit_id as trace_id | service as repository_name | parseDate(datetime, "yyyy-MM-dd HH:mm:ss ZZZZ","etc/utc") as datetime_epoch | toLong(datetime_epoch) as datetime_epoch | if(status matches "success","Success",if(status matches "failed","Failed",status)) as status | "deploy" as event_type " } } }, { "Pull Request": { "Github": { "Scope": "_sourceCategory = github/content %"x-github-event"=pull_request", "Parse": "json "action", "pull_request.title", "pull_request.created_at", "pull_request.merged_at" ,"repository.name" ,"pull_request.merged", "pull_request.html_url", "pull_request.merge_commit_sha", "pull_request.base.ref" , "pull_request.user.login", "pull_request.labels[0].name", "pull_request.requested_reviewers[*].login","pull_request.head.sha","pull_request.updated_at" as action, title, dateTime, closeddate ,repository_name, merge, link, commit_id, target_branch ,user, service, reviewers, head_commit_id, updated_dateTime nodrop | where action in ("closed", "opened") | parseDate(dateTime, "yyyy-MM-dd'T'HH:mm:ss", "etc/utc") as dateTime_epoch | parseDate(updated_dateTime, "yyyy-MM-dd'T'HH:mm:ss", "etc/utc") as updateddatetime_epoch | if(action matches "closed" and merge matches "true", "merged", if(action matches "closed" and merge matches "false", "declined", if (action matches "opened", "created", "other" ))) as status | if (status="merged", parseDate(closeddate, "yyyy-MM-dd'T'HH:mm:ss", "etc/utc") , 000000000 ) as closeddate_epoch | toLong(closeddate_epoch) | "n/a" as team | "pull_request" as event_type " }, "Bitbucket": { "Scope": "_sourceCategory=Labs/bitbucket %"x-event-key"=pullrequest:*", "Parse": "json "pullrequest.title", "pullrequest.destination.repository.full_name", "pullrequest.destination.branch.name", "pullrequest.created_on", "pullrequest.author.display_name", "pullrequest.state", "pullrequest.links.html.href", "pullrequest.merge_commit.hash", "pullrequest.reviewers[*].display_name", "pullrequest.updated_on", "pullrequest.source.commit.hash" as title, repository_name, target_branch, dateTime, user, action, link, commit_id, reviewers, updated_date, head_commit_id nodrop | parseDate(dateTime, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as datetime_epoch | parseDate(updated_date, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as updateddatetime_epoch | parse regex field=%"x-event-key" ".+:(?.+)" | if (status matches "created", "created", if(status matches "fulfilled", "merged", if(status matches "rejected", "declined", "other"))) as status | if(status = "created", "n/a", updated_date) as closeddate | if(closeddate = "n/a", 0, parseDate(closeddate, "yyyy-MM-dd'T'HH:mm:ss","etc/utc")) as closeddate_epoch | toLong(closeddate_epoch) | "n/a" as service | "n/a" as team | "pull_request" as event_type " }, "Gitlab": { "Scope": "_sourceCategory="sumo/gitlab" %"x-gitlab-event"="Merge Request Hook" ", "Parse": " json "object_attributes.action","object_attributes.state" ,"object_attributes.title", "object_attributes.created_at","object_attributes.updated_at","user.name","project.name","object_attributes.target_branch" ,"object_attributes.url","assignees[*].name","object_attributes.merge_commit_sha","repository.name","project.path_with_namespace","object_attributes.last_commit.id" as action,status, title,createddatetime, updateddatetime_epoch,user,project_name,target_branch,link,reviewers,commit_id,repository_name,team, head_commit_id nodrop | parse regex field=team "(?.+)\/.+" | if (status matches "opened", "created", if(status matches "merged", "merged", if(status matches "closed", "declined", "other"))) as status | parseDate(createddatetime, "yyyy-MM-dd HH:mm:ss",”etc/utc”) as datetime_epoch | parseDate(updateddatetime_epoch, "yyyy-MM-dd HH:mm:ss",”etc/utc”) as updateddatetime_epoch |if(status in ("declined","merged") ,updateddatetime_epoch,000000000)as closeddate_epoch | project_name as service | toLong(datetime_epoch) | toLong(closeddate_epoch) | "pull_request" as event_type " } } }, { "Issues": { "Jira": { "Scope": "_sourceCategory = Labs/jira-cloud issue_*", "Parse": "json field=_raw "issue_event_type_name", "issue.self", "issue.key", "issue.fields.issuetype.name", "issue.fields.project.name", "issue.fields.status.statusCategory.name", "issue.fields.priority.name", "issue.fields.components" as issue_event_type, link, issue_key, issue_type, project_name, issue_status, priority, service nodrop | parse regex field=service "name\":\"(?.+?)\",\"" nodrop | "n/a" as team | json "issue.fields.resolutiondate", "issue.fields.created" as closedDate, dateTime | parseDate(dateTime, "yyyy-MM-dd'T'HH:mm:ss.SSSZ") as datetime_epoch | if (isNull(closeddate) , 00000000000, parseDate(closedDate, "yyyy-MM-dd'T'HH:mm:ss.SSSZ") ) as closeddate_epoch | toLong(closeddate_epoch) | "issue" as event_type " }, "Gitlab": { "Scope": "_sourceCategory="sumo/gitlab" and %"x-gitlab-event"="Issue Hook"", "Parse": "json "user.name","project.name","object_attributes.created_at","object_attributes.url","labels[*].title","object_attributes.state","object_attributes.severity","object_attributes.action","repository.name","assignees[*].name","object_attributes.id","object_attributes.closed_at","project.path_with_namespace" as user,project_name,dateTime,link,issue_type,issue_status,priority,issue_event_type,repository,assignees,issue_key,closedDate,team nodrop | parse regex field=team "(?.+)\/.+" | project_name as service | substring(issue_type,1,length(issue_type)-1) as issue_type |if (issue_type matches "*incident*","incident","issue") as issue_type | parseDate(datetime, "yyyy-MM-dd HH:mm:ss","etc/utc") as datetime_epoch | if (isNull(closeddate) , 00000000000, parseDate(closedDate, "yyyy-MM-dd HH:mm:ss","etc/utc")) as closeddate_epoch | if(issue_status matches "opened","To Do",if(issue_status matches "closed","Complete",issue_status)) as issue_status | toLong(datetime_epoch) as datetime_epoch | toLong(closeddate_epoch) as closeddate_epoch | "issue" as event_type " } } }, { "Build": { "Jenkins": { "Scope": "_sourceCategory=Labs/Jenkins/builds_event trace_id", "Parse": "json field=_raw "event_type" | json "event_type", "team", "service", "trace_id", "user", "link", "title", "timeStamp", "message", "env_name", "result", "target_branch", "repository_name", "commit_id" as event_type, team, service, trace_id, user, link, title, datetime, message, environment_name, status, target_branch, repository_name, commit_id nodrop | parse regex field=_sourceName "(?.+)#(?.+)" | toLong(datetime) as datetime_epoch | "build" as event_type " }, "Jenkins Pipeline Stages": { "Scope": "_sourceCategory=Labs/Jenkins/Pipeline Pipeline_Stages", "Parse": "json "name", "number" as pipeline_name, pipeline_number | json "stages" as StagesPipeline | "pipeline" as event_type " }, "Bitbucket": { "Scope": "_sourceCategory = Labs/bitbucket %"x-event-key"=repo:commit_status_* ("SUCCESSFUL" OR "FAILED")", "Parse": "json "commit_status.state", "commit_status.commit.message", "commit_status.name", "actor.display_name", "repository.full_name", "commit_status.refname", "commit_status.url", "commit_status.created_on", "commit_status.commit.hash", "commit_status.repository.name" as status, message, title, user, repository_name, target_branch, link, datetime, commit_id, service | commit_id as trace_id | "n/a" as team | parse regex field= datetime "(?\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)" nodrop | parseDate(datetime_epoch, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as datetime_epoch | where status in ("SUCCESSFUL", "FAILED") | "build" as event_type " }, "CircleCI":{ "Scope" : "_sourcecategory=circleci/job-collector", "Parse" : "| json "workflows.job_name" as job_type |where toLowerCase(job_type) matches ("*build*") |json "custom_data.env","custom_data.team","custom_data.service","workflows.job_id","user.login","build_url","start_time","branch","outcome","reponame","vcs_revision","job_name","build_num","messages" as environment_name,team,service,trace_id,user,link,datetime,target_branch,job_status,repository_name,commit_id,job_name,build_number,message nodrop | if(job_status == "success", "Success", "Failed") as status | toLong(parseDate(datetime, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")) as datetime_epoch | concat(job_type, " # ",build_number) as title |"build" as event_type" }, "Gitlab": { "Scope": "_sourceCategory="sumo/gitlab" and %"x-gitlab-event"="Job Hook" ", "Parse": "json "project_name","build_name","build_status" ,"build_stage","user.name","repository.name","commit.message" , "repository.homepage","commit.sha","build_created_at","environment.name","ref ","pipeline_id" as project_name , build_name ,status,build_stage,user, repository_name,message , homepage,commit_id,datetime,environment_name,target_branch,pipeline_id nodrop | where build_name matches "*build*" | parse regex field=project_name "\/(?[^\"]+)" | split homepage delim='/' extract 4 as team | project_name as service | commit_id as trace_id |concat("build ",build_name," ",status) as message |concat("pipeline # ",pipeline_id) as title | concat(homepage,"/-/jobs/",trace_id) as link | parseDate(datetime, "yyyy-MM-dd HH:mm:ss","etc/utc") as datetime_epoch | toLong(datetime_epoch) as datetime_epoch | if(status matches "success","Success",if(status matches "failed","Failed",status)) as status | if(isEmpty(environment_name),"n/a",environment_name) as environment_name | "build" as event_type " } } }, { "Alert": { "Opsgenie": { "Scope": "_sourcecategory=Labs/Opsgenie_alerts ("Close" or "Create")", "Parse": "json "alert.createdAt", "alert.updatedAt", "action", "alert.team", "alert.priority", "alert.source", "alert.alertId" as dateTime, closeddate, alert_type, team, priority, service, alert_id nodrop | where alert_type in ("Close", "Create") | toLong(closeddate/1000) as closeddate_epoch | toLong(datetime*1000) as datetime_epoch | if (priority matches "p1", "high", if(priority matches "p2", "medium", if(priority matches "p3", "medium", if(priority matches "p4", "low", if(priority matches "p5", "low", "other"))))) as priority | if (alert_type matches "*Create", "alert_created", if(alert_type matches "*Close", "alert_closed", "other") ) as event_type " }, "PagerDutyV2": { "Scope": "_sourcecategory=Labs/pagerduty_v2 ("incident.trigger" or "incident.resolve" )", "Parse": "parse regex "(?\{\"event\":\"incident\..+?\}(?=,\{\"event\":\"incident\..+|\]\}$))" |json field=event "event", "created_on", "incident" as alert_type, dateTime, incident |json field=incident "id", "service.name" , "urgency", "teams[0].summary", "html_url" as alert_id, service, priority, team, link |json field=incident "created_at" as closeddate nodrop | where alert_type in ("incident.trigger", "incident.resolve") | parseDate(dateTime, "yyyy-MM-dd'T'HH:mm:ss'Z'") as dateTime_epoch | parseDate(closeddate, "yyyy-MM-dd'T'HH:mm:ss'Z'") as closeddate_epoch | if (alert_type matches "*trigger", "alert_created", if(alert_type matches "*resolve", "alert_closed", "other") ) as event_type " } "PagerDutyV3":{ "Scope": "_sourceCategory=Labs/pagerduty_v3 ("incident.triggered" or "incident.resolved")", "Parse": "json "event.event_type","event.data","event.occurred_at" as alert_type,incident,closeddate nodrop | json field=incident "id", "service.summary" , "urgency", "teams[*].summary", "html_url","created_at" as alert_id, service, priority, team, link,dateTime nodrop | where alert_type in ("incident.triggered", "incident.resolved") | parseDate(closeddate, "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'","etc/utc") as closeddate_epoch | parse regex field=dateTime "(?.{19})" | parseDate(dateTime,"yyyy-MM-dd'T'HH:mm:ss","etc/utc") as dateTime_epoch | if (alert_type matches "*triggered", "alert_created", if(alert_type matches "*resolved", "alert_closed", "other") ) as event_type" } } }, { "Push" : { "Bitbucket" : { "Scope": "_sourceCategory="Labs/bitbucket" %"x-event-key" = "repo:push"", "Parse": "json "push.changes[0].commits[1].hash" as head_commit_id | json "push.changes[0].commits[1].date" as head_commit_datetime | json "push.changes[0].commits[1].message" as head_commit_message | parseDate(head_commit_datetime, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as head_commit_epoch | json "push.changes[0].commits[(@.length-1)].hash" as base_commit_id | json "push.changes[0].commits[(@.length-1)].date" as base_commit_datetime | json "push.changes[0].commits[(@.length-1)].message" as base_commit_message | parseDate(base_commit_datetime, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as base_commit_epoch | json "actor.display_name","repository.name" as user,repository_name | "n/a" as service | "n/a" as team | "push" as event_type " }, "Github" : { "Scope": "_sourceCategory = github/content %"x-github-event" = "push"", "Parse": " json "commits[(@.length-2)].id" as head_commit_id | json "commits[(@.length-2)].timestamp" as head_commit_datetime | json "commits[(@.length-2)].message" as head_commit_message | parseDate(head_commit_datetime, "yyyy-MM-dd'T'HH:mm:ssXXX","etc/utc") as head_commit_epoch | json "commits[0].id" as base_commit_id | json "commits[0].timestamp" as base_commit_datetime | json "commits[0].message" as base_commit_message | parseDate(base_commit_datetime, "yyyy-MM-dd'T'HH:mm:ssXXX","etc/utc") as base_commit_epoch | json "repository.full_name","sender.login" as repository_name,user | if (isEmpty(service), "n/a",service) as service | "n/a" as team | "push" as event_type " } "Gitlab" : { "Scope": "_sourceCategory="sumo/gitlab" %"x-gitlab-event" = "Push Hook"", "Parse": " json "commits[(@.length-2)].id" as head_commit_id | json "commits[(@.length-2)].timestamp" as head_commit_datetime | json "commits[(@.length-2)].message" as head_commit_message | parseDate(head_commit_datetime, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as head_commit_epoch | json "commits[0].id" as base_commit_id | json "commits[0].timestamp" as base_commit_datetime | json "commits[0].message" as base_commit_message | parseDate(base_commit_datetime, "yyyy-MM-dd'T'HH:mm:ss","etc/utc") as base_commit_epoch | json "repository.name","user_name" as repository_name,user | "push" as event_type " } } } ]