From d395d2c3aed224aff8d99e8d7ebeb80f40b243ac Mon Sep 17 00:00:00 2001
From: Warren <5959690+wrn14897@users.noreply.github.com>
Date: Thu, 28 Dec 2023 21:39:27 -0800
Subject: [PATCH 1/2] feat: transform k8s event semantic conventions

---
 docker/ingestor/core.toml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/docker/ingestor/core.toml b/docker/ingestor/core.toml
index cfa9362c6..4860c82c8 100644
--- a/docker/ingestor/core.toml
+++ b/docker/ingestor/core.toml
@@ -411,6 +411,34 @@ if .hdx_platform == "vector-internal" {
         .b = merge(.b, structured, deep: true) ?? .b
       }
 
+      # extract k8s event metadata
+      if .b.object.apiVersion == "events.k8s.io/v1" && .b.object.kind == "Event" {
+        # set severity
+        if is_nullish(.b.level) && (.b.object.type == "Warning" || .b.object.type == "Normal") {
+          .b.level = .b.object.type
+        }
+        # transform the attributes so that the log events use the k8s.* semantic conventions 
+        # ref: https://docs.honeycomb.io/integrations/kubernetes/kubernetes-events/
+        if .b.object.regarding.kind == "Pod" {
+          .b."k8s.pod.name" = .b.object.regarding.name
+          .b."k8s.pod.uid" = .b.object.regarding.uid
+          .b."k8s.namespace.name" = .b.object.regarding.namespace
+        } else if .b.object.regarding.kind == "Node" {
+          .b."k8s.node.name" = .b.object.regarding.name
+          .b."k8s.node.uid" = .b.object.regarding.uid
+        } else if .b.object.regarding.kind == "Job" {
+          .b."k8s.job.name" = .b.object.regarding.name
+          .b."k8s.job.uid" = .b.object.regarding.uid
+          .b."k8s.namespace.name" = .b.object.regarding.namespace
+        } else if .b.object.regarding.kind == "CronJob" {
+          .b."k8s.cronjob.name" = .b.object.regarding.name
+          .b."k8s.cronjob.uid" = .b.object.regarding.uid
+          .b."k8s.namespace.name" = .b.object.regarding.namespace
+        }
+        # set main message
+        .b._hdx_body = .b.object.note
+      }
+
       # set severity after merging structured message (to avoid conflict)
       .st = downcase(.b.level) ?? null
 

From d2df5126c06fcb85b6d7ea68ea24f804e4c56648 Mon Sep 17 00:00:00 2001
From: Warren <5959690+wrn14897@users.noreply.github.com>
Date: Thu, 28 Dec 2023 21:49:35 -0800
Subject: [PATCH 2/2] docs: add changeset

---
 .changeset/metal-jokes-run.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .changeset/metal-jokes-run.md

diff --git a/.changeset/metal-jokes-run.md b/.changeset/metal-jokes-run.md
new file mode 100644
index 000000000..ba8a34716
--- /dev/null
+++ b/.changeset/metal-jokes-run.md
@@ -0,0 +1,6 @@
+---
+'@hyperdx/api': patch
+'@hyperdx/app': patch
+---
+
+feat: transform k8s event semantic conventions