Added an observability metric event to the discovery category.#1442
Open
hmadison wants to merge 9 commits into
Open
Added an observability metric event to the discovery category.#1442hmadison wants to merge 9 commits into
hmadison wants to merge 9 commits into
Conversation
hmadison
requested review from
Aniak5,
davemcatcisco,
floydtree,
jonrau-at-queryai,
mikeradka,
pagbabian-splunk and
zschmerber
as code owners
hmadison
force-pushed
the
hm-ap/observability-metric
branch
from
9faa57d to
16d4607
Compare
mikeradka
requested changes
Jun 10, 2025
hmadison
force-pushed
the
hm-ap/observability-metric
branch
2 times, most recently
from
d63312c to
e014841
Compare
hmadison
force-pushed
the
hm-ap/observability-metric
branch
from
9cdc0cd to
83234cf
Compare
hmadison
force-pushed
the
hm-ap/observability-metric
branch
from
f00b129 to
25ba4b6
Compare
Contributor
|
@hmadison Is this PR worth pursuing at this time? |
Contributor
Author
|
@mikeradka I still would like to see this merged in. |
hmadison
force-pushed
the
hm-ap/observability-metric
branch
from
e0d3681 to
fdf5b83
Compare
Contributor
Author
|
This is waiting on clarity around OpenTelemetry and OCSF's boundaries (cc @pagbabian-splunk). |
Contributor
Got it - yes, although since things have been moving so slowly on that front, if we want to finish this one that's ok by me if it is serving a use case. We can talk a bit more about it at tomorrow's weekly meeting if we have time (it is a 1.8 PR so we should). |
hmadison
commented
Dec 9, 2025
zschmerber
previously approved these changes
Dec 16, 2025
pagbabian-splunk
previously approved these changes
Jan 5, 2026
Contributor
pagbabian-splunk
left a comment
pagbabian-splunk
left a comment
There was a problem hiding this comment.
See minor description suggestion.
| "name": "observability_metric_report", | ||
| "attributes": { | ||
| "observed_entity": { | ||
| "description": "The entity which produced the metric(s) were collected from. This collection process can happen either via a push from the entity to a third party service or a third party service performing an activity to interface with the entity and extract the metrics of interest.", |
Contributor
There was a problem hiding this comment.
Small grammar improvement: "The entity which produced the collected metric(s)."
hmadison
dismissed stale reviews from pagbabian-splunk and zschmerber
via
e8c146b
Signed-off-by: Mike Radka (Splunk) <91983279+mikeradka@users.noreply.github.com>
pagbabian-splunk
removed
the
v1.8.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related Issue:
Resolves #1421 / Pairing with @pladamgregory.
Description of changes:
This adds an event type which is captures metrics which were collected from a target entity. The goal of this class is capture relevant metrics, such as throughput metrics from netflow collectors, failed login attempt counts, or other "time series" style data which can be used to power heuristic based detections or otherwise aid in investigations.
Delete once you have confirmed the following:
Unreleasedsection in the CHANGELOG.md file?