From 60d089d2e914a5752807b3fb1c351084763f72e1 Mon Sep 17 00:00:00 2001
From: Antoine Toulme <antoine@toulme.name>
Date: Thu, 26 Aug 2021 01:46:21 -0700
Subject: [PATCH] Add severity mapping from unified model to HEC (#1866)

Co-authored-by: Tigran Najaryan <4194920+tigrannajaryan@users.noreply.github.com>
Co-authored-by: Bogdan Drutu <bogdandrutu@gmail.com>
Co-authored-by: Armin Ruech <armin.ruech@dynatrace.com>
---
 specification/logs/data-model.md | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/specification/logs/data-model.md b/specification/logs/data-model.md
index 82ae2703282..b2df17d5864 100644
--- a/specification/logs/data-model.md
+++ b/specification/logs/data-model.md
@@ -668,6 +668,8 @@ Rest of SDIDs -> Attributes["syslog.*"]</td>
 
 ### Splunk HEC
 
+We apply this mapping from HEC to the unified model:
+
 <table>
   <tr>
     <td>Field</td>
@@ -719,6 +721,35 @@ Rest of SDIDs -> Attributes["syslog.*"]</td>
   </tr>
 </table>
 
+When mapping from the unified model to HEC, we apply this additional mapping:
+
+<table>
+  <tr>
+    <td>Unified model element</td>
+    <td>Type</td>
+    <td>Description</td>
+    <td>Maps to HEC</td>
+  </tr>
+  <tr>
+    <td>SeverityText</td>
+    <td>string</td>
+    <td>The severity of the event as a human-readable string.</td>
+    <td>fields['otel.log.severity.text']</td>
+  </tr>
+    <tr>
+    <td>SeverityNumber</td>
+    <td>string</td>
+    <td>The severity of the event as a number.</td>
+    <td>fields['otel.log.severity.number']</td>
+  </tr>
+  <tr>
+    <td>Name</td>
+    <td>string</td>
+    <td>Short event identifier that does not contain varying parts.</td>
+    <td>fields['otel.log.name']</td>
+  </tr>
+</table>
+
 ### Log4j
 
 <table>