[Logs] Update Logpush dataset field definitions (2026-06-26)

[soheiokamoto]

Summary

Automated sync of Logpush dataset field definitions from data/entities.

New datasets

• Firewall events: A new dataset with fields including AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, AISecurityUnsafeTopicCategories, Action, ClientASN, ClientASNDescription, ClientCountry, ClientIP, ClientIPClass, ClientRefererHost, ClientRefererPath, ClientRefererQuery, ClientRefererScheme, ClientRequestHost, ClientRequestMethod, ClientRequestPath, ClientRequestProtocol, ClientRequestQuery, ClientRequestScheme, ClientRequestUserAgent, ContentScanObjResults, ContentScanObjSizes, ContentScanObjTypes, Datetime, Description, EdgeColoCode, EdgeResponseStatus, FirewallForAIInjectionScore, FirewallForAIPIICategories, FirewallForAITokenCount, FirewallForAIUnsafeTopicCategories, FraudUserID, Kind, LeakedCredentialCheckResult, MatchIndex, Metadata, OriginResponseStatus, OriginatorRayID, RayID, Ref, RuleID, Source, and ZoneName.
• WebSocket Analytics: A new dataset with fields including BytesReceivedClient, BytesReceivedOrigin, BytesSentClient, BytesSentOrigin, ClientASN, ClientIP, ClientRequestHost, ClientRequestPath, ClientRequestUserAgent, ColoCode, ConnectionCloseReason, ConnectionCloseSource, ConnectionID, ConnectionTransportCloseCode, EdgeEndTimestamp, EdgeStartTimestamp, and RayID.
• WebSocket Analytics: A new dataset with fields including BytesReceivedClient, BytesReceivedOrigin, BytesSentClient, BytesSentOrigin, ClientASN, ClientIP, ClientRequestHost, ClientRequestPath, ClientRequestUserAgent, ColoCode, ConnectionCloseReason, ConnectionCloseSource, ConnectionID, ConnectionTransportCloseCode, EdgeEndTimestamp, EdgeStartTimestamp, and RayID.

Updated fields in existing datasets

• Email Security Alerts (added): BCC, DKIMResult, DMARCPolicy, DMARCResult, and SPFResult.
• Gateway DNS (added): AppliedMaxTTL and UpstreamRecordTTLs.
• Firewall events (added): ZoneName.
• HTTP requests (added): CacheLockWaitedMs.

Files changed

• src/content/docs/logs/logpush/logpush-job/datasets/account/ — dataset pages
• src/content/docs/logs/logpush/logpush-job/datasets/zone/ — dataset pages
• src/content/changelog/logs/2026-06-26-log-fields-updated.mdx — changelog

Documentation checklist

• Changelog entry added
• Content generated by code generator (DO NOT EDIT manually)

[soheiokamoto]

/bonk please review this automated sync of Logpush dataset field definitions.

Focus on the following:

1. Changelog quality — is the entry clear, accurate, and useful to end users?

2. Field description quality — are the descriptions accurate, clear, and complete?

3. Manual edits at risk of being overwritten — are there any field descriptions that appear
   to have been manually edited directly in cloudflare-docs (e.g. contain context or guidance
   not present in the machine-generated description format)? If so, flag them so the author can
   preserve those edits in the internal source YAML.

[cloudflare-docs-bot]

Review

⚠️ 2 warnings found in commit 92d3746.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

Warnings (2)

File	Issue
changelog/logs/2026-06-26-log-fields-updated.mdx line 13	Duplicate dataset entry — The \*\*WebSocket Analytics\*\* new-dataset bullet is an exact duplicate of the previous line, listing the same fields twice. Fix: Remove the duplicated WebSocket Analytics bullet.
changelog/logs/2026-06-26-log-fields-updated.mdx line 19	Contradictory dataset classification — Firewall events is listed as a new dataset (which already includes ZoneName), and then immediately listed again as an existing dataset with ZoneName added. A dataset cannot be both new and existing in the same change entry, and the field is already part of the new dataset list. Fix: Either remove Firewall events from the new datasets section or remove the ZoneName entry from the updated-fields section, depending on whether the dataset is genuinely new or newly updated.

Style Guide Review

✅ No style-guide issues found.

Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command	Description
/review	Runs a review now. Incremental if a prior review exists, full if not.
/full-review	Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit	Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/changelog/	@cloudflare/pm-changelogs, @cloudflare/product-owners
/src/content/docs/logs/	@soheiokamoto, @angelampcosta, @rianvdm, @dcpena, @cloudflare/product-owners

[ask-bonk]

Here is my review of the PR changes, targeting PR #31719.

---

Review: Logpush dataset field definitions sync (2026-06-26)

1. Changelog quality

Overall: Good structure, but there are two bugs that should be fixed before merge.

Issue	Severity	Details
Duplicate WebSocket Analytics entry	🔴 Must fix	Lines 12–13 in 2026-06-26-log-fields-updated.mdx list WebSocket Analytics twice with identical field lists. This is inherited from the PR body, but it will confuse readers. Remove the duplicate line.
Ambiguous "Firewall events" references	🟡 Should fix	The changelog lists Firewall events under both "New datasets" (line 11) and "Updated fields in existing datasets" (line 19, adding ZoneName). Readers won't know that the first refers to the account-level dataset (new) and the second to the zone-level dataset (updated). Clarify by adding "(account)" and "(zone)" labels, e.g. "Firewall events (account)" and "Firewall events (zone)".
Title length	🟡 Minor	The title is very long. Consider trimming to something like "New and updated Logpush datasets".

Accurate elements:

• The date is correct (2026-06-26).
• All added/updated fields are documented.
• The link to the main Logpush datasets page at the end is helpful.

---

2. Field description quality

New dataset: account/firewall_events

• Descriptions are generally accurate and follow the established format.
• Minor grammatical issues (present in both account and zone versions):
  • ClientRefererQuery: "The referer query-string was requested by the visitor." → should be "The referer query string requested by the visitor."
  • ClientRequestQuery: "The query-string was requested by the visitor." → should be "The query string requested by the visitor."
  • ClientASNDescription: "The ASN of the visitor as string." → Should be "The ASN description of the visitor." or "The AS description of the visitor." since "ASN" already means "Autonomous System Number".
• FraudUserID: "A unique identifier generated by the Fraud Detection system for each user, generated during any action..." — redundant wording. Consider "generated during any action..." or "created during any action..."

New dataset: websocket_analytics (account & zone)

• Descriptions are clear and technically accurate.
• ConnectionTransportCloseCode is particularly well-explained.
• Account and zone versions are identical, which is correct.

Updated fields in existing datasets

• BCC, DKIMResult, DMARCPolicy, DMARCResult, SPFResult (Email Security Alerts): Accurate and consistent with sibling fields like CC and From.
• AppliedMaxTTL & UpstreamRecordTTLs (Gateway DNS): Clear, with good examples.
• ZoneName (zone Firewall events): Consistent with other ZoneName descriptions.
• CacheLockWaitedMs (HTTP requests): Clear and concise.

---

3. Manual edits at risk of being overwritten

Because these files carry the # Code generator. DO NOT EDIT. header, any content not sourced from the internal generator YAML is at risk of being lost in future syncs. I flag the following descriptions in pre-existing files that contain rich context, markdown links, or extended explanations that may have been manually added or enriched directly in cloudflare-docs:

File: zone/http_requests.md
The following fields contain content that goes well beyond a plain generated description. If these enhancements are not present in the internal source YAML, they will be destroyed in a future full-regeneration sync:

Field	Risky content
CacheCacheStatus	Contains a prose explanation of what "dynamic" means and a link to /cache/concepts/cache-responses/.
OriginResponseBytes	Contains a deprecation/workaround note and a link to /logs/faq/common-calculations/#how-can-i-calculate-bytes-served-by-the-origin-from-cloudflare-logs.
ClientRequestSource	Contains a link to /logs/reference/clientrequestsource/.
LeakedCredentialCheckResult	Contains a link to /waf/detections/leaked-credentials/.
WorkerWallTimeUs	Contains an unusually detailed technical explanation referencing waitUntil() API behavior.
OriginResponseStatus	Contains a caveat about Workers subrequests returning 0.
EdgeServerIP	Contains explicit documentation of empty-string behavior.
OriginResponseDurationMs	Contains a "replaces OriginResponseTime" note.

Recommendation: Verify that the internal source YAML in data/entities contains these descriptions verbatim. If they were edited in cloudflare-docs after generation, port them back to the internal YAML now so they survive future syncs.

---

Summary

• ✅ Approve with suggestions. The automated data itself looks correct.
• 🔴 Blocker: Fix the duplicate WebSocket Analytics line in the changelog.
• 🟡 Strongly recommended: Disambiguate account vs. zone Firewall events in the changelog.
• 🟡 Strongly recommended: Port the enriched descriptions in zone/http_requests.md to the internal source YAML if they aren't already there.

github run

[github-actions]

Preview URL: https://92d3746d.preview.developers.cloudflare.com
Preview Branch URL: https://sync-log-fields-2026-06-26.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/changelog/post/2026-06-26-log-fields-updated/	https://sync-log-fields-2026-06-26.preview.developers.cloudflare.com/changelog/post/2026-06-26-log-fields-updated/