Field Transformation

Most recent version: v0.3.3

See the changelog of this Action type .

Overview

The Field Transformation action acts as a container that enables users to perform a wide range of operations on data, including encoding and decoding various types of encryption, format conversion, file compression and decompression, data structure analysis, and much more. The results are stored in new events fields.

In order to configure this action, you must first link it to a Listener or other Action. Go to Building a Pipeline to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in this article.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find Field Transformation in the Actions tab (under the Transformation group) and drag it onto the canvas.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Field to transform*

Choose a field from the linked Listener/Action to transform in your Action using the drop-down.

Add as many fields as required using the Add New Field button.

Operations*

Please bear in mind that the options available in this window will depend on the field to transform.

Add as many Operations as required using Add Operation. You can also use the arrow keys on your keyboard to navigate up and down the list.

If you have added more than one operation, you can reorder them by dragging and dropping them into position.

Test your operation

Before saving your action, you can test it to see the outcome.

Type a message in the Input field and see it transformed in the Output field after passing through the selected operation(s).

Output field*

Give a name to the transformed field and click Save to complete.

Click Save to complete the process.

Example

Here is an example of a data set on the Bytes in/out from IP addresses.

We can use the field transformation operations to reduce the quantity of data sent.

We have a Syslog Listener, connected to a Parser.

Click if you need help configuring the Parser

Configure the parser as follows:

Paste input:

518;650;192.168.70.224;60045;192.168.70.210;3871;server.example.com

This is the data in its raw format.

Select Manual in the parser drop-down, go to code mode using the button on the right, and paste this log:

{fieldName1:csv(separator=";", indices=[0:string(alias="BYTES_IN"),1:string(alias="BYTES_OUT"),2:string(alias="SOURCE_IP_ADDRESS"),3:string(alias="SOURCE_PORT"),4:string(alias="DESTINATION_IP_ADDRESS"),5:string(alias="DESTINATION_PORT"),6:string(alias="DESTINATION_HOST")], totalColumns=7)}

You have manually parsed the raw data into separate fields. This is reflected in the output field.

Link the Parser to the Field Transformation action and open its configuration.

We will use the To IP Hex and CRC32 operations.

Input

Output

DESTINATION_IP_ADDRESS: 192.168.70.210518

DestinationIPAddressHex: c0.a8.46.d2.224

DESTINATION_HOST: server.example.com

DestinationHostCRC32:

0876633F