Field Transformation

Current version v0.2.2

The Field Transformation action acts as a container that enables users to perform a wide range of operations on data, including encoding and decoding various types of encryption, format conversion, file compression and decompression, data structure analysis, and much more. The results are stored in new events fields.

Find it in the Actions tab and drag it onto the canvas to use it.

To open the configuration, click the Action in the canvas and select Configuration.

In order to configure this action, you must first link it to a Listener or other Action. Go to Building a Pipeline to learn how to link.

Field to transform

Choose a field from the linked Listener/Action to transform in your Action using the drop-down.

Add as many fields as required using the Add New Field button.

Operations

See a comprehensive list of all the available operations for this Action.

Field Transformation Operations

Please bear in mind that the options available in this window will depend on the field to transform.

Add as many Operations as required using Add Operation.

You can also use the arrow keys on your keyboard to navigate up and down the list.

If you have added more than one operation, you can reorder them by dragging and dropping them into position.

Test your operation

Before saving your action, you can test it to see the outcome.

Type a message in the Input field and see it transformed in the Output field after passing through the selected operation(s).

Output field

Give a name to the transformed field and click Save to complete.

Example

Here is an example of a data set on the Bytes in/out from IP addresses.

We can use the field transformation operations to reduce the quantity of data sent.

We have a Syslog Listener, connected to a Parser.

Click if you need help configuring the Parser

Configure the parser as follows:

Paste input:

518;650;192.168.70.224;60045;192.168.70.210;3871;server.example.com

This is the data in its raw format.

Select Manual in the parser drop-down, go to code mode using the button on the right, and paste this log:

{fieldName1:csv(separator=";", indices=[0:string(alias="BYTES_IN"),1:string(alias="BYTES_OUT"),2:string(alias="SOURCE_IP_ADDRESS"),3:string(alias="SOURCE_PORT"),4:string(alias="DESTINATION_IP_ADDRESS"),5:string(alias="DESTINATION_PORT"),6:string(alias="DESTINATION_HOST")], totalColumns=7)}

You have manually parsed the raw data into separate fields. This is reflected in the output field.

Link the Parser to the Field Transformation action and open its configuration.

We will use the To IP Hex and CRC32 operations.

Input	Output
DESTINATION_IP_ADDRESS: 192.168.70.210518	DestinationIPAddressHex: c0.a8.46.d2.224
DESTINATION_HOST: server.example.com	DestinationHostCRC32: 0876633F

Destination IP to Hex

Transform the Destination IP to hexadecimal to reduce the number of characters.

Original IP	Hexadecimal
192.168.70.210518	c0.a8.46.d2.224

• Field>Parser: DESTINATION_IP_ADDRESS

• Operation: To IP Hex

• Output Field: DestinationIPAddessHex

Add a new field for Destination Host to CRC32

Codify the Destination Host as crc32 to transform the machine name into 8 characters.

Original	CRC32
server.example.com	0876633F

• Field>Parser: DESTINATION_HOST

• Operation: Crc32

• Output field: DestinationHostCrc32

See all previous versions of this action.