Event Workflow Actions
You can include any of the following actions in an event workflow. Each action updates one event and then passes it to the next action.
Workflow trigger — Every workflow starts with a trigger, which defines the events that start the workflow.
Split action — Split one field into substrings based on a character pattern and then copy the substrings to other fields.
Query Catalog action — Enrich your events by mapping data from a catalog to new events.
Parse FQDN action — Parse a field that contains an FQDN and then copy the hostname and domain name to other fields.
Match and Update action — Search for a set of strings in a set of fields, then update a field based on the results. This is useful for normalizing events with different formats.
Extract Substring action — Use a regex to extract strings from one field and then copy the strings to one or more fields.
Template Field action — Update a field based on the values of other fields.