Event Workflow Actions

Workflow trigger — Every workflow starts with a trigger, which defines the events that trigger the workflow.

Drop Event action — Drop events that pass a previous filter in the workflow, such as a Time Filter.

Extract Substring action — Extract a string from an input field using a regex and then apply the result to one or more output fields.

Match and Update action — Search for a set of strings in a set of fields, then update a field based on the results. This is useful for normalizing events with different formats.

Query Catalog action — Enrich your events by mapping data from a catalog to new events.

Parse FQDN action — Parse a field with an FQDN and then copy the hostname and domain name to other fields.

Replace String action — Replace a field with a new string.

Set Service action — Update the service field if an event passes a previous filter.

Set Severity action — Update the severity field if an event passes a previous filter.

Split action — Split one field into substrings based on a character pattern and then copy the substrings to other fields.

Template Field Action — Update a field based on the values of other fields.

Time Filter Action —Filter events based on a specific time window or day of the week.