Event mapping and transforms

You can map or transform events to perform a wide range of operations, from altering the severity of certain events to altering nearly every field on an event, based on complex rules.

You cannot alter the following fields through event transformation, because they are set after the transformation has been performed:

  • evid
  • firstTime
  • lastTime
  • count

The following illustration shows the path followed by an incoming event in the event mapping system.

The process begins with the "eventClass field exists" decision. This decision is also one of the more important differentiators in how you must handle a particular type of event.