transform
noun
A transformation of an event, configured through transforms.conf, usually in conjunction with a configuration in props.conf. Transforms are used in a number of situations:
- Field transforms are used for an advanced type of search-time field extraction where you want to do one or a combination of the following:
  - Use the same regular expression across multiple source types, sources or hosts.
  - Perform special formatting on the extracted field values.
  - Extract fields from the values of another key field.

  This particular transform type is treated as a knowledge object; you can create it, edit it, and set permissions for it through Manager.
- Transforms are always involved in the setup of custom index-time field extractions.
- You can create transforms that mask sensitive data in events, such as customer credit card numbers.
- Transforms are involved in the creation of lookups, as well as overrides of default host and source type values.
- You use transforms to route event data to alternate indexes and forward raw event data to third-party systems.
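To illustrate the masking use listed above, here is an added example (not part of the original glossary entry) of a transforms.conf stanza paired with its props.conf binding. The stanza name mask-card-number, the source type payments_app, the 16-digit card format and single-line events are assumptions made for the illustration.

```ini
# transforms.conf
# Hypothetical stanza name. Rewrites the raw event before it is indexed.
[mask-card-number]
# Capture everything before the number, the last four digits, and
# everything after. The first 12 digits are matched but not captured.
REGEX = ^(.*?)\b\d{12}(\d{4})\b(.*)$
# FORMAT becomes the entire new _raw, so the text before and after the
# number must be written back through $1 and $3 or it is lost.
FORMAT = $1XXXXXXXXXXXX$2$3
DEST_KEY = _raw

# props.conf
# Hypothetical source type. Binds the transform to incoming events.
[payments_app]
TRANSFORMS-mask_card = mask-card-number
```

The transform runs at index time, so it affects only events indexed after it is deployed; data already in an index keeps the unmasked value. As written, the pattern rewrites one card number per event.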
For more information
In the Knowledge Manager Manual:
- Use the Field transformations page in Manager
- Create and maintain search-time field extractions through configuration files
- Look up fields from external data sources
In the Getting Data In Manual:
- Configure index-time field extractions
- Extract fields from file headers at index time
- Override default host values based on event data
- Advanced source type overrides
In the Distributed Deployment Manual: