Mapping and Transformation

The event mapping and transformation system allows you to perform a wide range of operations, from altering the severity of certain events to altering nearly every field on an event, based on complex rules.

You cannot alter the following fields through event transformation, because they are set after transformation has been performed:

  • evid
  • firstTime
  • lastTime
  • count

The following illustration shows the path followed by an incoming event in the event mapping system.

Figure 101. Event Processing

The mapping and transformation process begins with the "eventClass field exists" decision. This decision is also one of the more important differentiators in how you must handle a particular type of event.