Normalizers
Normalizers transform field names and extract timestamps during log ingestion. They consolidate inconsistent naming conventions from different log sources into canonical field names.
Creating a Normalizer
Admins manage normalizers from Settings > Normalizers. Each normalizer has:
- Name and optional Description
- Transforms - ordered list of field name transformations
- Field mappings - map one or more source field names to a target name
- Timestamp fields - custom field names and their Go time format strings
Transforms
Transforms modify field names in order. The following are available:
| Transform | Example |
|---|---|
| flatten | user.profile.name → name |
| snake_case | UserID → user_id |
| camelCase | user_id → userId |
| PascalCase | user_id → UserId |
| dedot | user.profile.name → user_profile_name |
| lowercase | EventID → eventid |
| uppercase | event_id → EVENT_ID |
Order matters. Some transforms conflict (e.g., flatten and dedot cannot be combined).
Field Mappings
Map multiple source names to a single target:
| Sources | Target |
|---|---|
| userId, user_id, uid | user_id |
| srcIP, src_ip, source_address | src_ip |
This is useful when ingesting logs from different vendors that use different field names for the same concept.
Timestamp Fields
Define custom timestamp field names and their formats. During ingestion, Strix checks for timestamps in this order:
1. Per-token timestamp fields (if configured on the ingest token)
2. Normalizer timestamp fields
3. Global timestamp settings
4. Common field name fallbacks
Formats use Go time layout syntax (e.g., 2006-01-02T15:04:05Z07:00 for RFC3339).
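The lookup order above can be modelled as a walk over tiers of (field name, Go layout) pairs. The following is an added example, not Strix's own code: `TimestampField`, `ResolveTimestamp`, the sample event, and the rule that a missing or unparseable field falls through to the next candidate are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// TimestampField pairs a field name with a Go time layout (hypothetical type).
type TimestampField struct {
	Name   string
	Layout string
}

// ResolveTimestamp walks the tiers in precedence order and returns the first
// field that is present in the event and parses with its configured layout.
// Assumption: a field that is missing or fails to parse is skipped.
func ResolveTimestamp(event map[string]string, tiers ...[]TimestampField) (time.Time, string, error) {
	for _, tier := range tiers {
		for _, f := range tier {
			raw, ok := event[f.Name]
			if !ok {
				continue
			}
			if ts, err := time.Parse(f.Layout, raw); err == nil {
				return ts.UTC(), f.Name, nil
			}
		}
	}
	return time.Time{}, "", fmt.Errorf("no configured timestamp field matched")
}

func main() {
	// Constructed sample event: an Apache-style time plus an RFC3339 field.
	event := map[string]string{
		"event_time": "02/Jan/2024:15:04:05 +0100",
		"timestamp":  "2024-01-02T10:00:00Z",
	}
	token := []TimestampField{{Name: "ts", Layout: time.RFC3339}} // absent from event
	normalizer := []TimestampField{{Name: "event_time", Layout: "02/Jan/2006:15:04:05 -0700"}}
	global := []TimestampField{{Name: "timestamp", Layout: time.RFC3339}}

	ts, field, err := ResolveTimestamp(event, token, normalizer, global)
	fmt.Println(ts, field, err) // 2024-01-02 14:04:05 +0000 UTC event_time <nil>
}
```

Testing a layout this way against a real sample line before saving it shows whether a mistyped layout would leave events stamped from a lower-priority field.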
Assigning Normalizers
Normalizers are assigned to ingest tokens, not applied globally. Each token can reference one normalizer. When logs arrive via that token, the normalizer is applied during parsing.
Alert feeds can also reference a normalizer. When a feed syncs detection rules, the normalizer is applied to field names in the imported alerts so they match your ingested data.
One normalizer can be marked as the default, which is used for internal log sources.
Warning
The default normalizer cannot be deleted.