Transform Data Action - Use Cases

the turbine transform data native action can create a myriad of transformations making changes to date and time in a playbook is often used, and this page provides use cases for different actions for transforming date and time using the transform data action jsonata https //docs jsonata org/date time functions is used for these actions get date and time if you configure the first row, click transform again , and select get date/time , there are new configuration options available get date/time configuration transform block options get date/time note when from is set to "current time", the in field is not required and will be hidden scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the first row, select get date/time from the from drop down, select playbook data or current time if using playbook data, select the property containing the date/time in the in field configure the format and timezone as needed click transform again on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days adjust date and time common date and time data transformation methods are supported in playbooks, which can be run against playbook inputs, in scope action output properties, or static values, including to and from iso 8601 unix (seconds) unix (milliseconds) sql custom formatting https //moment github io/luxon/#/parsing?id=table of tokensxpath picture string format https //www w3 org/tr/xpath functions 31/#date picture string transform block options adjust date/time note adjust date/time operates on iso 8601 date/time values or unix epochs the result is always returned in iso 8601 format scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen 90 days before the first sighting with the transform data action, you can automate this task to get a date/time and subtract 90 days on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select adjust date/time from the by drop down menu, select subtracting enter 90 in the amount field from the unit of measure drop down menu, select days output the date/time adjusted by subtracting 90 days, returned in iso 8601 format set time zone after configuring the first row, click transform again , and select set time zone new fields and options are available on the then row set date/time configuration transform block options set time zone note set time zone adjusts the underlying date/time to reflect the new timezone if you need to add timezone information without changing the actual time, use append time zone instead scenario after identifying malicious urls, you want to scan your environment for any other iocs that may be in a specific time zone on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select set time zone from the time zone drop down menu, select the desired time zone (e g , america/chicago, utc, europe/london) output the date/time converted to the specified time zone in iso 8601 format convert date and time after configuring the first row, click transform again , and select convert date/time new fields and options are available on the then row convert date/time configuration transform block options convert date/time note convert date/time can convert between various date/time formats the input date/time must be in iso 8601 format or a unix epoch scenario after identifying malicious urls, you want to scan your environment for any other iocs that may have been seen starting on a particular month, date, and year before the first sighting on the first row, select get date/time to obtain the initial timestamp click transform again on the then row, select convert date/time from the to drop down, select custom in the custom format string field, enter the format pattern mm/dd/yyyy (for mm/dd/yyyy format) output the date/time converted to the custom format (e g , "08/26/2025") contains the contains transformation checks if a string contains at least one occurrence of a search term the transformation options are scenario after gathering information from different sources, you want to verify if a particular keyword (e g , "malicious") is present in a text field on the first drop down, select contains in the in field, select the playbook property containing the text in the string field, enter the keyword (e g , "malicious") in the with drop down, select no case sensitivity to perform a case insensitive search contains transformation configuration output returns true if "malicious" is found in the text (regardless of case), false otherwise replace the replace transformation finds occurrences of a search term in a string and replaces each occurrence with another string the transformation options are scenario you need to normalize ip addresses in logs by replacing occurrences of "192 168" with "10 0" on the first drop down, select replace in the in field, select the playbook property containing the text in the find field, enter "192 168" in the replace with field, enter "10 0" in the with drop down, select no case sensitivity to perform a case insensitive replacement replace transformation configuration output all occurrences of "192 168" (case insensitive) are replaced with "10 0" in the input string match the match transformation finds occurrences of a search term in a string and returns an array of all indices where the search term is located the transformation options are scenario to locate specific email addresses from text logs, match the pattern of an email address format on the first row, select match in the in field, select the text field containing the logs in the string field, enter the search term or pattern for exact string matching, enter the string directly (e g , "@example com") in the with drop down, select no case sensitivity to perform a case insensitive search note for regex pattern matching to extract email addresses, use the regex match transformation instead, which supports regular expression patterns match transformation configuration output returns an array of indices where the search term appears in the string (e g , \[25, 67, 142] ) from csv the from csv transformation parses a csv string into an array of objects (if headers are included) or an array of arrays the transformation options are scenario you have a csv string containing user information ("name, email, department") and want to parse it into separate fields on the first drop down, select from csv in the in field, choose the property containing the csv data (or enter the csv string directly) in the with header drop down, select yes if the first line contains column headers, or no if headers are not included from csv transformation configuration example input (with headers) output (with headers = yes) output (with headers = no) additional use cases parsing json strings when working with json data from record triggers, record searches, or http responses, the data often arrives as a string use parse json to convert it to a javascript object before extracting properties scenario extract user information from a json string returned by an api on the first row, select parse json in the in field, select the property containing the json string click transform again on the then row, select extract property provide a jsonata path to extract the desired field (e g , user email or $ data items\[0] name ) filtering arrays use filter or filter by to extract specific items from arrays based on criteria scenario filter an array of users to include only those with a specific status on the first row, select filter by provide the jsonata path to the property to filter on (e g , status ) enter the filter value (e g , "active" ) output an array containing only objects where the specified property matches the filter value combining data use prepend to combine arrays or prepend values to arrays scenario combine two arrays of iocs into a single array on the first row, select prepend provide the first array or value provide the second array or value to prepend output a new array containing the prepended values followed by the original values best practices start with get date/time when working with dates, always start with get date/time in the first row to establish a base timestamp chain transformations use then rows to chain multiple transformations together, building complex transformations from simple operations parse json first when working with json strings, always use parse json as the first transformation before extracting properties test incrementally test each transformation step to ensure accuracy before adding subsequent transformations use appropriate filters choose filter for simple value matching or filter by for filtering objects by property values related documentation for more information on available transformations, see using the transform data native action # for advanced transformation capabilities using jsonata expressions, see advanced transformations #