Apply a Python lambda function to a value.
Python lambda function as a string (e.g. "lambda x: x.get('name')").
Value to apply the lambda function to.
Examples Filter, transform, and compact - ref : normalize_hostname action : core.transform.apply args : value : ${{ TRIGGER.hostname }} python_lambda : "lambda value: value.strip().lower()" - ref : keep_open_findings action : core.transform.filter args : items : ${{ TRIGGER.findings }} python_lambda : "lambda finding: finding.get('status') == 'open'" - ref : finding_ids action : core.transform.map args : items : ${{ ACTIONS.keep_open_findings.result }} python_lambda : "lambda finding: finding.get('id')" - ref : compact_ids action : core.transform.drop_nulls args : items : ${{ ACTIONS.finding_ids.result }}
Filter a collection using a Python lambda function.
Filter condition as a Python lambda expression (e.g. "lambda x: x > 2").
Examples Filter, transform, and compact - ref : normalize_hostname action : core.transform.apply args : value : ${{ TRIGGER.hostname }} python_lambda : "lambda value: value.strip().lower()" - ref : keep_open_findings action : core.transform.filter args : items : ${{ TRIGGER.findings }} python_lambda : "lambda finding: finding.get('status') == 'open'" - ref : finding_ids action : core.transform.map args : items : ${{ ACTIONS.keep_open_findings.result }} python_lambda : "lambda finding: finding.get('id')" - ref : compact_ids action : core.transform.drop_nulls args : items : ${{ ACTIONS.finding_ids.result }}
Map a Python lambda function to each item in a list.
Items to map the lambda function to.
Python lambda function as a string (e.g. "lambda x: x.get('name')").
Examples Filter, transform, and compact - ref : normalize_hostname action : core.transform.apply args : value : ${{ TRIGGER.hostname }} python_lambda : "lambda value: value.strip().lower()" - ref : keep_open_findings action : core.transform.filter args : items : ${{ TRIGGER.findings }} python_lambda : "lambda finding: finding.get('status') == 'open'" - ref : finding_ids action : core.transform.map args : items : ${{ ACTIONS.keep_open_findings.result }} python_lambda : "lambda finding: finding.get('id')" - ref : compact_ids action : core.transform.drop_nulls args : items : ${{ ACTIONS.finding_ids.result }}
Remove null values from a list.
Examples Filter, transform, and compact - ref : normalize_hostname action : core.transform.apply args : value : ${{ TRIGGER.hostname }} python_lambda : "lambda value: value.strip().lower()" - ref : keep_open_findings action : core.transform.filter args : items : ${{ TRIGGER.findings }} python_lambda : "lambda finding: finding.get('status') == 'open'" - ref : finding_ids action : core.transform.map args : items : ${{ ACTIONS.keep_open_findings.result }} python_lambda : "lambda finding: finding.get('id')" - ref : compact_ids action : core.transform.drop_nulls args : items : ${{ ACTIONS.finding_ids.result }}
Filters items in a list based on whether they are in a collection.
Collection of hashable items to check against.
Python lambda applied to each item before checking membership (e.g. "lambda x: x.get('name')"). Similar to key in the Python sorted function. Default: null.
Examples Keep or exclude matching items - ref : keep_known_users action : core.transform.is_in args : items : ${{ TRIGGER.users }} collection : - alice@example.com - bob@example.com python_lambda : "lambda user: user.get('email')" - ref : remove_known_users action : core.transform.not_in args : items : ${{ TRIGGER.users }} collection : - alice@example.com - bob@example.com python_lambda : "lambda user: user.get('email')"
Filters items in a list based on whether they are not in a collection.
Collection of hashable items to check against.
Python lambda applied to each item before checking membership (e.g. "lambda x: x.get('name')"). Similar to key in the Python sorted function. Default: null.
Examples Keep or exclude matching items - ref : keep_known_users action : core.transform.is_in args : items : ${{ TRIGGER.users }} collection : - alice@example.com - bob@example.com python_lambda : "lambda user: user.get('email')" - ref : remove_known_users action : core.transform.not_in args : items : ${{ TRIGGER.users }} collection : - alice@example.com - bob@example.com python_lambda : "lambda user: user.get('email')"
Deduplicate a JSON object or a list of JSON objects given a list of keys. Returns a list of deduplicated JSON objects.
items
object | array[object]
required
JSON object or list of JSON objects to deduplicate.
List of JSONPath keys to deduplicate by. Supports dot notation for nested keys (e.g. ['user.id']).
Time to live for the deduplicated items in seconds. Defaults to 1 hour. Default: 3600.
Whether to persist deduplicated items across calls. If True, deduplicates across calls. If False, deduplicates within the current call only. Default: true.
Examples Deduplicate by a stable key - ref : deduplicate_findings action : core.transform.deduplicate args : items : ${{ TRIGGER.findings }} keys : - finding_id persist : true expire_seconds : 3600 - ref : finding_seen action : core.transform.is_duplicate args : item : ${{ TRIGGER.finding }} keys : - finding_id expire_seconds : 3600
Check if a JSON object was recently seen.
List of JSONPath keys to check.
Time to live for the deduplicated items in seconds. Defaults to 1 hour. Default: 3600.
Examples Deduplicate by a stable key - ref : deduplicate_findings action : core.transform.deduplicate args : items : ${{ TRIGGER.findings }} keys : - finding_id persist : true expire_seconds : 3600 - ref : finding_seen action : core.transform.is_duplicate args : item : ${{ TRIGGER.finding }} keys : - finding_id expire_seconds : 3600
Flatten a JSON object into a single level of fields.
Examples Flatten and query JSON - ref : flatten_alert action : core.transform.flatten_json args : json : ${{ TRIGGER.alert }} - ref : extract_fields action : core.transform.eval_jsonpaths args : json : ${{ TRIGGER.alert }} jsonpaths : user : $.actor.email source_ip : $.network.source.ip
FAQ
Why does inline lambda not work inside expressions?
Expressions support Tracecat literals, operators, and FN.* helper functions.
Python lambda functions are not part of the expression language, so they must be passed as strings to actions such as core.transform.apply, core.transform.filter, or core.transform.map. Use FN.* for short inline transforms, and use core.transform.* when you need Python-style per-item logic. - ref : extract_ids action : core.transform.map args : items : ${{ TRIGGER.findings }} python_lambda : "lambda finding: finding.get('id')"
How do I inspect the shape of API results before using map, filter, or for_each?
Add a small debug reshape step first.
This lets you confirm whether you have a list or object, inspect a count, and verify the field path you plan to iterate over. - ref : inspect_findings action : core.transform.reshape args : value : result_type : ${{ FN.typeof(ACTIONS.fetch_findings.result) }} findings_type : ${{ FN.typeof(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else None }} findings_count : ${{ FN.length(ACTIONS.fetch_findings.result.findings) if ACTIONS.fetch_findings.result != None else 0 }}
Eval multiple JSONPath expressions on an object.
JSON object to eval JSONPath expressions on.
JSONPath expressions to eval.
Examples Flatten and query JSON - ref : flatten_alert action : core.transform.flatten_json args : json : ${{ TRIGGER.alert }} - ref : extract_fields action : core.transform.eval_jsonpaths args : json : ${{ TRIGGER.alert }} jsonpaths : user : $.actor.email source_ip : $.network.source.ip
