ocsf command: Overview
You can use the SPL2 ocsf command in an Edge Processor or Ingest Processor pipeline to convert data to the Open Cybersecurity Schema Framework (OCSF) format. This command converts the _raw field of incoming events to the OCSF format.
For more information about converting data to OCSF format:
In the Edge Processor solution, see Convert data to OCSF format using an Edge Processor in the Use Edge Processors manual.
In the Ingest Processor solution, see Convert data to OCSF format using Ingest Processor in the Use Ingest Processors manual.