Transformations
Tenzir comes with the following transformation operators, in alphabetical order:
📄️ batch
The batch operator controls the batch size of events.
📄️ compress
Compresses a stream of bytes.
📄️ decapsulate
Decapsulates packet data at link, network, and transport layer.
📄️ decompress
Decompresses a stream of bytes.
📄️ drop
Drops fields from the input.
📄️ enumerate
Prepends a column with row numbers.
📄️ extend
Appends fields to events.
📄️ flatten
Flattens nested data.
📄️ hash
Computes a SHA256 hash digest of a given field.
📄️ head
Limits the input to the first N events.
📄️ measure
Replaces the input with metrics describing the input.
📄️ pass
Does nothing with the input.
📄️ pseudonymize
Pseudonymizes fields according to a given method.
📄️ put
Returns new events that only contain a set of specified fields.
📄️ rare
Shows the least common values. The dual to top.
📄️ read
The read operator converts raw bytes into events.
📄️ rename
Renames fields and types.
📄️ repeat
Repeats the input a number of times.
📄️ replace
Replaces the fields matching the given extractors with fixed values.
📄️ select
Selects fields from the input.
📄️ shell
Executes a system command and hooks its raw stdin and stdout into the pipeline.
📄️ sigma
Filters the input with Sigma rules and outputs matching events.
📄️ sort
Sorts events.
📄️ summarize
Groups events and applies aggregate functions on each group.
📄️ tail
Limits the input to the last N events.
📄️ taste
Limits the input to N events per unique schema.
📄️ top
Shows the most common values. The dual to rare.
📄️ unflatten
Unflattens data structures whose field names imply a nested structure.
📄️ unique
Removes adjacent duplicates.
📄️ where
Filters events according to an expression.
📄️ write
The write operator converts events into raw bytes.
📄️ yara
Executes YARA rules on byte streams.