Skip to main content
Version: Next


Delays events relative to a given start time, with an optional speedup.


delay [--start <time>] [--speed <factor>] <field>


The delay operator replays a dataflow according to a time field by introducing sleeping periods proportional to the inter-arrival times of the events.

With --speed, you can adjust the sleep time of the time series induced by field with a multiplicative factor. This has the effect of making the time series "faster" for values great than 1 and "slower" for values less than 1. Unless you provide a start time with --start, the operator will anchor the timestamps in field to begin with the current wall clock time, as if you provided --start now.

The diagram below illustrates the effect of applying delay to dataflow. If an event in the stream has a timestamp the precedes the previous event, delay emits it instanstly. Otherwise delay sleeps the amount of time to reach the next timestamp. As shown in the last illustration, the --speed factor has a scaling effect on the inter-arrival times.

The options --start and --speed work independently, i.e., you can use them separately or both together.

--start <time>

The timestamp to anchor the time values around.

Defaults to the first non-null timestamp in field.

--speed <speed>

A constant factor to be divided by the inter-arrival time. For example, 2.0 decreases the event gaps by a factor of two, resulting a twice as fast dataflow. A value of 0.1 creates dataflow that spans ten times the original time frame.

Defaults to 1.0.


The name of the field containing the timestamp values.


Replay the M57 Zeek logs with real-world inter-arrival times from the ts column. For example, if event i arrives at time t and i + 1 at time u, then the delay operator will wait time u - t after emitting event i before emitting event i + 1. If t > u then the operator immediately emits event *i

  • 1*.
from read zeek-tsv
| delay ts

Replay the M57 Zeek logs at 10 times the original speed. That is, wait (u - t) / 10 between event i and i + 1, assuming u > t.

from read zeek-tsv
| delay --speed 10 ts

Replay as above, but start delaying only after ts exceeds 2021-11-17T16:35 and emit all events prior to that timestamp immediately.

from read zeek-tsv
| delay --start "2021-11-17T16:35" --speed 10 ts

Adjust the timestamp to the present, and then start replaying in 2 hours from now:

from read zeek-tsv
| timeshift ts
| delay --start "in 2 hours" ts