Tenzir comes with the following transformation operators, in alphabetical order:
The batch operator controls the batch size of events.
Compresses a stream of bytes.
Decapsulates packet data at link, network, and transport layer.
Decompresses a stream of bytes.
Drops fields from the input.
Prepends a column with row numbers.
Appends fields to events.
Flattens nested data.
Computes a SHA256 hash digest of a given field.
Limits the input to the first N events.
Replaces the input with metrics describing the input.
Does nothing with the input.
Pseudonymizes fields according to a given method.
Returns new events that only contain a set of specified fields.
Shows the least common values. The dual to top.
The read operator converts raw bytes into events.
Renames fields and types.
Repeats the input a number of times.
Replaces the fields matching the given extractors with fixed values.
Selects fields from the input.
Executes a system command and hooks its raw stdin and stdout into the pipeline.
Filters the input with Sigma rules and outputs matching events.
Groups events and applies aggregate functions on each group.
Limits the input to the last N events.
Limits the input to N events per unique schema.
Shows the most common values. The dual to rare.
Unflattens data structures whose field names imply a nested structure.
Removes adjacent duplicates.
Filters events according to an expression.
The write operator converts events into raw bytes.