User-defined operator aliases make pipelines easier to use by enabling users to encapsulate pipelines into a new operator.
For example, a `summarize-flows` alias that selects suricata.flow events and aggregates them by source and destination IP:

```
# Aggregate suricata.flow events with matching source and destination IP
where #schema == "suricata.flow"
```

The `summarize-flows` operator can now be used in all pipeline
definitions. For example:
```
/* Write all summarized suricata.flow events to stdout as JSON */
from file path/to/eve.json read suricata
| summarize-flows
| write json
```
User-defined operators may not reference themselves, but may reference other user-defined operators. Attempting to use a recursively defined operator in a pipeline will fail with an error.
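As an added illustration (not taken from the Tenzir documentation or code base), a `tenzir.yaml` fragment that defines `summarize-flows` and a second alias that reuses it, which is allowed, while a self-reference would not be. It assumes that aliases are declared under the `tenzir.operators` key and that the suricata.flow schema carries the `src_ip`, `dest_ip` and `flow.bytes_toserver` fields; the aggregation itself is constructed for this example.

```yaml
# Constructed example; assumes aliases live under tenzir.operators.
tenzir:
  operators:
    # Aggregate suricata.flow events with matching source and destination IP
    summarize-flows: |
      where #schema == "suricata.flow"
      | summarize sum(flow.bytes_toserver) by src_ip, dest_ip
    # Allowed: an alias may reference another user-defined operator.
    # Keeps only aggregated flows that sent more than 1 MiB to the server.
    large-flows: |
      summarize-flows
      | where flow.bytes_toserver > 1Mi
    # Not allowed: an alias may not reference itself, so this definition
    # would fail with an error the moment a pipeline uses it.
    # recursive-flows: |
    #   recursive-flows
```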
In addition to aliases, developers can add additional operators to Tenzir by
using the operator plugin API.
This allows for writing arbitrarily complex operators in C++ by developing
If you want to learn more about building your own operators, we recommend studying Tenzir's built-in operators, which are developed against the same API.