TQL

Build TQL pipelines with expert language guidance. Provides TQL language fundamentals, integrates with live Tenzir documentation, and guides you through creating parser packages and OCSF mappings.

Features

• 📝 Language Fundamentals: Core TQL concepts including types, statements, expressions, and program structure
• 📚 Documentation Lookup: Query live Tenzir documentation for operators, functions, and syntax via the docs:reader subagent
• 📦 Package Management: Create and test Tenzir packages with proper structure and iterative testing workflows
• 🔧 Parser Creation: Guided workflow for building parsing pipelines from raw log data
• 🛡️ OCSF Mapping: Transform parsed events into OCSF-compliant format with validation

Installation

Interactive

Use the plugin manager UI in Claude Code.

1. Run /plugin in Claude Code Enter
2. Go to Marketplaces Tab
3. Select + Add Marketplace Enter
4. Type tenzir/claude-plugins Enter
5. Install tql from the plugin list

Shell

Run the CLI command with your preferred scope.

# Install to user scope (default)
claude plugin install tql@tenzir

# Install to project scope (shared with team)
claude plugin install tql@tenzir --scope project

# Install to local scope (gitignored)
claude plugin install tql@tenzir --scope local

Settings

Add the marketplace and plugin to your settings file.

.claude/settings.json

{
  "extraKnownMarketplaces": {
    "tenzir": {
      "source": {
        "source": "github",
        "repo": "tenzir/claude-plugins"
      }
    }
  },
  "enabledPlugins": {
    "tql@tenzir": true
  }
}

Capabilities

Type	Name	Description
Skill	managing-packages	Create and manage Tenzir packages. Use during package development when creating parsers for log samples, adding user-defined operators, showcasing example pipelines, and writing integration tests.
Skill	writing-programs	Write TQL programs with documentation guidance. Use when writing TQL code, looking up operators or functions, asking about syntax, or building data pipelines.
Command	/tql:make_ocsf_mapping	Create on OCSF mapping inside a Tenzir package
Command	/tql:make_parser	Create a TQL parsing pipeline package from sample log data

Usage

tql:writing-programs skill

Activates when writing or debugging TQL programs. Loads TQL language fundamentals and best practices from the idiomatic TQL tutorial. Spawns the docs:reader subagent for real-time operator and function lookups.

When it activates:

• Writing TQL code or .tql files
• Asking about TQL syntax, operators, or functions
• Building or debugging data pipelines

Example prompts:

Write a pipeline that reads JSON from a file, filters events where
severity > 5, and writes to Parquet.

How do I aggregate network flows by source IP and count connections
per minute?

Parse CEF logs, extract the device vendor field, and enrich with
GeoIP data for source addresses.

What you get:

• Pipelines following TQL best practices (proper operator chaining, idiomatic patterns)
• Correct syntax for types, expressions, and statements
• Live documentation lookups when the skill needs operator details

Changelog

View the release history and recent changes.

View on GitHub

Browse the plugin source code and documentation.