Skip to content

Return data from a pipeline

POST
/serve

Returns events from an existing pipeline. The pipeline definition must include a serve operator. By default, the endpoint performs long polling (timeout: 5s) and returns events as soon as they are available (min_events: 1).

Authorizations

Section titled “Authorizations ”

Request Body required

Section titled “Request Body required ”

Body for the serve endpoint

object
serve_id
required

The id that was passed to the serve operator.

string
Example
query1
continuation_token

The continuation token that was returned with the last response. For the initial request this is null.

string
Example
340ce2j
max_events

The maximum number of events returned.

integer
default: 1024
Example
1024
min_events

Wait for this number of events before returning.

integer
default: 1
Example
1
timeout

The maximum amount of time spent on the request. Hitting the timeout is not an error. The timeout must not be greater than 10 seconds.

string
default: 5s
Example
200ms
schema

The output format in which schemas are represented. Must be one of “legacy”, “exact”, or “never”. Use “exact” to switch to a type representation matching Tenzir’s type system exactly, and “never” to omit schema schema definitions from the output entirely.

string
default: legacy
Example
exact

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Success.

object
next_continuation_token

A token to access the next pipeline data batch, null if the pipeline is completed.

string
Example
340ce2j
state

The state of the corresponding pipeline at the time of the request. One of running, completed, or failed.

string
Example
running
schemas

The schemas that the served events are based on.

Array<object>
object
schema_id

The unique schema identifier.

string
definition

The schema definition in JSON format.

object
Example
[
  {
    "schema_id": "c631d301e4b18f4",
    "definition": [
      {
        "name": "tenzir.summarize",
        "kind": "record",
        "type": "tenzir.summarize",
        "attributes": {},
        "path": [],
        "fields": [
          {
            "name": "severity",
            "kind": "string",
            "type": "string",
            "attributes": {},
            "path": [
              0
            ],
            "fields": []
          },
          {
            "name": "pipeline_id",
            "kind": "string",
            "type": "string",
            "attributes": {},
            "path": [
              1
            ],
            "fields": []
          }
        ]
      }
    ]
  }
]
events

The served events.

Array<object>
object
schema_id

The unique schema identifier.

string
data

The actual served data in JSON format.

object
Example
[
  {
    "schema_id": "c631d301e4b18f4",
    "data": {
      "timestamp": "2023-04-26T12:00:00Z",
      "schema": "zeek.conn",
      "schema_id": "ab2371bas235f1",
      "events": 50
    }
  },
  {
    "schema_id": "c631d301e4b18f4",
    "data": {
      "timestamp": "2023-04-26T12:05:00Z",
      "schema": "suricata.dns",
      "schema_id": "cd4771bas235f1",
      "events": 50
    }
  }
]

400

Section titled “400 ”

Invalid arguments.

object
error
required

The error message.

string
Example
Invalid arguments