Skip to content

Return data from multiple pipelines

POST
/serve-multi

Returns events from existing pipelines. The pipeline definitions must include a serve operator. By default, the endpoint performs long polling (timeout: 5s) and returns events as soon as they are available (min_events: 1).

Authorizations

Section titled “Authorizations ”

Request Body required

Section titled “Request Body required ”

Body for the serve-multi endpoint

object
requests
required
Array<object>
object
serve_id

The id that was passed to the serve operator.

string
Example
query1
continuation_token

The continuation token that was returned with the last response. For the initial request this is null.

string
Example
340ce2j
max_events

The maximum number of events returned. This is split evenly for all serve_ids. If necessary, it is rounded up.

integer
default: 1024
Example
1024
min_events

Wait for this number of events before returning. This is split evenly for all serve_ids. If necessary, it is rounded up.

integer
default: 1
Example
1
timeout

The maximum amount of time spent on the request. Hitting the timeout is not an error. The timeout must not be greater than 10 seconds.

string
default: 5s
Example
200ms
schema

The output format in which schemas are represented. Must be one of “legacy”, “exact”, or “never”. Use “exact” to switch to a type representation matching Tenzir’s type system exactly, and “never” to omit schema definitions from the output entirely.

string
default: legacy
Example
exact

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Success.

object
key
additional properties

The response is keyed by the serve-id

object
next_continuation_token

A token to access the next pipeline data batch, null if the pipeline is completed.

string
Example
340ce2j
state

The state of the corresponding pipeline at the time of the request. One of running, completed, or failed.

string
Example
running
schemas

The schemas that the served events are based on.

Array<object>
object
schema_id

The unique schema identifier.

string
definition

The schema definition in JSON format.

object
Example
[
  {
    "schema_id": "c631d301e4b18f4",
    "definition": [
      {
        "name": "tenzir.summarize",
        "kind": "record",
        "type": "tenzir.summarize",
        "attributes": {},
        "path": [],
        "fields": [
          {
            "name": "severity",
            "kind": "string",
            "type": "string",
            "attributes": {},
            "path": [
              0
            ],
            "fields": []
          },
          {
            "name": "pipeline_id",
            "kind": "string",
            "type": "string",
            "attributes": {},
            "path": [
              1
            ],
            "fields": []
          }
        ]
      }
    ]
  }
]
events

The served events.

Array<object>
object
schema_id

The unique schema identifier.

string
data

The actual served data in JSON format.

object
Example
[
  {
    "schema_id": "c631d301e4b18f4",
    "data": {
      "timestamp": "2023-04-26T12:00:00Z",
      "schema": "zeek.conn",
      "schema_id": "ab2371bas235f1",
      "events": 50
    }
  },
  {
    "schema_id": "c631d301e4b18f4",
    "data": {
      "timestamp": "2023-04-26T12:05:00Z",
      "schema": "suricata.dns",
      "schema_id": "cd4771bas235f1",
      "events": 50
    }
  }
]

400

Section titled “400 ”

Invalid arguments.

object
error
required

The error message.

string
Example
Invalid arguments