Operators

rare

Shows the least common values.

rare auth.token

reverse

Reverses the event order.

reverse

sort

Sorts events by the given expressions.

sort name, -abs(transaction)

summarize

Groups events and applies aggregate functions to each group.

summarize name, sum(amount)

top

Shows the most common values.

top user

chart_area

Plots events on an area chart.

chart_area …

chart_bar

Plots events on an bar chart.

chart_bar …

chart_line

Plots events on an line chart.

chart_line …

chart_pie

Plots events on an pie chart.

chart_pie …

publish

Publishes events to a channel with a topic.

publish "topic"

subscribe

Subscribes to events from a channel with a topic.

subscribe "topic"

context::create_bloom_filter

Creates a Bloom filter context.

context::create_bloom_filter "ctx", capacity=1Mi, fp_probability=0.01

context::create_geoip

Creates a GeoIP context.

context::create_geoip "ctx", db_path="GeoLite2-City.mmdb"

context::create_lookup_table

Creates a lookup table context.

context::create_lookup_table "ctx"

context::enrich

Enriches events with data from a context.

context::enrich "ctx", key=x

context::erase

Removes entries from a context.

context::erase "ctx", key=x

context::inspect

Resets a context.

context::inspect "ctx"

context::list

Lists all contexts.

context::list

context::load

Loads context state.

context::load "ctx"

context::lookup

Performs unified matching.

context::lookup "ctx", key=field

context::remove

Deletes a context.

context::remove "ctx"

context::reset

Resets a context.

context::reset "ctx"

context::save

Saves context state.

context::save "ctx"

context::update

Updates a context with new data.

context::update "ctx", key=x, value=y

sigma

Filter the input with Sigma rules and output matching events.

sigma "/tmp/rules/"

yara

Executes YARA rules on byte streams.

yara "/path/to/rules"

compress_brotli

Compresses a stream of bytes using Brotli compression.

compress_brotli, level=10

compress_bz2

Compresses a stream of bytes using bz2 compression.

compress_bz2, level=9

compress_gzip

Compresses a stream of bytes using gzip compression.

compress_gzip, level=8

compress_lz4

Compresses a stream of bytes using lz4 compression.

compress_lz4, level=7

compress_zstd

Compresses a stream of bytes using zstd compression.

compress_zstd, level=6

decompress_brotli

Decompresses a stream of bytes in the Brotli format.

decompress_brotli

decompress_bz2

Decompresses a stream of bytes in the Bzip2 format.

decompress_bz2

decompress_gzip

Decompresses a stream of bytes in the Gzip format.

decompress_gzip

decompress_lz4

Decompresses a stream of bytes in the Lz4 format.

decompress_lz4

decompress_zstd

Decompresses a stream of bytes in the Zstd format.

decompress_zstd

python

Executes Python code against each event of the input.

python "self.x = self.y"

shell

Executes a system command and hooks its stdin and stdout into the pipeline.

shell "echo hello"

assert

Drops events and emits a warning if the invariant is violated.

assert name.starts_with("John")

assert_throughput

Emits a warning if the pipeline does not have the expected throughput

assert_throughput 1000, within=1s

deduplicate

Removes duplicate events based on a common key.

deduplicate src_ip

head

Limits the input to the first n events.

head 20

sample

Dynamically samples events from a event stream.

sample 30s, max_samples=2k

slice

Keeps a range of events within the interval [begin, end) stepping by stride.

slice begin=10, end=30

tail

Limits the input to the last n events.

tail 20

taste

Limits the input to n events per unique schema.

taste 1

where

Keeps only events for which the given predicate is true.

where name.starts_with("John")

cron

Runs a pipeline periodically according to a cron expression.

cron "* */10 * * * MON-FRI" { from_http "https://example.org" }

delay

Delays events relative to a given start time, with an optional speedup.

delay ts, speed=2.5

discard

Discards all incoming events.

discard

each

Spawns a subpipeline for every incoming event, with the event bound to $this.

each { from $this }

every

Runs a pipeline periodically at a fixed interval.

every 10s { summarize sum(amount) }

fork

Executes a subpipeline with a copy of the input.

fork { publish "copy" }

group

Routes events with the same key through the same subpipeline.

group tenant { summarize count() }

load_balance

Routes the data to one of multiple subpipelines.

load_balance $over { publish $over }

parallel

Runs a subpipeline across multiple parallel workers.

parallel 4 { parsed = data.parse_json() }

pass

Does nothing with the input.

pass

repeat

Repeats the input a number of times.

repeat 100

throttle

Limits the bandwidth of a pipeline.

throttle 100M, within=1min

files

Shows file information for a given directory.

files "/var/log/", recurse=true

nics

Shows a snapshot of available network interfaces.

nics

processes

Shows a snapshot of running processes.

processes

sockets

Shows a snapshot of open sockets.

sockets

accept_elasticsearch

Accepts incoming Elasticsearch-compatible Bulk API requests and forwards them as events.

accept_elasticsearch "0.0.0.0:9200"

accept_http

Accepts incoming HTTP requests and forwards them as events.

accept_http "0.0.0.0:8080" { read_json }

accept_opensearch

Accepts incoming OpenSearch-compatible Bulk API requests and forwards them as events.

accept_opensearch "0.0.0.0:9200"

accept_tcp

Accepts incoming TCP or TLS connections and yields events.

accept_tcp "0.0.0.0:8090" { read_json }

accept_udp

Receives UDP datagrams and outputs structured events.

accept_udp "0.0.0.0:8090"

accept_zmq

Listens on a ZeroMQ endpoint and receives events.

accept_zmq "tcp://0.0.0.0:5555", prefix="alerts/" { read_json }

from_amazon_cloudwatch

Reads events from Amazon CloudWatch.

from_amazon_cloudwatch "/aws/lambda/api", mode="search"

from_amqp

Receives messages from an AMQP queue.

from_amqp "amqp://admin:pass@0.0.0.1:5672/vhost", queue="events"

from_azure_blob_storage

Reads one or multiple files from Azure Blob Storage.

from_azure_blob_storage "abfs://container/data/**.json"

from_file

Reads one or multiple files from a filesystem.

from_file "s3://data/**.json"

from_fluent_bit

Receives events via Fluent Bit.

from_fluent_bit "opentelemetry"

from_ftp

Downloads bytes via FTP and parses them with a subpipeline.

from_ftp "ftp.example.org/events.ndjson" { read_ndjson }

from_google_cloud_pubsub

Subscribes to a Google Cloud Pub/Sub subscription and yields events.

from_google_cloud_pubsub project_id="my-project", subscription_id="my-sub"

from_google_cloud_storage

Reads one or multiple files from Google Cloud Storage.

from_google_cloud_storage "gs://my-bucket/data/**.json"

from_http

Sends an HTTP/1.1 request and returns the response as events.

from_http "https://example.com/api/events.json"

from_kafka

Receives events from an Apache Kafka topic.

from_kafka "logs"

from_microsoft_graph

Reads events from a Microsoft Graph collection.

from_microsoft_graph "auditLogs/signIns", auth={…}

from_mysql

Reads events from a MySQL database.

from_mysql table="users", host="db.example.com", database="mydb"

from_nats

Consumes messages from a NATS JetStream subject.

from_nats "alerts"

from_nic

Captures packets from a network interface and outputs events.

from_nic "eth0"

from_s3

Reads one or multiple files from Amazon S3.

from_s3 "s3://my-bucket/data/**.json"

from_sentinelone_data_lake

Retrieves PowerQuery results from SentinelOne Singularity Data Lake.

from_sentinelone_data_lake "https://…", …

from_sqs

Receives messages from an Amazon SQS queue.

from_sqs "sqs://tenzir", poll_time=5s

from_stdin

Reads and parses events from standard input.

from_stdin { read_json }

from_tcp

Connects to a remote TCP or TLS endpoint and receives events.

from_tcp "example.org:4000" {
  read_json
}

from_velociraptor

Submits VQL to a Velociraptor server and returns the response as events.

from_velociraptor subscribe="Windows"

from_zmq

Connects to a remote ZeroMQ publisher and receives events.

from_zmq "tcp://collector.example.com:5555", prefix="alerts/" { read_json }

api

Use Tenzir's REST API directly from a pipeline.

api "/pipeline/list"

batch

The batch operator controls the batch size of events.

batch timeout=1s

buffer

An in-memory buffer to improve handling of data spikes in upstream operators.

buffer 10M, policy="drop"

cache

An in-memory cache shared between pipelines.

cache "w01wyhTZm3", ttl=10min

local

Forces a pipeline to run locally.

local { sort foo }

measure

Replaces the input with metrics describing the input.

measure

remote

Forces a pipeline to run remotely at a node.

remote { version }

strict

Treats all warnings as errors.

strict { assert false }

unordered

Removes ordering assumptions from a pipeline.

unordered { read_ndjson }

dns_lookup

Performs DNS lookups to resolve IP addresses to hostnames or hostnames to IP addresses.

dns_lookup ip_address, result=dns_info

drop

Removes fields from the event.

drop name, metadata.id

drop_null_fields

Removes fields containing null values from the event.

drop_null_fields name, metadata.id

enumerate

Add a field with the number of preceding events.

enumerate num

move

Moves values from one field to another, removing the original field.

move id=parsed_id, ctx.message=incoming.status

replace

Replaces all occurrences of a value with another value.

replace what=42, with=null

select

Selects some values and discards the rest.

select name, id=metadata.id

set

Assigns a value to a field, creating it if necessary.

name = "Tenzir"

timeshift

Adjusts timestamps relative to a given start time, with an optional speedup.

timeshift ts, start=2020-01-01

unroll

Returns a new event for each member of a list or a record in an event, duplicating the surrounding event.

unroll names

diagnostics

Retrieves diagnostic events from a Tenzir node.

diagnostics

metrics

Retrieves metrics events from a Tenzir node.

metrics "cpu"

openapi

Shows the node's OpenAPI specification.

openapi

plugins

Shows all available plugins and built-ins.

plugins

version

Shows the current version.

version

ocsf::apply

Casts incoming events to their OCSF type.

ocsf::apply

ocsf::cast

Casts incoming events to their OCSF type.

ocsf::cast

ocsf::derive

Automatically assigns enum strings from their integer counterparts and vice versa.

ocsf::derive

ocsf::trim

Drops fields from OCSF events to reduce their size.

ocsf::trim

serve_http

Starts an HTTP server and streams bytes produced by a nested pipeline to connected clients.

serve_http "0.0.0.0:8080" { write_ndjson }

serve_tcp

Listens for incoming TCP connections and sends events to all connected clients.

serve_tcp "0.0.0.0:8090" { write_json }

serve_zmq

Listens on a ZeroMQ endpoint and sends events.

serve_zmq "tcp://0.0.0.0:5555", encoding="json", prefix=f"{kind}/"

to_amazon_cloudwatch

Sends events to Amazon CloudWatch.

to_amazon_cloudwatch "/tenzir/events", stream="default"

to_amazon_security_lake

Sends OCSF events to Amazon Security Lake.

to_amazon_security_lake "s3://…"

to_amqp

Sends messages to an AMQP exchange.

to_amqp "amqp://admin:pass@0.0.0.1:5672/vhost"

to_azure_blob_storage

Writes events to one or multiple blobs in Azure Blob Storage.

to_azure_blob_storage "abfs://container/data/{uuid}.json" { write_ndjson }

to_azure_log_analytics

Sends events to the Microsoft Azure Logs Ingestion API.

to_azure_log_analytics tenant_id="...", workspace_id="..."

to_clickhouse

Sends events to a ClickHouse table.

to_clickhouse table="my_table"

to_elasticsearch

Sends events to an Elasticsearch-compatible Bulk API.

to_elasticsearch "localhost:9200", …

to_file

Writes events to one or multiple files on a filesystem.

to_file "/tmp/out.json" { write_ndjson }

to_fluent_bit

Sends events via Fluent Bit.

to_fluent_bit "elasticsearch" …

to_ftp

Prints events to bytes and uploads them via FTP.

to_ftp "ftp.example.org/events.ndjson" { write_ndjson }

to_google_cloud_logging

Sends events to Google Cloud Logging.

to_google_cloud_logging …

to_google_cloud_pubsub

Publishes events to a Google Cloud Pub/Sub topic.

to_google_cloud_pubsub project_id="my-project", topic_id="alerts", message=text

to_google_cloud_storage

Writes events to one or multiple objects in Google Cloud Storage.

to_google_cloud_storage "gs://my-bucket/data/{uuid}.json" { write_ndjson }

to_google_secops

Sends unstructured events to a Google SecOps Chronicle instance.

to_google_secops …

to_hive

Writes events to a URI using hive partitioning.

to_hive "s3://…", partition_by=[x]

to_http

Sends events as a single HTTP request to a webhook or API endpoint.

to_http "https://example.com/webhook" { write_ndjson }

to_kafka

Sends messages to an Apache Kafka topic.

to_kafka "topic"

to_nats

Publishes messages to a NATS JetStream subject.

to_nats "alerts"

to_opensearch

Sends events to an OpenSearch-compatible Bulk API.

to_opensearch "localhost:9200", …

to_s3

Writes events to one or multiple objects in Amazon S3.

to_s3 "s3://my-bucket/data/{uuid}.json" { write_ndjson }

to_sentinelone_data_lake

Sends security events to SentinelOne Singularity Data Lake via REST API.

to_sentinelone_data_lake "https://…", …

to_snowflake

Sends events to a Snowflake database.

to_snowflake account_identifier="…

to_splunk

Sends events to a Splunk HTTP Event Collector (HEC).

to_splunk "localhost:8088", …

to_sqs

Sends messages to an Amazon SQS queue.

to_sqs "sqs://tenzir"

to_stdout

Writes events to standard output.

to_stdout

to_tcp

Connects to a remote TCP or TLS endpoint and sends events.

to_tcp "collector.example.com:5044" { write_json }

to_udp

Sends one UDP datagram per input event.

to_udp "127.0.0.1:514"

to_zmq

Connects to a remote ZeroMQ subscriber endpoint and sends events.

to_zmq "tcp://collector.example.com:5555", encoding="json", prefix=f"{kind}/"

package::add

Installs a package.

package::add "suricata-ocsf"

package::list

Shows installed packages.

package::list

package::remove

Uninstalls a package.

package::remove "suricata-ocsf"

read_all

Parses an incoming bytes stream into a single event.

read_all binary=true

read_bitz

Parses bytes as BITZ format.

read_bitz

read_cef

Parses an incoming Common Event Format (CEF) stream into events.

read_cef

read_csv

Read CSV (Comma-Separated Values) from a byte stream.

read_csv null_value="-"

read_delimited

Parses an incoming bytes stream into events using a string as delimiter.

read_delimited "|"

read_delimited_regex

Parses an incoming bytes stream into events using a regular expression as delimiter.

read_delimited_regex r"\s+"

read_feather

Parses an incoming Feather byte stream into events.

read_feather

read_gelf

Parses an incoming GELF stream into events.

read_gelf

read_grok

Parses lines of input with a grok pattern.

read_grok "%{IP:client} %{WORD:action}"

read_json

Parses an incoming JSON stream into events.

read_json arrays_of_objects=true

read_kv

Read Key-Value pairs from a byte stream.

read_kv r"(\s+)[A-Z_]+:", r":\s*"

read_leef

Parses an incoming LEEF stream into events.

read_leef

read_lines

Parses an incoming bytes stream into events.

read_lines

read_ndjson

Parses an incoming NDJSON (newline-delimited JSON) stream into events.

read_ndjson

read_parquet

Reads events from a Parquet byte stream.

read_parquet

read_pcap

Reads raw network packets in PCAP file format.

read_pcap

read_ssv

Read SSV (Space-Separated Values) from a byte stream.

read_ssv header="name count"

read_suricata

Parses an incoming Suricata EVE JSON stream into events.

read_suricata

read_syslog

Parses an incoming Syslog stream into events.

read_syslog

read_tql

Parses an incoming byte stream of TQL-formatted records into events.

read_tql

read_tsv

Read TSV (Tab-Separated Values) from a byte stream.

read_tsv auto_expand=true

read_xsv

Read XSV from a byte stream.

read_xsv ";", ":", "N/A"

read_yaml

Parses an incoming YAML stream into events.

read_yaml

read_zeek_json

Parse an incoming Zeek JSON stream into events.

read_zeek_json

read_zeek_tsv

Parses an incoming Zeek TSV stream into events.

read_zeek_tsv

pipeline::activity

Summarizes the activity of pipelines.

pipeline::activity range=1d, interval=1h

pipeline::detach

Starts a pipeline in the node.

pipeline::detach { … }

pipeline::list

Shows managed pipelines.

pipeline::list

pipeline::run

Starts a pipeline in the node and waits for it to complete.

pipeline::run { … }

write_all

Concatenates one field from all input events into a byte stream.

write_all data

write_bitz

Writes events in BITZ format.

write_bitz

write_csv

Transforms event stream to CSV (Comma-Separated Values) byte stream.

write_csv

write_feather

Transforms the input event stream to Feather byte stream.

write_feather

write_json

Transforms the input event stream to a JSON byte stream.

write_json

write_kv

Writes events in a Key-Value format.

write_kv

write_lines

Writes events as key-value pairsthe values of an event.

write_lines

write_ndjson

Transforms the input event stream to a Newline-Delimited JSON byte stream.

write_ndjson

write_parquet

Transforms event stream to a Parquet byte stream.

write_parquet

write_pcap

Transforms event stream to PCAP byte stream.

write_pcap

write_ssv

Transforms event stream to SSV (Space-Separated Values) byte stream.

write_ssv

write_syslog

Writes events as syslog.

write_syslog

write_tql

Transforms the input event stream to a TQL notation byte stream.

write_tql

write_tsv

Transforms event stream to TSV (Tab-Separated Values) byte stream.

write_tsv

write_xsv

Transforms event stream to XSV byte stream.

write_xsv

write_yaml

Transforms the input event stream to YAML byte stream.

write_yaml

write_zeek_tsv

Transforms event stream into Zeek Tab-Separated Value byte stream.

write_zeek_tsv

export

Retrieves events from a Tenzir node.

export

fields

Retrieves all fields stored at a node.

fields

import

Imports events into a Tenzir node.

import

partitions

Retrieves metadata about events stored at a node.

partitions src_ip == 1.2.3.4

schemas

Retrieves all schemas for events stored at a node.

schemas