Routes events with the same key through the same subpipeline.
group over:expr { … }
Description
The group operator evaluates over for every incoming event and creates one
subpipeline for every distinct key. Events with the same key are sent to the
same subpipeline. Inside the subpipeline, $group refers to the key for that
subpipeline.
The subpipeline receives grouped events as input. It either emits events—which
are forwarded as the operator’s output—or ends with a sink, in which case
group itself becomes a sink. The subpipeline must not produce bytes.
Use group when you need a full keyed subpipeline, such as a per-tenant sink or
a per-session stateful transformation. For grouped aggregations only, use
summarize instead.
over: expr
The expression that computes the group key for every incoming event.
{ … }
The subpipeline to run for every distinct key. The subpipeline receives the matching events as input.
Inside the subpipeline, $group refers to the current key.
Examples
Summarize each tenant independently

from {tenant: "alpha", bytes: 120},
     {tenant: "beta", bytes: 90},
     {tenant: "alpha", bytes: 80}
group tenant {
  summarize events=count(), bytes=sum(bytes)
  tenant = $group
}
sort tenant

{
  events: 2,
  bytes: 200,
  tenant: "alpha",
}
{
  events: 1,
  bytes: 90,
  tenant: "beta",
}

Write a file per tenant

from {tenant: "alpha", message: "login"},
     {tenant: "beta", message: "scan"},
     {tenant: "alpha", message: "logout"}
group tenant {
  to_file f"/tmp/tenzir/{$group}.json" {
    write_ndjson
  }
}
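
The routing described under Description, modelled in Python for the per-session stateful transformation case (an added example, not Tenzir code and not part of the original page). The names group, session_tracker and demo and the sample events are constructed for illustration; the model forwards results in input order, which is an assumption, since the page does not state how output from different groups is ordered.

```python
# Model of `group`: one subpipeline instance per distinct key, each with its
# own state. Illustration only; names and events are constructed, not Tenzir APIs.

def session_tracker(group_key):
    """Subpipeline factory; group_key plays the role of $group."""
    state = {"seq": 0, "first_ip": None}  # private to this key's subpipeline

    def step(event):
        state["seq"] += 1
        if state["first_ip"] is None:
            state["first_ip"] = event["src_ip"]
        # Returned events are forwarded as the operator's output.
        return [{
            **event,
            "session_key": group_key,
            "seq": state["seq"],
            "ip_changed": event["src_ip"] != state["first_ip"],
        }]

    return step


def group(events, over, make_subpipeline):
    """Evaluate `over` per event and route it to the subpipeline for its key."""
    subpipelines = {}
    for event in events:
        key = over(event)
        if key not in subpipelines:  # first event seen for this key
            subpipelines[key] = make_subpipeline(key)
        # Assumption: results are forwarded in input order.
        yield from subpipelines[key](event)


# Constructed sample events: session s1 changes source address mid-session.
EVENTS = [
    {"session": "s1", "src_ip": "10.0.0.5", "action": "login"},
    {"session": "s2", "src_ip": "10.0.0.9", "action": "login"},
    {"session": "s1", "src_ip": "203.0.113.7", "action": "download"},
    {"session": "s2", "src_ip": "10.0.0.9", "action": "logout"},
]


def demo():
    return list(group(EVENTS, lambda e: e["session"], session_tracker))


if __name__ == "__main__":
    for out in demo():
        print(out)
```

Because each key gets its own state, the address change in s1 is flagged without s2's events affecting the comparison.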