Operators
An operator is the execution building block of a pipeline.
There exist three primary types:
- Source: produces data
- Sink: consumes data
- Transformation: produces and consumes data
Every operator has an input type and an output type.
Operators can be polymorphic in that they can have more than a single input and output type. For example, head accepts both bytes and events, filtering either the first N bytes or the first N events.
Additionally, user-defined operators add an alias for a pipeline to make it usable as an operator.
- api: Use Tenzir's REST API directly from a pipeline.
- apply: Include the pipeline defined in another file.
- azure-log-analytics: Sends events via the Microsoft Azure Logs Ingestion API.
- batch: The batch operator controls the batch size of events.
- buffer: An in-memory buffer to improve handling of data spikes in upstream operators.
- chart: Add metadata to a schema, necessary for rendering as a chart.
- compress: Compresses a stream of bytes.
- context: Manages a context.
- decapsulate: Decapsulates packet data at link, network, and transport layer.
- decompress: Decompresses a stream of bytes.
- deduplicate: Removes duplicate events based on the values of one or more fields.
- delay: Delays events relative to a given start time, with an optional speedup.
- diagnostics: Retrieves diagnostic events from a Tenzir node.
- discard: Discards all incoming events.
- drop: Drops fields from the input.
- enrich: Enriches events with a context.
- enumerate: Prepend a column with row numbers.
- export: Retrieves events from a Tenzir node. The dual to import.
- extend: Appends fields to events.
- files: Shows file information for a given directory.
- flatten: Flattens nested data.
- fluent-bit: Sends and receives events via Fluent Bit.
- from: Produces events by combining a connector and a format.
- hash: Computes a SHA256 hash digest of a given field.
- head: Limits the input to the first N events.
- import: Imports events into a Tenzir node. The dual to export.
- load: The load operator acquires raw bytes from a connector.
- lookup: Performs live filtering of the import feed using a context.
- measure: Replaces the input with metrics describing the input.
- metrics: Retrieves metrics events from a Tenzir node.
- nics: Shows a snapshot of available network interfaces.
- openapi: Shows the node's OpenAPI specification.
- package: Manages the packages at a node.
- parse: Applies a parser to the string stored in a given field.
- partitions: Retrieves metadata about events stored at a node.
- pass: Does nothing with the input.
- Prints the specified record field as a string.
- processes: Shows a snapshot of running processes.
- pseudonymize: Pseudonymizes fields according to a given method.
- publish: Publishes events to a channel with a topic. The dual to
- put: Returns new events that only contain a set of specified fields.
- python: Executes Python code against each event of the input.
- rare: Shows the least common values. The dual to top.
- read: The read operator converts raw bytes into events.
- rename: Renames fields and types.
- repeat: Repeats the input a number of times.
- replace: Replaces the fields matching the given extractors with fixed values.
- reverse: Reverses the event order.
- save: The save operator saves bytes to a connector.
- select: Selects fields from the input.
- serve: Make events available under the /serve REST API.
- set: Upserts fields in events.
- shell: Executes a system command and hooks its stdin and stdout into the pipeline.
- show: Returns information about a Tenzir node.
- sigma: Filter the input with Sigma rules and output matching events.
- slice: Keep a range of events within the half-closed interval [begin, end).
- sockets: Shows a snapshot of open sockets.
- sort: Sorts events.
- subscribe: Subscribes to events from a channel with a topic. The dual to
- summarize: Groups events and applies aggregate functions on each group.
- tail: Limits the input to the last N events.
- taste: Limits the input to N events per unique schema.
- throttle: Limits the bandwidth of a pipeline.
- timeshift: Adjusts timestamps relative to a given start time, with an optional speedup.
- to: Consumes events by combining a connector and a format.
- top: Shows the most common values. The dual to rare.
- unflatten: Unflattens data structures whose field names imply a nested structure.
- unique: Removes adjacent duplicates.
- unroll: Unrolls a list by producing multiple events, one for each item.
- velociraptor: Submits VQL to a Velociraptor server and returns the response as events.
- version: Shows the current version.
- where: Filters events according to an expression.
- write: The write operator converts events into raw bytes.
- yara: Executes YARA rules on byte streams.
- yield: Extracts nested records with the ability to unfold lists.