This guide shows you how to send data to various destinations using TQL output operators. You’ll learn about destination operators, file output patterns, and expression-based serialization.
Destination operators
TQL provides to_* operators for sending events to various destinations. These
operators accept expressions for flexible serialization.
Message brokers
Send events to message brokers like Kafka.

Send to Kafka with automatic JSON formatting:

subscribe "security-events"
to_kafka "events"

Specify explicit serialization with the message parameter:

subscribe "logs"
to_kafka "events", message=this.print_json()

The message parameter accepts any expression that evaluates to a string or
blob.
Analytics platforms
Send data to platforms like Splunk, OpenSearch, and Elasticsearch.

Send to a Splunk HEC endpoint:

subscribe "logs"
to_splunk "https://splunk.example.com:8088", hec_token=secret("SPLUNK_HEC_TOKEN")

Send to OpenSearch with index routing:

subscribe "security"
to_opensearch "https://opensearch.example.com:9200", action="index", index="security-events"

Cloud services
Route events to cloud destinations like Amazon SQS and Google Cloud Pub/Sub.

Send to SQS:

subscribe "notifications"
to_sqs "https://sqs.us-east-1.amazonaws.com/123456789/queue"

Send to Pub/Sub:

subscribe "events"
to_gcp_pubsub "projects/my-project/topics/events"

File output
For writing to files, use write_* operators followed by save_* operators.
This two-operator pattern separates serialization from storage.

Write JSON to a local file:

subscribe "logs"
write_json
save_file "output.json"

Write compressed Parquet:

export
write_parquet
save_file "archive.parquet.zst"

Write JSON Lines to S3:

write_json
save_file "s3://bucket/logs/events.jsonl"

Send NDJSON over TCP:

write_json
save_tcp "collector.example.com:5044"

Expression-based serialization
Destination operators use expressions for flexible message formatting:
Serialize the entire event
Serialize as JSON (the default for most operators):

to_kafka "events", message=this.print_json()

Serialize as compact JSON without nulls:

to_kafka "events", message=this.print_json(include_nulls=false)

Serialize specific fields
Send only a specific field:

to_kafka "alerts", message=alert_message

Combine fields into a formatted string:

to_kafka "metrics", message=f"{host}: {metric_name}={value}"

Dynamic routing
Route events to different destinations based on content:

to_kafka f"events.{event_type}", message=this.print_json()
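
An allowlist guard for the dynamic routing shown above, as an added example that is not part of the original guide: because the topic name is built from the event_type field, the pipeline keeps only events whose type is on a fixed list before the topic is formed. The topic names and the listed event types are constructed sample values.

```tql
// Added example, not from the original guide.
// Assumption: "alert", "dns", and "flow" are the only event types that
// should ever become Kafka topics; adjust the list to your own schema.
subscribe "security-events"

// Drop events whose type is missing or not on the allowlist, so the
// topic name below can only take one of three known values and never
// an arbitrary string carried in event data.
where event_type in ["alert", "dns", "flow"]

// The topic resolves to events.alert, events.dns, or events.flow.
to_kafka f"events.{event_type}", message=this.print_json()
```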