# Operators

Tenzir comes with a wide range of built-in pipeline operators.

## Analyze

### [rare](https://preview.docs.tenzir.com/375/375/reference/operators/rare.md)

Shows the least common values.

```tql
rare auth.token
```

### [reverse](https://preview.docs.tenzir.com/375/375/reference/operators/reverse.md)

Reverses the event order.

```tql
reverse
```

### [sort](https://preview.docs.tenzir.com/375/375/reference/operators/sort.md)

Sorts events by the given expressions.

```tql
sort name, -abs(transaction)
```

### [summarize](https://preview.docs.tenzir.com/375/375/reference/operators/summarize.md)

Groups events and applies aggregate functions to each group.

```tql
summarize name, sum(amount)
```

### [top](https://preview.docs.tenzir.com/375/375/reference/operators/top.md)

Shows the most common values.

```tql
top user
```

### [window](https://preview.docs.tenzir.com/375/375/reference/operators/window.md)

Groups events into event-time windows and runs a subpipeline per window.

```tql
window size=1h, on=ts { summarize count() }
```

## Charts

### [chart\_area](https://preview.docs.tenzir.com/375/375/reference/operators/chart_area.md)

Plots events on an area chart.

```tql
chart_area …
```

### [chart\_bar](https://preview.docs.tenzir.com/375/375/reference/operators/chart_bar.md)

Plots events on an bar chart.

```tql
chart_bar …
```

### [chart\_line](https://preview.docs.tenzir.com/375/375/reference/operators/chart_line.md)

Plots events on an line chart.

```tql
chart_line …
```

### [chart\_pie](https://preview.docs.tenzir.com/375/375/reference/operators/chart_pie.md)

Plots events on an pie chart.

```tql
chart_pie …
```

## Connecting Pipelines

### [publish](https://preview.docs.tenzir.com/375/375/reference/operators/publish.md)

Publishes events to a channel with a topic.

```tql
publish "topic"
```

### [subscribe](https://preview.docs.tenzir.com/375/375/reference/operators/subscribe.md)

Subscribes to events from a channel with a topic.

```tql
subscribe "topic"
```

## Contexts

### [context::create\_bloom\_filter](https://preview.docs.tenzir.com/375/375/reference/operators/context/create_bloom_filter.md)

Creates a Bloom filter context.

```tql
context::create_bloom_filter "ctx", capacity=1Mi, fp_probability=0.01
```

### [context::create\_geoip](https://preview.docs.tenzir.com/375/375/reference/operators/context/create_geoip.md)

Creates a GeoIP context.

```tql
context::create_geoip "ctx", db_path="GeoLite2-City.mmdb"
```

### [context::create\_lookup\_table](https://preview.docs.tenzir.com/375/375/reference/operators/context/create_lookup_table.md)

Creates a lookup table context.

```tql
context::create_lookup_table "ctx"
```

### [context::enrich](https://preview.docs.tenzir.com/375/375/reference/operators/context/enrich.md)

Enriches events with data from a context.

```tql
context::enrich "ctx", key=x
```

### [context::erase](https://preview.docs.tenzir.com/375/375/reference/operators/context/erase.md)

Removes entries from a context.

```tql
context::erase "ctx", key=x
```

### [context::inspect](https://preview.docs.tenzir.com/375/375/reference/operators/context/inspect.md)

Resets a context.

```tql
context::inspect "ctx"
```

### [context::list](https://preview.docs.tenzir.com/375/375/reference/operators/context/list.md)

Lists all contexts.

```tql
context::list
```

### [context::load](https://preview.docs.tenzir.com/375/375/reference/operators/context/load.md)

Loads context state.

```tql
context::load "ctx"
```

### [context::lookup](https://preview.docs.tenzir.com/375/375/reference/operators/context/lookup.md)

Performs unified matching.

```tql
context::lookup "ctx", key=field
```

### [context::remove](https://preview.docs.tenzir.com/375/375/reference/operators/context/remove.md)

Deletes a context.

```tql
context::remove "ctx"
```

### [context::reset](https://preview.docs.tenzir.com/375/375/reference/operators/context/reset.md)

Resets a context.

```tql
context::reset "ctx"
```

### [context::save](https://preview.docs.tenzir.com/375/375/reference/operators/context/save.md)

Saves context state.

```tql
context::save "ctx"
```

### [context::update](https://preview.docs.tenzir.com/375/375/reference/operators/context/update.md)

Updates a context with new data.

```tql
context::update "ctx", key=x, value=y
```

## Detection

### [sigma](https://preview.docs.tenzir.com/375/375/reference/operators/sigma.md)

Filter the input with Sigma rules and output matching events.

```tql
sigma "/tmp/rules/"
```

### [yara](https://preview.docs.tenzir.com/375/375/reference/operators/yara.md)

Executes YARA rules on byte streams.

```tql
yara "/path/to/rules"
```

## Encode & Decode

### [compress\_brotli](https://preview.docs.tenzir.com/375/375/reference/operators/compress_brotli.md)

Compresses a stream of bytes using Brotli compression.

```tql
compress_brotli, level=10
```

### [compress\_bz2](https://preview.docs.tenzir.com/375/375/reference/operators/compress_bz2.md)

Compresses a stream of bytes using bz2 compression.

```tql
compress_bz2, level=9
```

### [compress\_gzip](https://preview.docs.tenzir.com/375/375/reference/operators/compress_gzip.md)

Compresses a stream of bytes using gzip compression.

```tql
compress_gzip, level=8
```

### [compress\_lz4](https://preview.docs.tenzir.com/375/375/reference/operators/compress_lz4.md)

Compresses a stream of bytes using lz4 compression.

```tql
compress_lz4, level=7
```

### [compress\_zstd](https://preview.docs.tenzir.com/375/375/reference/operators/compress_zstd.md)

Compresses a stream of bytes using zstd compression.

```tql
compress_zstd, level=6
```

### [decompress\_brotli](https://preview.docs.tenzir.com/375/375/reference/operators/decompress_brotli.md)

Decompresses a stream of bytes in the Brotli format.

```tql
decompress_brotli
```

### [decompress\_bz2](https://preview.docs.tenzir.com/375/375/reference/operators/decompress_bz2.md)

Decompresses a stream of bytes in the Bzip2 format.

```tql
decompress_bz2
```

### [decompress\_gzip](https://preview.docs.tenzir.com/375/375/reference/operators/decompress_gzip.md)

Decompresses a stream of bytes in the Gzip format.

```tql
decompress_gzip
```

### [decompress\_lz4](https://preview.docs.tenzir.com/375/375/reference/operators/decompress_lz4.md)

Decompresses a stream of bytes in the Lz4 format.

```tql
decompress_lz4
```

### [decompress\_zstd](https://preview.docs.tenzir.com/375/375/reference/operators/decompress_zstd.md)

Decompresses a stream of bytes in the Zstd format.

```tql
decompress_zstd
```

## Escape Hatches

### [python](https://preview.docs.tenzir.com/375/375/reference/operators/python.md)

Executes Python code against each event of the input.

```tql
python "self.x = self.y"
```

### [shell](https://preview.docs.tenzir.com/375/375/reference/operators/shell.md)

Executes a system command and hooks its stdin and stdout into the pipeline.

```tql
shell "echo hello"
```

## Filter

### [assert](https://preview.docs.tenzir.com/375/375/reference/operators/assert.md)

Drops events and emits a warning if the invariant is violated.

```tql
assert name.starts_with("John")
```

### [assert\_throughput](https://preview.docs.tenzir.com/375/375/reference/operators/assert_throughput.md)

Emits a warning if the pipeline does not have the expected throughput

```tql
assert_throughput 1000, within=1s
```

### [deduplicate](https://preview.docs.tenzir.com/375/375/reference/operators/deduplicate.md)

Removes duplicate events based on a common key.

```tql
deduplicate src_ip
```

### [head](https://preview.docs.tenzir.com/375/375/reference/operators/head.md)

Limits the input to the first `n` events.

```tql
head 20
```

### [sample](https://preview.docs.tenzir.com/375/375/reference/operators/sample.md)

Dynamically samples events from a event stream.

```tql
sample 30s, max_samples=2k
```

### [slice](https://preview.docs.tenzir.com/375/375/reference/operators/slice.md)

Keeps a range of events within the interval `[begin, end)` stepping by `stride`.

```tql
slice begin=10, end=30
```

### [tail](https://preview.docs.tenzir.com/375/375/reference/operators/tail.md)

Limits the input to the last `n` events.

```tql
tail 20
```

### [taste](https://preview.docs.tenzir.com/375/375/reference/operators/taste.md)

Limits the input to `n` events per unique schema.

```tql
taste 1
```

### [where](https://preview.docs.tenzir.com/375/375/reference/operators/where.md)

Keeps only events for which the given predicate is true.

```tql
where name.starts_with("John")
```

## Flow Control

### [cron](https://preview.docs.tenzir.com/375/375/reference/operators/cron.md)

Runs a pipeline periodically according to a cron expression.

```tql
cron "* */10 * * * MON-FRI" { from_http "https://example.org" }
```

### [delay](https://preview.docs.tenzir.com/375/375/reference/operators/delay.md)

Delays events relative to a given start time, with an optional speedup.

```tql
delay ts, speed=2.5
```

### [discard](https://preview.docs.tenzir.com/375/375/reference/operators/discard.md)

Discards all incoming events.

```tql
discard
```

### [each](https://preview.docs.tenzir.com/375/375/reference/operators/each.md)

Spawns a subpipeline for every incoming event, with the event bound to `$this`.

```tql
each { from $this }
```

### [every](https://preview.docs.tenzir.com/375/375/reference/operators/every.md)

Runs a pipeline periodically at a fixed interval.

```tql
every 10s { summarize sum(amount) }
```

### [fork](https://preview.docs.tenzir.com/375/375/reference/operators/fork.md)

Executes a subpipeline with a copy of the input.

```tql
fork { publish "copy" }
```

### [group](https://preview.docs.tenzir.com/375/375/reference/operators/group.md)

Routes events with the same key through the same subpipeline.

```tql
group tenant { summarize count() }
```

### [load\_balance](https://preview.docs.tenzir.com/375/375/reference/operators/load_balance.md)

Routes the data to one of multiple subpipelines.

```tql
load_balance $over { publish $over }
```

### [parallel](https://preview.docs.tenzir.com/375/375/reference/operators/parallel.md)

Runs a subpipeline across multiple parallel workers.

```tql
parallel 4 { parsed = data.parse_json() }
```

### [pass](https://preview.docs.tenzir.com/375/375/reference/operators/pass.md)

Does nothing with the input.

```tql
pass
```

### [repeat](https://preview.docs.tenzir.com/375/375/reference/operators/repeat.md)

Repeats the input a number of times.

```tql
repeat 100
```

### [throttle](https://preview.docs.tenzir.com/375/375/reference/operators/throttle.md)

Limits the bandwidth of a pipeline.

```tql
throttle 100M, within=1min
```

## Host Inspection

### [files](https://preview.docs.tenzir.com/375/375/reference/operators/files.md)

Shows file information for a given directory.

```tql
files "/var/log/", recurse=true
```

### [nics](https://preview.docs.tenzir.com/375/375/reference/operators/nics.md)

Shows a snapshot of available network interfaces.

```tql
nics
```

### [processes](https://preview.docs.tenzir.com/375/375/reference/operators/processes.md)

Shows a snapshot of running processes.

```tql
processes
```

### [sockets](https://preview.docs.tenzir.com/375/375/reference/operators/sockets.md)

Shows a snapshot of open sockets.

```tql
sockets
```

## Inputs

### [accept\_elasticsearch](https://preview.docs.tenzir.com/375/375/reference/operators/accept_elasticsearch.md)

Accepts incoming Elasticsearch-compatible Bulk API requests and forwards them as events.

```tql
accept_elasticsearch "0.0.0.0:9200"
```

### [accept\_http](https://preview.docs.tenzir.com/375/375/reference/operators/accept_http.md)

Accepts incoming HTTP requests and forwards them as events.

```tql
accept_http "0.0.0.0:8080" { read_json }
```

### [accept\_opensearch](https://preview.docs.tenzir.com/375/375/reference/operators/accept_opensearch.md)

Accepts incoming OpenSearch-compatible Bulk API requests and forwards them as events.

```tql
accept_opensearch "0.0.0.0:9200"
```

### [accept\_tcp](https://preview.docs.tenzir.com/375/375/reference/operators/accept_tcp.md)

Accepts incoming TCP or TLS connections and yields events.

```tql
accept_tcp "0.0.0.0:8090" { read_json }
```

### [accept\_udp](https://preview.docs.tenzir.com/375/375/reference/operators/accept_udp.md)

Receives UDP datagrams and outputs structured events.

```tql
accept_udp "0.0.0.0:8090"
```

### [accept\_unix\_socket](https://preview.docs.tenzir.com/375/375/reference/operators/accept_unix_socket.md)

Accepts incoming Unix domain socket connections and yields events.

```tql
accept_unix_socket "/run/collector.sock" { read_json }
```

### [accept\_zmq](https://preview.docs.tenzir.com/375/375/reference/operators/accept_zmq.md)

Listens on a ZeroMQ endpoint and receives events.

```tql
accept_zmq "tcp://0.0.0.0:5555", prefix="alerts/" { read_json }
```

### [from\_amazon\_cloudwatch](https://preview.docs.tenzir.com/375/375/reference/operators/from_amazon_cloudwatch.md)

Reads events from Amazon CloudWatch.

```tql
from_amazon_cloudwatch "/aws/lambda/api", mode="search"
```

### [from\_amazon\_sqs](https://preview.docs.tenzir.com/375/375/reference/operators/from_amazon_sqs.md)

Receives messages from an Amazon SQS queue.

```tql
from_amazon_sqs "sqs://tenzir", poll_time=5s
```

### [from\_amqp](https://preview.docs.tenzir.com/375/375/reference/operators/from_amqp.md)

Receives messages from an AMQP queue.

```tql
from_amqp "amqp://admin:pass@0.0.0.1:5672/vhost", queue="events"
```

### [from\_azure\_blob\_storage](https://preview.docs.tenzir.com/375/375/reference/operators/from_azure_blob_storage.md)

Reads one or multiple files from Azure Blob Storage.

```tql
from_azure_blob_storage "abfs://container/data/**.json"
```

### [from\_file](https://preview.docs.tenzir.com/375/375/reference/operators/from_file.md)

Reads one or multiple files from a filesystem.

```tql
from_file "s3://data/**.json"
```

### [from\_fluent\_bit](https://preview.docs.tenzir.com/375/375/reference/operators/from_fluent_bit.md)

Receives events via Fluent Bit.

```tql
from_fluent_bit "opentelemetry"
```

### [from\_ftp](https://preview.docs.tenzir.com/375/375/reference/operators/from_ftp.md)

Downloads bytes via FTP and parses them with a subpipeline.

```tql
from_ftp "ftp.example.org/events.ndjson" { read_ndjson }
```

### [from\_google\_cloud\_pubsub](https://preview.docs.tenzir.com/375/375/reference/operators/from_google_cloud_pubsub.md)

Subscribes to a Google Cloud Pub/Sub subscription and yields events.

```tql
from_google_cloud_pubsub project_id="my-project", subscription_id="my-sub"
```

### [from\_google\_cloud\_storage](https://preview.docs.tenzir.com/375/375/reference/operators/from_google_cloud_storage.md)

Reads one or multiple files from Google Cloud Storage.

```tql
from_google_cloud_storage "gs://my-bucket/data/**.json"
```

### [from\_http](https://preview.docs.tenzir.com/375/375/reference/operators/from_http.md)

Sends an HTTP/1.1 request and returns the response as events.

```tql
from_http "https://example.com/api/events.json"
```

### [from\_kafka](https://preview.docs.tenzir.com/375/375/reference/operators/from_kafka.md)

Receives events from an Apache Kafka topic.

```tql
from_kafka "logs"
```

### [from\_microsoft\_graph](https://preview.docs.tenzir.com/375/375/reference/operators/from_microsoft_graph.md)

Reads events from a Microsoft Graph collection.

```tql
from_microsoft_graph "auditLogs/signIns", auth={…}
```

### [from\_microsoft\_sql](https://preview.docs.tenzir.com/375/375/reference/operators/from_microsoft_sql.md)

Reads events from Microsoft SQL Server or Azure SQL Database.

```tql
from_microsoft_sql table="dbo.events", host="sql.example.com", database="security", tls=true
```

### [from\_mysql](https://preview.docs.tenzir.com/375/375/reference/operators/from_mysql.md)

Reads events from a MySQL database.

```tql
from_mysql table="users", host="db.example.com", database="mydb"
```

### [from\_nats](https://preview.docs.tenzir.com/375/375/reference/operators/from_nats.md)

Consumes messages from a NATS JetStream subject.

```tql
from_nats "alerts"
```

### [from\_nic](https://preview.docs.tenzir.com/375/375/reference/operators/from_nic.md)

Captures packets from a network interface and outputs events.

```tql
from_nic "eth0"
```

### [from\_s3](https://preview.docs.tenzir.com/375/375/reference/operators/from_s3.md)

Reads one or multiple files from Amazon S3.

```tql
from_s3 "s3://my-bucket/data/**.json"
```

### [from\_sentinelone\_data\_lake](https://preview.docs.tenzir.com/375/375/reference/operators/from_sentinelone_data_lake.md)

Retrieves PowerQuery results from SentinelOne Singularity Data Lake.

```tql
from_sentinelone_data_lake "https://…", …
```

### [from\_stdin](https://preview.docs.tenzir.com/375/375/reference/operators/from_stdin.md)

Reads and parses events from standard input.

```tql
from_stdin { read_json }
```

### [from\_tcp](https://preview.docs.tenzir.com/375/375/reference/operators/from_tcp.md)

Connects to a remote TCP or TLS endpoint and receives events.

```tql
from_tcp "example.org:4000" {
  read_json
}
```

### [from\_unix\_socket](https://preview.docs.tenzir.com/375/375/reference/operators/from_unix_socket.md)

Connects to a Unix domain socket and receives events.

```tql
from_unix_socket "/run/collector.sock" {
  read_json
}
```

### [from\_velociraptor](https://preview.docs.tenzir.com/375/375/reference/operators/from_velociraptor.md)

Submits VQL to a Velociraptor server and returns the response as events.

```tql
from_velociraptor subscribe="Windows"
```

### [from\_zmq](https://preview.docs.tenzir.com/375/375/reference/operators/from_zmq.md)

Connects to a remote ZeroMQ publisher and receives events.

```tql
from_zmq "tcp://collector.example.com:5555", prefix="alerts/" { read_json }
```

## Internals

### [api](https://preview.docs.tenzir.com/375/375/reference/operators/api.md)

Use Tenzir's REST API directly from a pipeline.

```tql
api "/pipeline/list"
```

### [batch](https://preview.docs.tenzir.com/375/375/reference/operators/batch.md)

The `batch` operator controls the batch size of events.

```tql
batch timeout=1s
```

### [buffer](https://preview.docs.tenzir.com/375/375/reference/operators/buffer.md)

An in-memory buffer to improve handling of data spikes in upstream operators.

```tql
buffer 10M, policy="drop"
```

### [cache](https://preview.docs.tenzir.com/375/375/reference/operators/cache.md)

An in-memory cache shared between pipelines.

```tql
cache "w01wyhTZm3", ttl=10min
```

### [local](https://preview.docs.tenzir.com/375/375/reference/operators/local.md)

Forces a pipeline to run locally.

```tql
local { sort foo }
```

### [measure](https://preview.docs.tenzir.com/375/375/reference/operators/measure.md)

Replaces the input with metrics describing the input.

```tql
measure
```

### [remote](https://preview.docs.tenzir.com/375/375/reference/operators/remote.md)

Forces a pipeline to run remotely at a node.

```tql
remote { version }
```

### [strict](https://preview.docs.tenzir.com/375/375/reference/operators/strict.md)

Treats all warnings as errors.

```tql
strict { assert false }
```

### [unordered](https://preview.docs.tenzir.com/375/375/reference/operators/unordered.md)

Removes ordering assumptions from a pipeline.

```tql
unordered { read_ndjson }
```

## Modify

### [dns\_lookup](https://preview.docs.tenzir.com/375/375/reference/operators/dns_lookup.md)

Performs DNS lookups to resolve IP addresses to hostnames or hostnames to IP addresses.

```tql
dns_lookup ip_address, result=dns_info
```

### [drop](https://preview.docs.tenzir.com/375/375/reference/operators/drop.md)

Removes fields from the event.

```tql
drop name, metadata.id
```

### [drop\_null\_fields](https://preview.docs.tenzir.com/375/375/reference/operators/drop_null_fields.md)

Removes fields containing null values from the event.

```tql
drop_null_fields name, metadata.id
```

### [enumerate](https://preview.docs.tenzir.com/375/375/reference/operators/enumerate.md)

Add a field with the number of preceding events.

```tql
enumerate num
```

### [move](https://preview.docs.tenzir.com/375/375/reference/operators/move.md)

Moves values from one field to another, removing the original field.

```tql
move id=parsed_id, ctx.message=incoming.status
```

### [replace](https://preview.docs.tenzir.com/375/375/reference/operators/replace.md)

Replaces all occurrences of a value with another value.

```tql
replace what=42, with=null
```

### [select](https://preview.docs.tenzir.com/375/375/reference/operators/select.md)

Selects some values and discards the rest.

```tql
select name, id=metadata.id
```

### [set](https://preview.docs.tenzir.com/375/375/reference/operators/set.md)

Assigns a value to a field, creating it if necessary.

```tql
name = "Tenzir"
```

### [timeshift](https://preview.docs.tenzir.com/375/375/reference/operators/timeshift.md)

Adjusts timestamps relative to a given start time, with an optional speedup.

```tql
timeshift ts, start=2020-01-01
```

### [unroll](https://preview.docs.tenzir.com/375/375/reference/operators/unroll.md)

Returns a new event for each member of a list or a record in an event, duplicating the surrounding event.

```tql
unroll names
```

## Node

### [diagnostics](https://preview.docs.tenzir.com/375/375/reference/operators/diagnostics.md)

Retrieves diagnostic events from a Tenzir node.

```tql
diagnostics
```

### [metrics](https://preview.docs.tenzir.com/375/375/reference/operators/metrics.md)

Retrieves metrics events from a Tenzir node.

```tql
metrics "cpu"
```

### [openapi](https://preview.docs.tenzir.com/375/375/reference/operators/openapi.md)

Shows the node's OpenAPI specification.

```tql
openapi
```

### [plugins](https://preview.docs.tenzir.com/375/375/reference/operators/plugins.md)

Shows all available plugins and built-ins.

```tql
plugins
```

### [version](https://preview.docs.tenzir.com/375/375/reference/operators/version.md)

Shows the current version.

```tql
version
```

## OCSF

### [ocsf::apply](https://preview.docs.tenzir.com/375/375/reference/operators/ocsf/apply.md)

Casts incoming events to their OCSF type.

```tql
ocsf::apply
```

### [ocsf::cast](https://preview.docs.tenzir.com/375/375/reference/operators/ocsf/cast.md)

Casts incoming events to their OCSF type.

```tql
ocsf::cast
```

### [ocsf::derive](https://preview.docs.tenzir.com/375/375/reference/operators/ocsf/derive.md)

Automatically assigns enum strings from their integer counterparts and vice versa.

```tql
ocsf::derive
```

### [ocsf::trim](https://preview.docs.tenzir.com/375/375/reference/operators/ocsf/trim.md)

Drops fields from OCSF events to reduce their size.

```tql
ocsf::trim
```

## Outputs

### [serve\_http](https://preview.docs.tenzir.com/375/375/reference/operators/serve_http.md)

Starts an HTTP server and streams bytes produced by a nested pipeline to connected clients.

```tql
serve_http "0.0.0.0:8080" { write_ndjson }
```

### [serve\_tcp](https://preview.docs.tenzir.com/375/375/reference/operators/serve_tcp.md)

Listens for incoming TCP connections and sends events to all connected clients.

```tql
serve_tcp "0.0.0.0:8090" { write_json }
```

### [serve\_zmq](https://preview.docs.tenzir.com/375/375/reference/operators/serve_zmq.md)

Listens on a ZeroMQ endpoint and sends events.

```tql
serve_zmq "tcp://0.0.0.0:5555", encoding="json", prefix=f"{kind}/"
```

### [to\_amazon\_cloudwatch](https://preview.docs.tenzir.com/375/375/reference/operators/to_amazon_cloudwatch.md)

Sends events to Amazon CloudWatch.

```tql
to_amazon_cloudwatch "/tenzir/events", stream="default"
```

### [to\_amazon\_security\_lake](https://preview.docs.tenzir.com/375/375/reference/operators/to_amazon_security_lake.md)

Sends OCSF events to Amazon Security Lake.

```tql
to_amazon_security_lake "s3://…"
```

### [to\_amazon\_sqs](https://preview.docs.tenzir.com/375/375/reference/operators/to_amazon_sqs.md)

Sends messages to an Amazon SQS queue.

```tql
to_amazon_sqs "sqs://tenzir"
```

### [to\_amqp](https://preview.docs.tenzir.com/375/375/reference/operators/to_amqp.md)

Sends messages to an AMQP exchange.

```tql
to_amqp "amqp://admin:pass@0.0.0.1:5672/vhost"
```

### [to\_azure\_blob\_storage](https://preview.docs.tenzir.com/375/375/reference/operators/to_azure_blob_storage.md)

Writes events to one or multiple blobs in Azure Blob Storage.

```tql
to_azure_blob_storage "abfs://container/data/{uuid}.json" { write_ndjson }
```

### [to\_azure\_log\_analytics](https://preview.docs.tenzir.com/375/375/reference/operators/to_azure_log_analytics.md)

Sends events to the Microsoft Azure Logs Ingestion API.

```tql
to_azure_log_analytics tenant_id="...", workspace_id="..."
```

### [to\_clickhouse](https://preview.docs.tenzir.com/375/375/reference/operators/to_clickhouse.md)

Sends events to a ClickHouse table.

```tql
to_clickhouse table="my_table"
```

### [to\_elasticsearch](https://preview.docs.tenzir.com/375/375/reference/operators/to_elasticsearch.md)

Sends events to an Elasticsearch-compatible Bulk API.

```tql
to_elasticsearch "localhost:9200", …
```

### [to\_file](https://preview.docs.tenzir.com/375/375/reference/operators/to_file.md)

Writes events to one or multiple files on a filesystem.

```tql
to_file "/tmp/out.json" { write_ndjson }
```

### [to\_fluent\_bit](https://preview.docs.tenzir.com/375/375/reference/operators/to_fluent_bit.md)

Sends events via Fluent Bit.

```tql
to_fluent_bit "elasticsearch" …
```

### [to\_ftp](https://preview.docs.tenzir.com/375/375/reference/operators/to_ftp.md)

Prints events to bytes and uploads them via FTP.

```tql
to_ftp "ftp.example.org/events.ndjson" { write_ndjson }
```

### [to\_google\_cloud\_logging](https://preview.docs.tenzir.com/375/375/reference/operators/to_google_cloud_logging.md)

Sends events to Google Cloud Logging.

```tql
to_google_cloud_logging …
```

### [to\_google\_cloud\_pubsub](https://preview.docs.tenzir.com/375/375/reference/operators/to_google_cloud_pubsub.md)

Publishes events to a Google Cloud Pub/Sub topic.

```tql
to_google_cloud_pubsub project_id="my-project", topic_id="alerts", message=text
```

### [to\_google\_cloud\_storage](https://preview.docs.tenzir.com/375/375/reference/operators/to_google_cloud_storage.md)

Writes events to one or multiple objects in Google Cloud Storage.

```tql
to_google_cloud_storage "gs://my-bucket/data/{uuid}.json" { write_ndjson }
```

### [to\_google\_secops](https://preview.docs.tenzir.com/375/375/reference/operators/to_google_secops.md)

Sends unstructured events to a Google SecOps Chronicle instance.

```tql
to_google_secops …
```

### [to\_hive](https://preview.docs.tenzir.com/375/375/reference/operators/to_hive.md)

Writes events to a URI using hive partitioning.

```tql
to_hive "s3://…", partition_by=[x]
```

### [to\_http](https://preview.docs.tenzir.com/375/375/reference/operators/to_http.md)

Sends events as a single HTTP request to a webhook or API endpoint.

```tql
to_http "https://example.com/webhook" { write_ndjson }
```

### [to\_kafka](https://preview.docs.tenzir.com/375/375/reference/operators/to_kafka.md)

Sends messages to an Apache Kafka topic.

```tql
to_kafka "topic"
```

### [to\_nats](https://preview.docs.tenzir.com/375/375/reference/operators/to_nats.md)

Publishes messages to a NATS JetStream subject.

```tql
to_nats "alerts"
```

### [to\_opensearch](https://preview.docs.tenzir.com/375/375/reference/operators/to_opensearch.md)

Sends events to an OpenSearch-compatible Bulk API.

```tql
to_opensearch "localhost:9200", …
```

### [to\_prometheus](https://preview.docs.tenzir.com/375/375/reference/operators/to_prometheus.md)

Sends metric events to a Prometheus Remote Write receiver.

```tql
to_prometheus "https://prometheus.example/api/v1/write"
```

### [to\_s3](https://preview.docs.tenzir.com/375/375/reference/operators/to_s3.md)

Writes events to one or multiple objects in Amazon S3.

```tql
to_s3 "s3://my-bucket/data/{uuid}.json" { write_ndjson }
```

### [to\_sentinelone\_data\_lake](https://preview.docs.tenzir.com/375/375/reference/operators/to_sentinelone_data_lake.md)

Sends security events to SentinelOne Singularity Data Lake via REST API.

```tql
to_sentinelone_data_lake "https://…", …
```

### [to\_snowflake](https://preview.docs.tenzir.com/375/375/reference/operators/to_snowflake.md)

Sends events to a Snowflake database.

```tql
to_snowflake account_identifier="…
```

### [to\_splunk](https://preview.docs.tenzir.com/375/375/reference/operators/to_splunk.md)

Sends events to a Splunk HTTP Event Collector (HEC).

```tql
to_splunk "localhost:8088", …
```

### [to\_stdout](https://preview.docs.tenzir.com/375/375/reference/operators/to_stdout.md)

Writes events to standard output.

```tql
to_stdout
```

### [to\_tcp](https://preview.docs.tenzir.com/375/375/reference/operators/to_tcp.md)

Connects to a remote TCP or TLS endpoint and sends events.

```tql
to_tcp "collector.example.com:5044" { write_json }
```

### [to\_udp](https://preview.docs.tenzir.com/375/375/reference/operators/to_udp.md)

Sends one UDP datagram per input event.

```tql
to_udp "127.0.0.1:514"
```

### [to\_unix\_socket](https://preview.docs.tenzir.com/375/375/reference/operators/to_unix_socket.md)

Connects to a Unix domain socket and sends events.

```tql
to_unix_socket "/run/collector.sock" { write_json }
```

### [to\_zmq](https://preview.docs.tenzir.com/375/375/reference/operators/to_zmq.md)

Connects to a remote ZeroMQ subscriber endpoint and sends events.

```tql
to_zmq "tcp://collector.example.com:5555", encoding="json", prefix=f"{kind}/"
```

## Packages

### [package::add](https://preview.docs.tenzir.com/375/375/reference/operators/package/add.md)

Installs a package.

```tql
package::add "suricata-ocsf"
```

### [package::list](https://preview.docs.tenzir.com/375/375/reference/operators/package/list.md)

Shows installed packages.

```tql
package::list
```

### [package::remove](https://preview.docs.tenzir.com/375/375/reference/operators/package/remove.md)

Uninstalls a package.

```tql
package::remove "suricata-ocsf"
```

## Parsing

### [read\_all](https://preview.docs.tenzir.com/375/375/reference/operators/read_all.md)

Parses an incoming bytes stream into a single event.

```tql
read_all binary=true
```

### [read\_bitz](https://preview.docs.tenzir.com/375/375/reference/operators/read_bitz.md)

Parses bytes as *BITZ* format.

```tql
read_bitz
```

### [read\_cef](https://preview.docs.tenzir.com/375/375/reference/operators/read_cef.md)

Parses an incoming Common Event Format (CEF) stream into events.

```tql
read_cef
```

### [read\_csv](https://preview.docs.tenzir.com/375/375/reference/operators/read_csv.md)

Read CSV (Comma-Separated Values) from a byte stream.

```tql
read_csv null_value="-"
```

### [read\_delimited](https://preview.docs.tenzir.com/375/375/reference/operators/read_delimited.md)

Parses an incoming bytes stream into events using a string as delimiter.

```tql
read_delimited "|"
```

### [read\_delimited\_regex](https://preview.docs.tenzir.com/375/375/reference/operators/read_delimited_regex.md)

Parses an incoming bytes stream into events using a regular expression as delimiter.

```tql
read_delimited_regex r"\s+"
```

### [read\_feather](https://preview.docs.tenzir.com/375/375/reference/operators/read_feather.md)

Parses an incoming Feather byte stream into events.

```tql
read_feather
```

### [read\_gelf](https://preview.docs.tenzir.com/375/375/reference/operators/read_gelf.md)

Parses an incoming GELF stream into events.

```tql
read_gelf
```

### [read\_grok](https://preview.docs.tenzir.com/375/375/reference/operators/read_grok.md)

Parses lines of input with a grok pattern.

```tql
read_grok "%{IP:client} %{WORD:action}"
```

### [read\_json](https://preview.docs.tenzir.com/375/375/reference/operators/read_json.md)

Parses an incoming JSON stream into events.

```tql
read_json arrays_of_objects=true
```

### [read\_kv](https://preview.docs.tenzir.com/375/375/reference/operators/read_kv.md)

Read Key-Value pairs from a byte stream.

```tql
read_kv r"(\s+)[A-Z_]+:", r":\s*"
```

### [read\_leef](https://preview.docs.tenzir.com/375/375/reference/operators/read_leef.md)

Parses an incoming LEEF stream into events.

```tql
read_leef
```

### [read\_lines](https://preview.docs.tenzir.com/375/375/reference/operators/read_lines.md)

Parses an incoming bytes stream into events.

```tql
read_lines
```

### [read\_ndjson](https://preview.docs.tenzir.com/375/375/reference/operators/read_ndjson.md)

Parses an incoming NDJSON (newline-delimited JSON) stream into events.

```tql
read_ndjson
```

### [read\_parquet](https://preview.docs.tenzir.com/375/375/reference/operators/read_parquet.md)

Reads events from a Parquet byte stream.

```tql
read_parquet
```

### [read\_pcap](https://preview.docs.tenzir.com/375/375/reference/operators/read_pcap.md)

Reads raw network packets in PCAP file format.

```tql
read_pcap
```

### [read\_ssv](https://preview.docs.tenzir.com/375/375/reference/operators/read_ssv.md)

Read SSV (Space-Separated Values) from a byte stream.

```tql
read_ssv header="name count"
```

### [read\_suricata](https://preview.docs.tenzir.com/375/375/reference/operators/read_suricata.md)

Parses an incoming Suricata EVE JSON stream into events.

```tql
read_suricata
```

### [read\_syslog](https://preview.docs.tenzir.com/375/375/reference/operators/read_syslog.md)

Parses an incoming Syslog stream into events.

```tql
read_syslog
```

### [read\_tql](https://preview.docs.tenzir.com/375/375/reference/operators/read_tql.md)

Parses an incoming byte stream of TQL-formatted records into events.

```tql
read_tql
```

### [read\_tsv](https://preview.docs.tenzir.com/375/375/reference/operators/read_tsv.md)

Read TSV (Tab-Separated Values) from a byte stream.

```tql
read_tsv auto_expand=true
```

### [read\_xsv](https://preview.docs.tenzir.com/375/375/reference/operators/read_xsv.md)

Read XSV from a byte stream.

```tql
read_xsv ";", ":", "N/A"
```

### [read\_yaml](https://preview.docs.tenzir.com/375/375/reference/operators/read_yaml.md)

Parses an incoming YAML stream into events.

```tql
read_yaml
```

### [read\_zeek\_json](https://preview.docs.tenzir.com/375/375/reference/operators/read_zeek_json.md)

Parse an incoming Zeek JSON stream into events.

```tql
read_zeek_json
```

### [read\_zeek\_tsv](https://preview.docs.tenzir.com/375/375/reference/operators/read_zeek_tsv.md)

Parses an incoming `Zeek TSV` stream into events.

```tql
read_zeek_tsv
```

## Pipelines

### [pipeline::activity](https://preview.docs.tenzir.com/375/375/reference/operators/pipeline/activity.md)

Summarizes the activity of pipelines.

```tql
pipeline::activity range=1d, interval=1h
```

### [pipeline::detach](https://preview.docs.tenzir.com/375/375/reference/operators/pipeline/detach.md)

Starts a pipeline in the node.

```tql
pipeline::detach { … }
```

### [pipeline::list](https://preview.docs.tenzir.com/375/375/reference/operators/pipeline/list.md)

Shows managed pipelines.

```tql
pipeline::list
```

### [pipeline::run](https://preview.docs.tenzir.com/375/375/reference/operators/pipeline/run.md)

Starts a pipeline in the node and waits for it to complete.

```tql
pipeline::run { … }
```

## Printing

### [write\_all](https://preview.docs.tenzir.com/375/375/reference/operators/write_all.md)

Concatenates one field from all input events into a byte stream.

```tql
write_all data
```

### [write\_bitz](https://preview.docs.tenzir.com/375/375/reference/operators/write_bitz.md)

Writes events in *BITZ* format.

```tql
write_bitz
```

### [write\_csv](https://preview.docs.tenzir.com/375/375/reference/operators/write_csv.md)

Transforms event stream to CSV (Comma-Separated Values) byte stream.

```tql
write_csv
```

### [write\_delimited](https://preview.docs.tenzir.com/375/375/reference/operators/write_delimited.md)

Frames string or blob event values as bytes with a separator after each value.

```tql
write_delimited data, "|"
```

### [write\_feather](https://preview.docs.tenzir.com/375/375/reference/operators/write_feather.md)

Transforms the input event stream to Feather byte stream.

```tql
write_feather
```

### [write\_json](https://preview.docs.tenzir.com/375/375/reference/operators/write_json.md)

Transforms the input event stream to a JSON byte stream.

```tql
write_json
```

### [write\_kv](https://preview.docs.tenzir.com/375/375/reference/operators/write_kv.md)

Writes events in a Key-Value format.

```tql
write_kv
```

### [write\_lines](https://preview.docs.tenzir.com/375/375/reference/operators/write_lines.md)

Writes events as key-value pairsthe *values* of an event.

```tql
write_lines
```

### [write\_ndjson](https://preview.docs.tenzir.com/375/375/reference/operators/write_ndjson.md)

Transforms the input event stream to a Newline-Delimited JSON byte stream.

```tql
write_ndjson
```

### [write\_parquet](https://preview.docs.tenzir.com/375/375/reference/operators/write_parquet.md)

Transforms event stream to a Parquet byte stream.

```tql
write_parquet
```

### [write\_pcap](https://preview.docs.tenzir.com/375/375/reference/operators/write_pcap.md)

Transforms event stream to PCAP byte stream.

```tql
write_pcap
```

### [write\_ssv](https://preview.docs.tenzir.com/375/375/reference/operators/write_ssv.md)

Transforms event stream to SSV (Space-Separated Values) byte stream.

```tql
write_ssv
```

### [write\_syslog](https://preview.docs.tenzir.com/375/375/reference/operators/write_syslog.md)

Writes events as syslog.

```tql
write_syslog
```

### [write\_tql](https://preview.docs.tenzir.com/375/375/reference/operators/write_tql.md)

Transforms the input event stream to a TQL notation byte stream.

```tql
write_tql
```

### [write\_tsv](https://preview.docs.tenzir.com/375/375/reference/operators/write_tsv.md)

Transforms event stream to TSV (Tab-Separated Values) byte stream.

```tql
write_tsv
```

### [write\_xsv](https://preview.docs.tenzir.com/375/375/reference/operators/write_xsv.md)

Transforms event stream to XSV byte stream.

```tql
write_xsv
```

### [write\_yaml](https://preview.docs.tenzir.com/375/375/reference/operators/write_yaml.md)

Transforms the input event stream to YAML byte stream.

```tql
write_yaml
```

### [write\_zeek\_tsv](https://preview.docs.tenzir.com/375/375/reference/operators/write_zeek_tsv.md)

Transforms event stream into Zeek Tab-Separated Value byte stream.

```tql
write_zeek_tsv
```

## Storage

### [export](https://preview.docs.tenzir.com/375/375/reference/operators/export.md)

Retrieves events from a Tenzir node.

```tql
export
```

### [fields](https://preview.docs.tenzir.com/375/375/reference/operators/fields.md)

Retrieves all fields stored at a node.

```tql
fields
```

### [import](https://preview.docs.tenzir.com/375/375/reference/operators/import.md)

Imports events into a Tenzir node.

```tql
import
```

### [partitions](https://preview.docs.tenzir.com/375/375/reference/operators/partitions.md)

Retrieves metadata about events stored at a node.

```tql
partitions src_ip == 1.2.3.4
```

### [schemas](https://preview.docs.tenzir.com/375/375/reference/operators/schemas.md)

Retrieves all schemas for events stored at a node.

```tql
schemas
```