DSL Reference
DSL Reference
Use the filters below to quickly surface DSL inputs, actions, outputs, categories, and edition availability.
| Type | Name | Categories | Edition | Summary |
|---|---|---|---|---|
| Action | Abort | Control | Both | Abort the job if the condition is met. |
| Action | Add | Transform | Both | Add fields to the event. |
| Action | Aggregate | Stateful Transform | Both | Aggregate events by key and emit summary statistics. |
| Action | Assert | Validation | Both | Validate an event against a JSON Schema, based on IETF's draft v7 (http://json-schema.org). |
| Input | Azure Blob | Block Store Cloud | Enterprise edition | Retrieve (or list) Microsoft Azure Storage blobs (Block Storage). |
| Output | Azure Blob | Block Store Cloud | Enterprise edition | Send data to a Microsoft Azure Storage blob (Block Storage). |
| Output | Azure Monitor Data Collector | Observability | Enterprise edition | Specialized preset that wraps `azure-monitor` output parameters so deployments can ship datasets into Azure Log Analytics/Sentinel without hand-authoring `http-post` jobs. |
| Action | Batch In | Transform | Both | Accumulate events into batches before downstream processing. |
| Input | BigQuery | Data Warehouse | Enterprise edition | Ingest data from Google BigQuery. |
| Output | BigQuery | Data Warehouse | Enterprise edition | Stream data into Google BigQuery. |
| Action | Bucket | Transform | Both | Assign numeric values to named buckets using ordered thresholds. |
| Action | Chunk | Text AI & ML Transform | Both | Segment large payloads into smaller chunks for downstream processing. |
| Input | ClickHouse | Database | Enterprise edition | Query a ClickHouse cluster on a schedule. |
| Output | ClickHouse | Database | Enterprise edition | Write events to a ClickHouse table using the HTTP interface or native endpoint. |
| Action | Cluster | AI & ML Transform | Both | Assign cluster identifiers to numeric vectors. |
| Action | Convert | Transform | Both | Convert fields from one type to another, supporting simple and unit conversions Convert fields from one type to another, e.g. strings to numbers. |
| Action | Copy | Transform | Both | Copy fields of an event using JSONPATH expressions. |
| Action | Csv | Transform | Both | Parse CSV from field text. |
| Action | Delta | Stateful Transform | Both | Convenience wrapper that enables `stream` delta mode with a slim option set. |
| Output | Discard | Debug | Both | Discard any output from the job. |
| Action | Docx to Text | Transform | Both | Extract content from Microsoft Word documents with optional image emission. |
| Input | Echo | Utility | Both | Create a simple static event. |
| Output | Elasticsearch | Search | Enterprise edition | Bulk-index events into Elasticsearch clusters. |
| Action | Enrich | Enrichment | Both | Look up values in a CSV or Sqlite database and add matching fields. |
| Input | Exec | Utility | Both | Obtain data by executing a shell command. |
| Action | Expand | Transform | Both | expand data in various ways: events, XML, multiline events. |
| Action | Expand Events | Transform | Both | expand a single JSON document into multiple JSON events. |
| Action | Extract | Transform | Both | Extract fields from text using regular expressions. |
| Input | Facebook Graph Poll | Enterprise edition | Opinionated preset for polling Facebook Graph posts with cursor pagination and AI-prep ready defaults. | |
| Input | File Store | Block Store File | Both | Read from a local file system object store. |
| Output | File Store | Block Store File | Both | Write to a local file system object store. |
| Action | Filter | Transform | Both | Only let certain events pass through. |
| Action | Flatten | Transform | Both | Flatten nested JSON Objects and Arrays into a single JSON Object containing only top-level fields. |
| Input | FTP | File Utility | Enterprise edition | Poll remote FTP/SFTP/TFTP servers for new files. |
| Output | FTP | File Utility | Enterprise edition | Upload events to FTP/SFTP/TFTP servers. |
| Input | Google Cloud Storage | Block Store Cloud | Enterprise edition | Read objects from Google Cloud Storage. |
| Output | Google Cloud Storage | Block Store Cloud | Enterprise edition | Write events to a Google Cloud bucket. |
| Output | HTTP Get | Http | Both | Send event data to a remote server using GET. |
| Input | HTTP Poll | Http | Both | Run HTTP queries. |
| Output | HTTP Post | Http | Both | POST event data to an HTTPS server. |
| Input | HTTP Server | Http | Both | Run an HTTP server and output any received requests. |
| Action | Infer | AI & ML | Enterprise edition | Execute inference workloads (LLM, embeddings, anomaly detection). |
| Input | Internal Messages | Messaging | Both | Receive internal messages. |
| Action | Java Script | Transform Scripting | Enterprise edition | Execute embedded JavaScript to transform events. |
| Input | Journald | Linux | Enterprise edition | Read events from systemd-journald (Linux-only). |
| Action | Json | Transform | Both | Parse text as JSON. |
| Input | Kafka | Messaging | Enterprise edition | Consume records from Kafka/Redpanda clusters. |
| Output | Kafka | Messaging | Enterprise edition | Publish events to Kafka/Redpanda clusters. |
| Action | Key Value | Transform | Both | Parse key-value pairs, like "k1=v1,k2=v2,....". |
| Action | Label Map | Transform | Both | Map string values to canonical labels using ordered rules. |
| Output | Log Files | File | Both | Append events to one or more files. |
| Input | Log Files | File | Both | Monitor one or more log files for new lines. |
| Action | Markdown Outline | Text AI & ML Transform | Both | Parse Markdown documents into structured outline data. |
| Action | Message | Messaging | Both | Conditionally generate a message when an event meets the provided condition. |
| Output | Message | Messaging | Both | Create a message to the internal message subsystem. |
| Input | Microsoft Graph | API Microsoft | Enterprise edition | Ingest data from Microsoft Graph resources such as mail, calendars, or directory objects via REST calls. |
| Input | MongoDB | Database | Enterprise edition | Read MongoDB documents via scheduled `find` or `aggregate` queries. |
| Output | MongoDB | Database | Enterprise edition | Write events to MongoDB collections. |
| Input | MQTT | Messaging | Enterprise edition | Ingest events from MQTT brokers (client mode) or an embedded broker (broker mode). |
| Output | MQTT | Messaging | Enterprise edition | Publish events to external MQTT brokers or an embedded broker instance. |
| Input | MySQL | Database | Enterprise edition | Query MySQL databases or stream change data capture events. |
| Output | MySQL | Database | Enterprise edition | Execute parameterised statements against MySQL databases. |
| Input | ODBC SQL | Database | Enterprise edition | Query relational databases over ODBC or stream change data capture events. |
| Output | ODBC SQL | Database | Enterprise edition | Execute parameterised statements against relational databases over ODBC. |
| Output | OpenSearch | Search | Enterprise edition | Bulk-index events into OpenSearch clusters, including AWS-managed variants. |
| Input | OpenTelemetry | Observability | Enterprise edition | Accept OpenTelemetry OTLP signals over gRPC. |
| Output | OpenTelemetry | Observability | Enterprise edition | Export events using the OpenTelemetry OTLP protocol. |
| Action | PDF to Text | Transform | Both | Extract text content from PDF documents using auto or render-based strategies. |
| Input | PostgreSQL | Database | Enterprise edition | Query PostgreSQL databases or stream change data capture events. |
| Output | PostgreSQL | Database | Enterprise edition | Execute parameterised statements against PostgreSQL databases. |
| Action | Debug | Both | Print event payloads to the terminal. | |
| Output | Debug | Both | Print event payloads to the terminal. | |
| Action | Remove | Transform | Both | Remove fields from an event. |
| Action | Rename | Transform | Both | Rename event fields. |
| Input | S3 | Block Store Cloud | Enterprise edition | Stream data from an S3 object. |
| Output | S3 | Block Store Cloud | Enterprise edition | Write events to an S3 bucket. |
| Action | Scoring | Analytics | Both | Evaluate weighted conditions to produce a composite score. |
| Action | Script | Transform Scripting | Enterprise edition | Calculated fields. |
| Action | Slugify | Transform | Both | Generate stable slugs from one or more fields. |
| Output | Splunk HEC | Observability | Enterprise edition | Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC). |
| Input | SQL Server | Database | Enterprise edition | Query Microsoft SQL Server databases. |
| Output | SQL Server | Database | Enterprise edition | Execute parameterised statements against Microsoft SQL Server databases. |
| Action | Stalled | Stateful Transform | Both | Emit stall markers when no matching events arrive within the configured timeout. |
| Action | Stop Word | Text AI & ML Transform | Both | Remove or mask common stop words from textual content. |
| Action | Stream | Stateful Transform | Both | Track per-key changes and emit deltas, elapsed times, and optional aggregates. |
| Output | Syslog | Observability | Enterprise edition | Emit events as syslog messages to remote or local syslog receivers. Supported endpoint schemes: - `udp://host:port` - `tcp://host:port` - `tls://host:port` - `unix:///path` (unix stream) - `unixgram:///path` (unix datagram). |
| Action | Time | Transform | Both | Time processing: parsing and formatting time values. |
| Action | Tokenize | Text AI & ML Transform | Both | Convert free-form text into token sequences for downstream analytics. |
| Action | Transaction | Stateful Transform | Both | Sessionize related events using start/end markers and optional summary fields. |
| Action | Transition | Stateful Transform | Both | Track field transitions, elapsed time since last change, and optional state metadata. |
| Input | Trigger | Scheduler | Both | Managed trigger input that emits scheduler messages with optional Worker KV leadership. |
| Action | Unbatch | Transform | Both | Expand a batched event back into individual events. |
| Input | Web Dav Store | Block Store WebDAV | Enterprise edition | Read from a WebDAV-compatible object store. |
| Output | Web Dav Store | Block Store WebDAV | Enterprise edition | Write to a WebDAV-compatible object store. |
| Input | WebSocket | Messaging | Enterprise edition | Consume events from remote WebSocket endpoints. |
| Output | WebSocket | Messaging | Enterprise edition | Send events to remote WebSocket peers or expose an embedded server. |
| Input | Windows Event Log | Windows | Enterprise edition | Read events from Windows Event Log. |
| Input | Worker Channel | Messaging | Both | Receive events from a worker managed channel. |
| Output | Worker Channel | Messaging | Both | Receive events from a worker managed channel. |
| Input | Worker KV | Storage | Both | Interact with the deployments-managed Worker KV store. |
| Output | Worker KV | Storage | Both | Mutate the deployments-managed Worker KV store. |
| Action | Worker KV (Mutate) | Storage | Both | Mutate the deployments-managed Worker KV store. |
| Action | Worker KV Get | Storage | Both | Fetch a single Worker KV value and write it into an event field. |
| Action | XLSX Expand | Transform | Both | Expand Microsoft Excel worksheets into individual events or CSV-like structures. |
| Action | Xml | Transform | Both | expand XML into JSON events. |
No DSL entries match your filters. Clear the search or choose another type.