DSL Reference
DSL Reference
Use the filters below to quickly surface DSL inputs, actions, and outputs.
| Type | Name | Summary |
|---|---|---|
| Action | Abort | Abort the job if the condition is met. |
| Action | Add | Add fields to the event. |
| Action | Aggregate | Aggregate events by key and emit summary statistics. |
| Action | Assert | Validate an event against a JSON Schema, based on IETF's draft v7 (http://json-schema.org). |
| Input | Azure Blob | Retrieve (or list) Microsoft Azure Storage blobs (Block Storage). |
| Output | Azure Blob | Send data to a Microsoft Azure Storage blob (Block Storage). |
| Output | Azure Monitor Data Collector | Specialized preset that wraps `azure-monitor` output parameters so deployments can ship datasets into Azure Log Analytics/Sentinel without hand-authoring `http-post` jobs. |
| Action | Batch In | Accumulate events into batches before downstream processing. |
| Input | BigQuery | Ingest data from Google BigQuery. |
| Output | BigQuery | Stream data into Google BigQuery. |
| Action | Bucket | Assign numeric values to named buckets using ordered thresholds. |
| Action | Chunk | Segment large payloads into smaller chunks for downstream processing. |
| Input | ClickHouse | Query a ClickHouse cluster on a schedule. |
| Output | ClickHouse | Write events to a ClickHouse table using the HTTP interface or native endpoint. |
| Action | Cluster | Assign cluster identifiers to numeric vectors. |
| Action | Convert | Convert fields from one type to another, supporting simple and unit conversions Convert fields from one type to another, e.g. strings to numbers. |
| Action | Copy | Copy fields of an event using JSONPATH expressions. |
| Action | Csv | Parse CSV from field text. |
| Action | Delta | Convenience wrapper that enables `stream` delta mode with a slim option set. |
| Output | Discard | Discard any output from the job. |
| Action | Docx to Text | Extract content from Microsoft Word documents with optional image emission. |
| Input | Echo | Create a simple static event. |
| Output | Elasticsearch | Bulk-index events into Elasticsearch clusters. |
| Action | Enrich | Look up values in a CSV or Sqlite database and add matching fields. |
| Input | Exec | Obtain data by executing a shell command. |
| Action | Expand | expand data in various ways: events, XML, multiline events. |
| Action | Expand Events | expand a single JSON document into multiple JSON events. |
| Action | Extract | Extract fields from text using regular expressions. |
| Input | Facebook Graph Poll | Opinionated preset for polling Facebook Graph posts with cursor pagination and AI-prep ready defaults. |
| Input | File Store | Read from a local file system object store. |
| Output | File Store | Write to a local file system object store. |
| Action | Filter | Only let certain events pass through. |
| Action | Flatten | Flatten nested JSON Objects and Arrays into a single JSON Object containing only top-level fields. |
| Input | Ftp | Poll remote FTP/SFTP/TFTP servers for new files. |
| Output | Ftp | Upload events to FTP/SFTP/TFTP servers. |
| Input | Google Cloud Storage | Read objects from Google Cloud Storage. |
| Output | Google Cloud Storage | Write events to a Google Cloud bucket. |
| Output | HTTP Get | Send event data to a remote server using GET. |
| Input | HTTP Poll | Run HTTP queries. |
| Input | HTTP Poll (Header Token) | Opinionated preset for polling HTTP endpoints that authenticate via a header token (bearer tokens, API keys, etc). |
| Input | HTTP Poll (OAuth2 via Credential Manager) | Opinionated preset for polling HTTP endpoints using a credential-backed OAuth2 access token and cursor pagination. |
| Output | HTTP Post | POST event data to an HTTPS server. |
| Input | HTTP Server | Run an HTTP server and output any received requests. |
| Action | Infer | Execute inference workloads (LLM, embeddings, anomaly detection). |
| Input | Internal Messages | Receive internal messages. |
| Action | Java Script | Execute embedded JavaScript to transform events. |
| Input | Journald | Read events from systemd-journald (Linux-only). |
| Action | Json | Parse text as JSON. |
| Input | Kafka | Consume records from Kafka/Redpanda clusters. |
| Output | Kafka | Publish events to Kafka/Redpanda clusters. |
| Action | Key Value | Parse key-value pairs, like "k1=v1,k2=v2,....". |
| Action | Label Map | Map string values to canonical labels using ordered rules. |
| Output | Log Files | Append events to one or more files. |
| Input | Log Files | Monitor one or more log files for new lines. |
| Input | MQTT | Ingest events from MQTT brokers (client mode) or an embedded broker (broker mode). |
| Output | MQTT | Publish events to external MQTT brokers or an embedded broker instance. |
| Action | Markdown Outline | Parse Markdown documents into structured outline data. |
| Action | Message | Conditionally generate a message when an event meets the provided condition. |
| Output | Message | Create a message to the internal message subsystem. |
| Input | Microsoft Graph | Ingest data from Microsoft Graph resources such as mail, calendars, or directory objects via REST calls. |
| Output | OpenSearch | Bulk-index events into OpenSearch clusters, including AWS-managed variants. |
| Input | OpenTelemetry | Accept OpenTelemetry OTLP signals over gRPC. |
| Output | OpenTelemetry | Export events using the OpenTelemetry OTLP protocol. |
| Action | PDF to Text | Extract text content from PDF documents using auto or render-based strategies. |
| Action | Print event payloads to the terminal. | |
| Output | Print event payloads to the terminal. | |
| Action | Remove | Remove fields from an event. |
| Action | Rename | Rename event fields. |
| Input | S3 | Stream data from an S3 object. |
| Output | S3 | Write events to an S3 bucket. |
| Input | SQL | Query relational databases or stream change data capture events. |
| Output | SQL | Execute parameterised statements against relational databases. |
| Action | Scoring | Evaluate weighted conditions to produce a composite score. |
| Action | Script | Calculated fields. |
| Action | Slugify | Generate stable slugs from one or more fields. |
| Output | Splunk HEC | Output events to a Splunk HTTP Event Collector endpoint (Splunk HEC). |
| Action | Stalled | Emit stall markers when no matching events arrive within the configured timeout. |
| Action | Stop Word | Remove or mask common stop words from textual content. |
| Action | Stream | Track per-key changes and emit deltas, elapsed times, and optional aggregates. |
| Output | Syslog | Emit events as syslog messages to remote or local syslog receivers. Supported endpoint schemes: - `udp://host:port` - `tcp://host:port` - `tls://host:port` - `unix:///path` (unix stream) - `unixgram:///path` (unix datagram). |
| Action | Time | Time processing: parsing and formatting time values. |
| Action | Tokenize | Convert free-form text into token sequences for downstream analytics. |
| Action | Transaction | Sessionize related events using start/end markers and optional summary fields. |
| Action | Transition | Track field transitions, elapsed time since last change, and optional state metadata. |
| Input | Trigger | Managed trigger input that emits scheduler messages with optional Worker KV leadership. |
| Action | Unbatch | Expand a batched event back into individual events. |
| Input | Web Dav Store | Read from a WebDAV-compatible object store. |
| Output | Web Dav Store | Write to a WebDAV-compatible object store. |
| Input | WebSocket | Consume events from remote WebSocket endpoints. |
| Output | WebSocket | Send events to remote WebSocket peers or expose an embedded server. |
| Input | Windows Event Log | Read events from Windows Event Log. |
| Input | Worker Channel | Receive events from a worker managed channel. |
| Output | Worker Channel | Receive events from a worker managed channel. |
| Input | Worker KV | Interact with the deployments-managed Worker KV store. |
| Output | Worker KV | Mutate the deployments-managed Worker KV store. |
| Action | XLSX Expand | Expand Microsoft Excel worksheets into individual events or CSV-like structures. |
| Action | Xml | expand XML into JSON events. |
No DSL entries match your filters. Clear the search or choose another type.