write_zeek_tsv
Transforms event stream into Zeek Tab-Separated Value byte stream.
write_zeek_tsv [set_separator=str, empty_field=str, unset_field=str, disable_timestamp_tags=bool]
Description
The Zeek network security monitor comes with its own tab-separated value (TSV) format for representing logs. This format includes additional header fields with field names, type annotations, and additional metadata.
The write_zeek_tsv operator (re)generates the TSV metadata based on Tenzir’s internal schema. Tenzir’s data model is a superset of Zeek’s, so the conversion into Zeek TSV may be lossy. The Zeek types count, real, and addr map to the respective Tenzir types uint64, double, and ip.
set_separator = str (optional)
Specifies the set separator.
Defaults to \x09.
empty_field = str (optional)
Specifies the separator for empty fields.
Defaults to (empty).
unset_field = str (optional)
Specifies the separator for unset “null” fields.
Defaults to -.
disable_timestamp_tags = bool (optional)
Disables the #open and #close timestamp tags.
Defaults to false.
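To make the header metadata and the four options concrete, here is an added example (not Tenzir’s code) of a small Zeek TSV writer that mirrors the operator’s option names. The type map, the conn-shaped schema and events, and the event-to-cell rendering are all assumptions of this example; the set separator is given explicitly as "," in the sample call because that is the value Zeek’s own logs carry, while empty_field and unset_field use the defaults the page documents.

```python
"""Hypothetical Zeek TSV writer mirroring the operator's options (example code, not Tenzir's)."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Assumed type mapping. The page states uint64/double/ip -> count/real/addr;
# the remaining rows follow the names Zeek prints in its own #types header.
ZEEK_TYPES = {
    "uint64": "count",
    "double": "real",
    "ip": "addr",
    "int64": "int",
    "string": "string",
    "bool": "bool",
    "time": "time",
    "duration": "interval",
}


def zeek_type(tenzir_type: str) -> str:
    """Map a Tenzir-style type name to its Zeek annotation (lists become sets)."""
    if tenzir_type.startswith("list<") and tenzir_type.endswith(">"):
        return f"set[{zeek_type(tenzir_type[5:-1])}]"
    return ZEEK_TYPES[tenzir_type]


def lookup(event: dict, dotted: str):
    """Resolve a flattened Zeek field name such as id.orig_p inside a nested record."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # missing path renders as an unset field
        node = node[part]
    return node


def format_value(value, set_separator: str, empty_field: str, unset_field: str) -> str:
    """Render one cell: nulls, empty collections, bools, sets, timestamps, reals."""
    if value is None:
        return unset_field
    if isinstance(value, bool):
        return "T" if value else "F"
    if isinstance(value, (list, set, tuple)):
        if not value:
            return empty_field
        return set_separator.join(
            format_value(v, set_separator, empty_field, unset_field) for v in value
        )
    if isinstance(value, datetime):
        return f"{value.timestamp():.6f}"
    if isinstance(value, timedelta):
        return f"{value.total_seconds():.6f}"
    if isinstance(value, float):
        return f"{value:.6f}"
    return str(value)  # ints and ipaddress objects already print in Zeek form


def write_zeek_tsv(path, schema, events, *, set_separator=",", empty_field="(empty)",
                   unset_field="-", disable_timestamp_tags=False, opened_at=None) -> str:
    """Emit the Zeek TSV header block, one line per event, and the closing tag."""
    sep = "\t"
    epoch = opened_at if opened_at is not None else datetime.now(timezone.utc).timestamp()
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d-%H-%M-%S")
    lines = [
        "#separator \\x09",  # the only header line that spells the separator out
        sep.join(("#set_separator", set_separator)),
        sep.join(("#empty_field", empty_field)),
        sep.join(("#unset_field", unset_field)),
        sep.join(("#path", path)),
    ]
    if not disable_timestamp_tags:
        lines.append(sep.join(("#open", stamp)))
    lines.append(sep.join(("#fields", *(name for name, _ in schema))))
    lines.append(sep.join(("#types", *(zeek_type(t) for _, t in schema))))
    for event in events:
        lines.append(sep.join(
            format_value(lookup(event, name), set_separator, empty_field, unset_field)
            for name, _ in schema
        ))
    if not disable_timestamp_tags:
        lines.append(sep.join(("#close", stamp)))
    return "\n".join(lines) + "\n"


# Constructed sample schema and events shaped like Zeek conn records (not real traffic).
CONN_SCHEMA = [
    ("ts", "time"), ("uid", "string"),
    ("id.orig_h", "ip"), ("id.orig_p", "uint64"), ("id.resp_h", "ip"), ("id.resp_p", "uint64"),
    ("duration", "duration"), ("orig_bytes", "uint64"), ("service", "string"),
    ("tunnel_parents", "list<string>"),
]
SAMPLE_EVENTS = [
    {"ts": datetime.fromtimestamp(1714564800, tz=timezone.utc), "uid": "CHhAvVGS1DHFjwGM9",
     "id": {"orig_h": ip_address("10.0.0.5"), "orig_p": 51234,
            "resp_h": ip_address("198.51.100.7"), "resp_p": 443},
     "duration": timedelta(seconds=3.5), "orig_bytes": 1420, "service": None, "tunnel_parents": []},
    {"ts": datetime.fromtimestamp(1714564801, tz=timezone.utc), "uid": "CtPZjS20MLrsMUOJi2",
     "id": {"orig_h": ip_address("10.0.0.9"), "orig_p": 40022,
            "resp_h": ip_address("198.51.100.7"), "resp_p": 443},
     "duration": None, "orig_bytes": 0, "service": "ssl", "tunnel_parents": ["CHhAvVGS1DHFjwGM9"]},
]

if __name__ == "__main__":
    print(write_zeek_tsv("conn", CONN_SCHEMA, SAMPLE_EVENTS), end="")
```

Running the file prints a header that a Zeek-aware reader (zeek-cut, for instance) accepts, followed by two records; passing disable_timestamp_tags=True drops the #open and #close lines, which is what you want when several writers append to the same file and a reader would otherwise treat a mid-file #close as end of log.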
Examples
Write pipeline results in Zeek TSV format
subscribe "zeek-logs"
where duration > 2s and id.orig_p != 80
write_zeek_tsv
save_file "filtered_conn.log"