Stage Commands
Stage commands perform operations on a single event. This category of command is typically the most performant and has the lowest resource requirements, because each event is processed independently.
These commands execute in parallel and do not require any synchronisation between events.
Available Stage Commands
| Command | Description |
|---|---|
| eval | Evaluate expressions to create or modify fields |
| extract | Extract new fields from existing ones using regex named capture groups |
| expandobject | Expand object child fields |
| fields | Select or reorder fields from events |
| filter | Filter events based on field values |
| lookup | Enrich events by joining against external data sources |
| match | Match field values against patterns |
| rename | Rename fields in events |
| sigcheck | Evaluate events against loaded Sigma signatures |