Stage Commands
Stage commands perform operations on a single event; this category of commands is typically the most performant and has the lowest resource requirements.
These commands are executed in parallel and don't require any synchronisation.
Available Stage Commands
| Command | Description |
|---|---|
| eval | Evaluate expressions to create or modify fields |
| extract | Extract new fields from existing ones using regex named capture groups |
| expandobject | Expand object child fields |
| fields | Select or reorder fields from events |
| filter | Narrow multivalue fields without removing events |
| lookup | Enrich events by joining against external data sources |
| match | Match field values against patterns |
| rename | Rename fields in events |
| sigcheck | Evaluate events against loaded Sigma signatures |
| switch | Route events to subsearches based on match conditions |