1 of 100

v1.692.0

Welcome

Onum helps security and IT leaders focus on the most important data. Gain control of your data by cutting through the noise for deep insights in real-time.

Quick Links

Getting Started

About Onum

Observability & Orquestration in real time. Any format. Any source.

Overview

The exponential growth of data ingestion volumes can lead to reduced performance, slow response times, and increased costs. With this comes the need to implement optimization strategies & volume reduction control. We help you cut the noise of large data streams and reduce infrastructure by up to 80%.

Gain deep insights from any type of data, using any format, from any source.

All of this...

@ the Edge

By collecting and observing that data at the edge, as close as possible to where it’s being generated, gain real-time observations and take decisive action to prevent network downtime, payment system failures, malware infections, and more.

Unlike most tools that provide data observation and orchestration, Onum is not a data analytics space, which is already served well by security information and event management (SIEM) vendors and other analytics tools. Instead, Onum sits as close as possible to where the data is generated, and well in front of your analytics platforms, to collect and observe data across every aspect of your hybrid network.

Start with the basics

Architecture

Designed for the Edge, created in the Cloud

Easy, flexible deployment in any environment while keeping them as close as possible to where the data is produced delivers unparalleled speed and efficiency, enabling you to cut the infrastructure you have dedicated to orchestration by up to 80%.

The Onum infrastructure consists of:

Distributor: this is the service that hosts the Listener before forwarding it to Workers.
Worker: this is the service that runs the Pipelines, receiving data from its Distributor and contained within a Cluster.
Cluster: a container grouping Distributors and Workers. You can have as many clusters as required per Tenant.

Listeners are hosted within Distributors and are placed as close as possible to where data is generated. The Distributor pulls tasks from the data queue passing through the pipeline and distributes it to the next available worker in a Cluster. As soon as a Worker completes a task it becomes available again, and the Distributor in turn will assign it the next task from the queue.

The installation process creates the Distributor and all Workers for each data source in the cluster.

How it works

Deployment types

The Onum Platform supports any deployment type ― including on-premises, the Onum public cloud, or your own private cloud.

In a typical SaaS-based deployment, most processing activities are conducted in the Cloud.

Client-side components can be deployed on a Linux machine or on a Kubernetes cluster for easy, flexible deployment in any environment. Onum supports all major cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Learn more about Deployment requirements .

Delivery methods

Onum supports all major standards such as Netflow, Syslog, and Kafka to orchestrate data streams to any desired destination, including popular data analytics tools such as Splunk and Devo, as well as storage environments such as S3.

Deployment

Onum installation process

Overview

Once you’ve obtained an Onum account, just a few steps are needed to complete the installation, depending on the type of deployment you require. Onum supports flexible deployment options, including both on-premises and cloud environments.

In case you have any question regarding the deployment and installation process, please contact us.

Supported browsers

Onum supports the following browsers:

Google Chrome

Cloud Deployment

For cloud-based installations, either our Customer Success team or a partner will access Onum's internal tenant manager and create the new account. All the necessary infrastructure will be set up based on estimated usage metrics.

The deployment process is fully automated, ensuring quick and streamlined provisioning and configuration.

Cloud Listeners

Note that the Listener configuration process is slightly different if you are using a Cloud deployment. Learn more about Cloud Listeners in this article.

On-Premises Deployment

In on-premises deployments, either our Customer Success team or a partner will set up the new account. Appropriate access permissions are granted to allow Onum to perform the installation.

A validation script is run to confirm all prerequisites are met and connectivity is established, ensuring a smooth installation process. Once installed, you can access your tenant, start ingesting data, invite users, and take full advantage of Onum’s capabilities.

Dependencies:

Docker
Packages:
- gpg
- curl
- ipvsadm
- ca-certificates
SIEM access
Access to sources

Hardware requirements

Hardware (per Virtual Machine):

Distribution: Linux (Debian or Red Hat)
Server Hardware: 16GB RAM and 8 CPU
Disk Storage: 500GB

Access

In case of upcoming system maintenance, we kindly seek permission to access the customer infrastructure. We aim to ensure seamless operations and address any potential issues promptly.

Getting Started with Onum

Welcome to Onum! This guide will help you start working with Onum, a powerful tool designed to enhance your data analysis and processing capabilities.

Accessing Onum

Once you get your Onum credentials, you only have to go to and enter them to access your Tenant.

A Tenant is a domain that contains a set of data in your organization. You can use one or various Tenants and grant access to as many as required. Learn more about working with Tenants .

Logging in

Once in , there are two ways to log in.

Log in with email address and password

Your password must be a minimum of 10 characters and include a combination of uppercase letters, lowercase letters, numbers, and symbols.

An inactive session will be automatically logged out after one hour.

Navigating the Interface

When you access the Onum app, you'll see , where you can see an overview of the activity in your Tenant.

You can access the rest of the areas in Onum using the left panel.

Create Your First Listener

Onum receives any data through Listeners.

These are logical entities created within a Distributor, acting as the gateway to the Onum system. Configuring a Listener involves defining an IP address, a listening port, and a transport layer protocol, along with additional settings depending on the type of Listener specialized in the data it will receive.

Access the Listeners area to start working with them. Learn how to create your first Listener .

Create Your First Data Sink

Onum outputs data via Data sinks. Use them to define where and how to forward the results of your streamlined data.

Access the Data sinks area to start working with them. Learn how to create your first Data sink .

Build Your First Pipeline

Use Pipelines to start transforming your data and build a data flow. Pipelines are made of the following components:

Learn more about Pipelines .

Use cases

Do you want to check the essential steps in Onum through specific Pipelines? Explore the most common use cases in .

Understanding The Essentials

Get to grips with the important concepts & best practices of the Onum application.

These articles contain information on functionalities across the entire platform.

The Time Range Selector

Overview

Throughout the entire Onum platform, you can set a period to either narrow down or extend the data shown. You can either select a predefined period or apply a custom time range.

The related graph and resources will be automatically updated to display data from the chosen period. To remove a selected period, simply click the bin icon that appears next to the period to go back to the default time range (1 hour ago).

The intervals will be calculated according to the Timezone of your browser. Keep an eye out for future implementations, where you can manually select a timezone.

Predefined and Custom time ranges

As well as predefined time intervals, you can also define a custom time range. To do it, simply select the required starting and ending dates in the calendar.

Comparisons

The interesting thing about Onum is that you can directly see how much volume you have saved compared to past ingestions, telling you what is going well and what requires further streamlining.

The comparison is direct/equivalent, meaning all data shown is analyzed compared to the previously selected equivalent time range.

For example, if the time range is 1 hour, the calculation of differences will be carried out using the previous one hour before the current selection =

Range selected: 10:00-11:00
Comparison: 09:00-10:00

Again, let´s say you now wish to view data over the last 7 days. The percentages will be calculated by measuring the volume retrospectively two weeks ago with the previous week.

Key Terminology

Get to grips with these key concepts to better understand how Onum works and use it to its full potential.

Action

A unit of work performing a given operation on an event.

API

Application Programming Interface. A set of defined methods of communication among various components.

Cluster

Various distributors and workers can be grouped and contained within a cluster. You can have as many clusters as required per Tenant.

Data sink

Where the data is routed after being processed by Onum.

Data source

Where the data is generated before ingesting it into Onum, e.g. application server logs, firewall logs, S3 bucket, Kafka Topic, etc.

Distributor

This service receives and processes the Listener data before sending it on to workers within a cluster.

Event

An event represents semi-structured data such as a log entry. Events can be parsed so that structured data can be generated and eventually processed by the engine. Events are composed of fields, which are referred to as Field. An action that produces a new field will be referred to as outputField.

Label

Used to sort events coming from Listeners into categories or sets that meet given filters to be used in a Pipeline.

Listener

A Listener retrieves events in a given IP address and a port, routing the data to the Pipelines so that it can be processed.

Lookup

A lookup refers to searching for and retrieving information from a specific source or dataset, typically based on a key or reference.

Multitenancy

Multitenancy is an architecture in which tenants share the same underlying infrastructure, including databases and application code, but their data and configurations are kept separate to ensure privacy and security.

Pipeline

A sequence of Actions connected through inputs/outputs to process a stream of data. Data comes from the Listener and eventually is routed to a Datasink.

Role

A role is assigned to a user in order to control the access they have to certain or all Onum features. This way, we can personalise the experience for each user.

Tag

Tags can be assigned to Listeners, Pipelines or Data sinks in order to classify them or make them easier to find. This is particularly useful if you have a wide database and want to avoid lengthy searching for the resources you wish to use.

Tenant

A Tenant is a domain that contains a set of data in your organization. You can use one or various tenants and grant access to as many as required.

Worker

This service runs the Pipelines, receiving data from its distributor and contained within a Cluster.

THE WORKSPACE

Home

A summary of your Tenant activity

Overview

When opening Onum, the Home area is the default view. Here you can see an overview of all the activity in your Tenant.

Use this view to analyze the flow of data and the change from stage to stage of the process. Here you can locate the most important contributions to your workflow at a glance.

All data shown is analyzed compared to the previously selected time range. Use the time range selector at the top of this area to specify the periods to examine.

For example, if the time range were 1 hour ago (the default period), the calculation of differences will be carried out using the previous one hour before the current selection:

Range selected: 10:00-11:00
Comparison: 09:00-10:00

To learn more about time ranges, go to Selecting a Time Range.

Metrics

The Home view shows various infographics that provide insights into your data flow. Some Listeners or Data Sinks may be excluded from these metrics if they are duplicates or reused.

The Net Saved/Increased and Estimation graphs will show an info tooltip if some Data sinks are excluded from these metrics. You may decide this during the Data sink creation.

In those cases, you can hover over the icon to check the total metrics including all the Data sinks.

Sankey Diagram

Each column of the Sankey diagram provides information and metrics on the key steps of your flow.

You can see how the data flows between:

Listeners: each Listener in your Tenant.
Clusters: the Distributor/Worker group receives the Listener data and forwards it to Pipeline.
Labels: the operations and criteria used to filter out the data to be sent on to Pipelines.
Pipelines: the Pipelines used to obtain desired data and results.
Data sinks: the end destination for data having passed through Listener › Cluster › Label › Pipeline.

Hover over a part of the diagram to see specific savings.

Show Metrics

You can narrow down your analysis even further by selecting a specific node and selecting Show metrics.

This option is not available for all columns.

View Details

Click a node and select View details to open a panel with in-depth details of the selected piece.

From here, you can go on to edit the selected element.

This option is not available for all columns.

Hide/Show Columns

You can choose which columns to view or hide using the eye icon next to its name.

Add New Elements

You can add a new Listener, Label, Pipeline or Data sink using the plus button next to its name.

You can also create all of the aforementioned elements using the Create new button at the top-right:

Listeners

Everything starts with a good Listener

Overview

Essentially, Onum receives any data through Listeners. These are logical entities created within a Distributor, acting as the gateway to the Onum system. Due to this, configuring a Listener involves defining an IP address, a listening port, and a transport layer protocol, along with additional settings depending on the type of Listener specialized in the data it will receive.

A Push type of Listener passively sources data without explicitly requesting, whereas a Pull type is where the user actively requests data from an external source.

If you are using more than one Cluster, it is recommended not to use a Pull-type Listener. You can find out the Listener type in the integration-specific articles below.

Click the Listeners tab on the left menu for a general overview of the Listeners configured in your Tenant and the events generated.

The graph at the top plots the volume ingested by your listeners. Click Events to see the events in for all your Listeners, or Bytes to see a bar graph representing the bytes in. Learn more about this graph in this article.
- Use the Stack Listeners toggle to view each individual Listener on your graph and its metrics.
Hover over a point on the chart to show a tooltip containing the Events and Bytes OUT for the selected time, as well as a percentage of how much increase/decrease has occurred between the previous lapse of time and the one currently selected.

At the bottom, you have a list of all the Listeners in your Tenant. You can switch between the Cards view, which shows each Listener in a card, and the Table view, which displays Listeners listed in a table. Learn more about the cards and table views in this article.

Narrow Down Your Data

There are various ways to narrow down what you see in this view:

Add Filters

Add filters to narrow down the Listeners you see in the list. Click the + Add filter button and select the required filter type(s). You can filter by:

Name: Select a Condition (Contains, Equals, or Matches) and a Value to filter Listeners by their names.
Type: Choose the Listener type(s) you want to see in the list.
Version: Filter Listeners by their version.
Created by: Selecting this option opens a User drop-down where you can filter by creator.
Updated by: Selecting this option opens a User drop-down where you can filter by the last user to update a pipeline.

The filters applied will appear as tags at the top of the view.

Note that you can only add one filter of each type.

Select a Time Range

If you wish to see data for a specific time period, this is the place to click. Go to this article to dive into the specifics of how the time range works.

Select Tags

You can choose to view only those Listeners that have been assigned the desired tags. You can create these tags in the Listener settings or from the cards view. Press the Enter key to confirm the tag, then Save.

To filter by tags, click the + Tags button, select the required tag(s) and click Save.

Create a Listener

Depending on your permissions, you can create a new Listener from this view.

There are several ways to create a new Listener:

From the Listeners view:

Within a Pipeline:

From the Home Page:

Configure a Listener

Configuring your Listener involves various steps. You can open the configuration pane by creating a new Listener or by clicking a Listener in the Listener tab or the Pipeline view and selecting Edit Listener in the pane that opens.

Alternatively, click the ellipses in the card or table view and select Edit.

01. Type

The first step is to define the Listener Type. Select the desired type in this window and select Configuration.

02. Configuration

The configuration is different for each Listener type. Check the different Listener types and how to configure them in this section.

If your Listener is deployed in the Cloud, you will see an extra step for the network properties. Learn more about Listeners in a Cloud deployment in this article.

03. Labels

Use Onum's labels to cut out the noise with filters and search criteria based on specific metadata. This way, you can categorize events sent on and processed in your Pipelines.

Learn more about labels in this article.

Cloud Listeners

Are you interested in deploying your Onum installation in our Cloud? , and we will configure a dedicated Cloud Tenant for you and your organization.

Overview

If your Onum installation is deployed in our Cloud, the configuration settings of a Listener would be slightly different from Listeners defined in an On-Premise deployment:

Cloud Listeners do not have the TLS configuration settings in their creation form, as the connection is already secured.
Cloud Listeners have an additional step in their creation process: Network configuration. Use these details to configure your data source to communicate with Onum. Click Download certificate to get the required certificate for the connection. You can also download it from the Listener details once it is created.

Learn more about the configuration steps of each Listener type .

Important Considerations

You must consider the following indications before using Cloud Listeners:

Cloud Listener endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that this may last up to 24-48 hours, depending on your organization's DNS configuration.
Cloud Listener endpoints require Mutual TLS (mTLS) authentication, which means that your data input must be able to process a TLS connection and be authorized with a certificate.
Your data input must use the Server Name Indication (SNI) method, which means it must send its hostname in the TLS authentication process. If SNI is not used, the certificate routing will fail, and data will not be received, even if the certificate is valid.

If your organization's software cannot meet points 2 and 3, you can use an intermediate piece of software to ensure the client-Onum connection, such as Stunnel.

Listener Integrations

Onum is compatible with any data source, regardless of technology and architecture. A Listener Type is not necessarily limited to one integration and can be used to connect to various.

Although there are only a limited number of types available for use, the integration possibilities are endless. Alternatively, you can contact us to request a Listener type.

Click a Listener to see how to configure it.

Google Cloud

Microsoft

Labels

Overview

Use Onum's labels to cut out the noise with filters and search criteria based on specific metadata. This way, you can categorize the events that Listeners receive before being processed in your Pipelines.

As different log formats are being ingested in real-time, the same Listener may ingest different technologies. Labels are useful for categorizing events based on specific criteria.

When creating or editing a Listener, use Labels to categorize and assign filters to your data.

For most Listeners, you will see two main event categories on this screen:

All Data - Events that follow the structure defined by the specified protocol, for example, Syslog events with the standard fields, or most of them.
Unparsed - These are events that do not follow the structure defined in the selected protocol.

You can define filters and rules for each of these main categories.

What Are Labels Used For?

Once you've defined your labels to filter specific events, you can use them in your Pipelines.

Instead of using the whole set of events that come into your Listeners, you can use your defined labels to use only specific sets of data filtered by specific rules.

Creating Your First Label

When you create a new Listener, you'll be prompted to the Labels screen after configuring your Listener data.

Click the + button under the set of data you want to filter (All Data or Unparsed). You'll see your first label. Click the pencil icon a give it a name that describes the data that will filter out.

In this example, we want to filter only events whose version is 2.x, so we named our label accordingly:

Below, see the Add filter button. This is where you add the criteria to categorize the content under that label. Choose the field you want to filter by.

In this example, we're choosing Version.

Now, define the filter criteria:

Condition - Choose between:
- Contains - Checks when the indicated value appears anywhere in the log.
- Equals - Filters for exact matches of the value in the log.
- Matches - Filters for exact matches of the value in the log, allowing for regular expressions.
Value - Enter the value to filter by.

In this example, we are setting the Condition to Contains and Value to 2.

Click Save and see the header appear for your first label.

From here, you have various options:

Create a new label

To create a new subset of data, select the + sign that extends directly from the All data or Unparsed bars. Be aware that if you select the + sign extending from the header bar, you will create a subheader.

Create a sub-label

You can create a branch from your primary header by clicking the plus button that extends from the main header. There is no limit to the amount that you can add.

Notice that the subheader shows a filter icon with a number next to it to indicate the string of filters applied to it already.

Duplicate your label

To duplicate a label, simply select the duplicate button in its row.

Delete a label

To delete a label, simply select the delete button in its row.

If you attempt to delete a Label that is being used in a Pipeline, you will be asked to confirm where to remove it from.

Once you have completed your chain, click Save.

Unlabeled

Any data that has not been assigned a label will be automatically categorized as unlabeled. This allows you to see the data that is not being processed by any Pipeline, but has not been lost.

This label will appear in the list of Labels for use in your Pipeline so that you can process the data in its unfiltered form.

Your Listener is now ready to use and will appear in the list.

Listeners

The default tab that opens when in the Pipeline area is the Listeners tab, which shows all Listeners in your Tenant, as well as their labels.

Use the search bar to find a specific Listener or Label.

Edit a Listener

You can edit a label from the list by clicking the ellipses next to its name and selecting Edit.

This will open the Listener Configuration and Labels for you to modify.

Create Listener

If the Listener you wish to use in the Pipeline does not already exist, you can create it directly from this view using the Create Listener button in the bottom right of the tab. This will open the Listener Configuration window.

Add a Listener to your Pipeline

Go to Building a Pipeline to learn step by step.

Advanced

Aggregation

AI

Replicate

Most recent version: v0.1.0

See the changelog of this Action type .

Note that this Action is only available in certain Tenants. if you need to use it and don't see it in your Tenant.

Overview

This action offers automatic integration with models available on the Replicate platform, whether publicly accessible or privately deployed. This component simplifies accessing and utilizing a wide array of models without manual integration efforts.

Integrating Onum with replicate.com can offer several benefits, enhancing the platform's capabilities and the value it delivers:

Access to a Broad Range of Models
Ease of Model Deployment
Scalability
Continuous Model Updates
Cost-Effective AI Integration
Rapid Prototyping and Experimentation
Enhanced Data Privacy and Security

In order to configure this action, you must first link it to a Listener. Go to to learn how to link.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find MLReplicate in the Actions tab (under the Enrichment group) and drag it onto the canvas. Link it to the required and .

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Click Save to complete.

Where to find these values

It is possible to use all the public models from related to process natural language.

To fill in the values, you need to utilize the information about the user and model from Replicate.com and execute a copy/paste. The following image illustrates how to locate the required parameters on the Replicate.com model website.

Just in case, if the version does not appear, choose the Cog tag and copy the version like in the following picture.

A version identifies every model and requires a set of input parameters.

Detection

Enrichment

Filtering

Formatting

Schemas

OCSF

Most recent version: v0.2.1

See the changelog of this Action type .

Overview

The OCSF Action allows users to build messages in accordance with the Open Cybersecurity Schema Framework.

In order to configure this Action, you must first link it to a Listener. Go to Building a Pipeline to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in this article.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find OCSF in the Actions tab (under the Schema group) and drag it onto the canvas. Link it to the required Listener and Data sink.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Fields*

This is where you specify the fields you wish to include in your message, by type.

Fields beginning with _ are internal fields.

OCSF Template*

Choose the blueprint used to create the standardized cybersecurity message within the OCSF model.

Destination Field Name*

Give your message a name to identify it by in the end destination.

Message

The message will be automatically transformed to fit the OCSF template selected above, show in JSON format. Drag and drop more fields from the fields area and rearrange them here.

Click Save to complete.

Example

Let's say you have received drone flight logs in JSON format and wish to transform it to a OCSF-formatted JSON using the Drone Flights Activity [8001] schema.

Raw data

{
  "drone_id": "DRONE-XT12",
  "operator": "alice.wong",
  "flight_id": "FL-20250602-0001",
  "start_time": "2025-06-02T08:00:00Z",
  "end_time": "2025-06-02T08:30:00Z",
  "status": "completed",
  "latitude": 40.7128,
  "longitude": -74.0060,
  "altitude_m": 150.0,
  "battery_level": 45,
  "vendor": "AeroFleet"
}

Parse the JSON

Add a Parser to the canvas and extract the fields using the automatic parsing.

Build the message

Now use the Message Builder to create a template containing these fields as an OSCF-formatted message.

Select the Drone Flights Activity [8001] schema from the list.

See the JSON reformatted in the Message area:

[
{
  "event_class": "drone_activity",
  "event_type_id": 8001,
  "time": "2025-06-02T08:00:00Z",
  "severity_id": 1,
  "message": "Drone flight FL-20250602-0001 completed successfully",
  "actor": {
    "user": {
      "name": "alice.wong"
    }
  },
  "drone_activity": {
    "drone_id": "DRONE-XT12",
    "flight_id": "FL-20250602-0001",
    "status": "completed",
    "start_time": "2025-06-02T08:00:00Z",
    "end_time": "2025-06-02T08:30:00Z",
    "location": {
      "latitude": 40.7128,
      "longitude": -74.0060,
      "altitude_m": 150.0
    },
    "battery_level": 45
  },
  "metadata": {
    "product": {
      "name": "DroneLogSystem",
      "vendor_name": "AeroFleet"
    }
  }
}
]

Drag and drop the fields to fill in the template with the real data.

Your message now matches the OCSF best practices: it normalizes data into structured actor, drone_activity, and metadata fields.

Field Transformation

Most recent version: v1.1.1

See the changelog of this Action type .

Overview

The Field Transformation action acts as a container that enables users to perform a wide range of operations on data, including encoding and decoding various types of encryption, format conversion, file compression and decompression, data structure analysis, and much more. The results are stored in new events fields.

In order to configure this action, you must first link it to a Listener or other Action. Go to to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in .

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find Field Transformation in the Actions tab (under the Transformation group) and drag it onto the canvas.

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Parameter

Description

Click Save to complete the process.

Example

Here is an example of a data set on the Bytes in/out from IP addresses.

We can use the field transformation operations to reduce the quantity of data sent.

We have a Syslog Listener, connected to a Parser.

Click if you need help configuring the Parser

Configure the parser as follows:

Paste input:

This is the data in its raw format.

Select Manual in the parser drop-down, go to code mode using the button on the right, and paste this log:

You have manually parsed the raw data into separate fields. This is reflected in the output field.

Link the Parser to the Field Transformation action and open its configuration.

We will use the

Input

Output

Destination IP to Hex

Transform the Destination IP to hexadecimal to reduce the number of characters.

Original IP

Hexadecimal

Field>Parser: DESTINATION_IP_ADDRESS
Operation: To IP Hex
Output Field: DestinationIPAddessHex

Add a new field for Destination Host to CRC32

Codify the Destination Host as crc32 to transform the machine name into 8 characters.

Original

CRC32

Field>Parser: DESTINATION_HOST
Operation: Crc32
Output field: DestinationHostCrc32

Arithmetic / Logic

Code tidy

Control characters

Conversion

Convert Distance

Description

This operation converts values between different units of length or distance.

Data types

These are the input/output expected data types for this operation:

Input data

- Values whose unit of length you want to transform. They must be strings representing numbers.

Output data

- Resulting values after transforming them to the selected unit of length.

Parameters

These are the parameters you need to configure to use this operation (mandatory parameters are marked with a *):

Input units*

Enter the unit of length of your input data. You must indicate one of the following:

Metric

Nanometres (nm)
Micrometres (μm)
Millimetres (mm)
Centimetres (cm)
Metres (m)
Kilometres (km)

Imperial

Thou (th)
Inches (in)
Feet (ft)
Yards (yd)
Chains (ch)
Furlongs (fur)
Miles (mi)
Leagues (lea)

Maritime

Fathoms (ftm)
Cables
Nautical miles

Comparisons

Cars (4m)
Buses (8.4m)
American football fields (91m)
Football pitches (105m)

Astronomical

Earth-to-Moons
Earth's equators
Astronomical units (au)
Light-years (ly)
Parsecs (pc)

Output units*

Enter the required unit of length of your output data. You must indicate one of the following:

Metric

Nanometres (nm)
Micrometres (μm)
Millimetres (mm)
Centimetres (cm)
Metres (m)
Kilometres (km)

Imperial

Thou (th)
Inches (in)
Feet (ft)
Yards (yd)
Chains (ch)
Furlongs (fur)
Miles (mi)
Leagues (lea)

Maritime

Fathoms (ftm)
Cables
Nautical miles

Comparisons

Cars (4m)
Buses (8.4m)
American football fields (91m)
Football pitches (105m)

Astronomical

Earth-to-Moons
Earth's equators
Astronomical units (au)
Light-years (ly)
Parsecs (pc)

Example

Suppose you want to convert a series of events from meters into yards:

In your Pipeline, open the required configuration and select the input Field.
In the Operation field, choose Convert distance.
Set Input units to Metres (m).
Set Output units to Yards (yd).
Give your Output field a name and click Save. The unit of length of the values in your input field will be transformed. For example:

You can try out operations with specific values using the Input field above the operation. You can enter the value in the example above and check the result in the Output field.

Convert Speed

Description

This operation converts values between different units of speed.

Data types

These are the input/output expected data types for this operation:

Input data

- Values whose unit of speed you want to transform. They must be strings representing numbers.

Output data

- Resulting values after transforming them to the selected unit of speed.

Parameters

These are the parameters you need to configure to use this operation (mandatory parameters are marked with a *):

Input units*

Enter the unit of speed of your input data. You must indicate one of the following:

Metric

Metres per second (m/s)
Kilometres per hour (km/h)

Imperial

Miles per hour (mph)
Knots (kn)

Comparisons

Human hair growth rate
Bamboo growth rate
World's fastest snail
Usain Bolt's top speed
Jet airliner cruising speed
Concorde
SR-71 Blackbird
Space Shuttle
International Space Station

Scientific

Sound in standard atmosphere
Sound in water
Lunar escape velocity
Earth escape velocity
Earth's solar orbit
Solar system's Milky Way orbit
Milky Way relative to the cosmic microwave background
Solar escape velocity
Neutron star escape velocity (0.3c)
Light in a diamond (0.4136c)
Signal in an optical fibre (0.667c)
Light (c)

Output units*

Enter the required unit of speed of your output data. You must indicate one of the following:

Metric

Metres per second (m/s)
Kilometres per hour (km/h)

Imperial

Miles per hour (mph)
Knots (kn)

Comparisons

Human hair growth rate
Bamboo growth rate
World's fastest snail
Usain Bolt's top speed
Jet airliner cruising speed
Concorde
SR-71 Blackbird
Space Shuttle
International Space Station

Scientific

Sound in standard atmosphere
Sound in water
Lunar escape velocity
Earth escape velocity
Earth's solar orbit
Solar system's Milky Way orbit
Milky Way relative to the cosmic microwave background
Solar escape velocity
Neutron star escape velocity (0.3c)
Light in a diamond (0.4136c)
Signal in an optical fibre (0.667c)
Light (c)

Example

Suppose you want to convert a series of events from kilometers per hour into miles per hour:

In your Pipeline, open the required Action configuration and select the input Field.
In the Operation field, choose Convert speed.
Set Input units to Kilometres per hour (km/h).
Set Output units to Miles per hour (mph).
Give your Output field a name and click Save. The unit of speed of the values in your input field will be transformed. For example:

200 Kilometres per hour (km/h) -> 124.2841804 Miles per hour (mph)

You can try out operations with specific values using the Input field above the operation. You can enter the value in the example above and check the result in the Output field.

String to List

Description

This operation converts a string composed of values separated by a specific separator into a list of comma-separated values (data type listString).

Data types

These are the input/output expected data types for this operation:

Input data

- String of separated values to be transformed. You must enter the separator in the parameter below.

Output data

- Resulting values after transforming them into a list of comma-separated values.

Parameters

These are the parameters you need to configure to use this operation (mandatory parameters are marked with a *):

Separator*

Enter the character(s) that separate the values in the input strings.

Example

Suppose you want to convert a series of strings representing values separated by / into a list of comma-separated values:

In your Pipeline, open the required configuration and select the input Field.
In the Operation field, choose String to list.
Set Separator to /.
Give your Output field a name and click Save. The values in your input field will be transformed into a comma-separated list. For example:

You can try out operations with specific values using the Input field above the operation. You can enter the value in the example above and check the result in the Output field.

Data format

Convert Mass

Description

This operation converts values between different units of mass.

Data types

These are the input/output expected data types for this operation:

Input data

- Values whose unit of mass you want to transform. They must be strings representing numbers.

Output data

- Resulting values after transforming them to the selected unit of mass.

Parameters

These are the parameters you need to configure to use this operation (mandatory parameters are marked with a *):

Input units*

Enter the unit of mass of your input data. You must indicate one of the following:

Metric

Yoctogram (yg)
Zeptogram (zg)
Attogram (ag)
Femtogram (fg)
Picogram (pg)
Nanogram (ng)
Microgram (μg)
Milligram (mg)
Centigram (cg)
Decigram (dg)
Gram (g)
Decagram (dag)
Hectogram (hg)
Kilogram (kg)
Megagram (Mg)
Tonne (t)
Gigagram (Gg)
Teragram (Tg)
Petagram (Pg)
Exagram (Eg)
Zettagram (Zg)
Yottagram (Yg)

Imperial Avoirdupois

Grain (gr)
Dram (dr)
Ounce (oz)
Pound (lb)
Nail
Stone (st)
Quarter (qr)
Tod
US hundredweight (cwt)
Imperial hundredweight (cwt)
US ton (t)
Imperial ton (t)

Imperial Troy

Grain (gr)
Pennyweight (dwt)
Troy dram (dr t)
Troy ounce (oz t)
Troy pound (lb t)
Mark

Archaic

Wey
Wool wey
Suffolk wey
Wool sack
Coal sack
Load
Last
Flax or feather last
Gunpowder last
Picul
Rice last

Comparisons

Big Ben (14 tonnes)
Blue whale (180 tonnes)
International Space Station (417 tonnes)
Space Shuttle (2,041 tonnes)
RMS Titanic (52,000 tonnes)
Great Pyramid of Giza (6,000,000 tonnes)
Earth's oceans (1.4 yottagrams)

Astronomical

A teaspoon of neutron star (5,500 million tonnes)
Lunar mass (ML)
Earth mass (M⊕)
Jupiter mass (MJ)
Solar mass (M☉)
Sagittarius A* (7.5 x 10^36 kgs-ish)
Milky Way galaxy (1.2 x 10^42 kgs)
The observable universe (1.45 x 10^53 kgs)

Output units*

Enter the required unit of mass of your output data. You must indicate one of the following:

Metric

Yoctogram (yg)
Zeptogram (zg)
Attogram (ag)
Femtogram (fg)
Picogram (pg)
Nanogram (ng)
Microgram (μg)
Milligram (mg)
Centigram (cg)
Decigram (dg)
Gram (g)
Decagram (dag)
Hectogram (hg)
Kilogram (kg)
Megagram (Mg)
Tonne (t)
Gigagram (Gg)
Teragram (Tg)
Petagram (Pg)
Exagram (Eg)
Zettagram (Zg)
Yottagram (Yg)

Imperial Avoirdupois

Grain (gr)
Dram (dr)
Ounce (oz)
Pound (lb)
Nail
Stone (st)
Quarter (qr)
Tod
US hundredweight (cwt)
Imperial hundredweight (cwt)
US ton (t)
Imperial ton (t)

Imperial Troy

Grain (gr)
Pennyweight (dwt)
Troy dram (dr t)
Troy ounce (oz t)
Troy pound (lb t)
Mark

Archaic

Wey
Wool wey
Suffolk wey
Wool sack
Coal sack
Load
Last
Flax or feather last
Gunpowder last
Picul
Rice last

Comparisons

Big Ben (14 tonnes)
Blue whale (180 tonnes)
International Space Station (417 tonnes)
Space Shuttle (2,041 tonnes)
RMS Titanic (52,000 tonnes)
Great Pyramid of Giza (6,000,000 tonnes)
Earth's oceans (1.4 yottagrams)

Astronomical

A teaspoon of neutron star (5,500 million tonnes)
Lunar mass (ML)
Earth mass (M⊕)
Jupiter mass (MJ)
Solar mass (M☉)
Sagittarius A* (7.5 x 10^36 kgs-ish)
Milky Way galaxy (1.2 x 10^42 kgs)
The observable universe (1.45 x 10^53 kgs)

Example

Suppose you want to convert a series of events from kilograms into pounds:

In your Pipeline, open the required configuration and select the input Field.
In the Operation field, choose Convert mass.
Set Input units to Kilogram (kg).
Set Output units to Pound (lb).
Give your Output field a name and click Save. The unit of mass of the values in your input field will be transformed. For example:

You can try out operations with specific values using the Input field above the operation. You can enter the value in the example above and check the result in the Output field.

Convert Data Units

Description

This operation converts values between different units of digital data, such as bits, bytes, kilobytes, megabytes, and so on. It’s especially useful when you’re dealing with data storage or transfer rates and you need to switch between binary (base 2) and decimal (base 10) units.

Data types

These are the input/output expected data types for this operation:

Input data

- Values whose unit of data you want to transform. They must be strings representing numbers.

Output data

- Resulting values after transforming them to the selected unit of data.

Parameters

These are the parameters you need to configure to use this operation (mandatory parameters are marked with a *):

Input units*

Enter the unit of your input data. You must indicate one of the following:

Bits (b)
Nibbles
Octets
Bytes (B)

Binary bits (2^n)

Kibibits (Kib)
Mebibits (Mib)
Gibibits (Gib)
Tebibits (Tib)
Pebibits (Pib)
Exbibits (Eib)
Zebibits (Zib)
Yobibits (Yib)

Decimal bits (10^n)

Decabits
Hectobits
Kilobits (Kb)
Megabits (Mb)
Gigabits (Gb)
Terabits (Tb)
Petabits (Pb)
Exabits (Eb)
Zettabits (Zb)
Yottabits (Yb)

Binary bytes (8 x 2^n)

Kibibytes (KiB)
Mebibytes (MiB)
Gibibytes (GiB)
Tebibytes (TiB)
Pebibytes (PiB)
Exbibytes (EiB)
Zebibytes (ZiB)
Yobibytes (YiB)

Decimal bytes (8 x 10^n)

Kilobytes (KB)
Megabytes (MB)
Gigabytes (GB)
Terabytes (TB)
Petabytes (PB)
Exabytes (EB)
Zettabytes (ZB)
Yottabytes (YB)

Output units*

Enter the required unit of your output data. You must indicate one of the following:

Bits (b)
Nibbles
Octets
Bytes (B)

Binary bits (2^n)

Kibibits (Kib)
Mebibits (Mib)
Gibibits (Gib)
Tebibits (Tib)
Pebibits (Pib)
Exbibits (Eib)
Zebibits (Zib)
Yobibits (Yib)

Decimal bits (10^n)

Decabits
Hectobits
Kilobits (Kb)
Megabits (Mb)
Gigabits (Gb)
Terabits (Tb)
Petabits (Pb)
Exabits (Eb)
Zettabits (Zb)
Yottabits (Yb)

Binary bytes (8 x 2^n)

Kibibytes (KiB)
Mebibytes (MiB)
Gibibytes (GiB)
Tebibytes (TiB)
Pebibytes (PiB)
Exbibytes (EiB)
Zebibytes (ZiB)
Yobibytes (YiB)

Decimal bytes (8 x 10^n)

Kilobytes (KB)
Megabytes (MB)
Gigabytes (GB)
Terabytes (TB)
Petabytes (PB)
Exabytes (EB)
Zettabytes (ZB)
Yottabytes (YB)

Example

Suppose you want to convert a series of events from megabits into kilobytes:

In your Pipeline, open the required Action configuration and select the input Field.
In the Operation field, choose Convert data units.
Set Input units to Megabits (Mb).
Set Output units to Kilobytes (KB).
Give your Output field a name and click Save. The data type of the values in your input field will be transformed. For example:

2 Megabits (Mb) -> 250 Kilobytes (KB)

You can try out operations with specific values using the Input field above the operation. You can enter the value in the example above and check the result in the Output field.

Conditional

Most recent version: v1.1.0

See the changelog of this Action type here.

Overview

The Conditional Action evaluates a list of conditions for an event. If an event meets a given condition, it will be sent through an output port specific to that condition. The event will be sent through the default output if it does not meet any conditions.

Set any number of conditions on your data for filtering and alerting.

In order to configure this Action, you must first link it to a Listener or other Action. Go to Building a Pipeline to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in this article.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.
Condition port - Each condition you add will have its own port. There is currently a limit of 8 conditions per Action, however, if you link another Conditional to the Default port, you can use the events to continue creating more conditions.

Configuration

Find Conditional in the Actions tab (under the Filtering group) and drag it onto the canvas. Link it to the required Listener and Data sink.

To open the configuration, click the Action in the canvas and select Configuration.

Choose how to start adding conditions using the View mode buttons. Select your conditions using the buttons available in the Visual view (default mode), or write them in Code mode.

Now, start adding your conditions. Each of the conditions you define will create a new output port in the Action. Give a name to the Port.

Choose the Field with the input data you want to use in the condition. This allows you to choose not only the field to filter by, but also the specific Action to take it from, if there are multiple options.

Choose a Condition for the filter. The options you see here will differ depending on the data type of the field you have selected:

Condition

Data types

Description

Contains

This condition checks if your input data strings contain certain keywords (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} contains ${field2}
${field1} contains "test"

Doesn't contain

This condition checks if your input data strings do not contain certain keywords (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} does not contain ${field2}

${field1} does not contain "test"

Equal / Equal to

This condition checks if your input data values are the same as other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} == ${field2}

${field1} == "test"
${field1} == 5

Not equal / Not equal to

This condition checks if your input data values are not the same as other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} != ${field2}

${field1} != "test"
${field1} != 5

Is null

This condition checks if your input data values are null.

In code mode, this condition is represented like this:

${field1} is null

Is not null

This condition checks if your input data values are not null.

In code mode, this condition is represented like this:

${field1} is not null

Matches

This condition checks if your input data strings match a given RegEx.

Enter your RegEx in the Regular expression field that appears, or type it directly in the code mode. Click the flag icon in the editor to add additional conditions (you can combine as many as required):

multiline - This flag affects the behavior of ^ and $. In multiline mode, matches occur not only at the beginning and the end of the string, but also at the start/end of each line. In code mode, add m at the end of your RegEx to include this condition.
insensitive - Add this flag if you want to make the matches case insensitive. In code mode, add i at the end of your RegEx to include this condition.

single - In code mode, add s at the end of your RegEx to include this condition.
ungreedy - Add this flag if you want to apply an ungreedy (lazy) matching, that is to say, you want to get as few characters as needed to complete the pattern in a single match. In code mode, add U at the end of your RegEx to include this condition.

In code mode, this condition is represented like this:

${field1} matches `\d{3}`
${field1} matches `\d{3}`i
${field1} matches `\d{3}`misU

Does not match

This condition checks if your input data strings do not match a given RegEx.

Enter your RegEx in the Regular expression field that appears, or type it directly in the code mode. Click the flag icon in the editor to add additional conditions (check their description in the Matches condition above).

In code mode, this condition is represented like this:

${field1} does not match `\d{3}`
${field1} does not match `\d{3}`m
${field1} does not match `\d{3}`misU

Less than

This condition checks if your input data numbers are less than other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} < ${field2}

${field1} < 5
${field1} < 1.4

Less than or equal to

This condition checks if your input data numbers are less than or equal to other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} <= ${field2}

${field1} <= 5
${field1} <= 1.4

Greater than

This condition checks if your input data numbers are greater than other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} > ${field2}

${field1} > 5
${field1} > 1.4

Greater than or equal to

This condition checks if your input data numbers are greater than or equal to other values (either matching the data with another field or entering a specific literal).

In code mode, this condition is represented like this:

${field1} >= ${field2}

${field1} >= 5
${field1} >= 1.4

Now you can add AND/OR clauses to your condition, or add a new condition entirely using the Add Condition option. You can add a maximum of 8 conditions/ports.

In code mode, AND/OR clauses are represented like this:

${field1} contains "test" and ${field2} == 10
${field1} contains "test" or ${field2} contains "test"

Only one level of grouping allowed in conditions When defining conditions through the user interface, only one level of grouping using parentheses is allowed. This means you can use and, or, and parentheses to group expressions, but you cannot nest groups within other groups.

Allowed: (${A} != null and ${A} != "" and (${A} == "x" or ${A} == "y"))

Not allowed: (((${A} == "x" or ${A} == "y") and ${A} != null) or (${B} == "internet")) In code mode: If you're configuring conditions directly in code mode, you can use multiple levels of grouping without restrictions.

Click Save to complete.

Example

Let's say you have data on error and threat detection methods in storage devices and you wish to detect threats and errors using the Cyclic Redundancy Check methods crc8, crc16 and crc24.

Conditional

Add a Conditional to the canvas and link it to the Listener or Action, providing your data.

Condition 1

Field: crc
Condition: equals
Field: crc8

Any events meeting this condition will exit via this port. Each condition has its own port.

Condition 2

Field: crc
Condition: equals
Field: crc16

Condition 3

Field: crc
Condition: equals
Field: crc24

Output

Now you have a Conditional action with three output ports, crc8, crc16 and crc24, as well as the default and error ports.

Conditional 2

Add another conditional to the canvas and enter the following:

Field: msg
Condition: contains
Field: threat

Now when the message contains "threat", an event will be generated and sent via the threat port.

HTTP Pull

Most recent version: v0.0.1

See the changelog of this Listener type here.

Note that this Listener is only available in certain Tenants. Get in touch with us if you don't see it and want to access it.

Overview

Onum supports integration with HTTP Pull. Select HTTP Pull from the list of Listener types and click Configuration to start.

Configuration

Now you need to specify how and where to collect the data and how to establish an HTTP connection.

Metadata

Enter the basic information for the new Listener.

Parameter

Description

Name*

Enter a name for the new Listener.

Description

Optionally, enter a description for the Listener.

Tags

Add tags to easily identify your Listener. Hit the Enter key after you define each tag.

Configuration

Cloud Listeners

Note that you won't see the Socket and TLS configuration sections in the creation form if you're defining this Listener in a Cloud instance, as these are already provided by Onum. Learn more about Cloud Listeners in this article.

Parameters

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${parameters.name} e.g. ${parameters.domain}.

Value

Enter the value or variable to fill in when the given parameter name has been found, e.g. “domain.com”. With the name set as “domain” and the value set as “domain.com” , the expression to execute on the YAML would be: ${parameters.domain}., which will be automatically replaced by the variable. Add as many name and value pairs as required.

Secrets

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${secrets.name}.

Value

Select the containing the connection credentials if you have added them previously, or select New Secret to add it. This will add this value as the variable when the field name is found in the YAML. Add as many as required.

Config as YAML

Toggle ON to configure the HTTP as a YAML and paste it here.

The system supports interpolated variables throughout the HTTP request building process using the syntax:

${prefix.name} Each building block may:

Use variables depending on its role (e.g., parameters, secrets, pagination state).
Expose variables for later phases (e.g., pagination counters, temporal window bounds).

Not all variable types are available in every phase. Each block has access to a specific subset of variables.

Variables can be defined in the configuration or generated dynamically during execution. Each variable has a prefix that determines its source and scope.

Supported Prefixes:

Parameters

Secrets

temporalWindow

Pagination

Inputs

User-defined values configured manually.

Available in all phases.

Sensitive values such as credentials or tokens.

Available in all phases

Automatically generated from the Temporal Window block.

Available in Enumeration and Collection phases.

Values produced by the pagination mechanism (e.g., offset, cursor).

Available in Enumeration and Collection phases.

Values derived from the output of the Enumeration phase.

Available only in the Collection phase.

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Parameter

Description

Duration*

Add the duration in milliseconds that the window will remain open for.

Offset*

How far behind the current time the window should end (e.g., 5m behind "now").

Time Zone*

This value is usually automatically set to your current time zone. If not, select it here.

Format*

Choose between Epoch or RCF3339 for the timestamp format.

Authentication

If your connection requires authentication, enter the credentials here.

Parameter

Description

Authentication Type*

Choose the authentication type and enter the details.

Authentication credentials

The options provided will vary depending on the type chosen to authenticate your API. This is the type you have selected in the API end, so it can recognize the request.

Choose between the options below.

Basic

Username* - the user sending the request.
Password* - the password eg: ${secrets.password}

API Key

Enter the following:

API Key - API keys are usually stored in developer portals, cloud dashboards, or authentication settings. Set the a secret, eg: ${secrets.api_key}

Auth injection:
- In* - Enter the incoming format of the API: Header or Query.
- Name* - A label assigned to the API key for identification. You can find it depending on where the API key was created.
- Prefix - Enter a connection prefix if required.
- Suffix - Enter a connection suffix if required.

Token

Token Retrieve Based Authentication

Request -
- Method* - Choose between GET or POST
- URL*- Enter the URL to send the request to.
Headers - Add as many headers as required.
- Name
- Value
Query Params - Add as many query parameters as required.
- Name
- Value
Token Path* - Enter your Token Path for used to retrieve an authentication token.

Auth injection:
- In* - Enter the incoming format of the API: Header or Query.
- Name* - A label assigned to the API key for identification. You can find it depending on where the API key was created.
- Prefix - Enter a connection prefix if required.
- Suffix - Enter a connection suffix if required.

Enumeration Phase

Identify the available endpoints, methods, parameters, and resources exposed by the API. This performs initial data discovery to feed the collection phase and makes the results available to the Collection Phase via variable interpolation (inputs.*).

Can use:

${parameters.xxx}
${secrets.xxx}
${temporalWindow.xxx} (if configured)
${pagination.xxx*} Pagination variables

Parameter

Description

Pagination Type*

Select one from the drop-down. Pagination type is the method used to split and deliver large datasets in smaller, manageable parts (pages), and how those pages can be navigated during discovery.

Each pagination method manages its own state and exposes specific variables that can be interpolated in request definitions (e.g., URL, headers, query params, body).

None

Description: No pagination; only a single request is issued.
Exposed Variables: None

PageNumber/PageSize

Description: Pages are indexed using a page number and fixed size.
Configuration:
- pageSize: page size
Exposed Variables:
- ${pagination.pageNumber}
- ${pagination.pageSize}

Offset/Limit

Description: Uses offset and limit to fetch pages of data.
Configuration:
- Limit: max quantity of records per request
Exposed Variables:
- ${pagination.offset}
- ${pagination.limit}

From/To

Description: Performs pagination by increasing a window using from and to values.
Configuration: limit: max quantity of records per request
Exposed Variables:
- ${pagination.from}
- ${pagination.to}

Web Linking (RFC 5988)

Description: Parses the Link header to find the rel="next" URL.
Exposed Variables: None

Next Link at Response Header

Description: Follows a link found in a response header.
Configuration:
- headerName: header name that contains the next link
Exposed Variables: None

Next Link at Response Body

Description: Follows a link found in the response body.
Configuration:
- nextLinkSelector: path to next link sent in response payload
Exposed Variables: None

Cursor

Description: Extracts a cursor value from each response to request the next page.
Configuration:
- cursorSelector: path to the cursor sent in response payload
Exposed Variables:
- ${pagination.cursor}

Output

Parameter

Description

Select*

If your connection does not require authentication, leave as None. Otherwise, choose the authentication type and enter the details. A JSON selector expression to pick a part of the response e.g. '.data'.

Filter

A JSON expression to filter the selected elements. Example: '.films | index("Tangled")'.

Map

A JSON expression to transform each selected element into a new event. Example: '{characterName: .name}'.

Output Mode*

Choose between

Element: emits each transformed element individually as an event.
Collection: emits all transformed items as a single array/collection as an event.

Collection Phase*

The collection phase is mandatory. This is where the final data retrieval happens (either directly or using IDs/resources generated by an enumeration phase).

The collection phase involves gathering actual data from an API after the enumeration phase has mapped out endpoints, parameters, and authentication methods. It supports dynamic variable resolution via the variable resolver and can use data exported from the Enumeration Phase, such as:

${parameters.xxx}
${secrets.xxx}
${temporalWindow.xxx}
${inputs.xxx} (from Enumeration Phase)
${pagination.xxx}*

Inputs

In collection phases, you can define variables to be used elsewhere in the configuration (for example, in URLs, query parameters, or request bodies). Each variable definition has the following fields:

Parameter

Description

Name

The variable name (used later as ${inputs.name} in the configuration).

Source

Usually "input", indicating the value comes from the enumeration phase’s output.

Expression

A JSON expression applied to the input to extract or transform the needed value.

Format

Controls how the variable is converted to a string (see Variable Formatting below). Eg: json.

Parameter

Description

Pagination Type*

Choose how the API organizes and delivers large sets of data across multiple pages—and how that affects the process of systematically collecting or extracting all available records.

Output

Parameter

Description

Select*

Filter

A JSON expression to filter the selected elements. Example: '.films | index("Tangled")'.

Map

A JSON expression to transform each selected element into a new event. Example: '{characterName: .name}'.

Output Mode*

Choose between

Element: emits each transformed element individually as an event.
Collection: emits all transformed items as a single array/collection as an event.

Click Create labels to move on to the next step and define the required Labels if needed.

Ports

The HTTP Pull sink has two output ports:

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

The error message is provided in a free-text format and may change over time. Please consider this if performing any post-processing based on the message content.

Integrations

HTTP Puller integrations are parametrized and organized by vendor, categorized by product/API.

Inside each endpoint, you will find a yaml configuration. This configuration is used in the Onum HTTP Puller action in order to start feeding that information into the platform. Check the articles under this section to learn more.

Field Transformation Operations

A comprehensive list of the operations available in the Field Tranformation Action.

Operation

Description

Example

Converts a size in bytes to a human-readable string.

Input data - 134367
Output data - 131.22 KiB

Converts values from one unit of measurement to another.

Input data - 5000
Input units - Square foot (sq ft)
Output units - Square metre (sq m)
Output data - 464.515215

Converts a unit of data to another format.

Input data - 2
Input units - Megabits (Mb)
Output units - Kilobytes (KB)
Output data - 250

Converts values from one unit of length to another.

Input data - 100
Input units - Metres (m)
Output units - Yards (yd)
Output data - 109.3613298

Converts values from one unit of mass to another.

Input data - 100
Input units - Kilogram (kg)
Output units - Pound (lb)
Output data - 220.4622622

Converts values from one unit of speed to another.

Input data - 200
Input units - Kilometres per hour (km/h)
Output units - Miles per hour (mph)
Output data - 124.2841804

Counts the amount of times a given string occurs in your input data.

Input data - This is a sample test
Search - test
Search Type - simple
Output data - 1

Calculates an 8-bit Cyclic Redundancy Check (CRC) value for a given input.

Input data - hello 1234
Output data - C7

Calculates an 16-bit Cyclic Redundancy Check (CRC) value for a given input.

Input data - hello 1234
Output data - 57D4

Calculates an 24-bit Cyclic Redundancy Check (CRC) value for a given input.

Input data - hello 1234
Output data - 3B6473

Calculates an 32-bit Cyclic Redundancy Check (CRC) value for a given input.

Input data - hello 1234
Output data - 7ED8D648

Obfuscates all digits of a credit card number except for the last 4 digits.

Input data - 1111222233334444
Output data - ************4444

Converts a CSV file to JSON format.

Input data -

First name,Last name,Age,City John,Wick,20,New-York Tony,Stark,30,Madrid

Cell delimiter - ,
Format - Array of dictionaries
Output data -

[ { "First name": "John", "Last name": "Wick", "Age": "20", "City": "New-York" }, { "First name": "Tony", "Last name": "Stark", "Age": "30", "City": "Madrid" } ]

Defangs an IP address to prevent it from being recognized.

Input data - 192.168.1.1
Output data - 192[.]168[.]1[.]1

Defangs a URL to prevent it from being recognized as a clickable link.

Input data - https://example.com
Escape Dots - true
Escape HTTP - true
Escape ://* - false
Process Type - Everything
Output data - hxxps://example[.]com

Divides a list of numbers provided in the input string, separated by a specific delimiter.

Input data - 26:2:4
Delimiter - Colon
Output data - 3.25

Escapes specific characters in a string.

Input data - She said, "Hello, world!"
Escape Level - Special chars
Escape Quote - Double
JSON compatible -false
Output data - She said, \"Hello, world!\"

Extracts all the IPv4 and IPv6 addresses from a block of text or data.

Input data -

User logged in from 192.168.1.1. Another login detected from 10.0.0.5.

Output data -

192.168.1.1,10.0.0.5

Makes defanged IP addresses valid.

Input data - 192[.]168[.]1[.]1
Output data - 192.168.1.1

Makes defanged URLs valid.

Input data - hxxps://example[.]com
Escape Dots - true
Escape HTTP - true
Escape ://* - false
Process Type - Everything
Output data - https://example.com

Splits the input string using a specified delimiter and filters.

Input data -

Error: File not found Warning: Low memory Info: Operation completed Error: Disk full

Delimiter - Line feed
Regex - ^Error
Invert - false
Output data -

Error: File not found Error: Disk full

Finds values in a string and replace them with others.

Input data - The server encountered an error while processing your request.
Substring to find - error
Replacement - issue
Global Match - true
Case Insensitive - true
Multiline - false
Dot Matches All - false
Output data - The server encountered an issue while processing your request.

This operation transforms a float into a string using a Go format string.

Input data - 5.218

Radix (Base) - %.1f

Output data - 5.2

Converts a number from a specified base (or radix) into its decimal form.

Input data - 100

Radix (Base) - 2

Output data - 4

Decodes data from a Base32 string back into its raw format.

Input data - NBSWY3DP,!

Alphabet - RFC4648 (Standard)
Remove non-original chars - true

Output data - hello

Decodes data from a Base64 string back into its raw format.

Input data - SGVsbG8sIE9udW0h
Strict Mode - true
Output data - Hello, Onum!

Decodes a binary string into plain text.

Input data - 01001000 01101001

Delimiter - Space

Byte Length - 8
Output data - Hi

Converta hexadecimal-encoded data back into its original form.

Input data - 48 65 6c 6c 6f 20 57 6f 72 6c 64
Delimiter - Space
Output data - Hello World

Converts a timestamp into a human-readable date string.

Input data - 978346800
Time Unit - Seconds
Timezone Output - UTC
Format Output - Mon 2 January 2006 15:04:05 UTC
Output data - Mon 1 January 2001 11:00:00 UTC

Extracts a specific element from a list of boolean values.

Input data - true, false, true, false

Index - 1

Output data - false

Extracts a specific element from a list of float values.

Input data - 0.0, -1.0, 2.0

Index - 1

Output data - -0.1

Extracts a specific element from a list of integer values.

Input data - 0, 1, 2, 3

Index - 1

Output data - 1

Extracts a specific element from a list of strings.

Input data - test0, test1, test2

Index - 1

Output data - test1

Extracts a specific element from a list of timestamps.

Input data - 1654021200, 1700000000,1750000000

Index - 1

Output data - 1700000000

Converts an IP address (either IPv4 or IPv6) to its hexadecimal representation.

Input data - 192.168.1.1
Output data - c0a80101

Reduces the size of a JSON file by removing unnecessary characters from it.

Input data -

{ "name": "John Doe", "age": 30, "isActive": true, "address": { "city": "New York", "zip": "10001" } }

Output data -

{"name":"John Doe","age":30,"isActive":true,"address":{"city":"New York","zip":"10001"}}

Converts a JSON file to CSV format.

Input data -

[ { "First name": "John", "Last name": "Wick", "Age": "20", "City": "New-York" }, { "First name": "Tony", "Last name": "Stark", "Age": "30", "City": "Madrid" } ]

Cell delimiter - ,
Row delimiter - /n
Output data -

First name,Last name,Age,City John,Wick,20,New-York Tony,Stark,30,Madrid

Decodes the payload in a JSON Web Token string.

Input data - eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output data - {"sub":"1234567890","name":"John Doe","iat":1516239022}

Generates a Keccak cryptographic hash function from a given input.

Input data - Hello World!
Size - 256
Output data -3ea2f1d0abf3fc66cf29eebb70cbd4e7fe762ef8a09bcc06c8edf641230afec0

Returns the number of Unicode characters in your input strings.

Input data - hello world!

Output data - 12

Converts a list of comma-separated values into a string of values divided by a specific separator.

Input data - hello,my,world
Separator - /
Output data - hello/my/world

Produces a MD2 hash string from a given input.

Input data - Hello World!
Output data - 315f7c67223f01fb7cab4b95100e872e

Produces a MD4 hash string from a given input.

Input data - Hello World!
Output data -b2a5cc34fc21a764ae2fad94d56fadf6

Produces a MD5 hash string from a given input.

Input data - Hello World!
Output data -ed076287532e86365e841e92bfc50d8c

Calculates the median of given values, separated by a specific delimiter.

Input data - 10, 5, 20, 15, 25
Delimiter - ,
Output data - 15

Calculates the result of the multiplication of given values, separated by a specific delimiter.

Input data - 2, 3, 5
Delimiter - ,
Output data - 30

Pads each input line with a specified number of characters.

Input data - Apple Banana Cherry
Pad position - Start
Pad line - 7
Character - >>>
Output data -

>>> >>>Apple >>> >>>Banana >>> >>>Cherry

Parses a string and returns an integer of the specified base.

Input data - 100
Base - 2
Output data -4

Takes Unix file permission strings and converts them to code format or vice versa.

Input data - -rwxr-xr--
Output data -

Textual representation: -rwxr-xr-- Octal representation: 0754 +---------+-------+-------+-------+ | | User | Group | Other | +---------+-------+-------+-------+ | Read | X | X | X | +---------+-------+-------+-------+ | Write | X | | | +---------+-------+-------+-------+ | Execute | X | X | | +---------+-------+-------+-------+

Analyzes a URI into its individual components.

Input data -

https://user:[email protected]:8080/path/to/resource?key=value#fragment

Output data -

Scheme: https Host: example.com:8080 Path: /path/to/resource Arguments: map[key:[value]] User: user Password: pass

Converts events in Protobuf (Protocol Buffers) format into JSON.

Input data

Proto file
Message type

Output data

Extracts or manipulates parts of your input strings that match a specific regular expression pattern.

Input data - 100
Base - 2
Output data -4

Removes whitespace and other characters characters from a string.

Input data -

Hello World!

This is a test.

Spaces - true
Carriage returns - false
Line feeds - true
Tabs - false
Form feeds - false
Full stops - true
Output data -

HelloWorld!Thisisatest

Reverses the order of the characters in a string.

Input data - Hello World!
Reverse mode - Character
Output data - !dlroW olleH

Returns the SHA0 hash of a given string.

Input data - Hello World!
Output data - 1261178ff9a732aacfece0d8b8bd113255a57960

Returns the SHA1 hash of a given string.

Input data - Hello World!
Output data - 2ef7bde608ce5404e97d5f042f95f89f1c232871

Returns the SHA2 hash of a given string.

Input data - Hello World!
Size - 512
Output data - f4d54d32e3523357ff023903eaba2721e8c8cfc7702663782cb3e52faf2c56c002cc3096b5f2b6df870be665d0040e9963590eb02d03d166e52999cd1c430db1

Returns the SHA3 hash of a given string.

Input data - Hello World!
Size - 512
Output data - 32400b5e89822de254e8d5d94252c52bdcb27a3562ca593e980364d9848b8041b98eabe16c1a6797484941d2376864a1b0e248b0f7af8b1555a778c336a5bf48

Returns the SHAKE hash of a given string.

Input data - Hello World!
Capacity - 256
Size - 512
Output data - 35259d2903a1303d3115c669e2008510fc79acb50679b727ccb567cc3f786de3553052e47d4dd715cc705ce212a92908f4df9e653fa3653e8a7855724d366137

Shuffles the characters of a given string.

Input data - Hello, World!
Delimiter - Comma
Output data - eollH,ro!ld W

Returns the SM3 cryptographic hash function of a given string.

Input data - Hello World!
Length - 64
Output data - 0ac0a9fef0d212aa

Sorts a list of strings separated by a specified delimiter according to the provided sorting order.

Input data - banana,apple,orange,grape
Delimiter - Comma
Order - Alphabetical (case sensitive)
Reverse - false
Output data - apple,banana,grape,orange

Converts a string composed of values separated by a specific separator into a list of comma-separated values.

Input data - hello/my/world
Separator - /
Output data - hello,my,world

Extracts characters from a given string.

Input data - +34678987678
Start Index - 3
Length - 9
Output data - 678987678

Calculates the result of the subtraction of given values, separated by a specific delimiter.

Input data - 10, 5, 2
Delimiter - Comma
Output data - 3

Calculates the sum of given values, separated by a specific delimiter.

Input data - 10, 5, 2
Delimiter - Comma
Output data - 17

Swaps the case of a given string.

Input data - Hello World!
Output data - hELLO wORLD!

Converts a number into its representation in a specified numeric base (or radix).

Input data - 100

Radix (Base) - 2

Output data - 1100100

Encodes raw data into a Base32 string.

Input data - hello

Standard - standard

Output data - NBSWY3DP

Encodes raw data into an ASCII Base64 string.

Input data - Hello, Onum!
Output data - SGVsbG8sIE9udW0h

Converts a text string into its binary representation.

Input data - Hello

Delimiter - Comma

Byte Length - 8
Output data - 01001000,01100101,01101100,01101100,01101111

Converts a text string into its ordinal integer decimal representation.

Input data - Hello

Delimiter - Comma

Support signed values - false
Output data - 72,101,108,108,111

Converts a string to its corresponding hexadecimal code.

Output data - Hello World!
Delimiter - Space
Bytes per line - 0
Input data - 48 65 6c 6c 6f 20 57 6f 72 6c 64

Converts the characters of a string to lower case.

Input data - Hello World!
Output data - hello world!

Transforms a string representing a date into a timestamp.

Input data - 2006-01-02
Format - DateOnly
Output data - 2006-01-02T00:00:00Z

Parses a datetime string in UTC and returns the corresponding Unix timestamp.

Input data - 2006-01-02 15:04:05
Unit - Seconds
Output data - 1136214245

Converts the characters of a string to upper case.

Input data - Hello World!
Output data - HELLO WORLD!

Converts a date and time from one format to another.

Input data - 05-20-2023 10:10:45
Input Format - 01-02-2006 15:04:05
Input Timezone - UTC+1
Output Format - Mon, 2 Jan 2006 15:04:05 +0000
Output Timezone - UTC+1
Output data - Sat, 20 May 2023 10:10:45 +0000

Removes escape characters from a given string.

Input data - She said, \"Hello, world!\"
Output data - She said, "Hello, world!"

Decodes a URL and returns its corresponding URL-decoded string.

Input data - https%3A%2F%2Fexample.com%2Fsearch%3Fq%3DHello+World%21
Output data - https://example.com/search?q=Hello World!

Encodes a URL-decoded string back to its original URL format,

Input data - https://example.com/search?q=Hello World!
Output data - https://example.com/search?q=Hello%20World!

v1.692.0

Welcome

Quick Links

Most popular

Getting Started

About Onum

Overview

@ the Edge

Start with the basics

Architecture

How it works

Deployment types

Delivery methods

Deployment

Overview

Cloud Deployment

On-Premises Deployment

Hardware requirements

Access

Getting Started with Onum

Accessing Onum

Logging in

Navigating the Interface

Create Your First Listener

Create Your First Data Sink

Build Your First Pipeline

Use cases

Understanding The Essentials

The Time Range Selector

Overview

Predefined and Custom time ranges

Comparisons

Key Terminology

Action

API

Cluster

Data sink

Data source

Distributor

Event

Label

Listener

Lookup

Multitenancy

Pipeline

Role

Tag

Tenant

Worker

THE WORKSPACE

Home

Overview

Metrics

Sankey Diagram

Show Metrics

View Details

Hide/Show Columns

Add New Elements

Listeners

Overview

Narrow Down Your Data

Add Filters

Select a Time Range

Select Tags

Create a Listener

Configure a Listener

01. Type

02. Configuration

03. Labels

Cloud Listeners

Overview

Important Considerations

Listener Integrations

Google Cloud

Microsoft

Labels

Overview

What Are Labels Used For?

Creating Your First Label

Create a new label