stream

Receives stream query output in real time for a specified duration from the query start time. Returns empty results if there is no stream output during query execution. This command requires administrator permission.

Command properties

Item	Description
Command type	Driver query or Transforming
Required permission	Administrator
License usage	N/A
Parallel execution	Supported
Distributed execution	Not supported

Syntax

To receive stream output in real time:

stream window=INT{s|m|h|d|mon} STREAM_NAME [, STREAM_NAME ...]

To forward input records to a stream:

stream forward=t STREAM_NAME [, STREAM_NAME ...]

Options

window=INT{s|m|h|d|mon}: Duration to receive stream output from the query start time. Use s (second), m (minute), h (hour), d (day), or mon (month) units. The window option and forward option cannot be used together.
forward=t: Transforming query mode that forwards input records to the specified stream. When set to true, the command acts as a transforming query instead of a driver query, forwarding the previous command's output to the stream.

Target

STREAM_NAME [, STREAM_NAME ...]: Stream name. Specify multiple streams separated by commas (,). Use wildcards (*) to specify multiple streams by name pattern.

Output fields

Field	Type	Description
`_stream`	string	Stream name

Error codes

Parse errors

Error code	Message	Description
-	no-read-permission	The user does not have administrator permission.
-	missing-window-option	Neither the `window` option nor the `forward` option is specified.
11600	stream-not-found	No stream matching the specified name exists.

Runtime errors

N/A

Description

The stream command supports two operating modes.

When the window option is used, it acts as a driver query. It receives stream query output in real time for the specified duration from the query start time. The stream name is output in the _stream field.

When the forward=t option is used, it acts as a transforming query. It forwards output records from the previous command to the specified stream while also passing them to the next command.

You can use wildcards (*) in the stream name to match multiple streams by name pattern. If no streams match the specified name or pattern, an error occurs at parse time.

Examples

Receive stream output for 1 minute
```
stream window=1m my_stream
```
Receives output from the my_stream stream in real time for 1 minute.
Receive multiple streams using a wildcard
```
stream window=30s alert_*
```
Receives output from all streams whose names start with alert_ for 30 seconds.
Forward input records to a stream
```
table duration=1h web_logs
| stream forward=t my_stream
| stats count by src_ip
```
Forwards records retrieved from the web_logs table to the my_stream stream while simultaneously passing them to the next command.