from <connector> [read <format>]
All connectors have a default format. This enables a shorter syntax, e.g., from stdin uses the json format, while from file foo.csv uses the csv format.

The from operator is a pipeline under the hood. For most cases, it is equal to load <connector> | read <format>. However, for some combinations of connectors and formats the underlying pipeline is a lot more complex. We therefore recommend always using from ... read ... instead of writing load <connector> | read <format> by hand.
<connector>
The connector used to load bytes. Some connectors have connector-specific options; please refer to the documentation of the individual connectors for more information.

<format>
The format used to parse events from the loaded bytes. Some formats have format-specific options; please refer to the documentation of the individual formats for more information.
Read bytes from stdin and parse them as JSON. The following four spellings are equivalent, because the file connector treats both stdin and - as standard input:
from stdin read json
from file stdin read json
from file - read json
from - read json
Read bytes from the file path/to/eve.json and parse them as Suricata. Note that the file connector automatically assigns the Suricata parser for eve.json files when no other parser is specified, so the two pipelines below are equivalent:
from file path/to/eve.json
from file path/to/eve.json read suricata
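To make the default-format rule and the load | read expansion concrete, here is a small Python model of how a from expression desugars, written for this page as an added illustration; it is not Tenzir's implementation. It covers only the simple case the text describes (from X read Y becoming load X | read Y) and not the more complex pipelines the text mentions for some connector/format combinations. The defaults it encodes beyond the page's own examples (stdin -> json, foo.csv -> csv, eve.json -> suricata) are assumptions, as is the fallback to json for anything it does not recognise.

```python
"""Model of `from <connector> [read <format>]` desugaring to `load | read`.

Added illustration, not Tenzir's code. Everything beyond the documented
cases (stdin -> json, *.csv -> csv, eve.json -> suricata) is an assumption.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Assumption: connectors fall back to json when nothing better is known.
DEFAULT_FORMAT = {"stdin": "json", "file": "json"}

# The file connector accepts both spellings for standard input (documented
# by the four equivalent stdin examples above).
STDIN_ALIASES = {"-", "stdin"}


def infer_file_format(path: str) -> str:
    """Format the file connector picks for a path when no `read` is given.

    eve.json -> suricata and foo.csv -> csv are documented; the generic
    extension lookup and the json fallback are assumptions.
    """
    name = path.rsplit("/", 1)[-1].lower()
    if name == "eve.json" or name.endswith(".eve.json"):
        return "suricata"
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return {"csv": "csv", "json": "json"}.get(ext, DEFAULT_FORMAT["file"])


@dataclass(frozen=True)
class Desugared:
    connector: str
    connector_args: tuple[str, ...]
    fmt: str
    format_args: tuple[str, ...]

    def pipeline(self) -> str:
        """Render the explicit `load ... | read ...` form."""
        load = " ".join(["load", self.connector, *self.connector_args])
        read = " ".join(["read", self.fmt, *self.format_args])
        return f"{load} | {read}"


def desugar_from(expr: str) -> Desugared:
    """Expand a `from ...` expression into its load | read equivalent."""
    tokens = shlex.split(expr)
    if not tokens or tokens[0] != "from":
        raise ValueError(f"not a from expression: {expr!r}")
    tokens = tokens[1:]
    if not tokens:
        raise ValueError("from requires a connector")

    # Everything before `read` belongs to the connector, everything after
    # it to the format (both may carry their own options).
    if "read" in tokens:
        i = tokens.index("read")
        conn_part, fmt_part = tokens[:i], tokens[i + 1:]
        if not fmt_part:
            raise ValueError("read requires a format")
    else:
        conn_part, fmt_part = tokens, []

    connector, *conn_args = conn_part
    # `from -`, `from file -` and `from file stdin` all mean standard input.
    if connector in STDIN_ALIASES or (
        connector == "file" and conn_args and conn_args[0] in STDIN_ALIASES
    ):
        connector, conn_args = "stdin", []
    if connector == "file" and not conn_args:
        raise ValueError("file connector requires a path")

    if fmt_part:
        fmt, *fmt_args = fmt_part
    elif connector == "file":
        fmt, fmt_args = infer_file_format(conn_args[0]), []
    else:
        fmt, fmt_args = DEFAULT_FORMAT.get(connector, "json"), []

    return Desugared(connector, tuple(conn_args), fmt, tuple(fmt_args))


if __name__ == "__main__":
    for e in ("from stdin", "from - read json", "from file path/to/eve.json",
              "from file foo.csv", "from file eve.json read json"):
        print(f"{e:40} => {desugar_from(e).pipeline()}")
```

Running the module prints each from expression next to its expanded form; the last line shows that an explicit read always wins over the inferred default, which is the only way to read an eve.json file as plain JSON.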