Download the release on GitHub.
Features
Section titled “Features”Support `
Section titled “Support `”`-style newlines in VAST
All input parsers now support mixed \n and \r\n line endings.
Deduce types for heterogenous JSONL import
Section titled “Deduce types for heterogenous JSONL import”When importing events of a new or updated type, VAST now only requires the type
to be specified once (e.g., in a schema file). For consecutive imports, the
event type does not need to be specified again. A list of registered types can
now be viewed using vast status under the key node.type-registry.types.
When importing JSON data without knowing the type of the imported events a
priori, VAST now supports automatic event type deduction based on the JSON
object keys in the data. VAST selects a type iff the set of fields match a
known type. The --type / -t option to the import command restricts the
matching to the set of types that share the provided prefix. Omitting -t
attempts to match JSON against all known types. If only a single variant of a
type is matched, the import falls back to the old behavior and fills in nil
for mismatched keys.
By @dominiklohmann in #875.
UX improvements for read_query()
Section titled “UX improvements for read_query()”VAST now prints a message when it is waiting for user input to read a query from a terminal.
Publish Sysmon schema
Section titled “Publish Sysmon schema”VAST now ships with a schema suitable for Sysmon import.
By @dominiklohmann in #886.
PRs 873-877
Section titled “PRs 873-877”Added a new explore command to VAST that can be used to show data records
within a certain time from the results of a query.
Changes
Section titled “Changes”Rename statistics event to metrics
Section titled “Rename statistics event to metrics”The command line flag for disabling the accountant has been renamed to
--disable-metrics to more accurately reflect its intended purpose. The
internal vast.statistics event has been renamed to vast.metrics.
By @dominiklohmann in #870.
UX improvements for read_query()
Section titled “UX improvements for read_query()”Spreading a query over multiple command line arguments in commands like explore/export/pivot/etc. has been deprecated.
Bug Fixes
Section titled “Bug Fixes”Correct check for user schema in zeek reader
Section titled “Correct check for user schema in zeek reader”The parser for Zeek tsv data used to ignore attributes that were defined for the Zeek-specific types in the schema files. It has been modified to respect and prefer the specified attributes for the fields that are present in the input data.
Various config and default setting fixes
Section titled “Various config and default setting fixes”Fixed a bug that caused vast import processes to produce 'default' table
slices, despite having the 'arrow' type as the default.
Fixed a bug where setting the logger.file-verbosity in the config file would
not have an effect.