from
Produces events by combining a connector and a format.
Synopsis
from <url> [read <format>]
from <path> [read <format>]
from <connector> [read <format>]
Description
The from operator produces events at the beginning of a pipeline by bringing
together a connector and a format.
If given something that looks like a path to a file, the connector can pick
out a format automatically based on the file extension or the file name.
This enables a shorter syntax, e.g., from https://example.com/file.yml uses
the yaml format. All connectors also have a default format, which will be
used if the format can't be determined by the path. For most connectors,
this default format is json. So, for example, from stdin uses the json format.
Additionally, if a file extension indicating compression can be found,
decompress is automatically used. For example, from myfile.json.gz is
automatically gzip-decompressed and parsed as json, i.e.,
load myfile.json.gz | decompress gzip | read json.
The from operator is a pipeline under the hood. For most cases, it is equal to
load <connector> | read <format>. However, for some combinations of
connectors and formats the underlying pipeline is a lot more complex. We
recommend always using from ... read ... over the load and read operators.
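The resolution rules described above, written out as a small Python model so the implicit connector, decompression and format choices can be checked before a shorthand is used. This is an added example, not Tenzir's code: the function name expand and its lookup tables are hypothetical and contain only the cases this page names.

```python
# Added illustration: a model of the rules this page states, not Tenzir's
# implementation. The tables hold only the cases named on the page.
import re

COMPRESSION = {".gz": "gzip"}                # from the myfile.json.gz example
FORMATS = {".yml": "yaml", ".json": "json"}  # from the file.yml / data.json examples
FILE_NAMES = {"eve.json": "suricata"}        # file-connector rule for eve.json
DEFAULT_FORMAT = "json"                      # default "for most connectors"


def expand(argument, fmt=None):
    """Return a long-form pipeline for `from <argument> [read <fmt>]`."""
    # Connector choice: URL -> https, "-" or "stdin" -> stdin, otherwise file.
    url = re.match(r"^https://(.+)$", argument)
    if url:
        connector, target = "https", url.group(1)
    elif argument in ("-", "stdin"):
        connector, target = "stdin", ""
    else:
        connector, target = "file", argument

    name = target.rsplit("/", 1)[-1]
    stages = [f"load {connector} {target}".rstrip()]

    # A compression extension adds a decompress stage. Assumption: the format
    # is then inferred from the name without that suffix, as in the
    # myfile.json.gz example.
    for ext, codec in COMPRESSION.items():
        if name.endswith(ext):
            stages.append(f"decompress {codec}")
            name = name[: -len(ext)]

    # An explicit `read <format>` always wins over inference.
    if fmt is None and connector == "file":
        fmt = FILE_NAMES.get(name)           # whole file name first
    if fmt is None:
        dot = name.rfind(".")
        ext = name[dot:] if dot != -1 else ""
        fmt = FORMATS.get(ext, DEFAULT_FORMAT)  # extension, else the default
    stages.append(f"read {fmt}")
    return " | ".join(stages)
```

Calling expand("data.bin") returns a pipeline ending in read json, which shows the silent fallback to the default format when the extension is not recognized.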
<connector>
The connector used to load bytes.
Some connectors have connector-specific options. Please refer to the documentation of the individual connectors for more information.
<format>
The format used to parse events from the loaded bytes.
Some formats have format-specific options. Please refer to the documentation of the individual formats for more information.
Examples
Read bytes from stdin and parse them as JSON.
from stdin read json
from file stdin read json
from file - read json
from - read json
Read bytes from the file path/to/eve.json and parse them as Suricata.
Note that the file connector automatically assigns the Suricata parser for
eve.json files when no other parser is specified.
Also, when directly passed a filesystem path, the file connector is
automatically used.
from path/to/eve.json
from file path/to/eve.json
from file path/to/eve.json read suricata
Read bytes from the URL https://example.com/data.json over HTTPS and parse
them as JSON.
Note that when from is passed a URL directly, the https connector is
automatically used.
from https://example.com/data.json read json
from https example.com/data.json read json