# SynopsisCopy
parameters:
[-h | -? | --help] prints the help text
[-c | --continuous] marks a query as continuous
[-u | --unified] marks a query as unified
[-n | --max-events=] <uint64> maximum number of results
[-r | --read=] <string> path for reading the query
subcommands:
zeek exports query results in Zeek format
csv exports query results in CSV format
ascii exports query results in ASCII format
json exports query results in JSON format
null exports query without printing them (debug option)
arrow exports query results in Arrow format
pcap exports query results in PCAP format
# DocumentationThe export command retrieves a subset of data according to a given query
expression. The export format must be explicitly specified:
Copy vast export [options] <format> [options] <expr>
The export command is the dual to the import command.
# export pcap# SynopsisCopy
exports query results in PCAP format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
[-f | --flush-interval=] <uint64> flush to disk after this many packets
# DocumentationThe PCAP export format uses libpcap to write PCAP
events as a trace.
This command only supports events of type pcap.packet. As a result, VAST
transforms a provided query expression E into #type == "pcap.packet" && E.
# export arrow# SynopsisCopy
exports query results in Arrow format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe Arrow export format renders events in Apache
Arrow , a development platform for in-memory data
with bindings for many different programming languages.
For example, the below Python program reads Arrow-formatted data from stdin and
prints it back in a readable format batch by batch.
Copy
import sys
import pyarrow
istream = pyarrow . input_stream ( sys . stdin . buffer )
batch_count = 0
row_count = 0
try :
while True :
print ( "open next reader" )
reader = pyarrow . ipc . RecordBatchStreamReader ( istream )
try :
while True :
batch = reader . read_next_batch ( )
batch_count += 1
row_count += batch . num_rows
print ( str ( batch . schema ) )
except StopIteration :
print ( "done with current reader, rows: " + str ( row_count ) )
batch_count = 0
row_count = 0
except :
print ( "done with all readers" )
# export null# SynopsisCopy
exports query without printing them (debug option)
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe null export format does not render its results, and is used for debugging
and benchmarking only.
# export json# SynopsisCopy
exports query results in JSON format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe JSON export format renders events in newline-delimited JSON (aka.
JSONL ).
# export ascii# SynopsisCopy
exports query results in ASCII format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe ASCII export format renders events according to VAST's data grammar. It
merely dumps the data, without type information, and is therefore useful when
digging for specific values.
# export csv# SynopsisCopy
exports query results in CSV format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe CSV export format renders events as comma-separated values.
# export zeek# SynopsisCopy
exports query results in Zeek format
parameters:
[-h | -? | --help] prints the help text
[-w | --write=] <string> path to write events to
[-d | --uds] treat -w as UNIX domain socket to connect to
# DocumentationThe Zeek export format writes events in Zeek's
tab-separated value (TSV) style.