pivot command retrieves data of a related type. It inspects each
event in a query result to find an event of the requested type. If the related
type exists in the schema, VAST will dynamically create a new query to fetch the
contextual data according to the type relationship.
VAST uses the field
community_id to pivot between logs and packets. Pivoting
is currently implemented for Suricata, Zeek (with community ID
computation enabled), and PCAP.
For Zeek specifically, the
uid field is supported as well.
For example, to get all events of type
pcap.packet that can be pivoted to over
common fields from other events that match the query
dest_ip == 126.96.36.199,
use this command:
pivot command is similar to the
explore command in that they allow for
querying additional context.
export command, the output format can be selected using
--format=<format>. The default export format is
For more information on schema pivoting, head over to docs.tenzir.com.