pivot

Synopsis

extracts related events of a given type
parameters:
  [-h | -? | --help]                  prints the help text
  [-w | --write=] <string>            path to write events to
  [-d | --uds]                        treat -w as UNIX domain socket to connect to
  [-f | --flush-interval=] <uint64>   flush to disk after this many packets

Documentation

The pivot command retrieves data of a related type. It inspects each event in a query result to find an event of the requested type. If the related type exists in the schema, VAST will dynamically create a new query to fetch the contextual data according to the type relationship.

vast pivot [options] <type> <expr>

VAST uses the field community_id to pivot between logs and packets. Pivoting is currently implemented for Suricata, Zeek (with community ID computation enabled), and PCAP.
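As an added illustration (not VAST's own code), the following Python models the two-step pivot described above: it collects the community_id of every event in a query result, builds a follow-up query for the requested type, and runs it against a constructed in-memory store. The VAST-style expression syntax, the flow hash values and the store layout are assumptions made for this example.

```python
"""Toy model of VAST's pivot step: query result -> Community IDs -> related events.
This is an illustration, not VAST's implementation."""

# Constructed sample data (not real traffic). Two Suricata alerts share one flow
# hash; a third alert lacks community_id and therefore cannot be pivoted.
ALERTS = [
    {"event_type": "alert", "community_id": "1:FLOWHASH-A=", "src_ip": "10.0.0.5",
     "dest_ip": "10.0.0.9", "alert": {"signature_id": 2100498}},
    {"event_type": "alert", "community_id": "1:FLOWHASH-A=", "src_ip": "10.0.0.5",
     "dest_ip": "10.0.0.9", "alert": {"signature_id": 2100499}},
    {"event_type": "alert", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
     "alert": {"signature_id": 2100498}},
]

# Stand-in for the archive: every event carries its schema type under "#type".
STORE = [
    {"#type": "zeek.conn", "uid": "CONN-1", "community_id": "1:FLOWHASH-A=", "proto": "tcp"},
    {"#type": "zeek.conn", "uid": "CONN-2", "community_id": "1:FLOWHASH-B=", "proto": "udp"},
    {"#type": "pcap.packet", "community_id": "1:FLOWHASH-A=", "payload": b"\x45\x00"},
    {"#type": "pcap.packet", "community_id": "1:FLOWHASH-C=", "payload": b"\x45\x00"},
]


def flow_hashes(events):
    """Distinct Community IDs found in a query result, in first-seen order.
    Events without the field are skipped: there is nothing to pivot on."""
    seen = {}
    for ev in events:
        cid = ev.get("community_id")
        if cid:
            seen.setdefault(cid, None)
    return list(seen)


def pivot_query(related_type, hashes):
    """Build the follow-up query (VAST-style expression syntax is assumed).
    Returns None when the result carried no Community ID at all."""
    if not hashes:
        return None
    predicate = " || ".join(f'community_id == "{h}"' for h in hashes)
    return f'#type == "{related_type}" && ({predicate})'


def pivot(query_result, related_type, store=STORE):
    """Second step: fetch events of related_type sharing a flow hash."""
    wanted = set(flow_hashes(query_result))
    return [ev for ev in store
            if ev["#type"] == related_type and ev.get("community_id") in wanted]
```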