VAST Rest API ("0.1")

This API can be used to interact with a VAST Node in a RESTful manner.

All API requests must be authenticated with a valid token, which must be supplied in the X-VAST-Token request header. The token can be generated on the command line using the vast rest generate-token command.

Update pipeline state

Update the state of the pipeline. All values that are not explicitly included in the request are left in their old state.

Authorizations:
VastToken
Request Body schema: application/json

Body for the update endpoint

id
required
string

The id of the pipeline to be updated.

state
string
Enum: "starting" "running" "stopping" "stopped"
name
string

Update the human-readable name of the pipeline to this value.

restart_with_node
boolean

Whether the pipeline should be restarted when the VAST Node is restarted.

Responses

Request samples

Content type
application/json
{
  "id": 7,
  "state": "running",
  "name": "zeek-monitoring-pipeline",
  "restart_with_node": true
}

Response samples

Content type
application/json
{ }

Create a new pipeline

Creates a new pipeline.

Authorizations:
VastToken
Request Body schema: application/json

Body for the create endpoint

definition
required
string

The pipeline definition.

autostart
boolean
Default: true
name
string
Default: "[an auto-generated id]"

The human-readable name of the pipeline.

restart_with_node
boolean
Default: false

Whether the pipeline should be restarted when the VAST Node is restarted.

Responses

Request samples

Content type
application/json
{
  "definition": "export | where foo | publish /bar",
  "autostart": true,
  "name": "zeek-monitoring-pipeline",
  "restart_with_node": false
}

Response samples

Content type
application/json
{
  "id": "string"
}

Delete an existing pipeline

Deletes an existing pipeline.

Authorizations:
VastToken
Request Body schema: application/json

Body for the delete endpoint

id
required
string

The id of the pipeline to be deleted.

Responses

Request samples

Content type
application/json
{
  "id": 7
}

Response samples

Content type
application/json
{ }

List all existing pipelines

Lists all existing pipelines.

Authorizations:
VastToken

Responses

Response samples

Content type
application/json
{
  "pipelines": [ ]
}

Return data from a pipeline

Returns events from an existing pipeline. The pipeline definition must include a serve operator.

Authorizations:
VastToken
Request Body schema: application/json

Body for the serve endpoint

serve_id
required
string

The id that was passed to the serve operator.

continuation_token
string

The continuation token that was returned with the last response. For the initial request this is null.

max_events
integer

The maximum number of events returned. If unset, the number is unlimited.

timeout
string
Default: "100.0ms"

The maximum amount of time spent on the request. Hitting the timeout is not an error.

Responses

Request samples

Content type
application/json
{
  "serve_id": "query1",
  "continuation_token": "340ce2j",
  "max_events": 50,
  "timeout": "100.0ms"
}

Response samples

Content type
application/json
{
  "next_continuation_token": "340ce2j",
  "schemas": [ ],
  "data": [ ]
}
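
A client-side paging loop for the serve request described above, added here as an example and not taken from the VAST project. The serve URL is supplied by the caller; the use of POST, the helper names, the constructed replies and the reading of a null next_continuation_token as the end of the stream are assumptions.

```python
import json
import urllib.request

# Constructed replies keyed by the continuation token the client sends.
CONSTRUCTED_PAGES = {
    None: (["event-1", "event-2"], "t1"),
    "t1": ([], "t2"),            # request hit its timeout: no events, not an error
    "t2": (["event-3"], None),   # assumption: null token marks the end
}


def fake_post(body):
    """Stand-in for a node, answering from CONSTRUCTED_PAGES (offline demo)."""
    data, nxt = CONSTRUCTED_PAGES[body["continuation_token"]]
    return {"next_continuation_token": nxt, "schemas": [], "data": data}


def make_post(serve_url, token):
    """Build a sender for the serve endpoint; serve_url is caller-supplied."""
    def post(body):
        req = urllib.request.Request(
            serve_url,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-VAST-Token": token},
            method="POST",  # assumption: the JSON body is sent with POST
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def drain(post, serve_id, max_events=50, timeout="100.0ms", max_requests=1000):
    """Collect events page by page, always capping max_events per request."""
    token = None  # the initial request carries a null continuation token
    events = []
    for _ in range(max_requests):
        reply = post({"serve_id": serve_id, "continuation_token": token,
                      "max_events": max_events, "timeout": timeout})
        events.extend(reply.get("data", []))  # an empty page is still a valid reply
        token = reply.get("next_continuation_token")
        if token is None:
            return events
    raise RuntimeError("request budget exhausted before the stream ended")


if __name__ == "__main__":
    print(drain(fake_post, "query1"))
```

Read the token passed to make_post from the environment or a secret store rather than embedding it in source.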

Create new query

Create a new export query in VAST.

Authorizations:
VastToken
query Parameters
query
required
string
Example: query=where :ip in 10.42.0.0/16 | head 100

The query used in the form of a pipeline.

ttl
string
Example: ttl=5.0m

The time after which a query is cancelled. Use the /query/:id/next endpoint to refresh the TTL. To refresh the TTL without requesting further events, request zero events.

expand
boolean

Whether to use the expanded output schema.

flatten
boolean
Default: false

Flatten nested elements in the response data.

omit-nulls
boolean
Default: false

Omit null elements in the response data.

numeric-durations
boolean
Default: false

Render durations as numeric values.

Responses

Response samples

Content type
application/json
{
  "id": "c91019bf-21fe-4999-8323-4d28aeb111ab"
}

Get additional query results

Return n additional results from the specified query.

Authorizations:
VastToken
path Parameters
id
required
string
Example: e84308a2-1ba4-4559-9e0f-597dfea4fd3e

The query ID.

query Parameters
n
integer
Example: n=10

The maximum number of returned events.

Responses

Response samples

Content type
application/json
{
  "events": [ ],
  "schemas": [ ]
}

Return current status

Returns the current status of the whole node.

Authorizations:
VastToken
query Parameters
component
string
Example: component=index

If specified, return the status for that component only.

verbosity
string
Default: "info"
Enum: "info" "detailed" "debug"
Example: verbosity=detailed

The verbosity level of the status response.

Responses

Response samples

Content type
application/json
{
  "catalog": { },
  "version": { }
}