source

Plugin

ArgDescriptionType
client_idThe client id to extractstring
flow_idA flow ID (client or server artifacts)string
hunt_idRetrieve sources from this hunt (combines all results from all clients)string
artifactThe name of the artifact collection to fetchstring
sourceAn optional named source within the artifactstring
start_timeStart return events from this date (for event sources)Any
end_timeStop end events reach this time (event sources).Any
notebook_idThe notebook to read from (should also include cell id)string
notebook_cell_idThe notebook cell read from (should also include notebook id)string
notebook_cell_versionThe notebook cell version to read from (should also include notebook id and notebook cell)string
notebook_cell_tableA notebook cell can have multiple tables.)int64
start_rowStart reading the result set from this rowint64
countMaximum number of rows to fetch (default unlimited)int64
orgsRun the query over these orgs. If empty use the current org.list of string

Required permissions:READ_RESULTS

Description

Retrieve rows from an artifact’s source.

This plugin is mostly useful in notebooks. It attempts to do the right thing automatically by inferring many parameters from its execution environment.

The goal with this plugin is to reduce the boiler plate code required by inferring many of the parameters from the notebook environment. The source() plugin serves as a proxy to other more specific plugins such as hunt_results() and flow_results().

For example, when running within a collection notebook, the GUI will automatically pass the ClientId, FlowId and Artifact parameters to the notebook environment. Therefore it is not necessary to specify those at all:

-- Artifact, ClientId and FlowId are populated from the notebook context.
SELECT * FROM source()

On the other hand, when running the above query in a hunt notebook, the HuntId will be available in the notebook context, therefore the source() plugin will be equivalent to the hunt_results() plugin.

When accessing another notebook cell, both the notebook_id and notebook_cell parameters must be explicitly specified:

SELECT * FROM source(notebook_id="N.123", notebook_cell="NC.1234")