4.4. ship Command#

Push an assessment to Elasticsearch, Splunk, or both — or write the same payloads to disk in air-gapped / pull mode.

This command (added in v2.0) is the operator-facing surface for the SIEM shippers; the wire protocol lives in src/core/integrations/siem/ and is re-used by the /api/integrations/ship web endpoint and the file exporters.

4.4.1. Usage#

flareinspect ship -i assessment.json [options]

4.4.2. Options#

Option	Description	Default
`-i, --input <file>`	Input assessment file (JSON) (required)	—
`--target <target>`	`elastic` · `splunk` · `all` · `file`	`all`
`--es-url <url>`	Elasticsearch base URL (overrides `FLAREINSPECT_ES_URL`)	env or required for `--target elastic`
`--es-api-key <key>`	Elasticsearch API key (overrides `FLAREINSPECT_ES_APIKEY`)	env or required for `--target elastic` (unless basic auth)
`--es-username <u>`	Elasticsearch basic-auth username (overrides `FLAREINSPECT_ES_USERNAME`)	env or required for `--target elastic` (unless api key)
`--es-password <p>`	Elasticsearch basic-auth password (overrides `FLAREINSPECT_ES_PASSWORD`)	env or required for `--target elastic` (unless api key)
`--index-name <name>`	Elasticsearch index name	`flareinspect-findings`
`--hec-url <url>`	Splunk HEC base URL (overrides `FLAREINSPECT_SPLUNK_HEC_URL`)	env or required for `--target splunk`
`--hec-token <tok>`	Splunk HEC token (overrides `FLAREINSPECT_SPLUNK_HEC_TOKEN`)	env or required for `--target splunk`
`--splunk-index <name>`	Splunk index	`main`
`--out-dir <dir>`	If set, write NDJSON to this directory and skip the live HTTP ship. Only valid with `--target file` (implied).	—
`--dry-run`	Build the payloads but do not POST and do not write	—

4.4.3. Env-var fallbacks#

Every flag has a matching env var. Flags take precedence over env vars. Use env vars for secrets in CI.

Flag	Env var
`--es-url`	`FLAREINSPECT_ES_URL`
`--es-api-key`	`FLAREINSPECT_ES_APIKEY`
`--es-username`	`FLAREINSPECT_ES_USERNAME`
`--es-password`	`FLAREINSPECT_ES_PASSWORD`
`--hec-url`	`FLAREINSPECT_SPLUNK_HEC_URL`
`--hec-token`	`FLAREINSPECT_SPLUNK_HEC_TOKEN`

4.4.4. Exit codes#

Code	Meaning
`0`	All requested targets succeeded (or `--dry-run` / `--out-dir` ran cleanly)
`1`	Any requested target failed (missing creds, network error, 4xx/5xx, bad input)

4.4.5. Examples#

Live ship to Elasticsearch

flareinspect ship -i assessment.json --target elastic \
  --es-url https://es.example.com --es-api-key $ES_KEY

Live ship to Splunk HEC

flareinspect ship -i assessment.json --target splunk \
  --hec-url https://splunk.example.com:8088 --hec-token $HEC_TOKEN

Ship to both in one call

flareinspect ship -i assessment.json --target all \
  --es-url https://es.example.com --es-api-key $ES_KEY \
  --hec-url https://splunk.example.com:8088 --hec-token $HEC_TOKEN

Dry-run (print the payload, do not POST)

flareinspect ship -i assessment.json --target elastic \
  --es-url https://es.example.com --es-api-key $ES_KEY --dry-run

Pull / air-gapped (write NDJSON to a directory)

flareinspect ship -i assessment.json --target file --out-dir ./out

This produces flareinspect-findings-<timestamp>.ndjson (ECS shape) and flareinspect-hec-<timestamp>.ndjson (HEC shape), plus flareinspect-index-template.json (the recommended ES template).

CI: env-var-driven

export FLAREINSPECT_ES_URL=https://es.example.com
export FLAREINSPECT_ES_APIKEY=$ES_KEY
flareinspect ship -i assessment.json --target elastic
# exit 0 on success, exit 1 on failure — CI-friendly

4.4.6. Packaged apps#

The shipped payloads are tuned for the bundled Kibana and Splunk apps under integrations/:

Elasticsearch — the ECS mapping, index template, and packaged Kibana saved-objects bundle
Splunk — the HEC envelope, packaged TA, and dashboard

4.4.7. Next steps#

SIEM — SIEM section landing page
API Reference — the POST /api/integrations/ship web endpoint
notify Command — the notify command (Slack / Teams / webhook)

ship Command

Contents