flow.record 3.15.dev16__tar.gz → 3.16__tar.gz

{flow_record-3.15.dev16/flow.record.egg-info → flow_record-3.16}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: flow.record
-Version: 3.15.dev16
+Version: 3.16
 Summary: A library for defining and creating structured data (called records) that can be streamed to disk or piped to other tools that use flow.record
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3
@@ -40,6 +40,7 @@ Requires-Dist: httpx; extra == "splunk"
 Provides-Extra: test
 Requires-Dist: flow.record[compression]; extra == "test"
 Requires-Dist: flow.record[avro]; extra == "test"
+Requires-Dist: flow.record[elastic]; extra == "test"
 Requires-Dist: duckdb; (platform_python_implementation != "PyPy" and python_version < "3.12") and extra == "test"
 Requires-Dist: pytz; (platform_python_implementation != "PyPy" and python_version < "3.12") and extra == "test"
 

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/__init__.py

@@ -17,6 +17,7 @@ from flow.record.base import (
     RecordWriter,
     dynamic_fieldtype,
     extend_record,
+    ignore_fields_for_comparison,
     iter_timestamped_records,
     open_path,
     open_path_or_stream,
@@ -57,6 +58,7 @@ __all__ = [
     "open_path_or_stream",
     "open_path",
     "open_stream",
+    "ignore_fields_for_comparison",
     "set_ignored_fields_for_comparison",
     "stream",
     "dynamic_fieldtype",

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/adapter/elastic.py

@@ -2,7 +2,7 @@ import hashlib
 import logging
 import queue
 import threading
-from typing import Iterator, Union
+from typing import Iterator, Optional, Union
 
 import elasticsearch
 import elasticsearch.helpers
@@ -22,9 +22,11 @@ Read usage: rdump elastic+[PROTOCOL]://[IP]:[PORT]?index=[INDEX]
 [PROTOCOL]: http or https. Defaults to https when "+[PROTOCOL]" is omitted
 
 Optional arguments:
+  [API_KEY]: base64 encoded api key to authenticate with (default: False)
   [INDEX]: name of the index to use (default: records)
   [VERIFY_CERTS]: verify certs of Elasticsearch instance (default: True)
   [HASH_RECORD]: make record unique by hashing record [slow] (default: False)
+  [_META_*]: record metadata fields (default: None)
 """
 
 log = logging.getLogger(__name__)
@@ -38,6 +40,7 @@ class ElasticWriter(AbstractWriter):
         verify_certs: Union[str, bool] = True,
         http_compress: Union[str, bool] = True,
         hash_record: Union[str, bool] = False,
+        api_key: Optional[str] = None,
         **kwargs,
     ) -> None:
         self.index = index
@@ -45,7 +48,17 @@ class ElasticWriter(AbstractWriter):
         verify_certs = str(verify_certs).lower() in ("1", "true")
         http_compress = str(http_compress).lower() in ("1", "true")
         self.hash_record = str(hash_record).lower() in ("1", "true")
-        self.es = elasticsearch.Elasticsearch(uri, verify_certs=verify_certs, http_compress=http_compress)
+
+        if not uri.lower().startswith(("http://", "https://")):
+            uri = "http://" + uri
+
+        self.es = elasticsearch.Elasticsearch(
+            uri,
+            verify_certs=verify_certs,
+            http_compress=http_compress,
+            api_key=api_key,
+        )
+
         self.json_packer = JsonRecordPacker()
         self.queue: queue.Queue[Union[Record, StopIteration]] = queue.Queue()
         self.event = threading.Event()
@@ -58,25 +71,34 @@ class ElasticWriter(AbstractWriter):
 
             urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
+        self.metadata_fields = {}
+        for arg_key, arg_val in kwargs.items():
+            if arg_key.startswith("_meta_"):
+                self.metadata_fields[arg_key[6:]] = arg_val
+
     def record_to_document(self, record: Record, index: str) -> dict:
         """Convert a record to a Elasticsearch compatible document dictionary"""
         rdict = record._asdict()
 
-        # Store record metadata under `_record_metadata`
+        # Store record metadata under `_record_metadata`.
         rdict_meta = {
             "descriptor": {
                 "name": record._desc.name,
                 "hash": record._desc.descriptor_hash,
             },
         }
+
         # Move all dunder fields to `_record_metadata` to avoid naming clash with ES.
         dunder_keys = [key for key in rdict if key.startswith("_")]
         for key in dunder_keys:
             rdict_meta[key.lstrip("_")] = rdict.pop(key)
-        # remove _generated field from metadata to ensure determinstic documents
+
+        # Remove _generated field from metadata to ensure determinstic documents.
         if self.hash_record:
             rdict_meta.pop("generated", None)
-        rdict["_record_metadata"] = rdict_meta
+
+        rdict["_record_metadata"] = rdict_meta.copy()
+        rdict["_record_metadata"].update(self.metadata_fields)
 
         document = {
             "_index": index,
@@ -106,6 +128,7 @@ class ElasticWriter(AbstractWriter):
         ):
             if not ok:
                 log.error("Failed to insert %r", item)
+
         self.event.set()
 
     def write(self, record: Record) -> None:
@@ -129,6 +152,7 @@ class ElasticReader(AbstractReader):
         verify_certs: Union[str, bool] = True,
         http_compress: Union[str, bool] = True,
         selector: Union[None, Selector, CompiledSelector] = None,
+        api_key: Optional[str] = None,
         **kwargs,
     ) -> None:
         self.index = index
@@ -136,7 +160,16 @@ class ElasticReader(AbstractReader):
         self.selector = selector
         verify_certs = str(verify_certs).lower() in ("1", "true")
         http_compress = str(http_compress).lower() in ("1", "true")
-        self.es = elasticsearch.Elasticsearch(uri, verify_certs=verify_certs, http_compress=http_compress)
+
+        if not uri.lower().startswith(("http://", "https://")):
+            uri = "http://" + uri
+
+        self.es = elasticsearch.Elasticsearch(
+            uri,
+            verify_certs=verify_certs,
+            http_compress=http_compress,
+            api_key=api_key,
+        )
 
         if not verify_certs:
             # Disable InsecureRequestWarning of urllib3, caused by the verify_certs flag.

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/adapter/splunk.py

@@ -28,7 +28,7 @@ Write usage: rdump -w splunk+[PROTOCOL]://[IP]:[PORT]?tag=[TAG]&token=[TOKEN]&so
 [TAG]: optional value to add as "rdtag" output field when writing
 [TOKEN]: Authentication token for sending data over HTTP(S)
 [SOURCETYPE]: Set sourcetype of data. Defaults to records, but can also be set to JSON.
-[SSL_VERIFY]: Whether to verify the server certificate when sending data over HTTP(S). Defaults to True.
+[SSL_VERIFY]: Whether to verify the server certificate when sending data over HTTPS. Defaults to True.
 """
 
 log = logging.getLogger(__package__)
@@ -36,21 +36,38 @@ log = logging.getLogger(__package__)
 # Amount of records to bundle into a single request when sending data over HTTP(S).
 RECORD_BUFFER_LIMIT = 20
 
-# https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureindex-timefieldextraction
-RESERVED_SPLUNK_FIELDS = [
-    "_indextime",
-    "_time",
-    "index",
-    "punct",
-    "source",
-    "sourcetype",
-    "tag",
-    "type",
-]
+# List of reserved splunk fields that do not start with an `_`, as those will be escaped anyway.
+# See: https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Aboutdefaultfields
+RESERVED_SPLUNK_FIELDS = set(
+    [
+        "host",
+        "index",
+        "linecount",
+        "punct",
+        "source",
+        "sourcetype",
+        "splunk_server",
+        "timestamp",
+    ],
+)
+
+RESERVED_SPLUNK_APP_FIELDS = set(
+    [
+        "tag",
+        "type",
+    ]
+)
+
+RESERVED_RDUMP_FIELDS = set(
+    [
+        "rdtag",
+        "rdtype",
+    ],
+)
 
-RESERVED_RECORD_FIELDS = ["_classification", "_generated", "_source"]
+RESERVED_FIELDS = RESERVED_SPLUNK_FIELDS.union(RESERVED_SPLUNK_APP_FIELDS.union(RESERVED_RDUMP_FIELDS))
 
-PREFIX_WITH_RD = set(RESERVED_SPLUNK_FIELDS + RESERVED_RECORD_FIELDS)
+ESCAPE = "rd_"
 
 
 class Protocol(Enum):
@@ -64,7 +81,13 @@ class SourceType(Enum):
     RECORDS = "records"
 
 
-def splunkify_key_value(record: Record, tag: Optional[str] = None) -> str:
+def escape_field_name(field: str) -> str:
+    if field.startswith(("_", ESCAPE)) or field in RESERVED_FIELDS:
+        field = f"{ESCAPE}{field}"
+    return field
+
+
+def record_to_splunk_kv_line(record: Record, tag: Optional[str] = None) -> str:
     ret = []
 
     ret.append(f'rdtype="{record._desc.name}"')
@@ -81,8 +104,7 @@ def splunkify_key_value(record: Record, tag: Optional[str] = None) -> str:
 
         val = getattr(record, field)
 
-        if field in PREFIX_WITH_RD:
-            field = f"rd_{field}"
+        field = escape_field_name(field)
 
         if val is None:
             ret.append(f"{field}=None")
@@ -94,7 +116,25 @@ def splunkify_key_value(record: Record, tag: Optional[str] = None) -> str:
     return " ".join(ret)
 
 
-def splunkify_json(packer: JsonRecordPacker, record: Record, tag: Optional[str] = None) -> str:
+def record_to_splunk_json(packer: JsonRecordPacker, record: Record, tag: Optional[str] = None) -> dict:
+    record_as_dict = packer.pack_obj(record)
+    json_dict = {}
+
+    for field, value in record_as_dict.items():
+        # Omit the _version field as the Splunk adapter has no reader support for deserialising records back.
+        if field == "_version":
+            continue
+        escaped_field = escape_field_name(field)
+        json_dict[escaped_field] = value
+
+    # Add rdump specific fields
+    json_dict["rdtag"] = tag
+    json_dict["rdtype"] = record._desc.name
+
+    return json_dict
+
+
+def record_to_splunk_http_api_json(packer: JsonRecordPacker, record: Record, tag: Optional[str] = None) -> str:
     ret = {}
 
     indexer_fields = [
@@ -115,29 +155,13 @@ def splunkify_json(packer: JsonRecordPacker, record: Record, tag: Optional[str]
                     continue
                 ret[splunk_name] = to_str(val)
 
-    record_as_dict = packer.pack_obj(record)
-
-    # Omit the _version field as the Splunk adapter has no reader support for deserialising records back.
-    del record_as_dict["_version"]
-
-    # These fields end up in the 'event', but we have a few reserved field names. If those field names are in the
-    # record, we prefix them with 'rd_' (short for record descriptor)
-    for field in PREFIX_WITH_RD:
-        if field not in record_as_dict:
-            continue
-        new_field = f"rd_{field}"
-
-        record_as_dict[new_field] = record_as_dict[field]
-        del record_as_dict[field]
-
-    # Almost done, just have to add the tag and the type (i.e the record descriptor's name) to the event.
-    record_as_dict["rdtag"] = tag
+    ret["event"] = record_to_splunk_json(packer, record, tag)
+    return json.dumps(ret, default=packer.pack_obj)
 
-    # Yes.
-    record_as_dict["rdtype"] = record._desc.name
 
-    ret["event"] = record_as_dict
-    return json.dumps(ret, default=packer.pack_obj)
+def record_to_splunk_tcp_api_json(packer: JsonRecordPacker, record: Record, tag: Optional[str] = None) -> str:
+    record_dict = record_to_splunk_json(packer, record, tag)
+    return json.dumps(record_dict, default=packer.pack_obj)
 
 
 class SplunkWriter(AbstractWriter):
@@ -159,31 +183,31 @@ class SplunkWriter(AbstractWriter):
 
         if sourcetype is None:
             log.warning("No sourcetype provided, assuming 'records' sourcetype")
-            sourcetype = SourceType.RECORDS
+            self.sourcetype = SourceType.RECORDS
+        else:
+            self.sourcetype = SourceType(sourcetype)
 
         parsed_url = urlparse(uri)
         url_scheme = parsed_url.scheme.lower()
-
-        self.sourcetype = SourceType(sourcetype)
         self.protocol = Protocol(url_scheme)
-
-        if self.protocol == Protocol.TCP and self.sourcetype != SourceType.RECORDS:
-            raise ValueError("For sending data to Splunk over TCP, only the 'records' sourcetype is allowed")
-
         self.host = parsed_url.hostname
         self.port = parsed_url.port
+
         self.tag = tag
         self.record_buffer = []
         self._warned = False
         self.packer = None
-
-        if self.sourcetype == SourceType.JSON:
-            self.packer = JsonRecordPacker(indent=4, pack_descriptors=False)
+        self.json_converter = None
 
         if self.protocol == Protocol.TCP:
             self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.SOL_TCP)
             self.sock.connect((self.host, self.port))
             self._send = self._send_tcp
+
+            if self.sourcetype == SourceType.JSON:
+                self.packer = JsonRecordPacker(indent=None, pack_descriptors=False)
+                self.json_converter = record_to_splunk_tcp_api_json
+
         elif self.protocol in (Protocol.HTTP, Protocol.HTTPS):
             if not HAS_HTTPX:
                 raise ImportError("The httpx library is required for sending data over HTTP(S)")
@@ -214,6 +238,10 @@ class SplunkWriter(AbstractWriter):
 
             self._send = self._send_http
 
+            if self.sourcetype == SourceType.JSON:
+                self.packer = JsonRecordPacker(indent=4, pack_descriptors=False)
+                self.json_converter = record_to_splunk_http_api_json
+
     def _cache_records_for_http(self, data: Optional[bytes] = None, flush: bool = False) -> Optional[bytes]:
         # It's possible to call this function without any data, purely to flush. Hence this check.
         if data:
@@ -252,9 +280,9 @@ class SplunkWriter(AbstractWriter):
             )
 
         if self.sourcetype == SourceType.RECORDS:
-            rec = splunkify_key_value(record, self.tag)
+            rec = record_to_splunk_kv_line(record, self.tag)
         else:
-            rec = splunkify_json(self.packer, record, self.tag)
+            rec = self.json_converter(self.packer, record, self.tag)
 
         # Trail with a newline for line breaking.
         data = to_bytes(rec) + b"\n"

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/base.py

@@ -31,6 +31,7 @@ from urllib.parse import parse_qsl, urlparse
 
 from flow.record.adapter import AbstractReader, AbstractWriter
 from flow.record.exceptions import RecordAdapterNotFound, RecordDescriptorError
+from flow.record.utils import get_stdin, get_stdout
 
 try:
     import lz4.frame as lz4
@@ -812,10 +813,7 @@ def open_path(path: str, mode: str, clobber: bool = True) -> IO:
     # normal file or stdio for reading or writing
     if not fp:
         if is_stdio:
-            if binary:
-                fp = getattr(sys.stdout, "buffer", sys.stdout) if out else getattr(sys.stdin, "buffer", sys.stdin)
-            else:
-                fp = sys.stdout if out else sys.stdin
+            fp = get_stdout(binary=binary) if out else get_stdin(binary=binary)
         else:
             fp = io.open(path, mode)
         # check if we are reading a compressed stream
@@ -867,7 +865,7 @@ def RecordAdapter(
         if url in ("-", "", None) and fileobj is None:
             # For reading stdin, we cannot rely on an extension to know what sort of stream is incoming. Thus, we will
             # treat it as a 'fileobj', where we can peek into the stream and try to select the appropriate adapter.
-            fileobj = getattr(sys.stdin, "buffer", sys.stdin)
+            fileobj = get_stdin(binary=True)
         if fileobj is not None:
             # This record adapter has received a file-like object for record reading
             # We just need to find the right adapter by peeking into the first few bytes.

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/fieldtypes/__init__.py

@@ -32,8 +32,8 @@ NATIVE_UNICODE = isinstance("", str)
 
 UTC = timezone.utc
 
-PY_311 = sys.version_info >= (3, 11, 0)
-PY_312 = sys.version_info >= (3, 12, 0)
+PY_311_OR_HIGHER = sys.version_info >= (3, 11, 0)
+PY_312_OR_HIGHER = sys.version_info >= (3, 12, 0)
 
 TYPE_POSIX = 0
 TYPE_WINDOWS = 1
@@ -288,7 +288,7 @@ class datetime(_dt, FieldType):
                 # - Python 3.10 and older requires "T" between date and time in fromisoformat()
                 #
                 # There are other incompatibilities, but we don't care about those for now.
-                if not PY_311:
+                if not PY_311_OR_HIGHER:
                     # Convert Z to +00:00 so that fromisoformat() works correctly on Python 3.10 and older
                     if arg[-1] == "Z":
                         arg = arg[:-1] + "+00:00"
@@ -633,6 +633,8 @@ def _is_windowslike_path(path: Any):
 
 
 class path(pathlib.PurePath, FieldType):
+    _empty_path = False
+
     def __new__(cls, *args):
         # This is modelled after pathlib.PurePath's __new__(), which means you
         # will never get an instance of path, only instances of either
@@ -647,7 +649,7 @@ class path(pathlib.PurePath, FieldType):
             for path_part in args:
                 if isinstance(path_part, pathlib.PureWindowsPath):
                     cls = windows_path
-                    if not PY_312:
+                    if not PY_312_OR_HIGHER:
                         # For Python < 3.12, the (string) representation of a
                         # pathlib.PureWindowsPath is not round trip equivalent if a path
                         # starts with a \ or / followed by a drive letter, e.g.: \C:\...
@@ -663,15 +665,15 @@ class path(pathlib.PurePath, FieldType):
                         #
                         # This construction works around that by converting all path parts
                         # to strings first.
-                        args = (str(arg) for arg in args)
+                        args = tuple(str(arg) for arg in args)
                 elif isinstance(path_part, pathlib.PurePosixPath):
                     cls = posix_path
                 elif _is_windowslike_path(path_part):
                     # This handles any custom PurePath based implementations that have a windows
                     # like path separator (\).
                     cls = windows_path
-                    if not PY_312:
-                        args = (str(arg) for arg in args)
+                    if not PY_312_OR_HIGHER:
+                        args = tuple(str(arg) for arg in args)
                 elif _is_posixlike_path(path_part):
                     # This handles any custom PurePath based implementations that don't have a
                     # windows like path separator (\).
@@ -680,20 +682,37 @@ class path(pathlib.PurePath, FieldType):
                     continue
                 break
 
-        if PY_312:
+        if PY_312_OR_HIGHER:
             obj = super().__new__(cls)
         else:
             obj = cls._from_parts(args)
+
+        obj._empty_path = False
+        if not args or args == ("",):
+            obj._empty_path = True
         return obj
 
     def __eq__(self, other: Any) -> bool:
         if isinstance(other, str):
             return str(self) == other or self == self.__class__(other)
+        elif isinstance(other, self.__class__) and (self._empty_path or other._empty_path):
+            return self._empty_path == other._empty_path
         return super().__eq__(other)
 
+    def __str__(self) -> str:
+        if self._empty_path:
+            return ""
+        return super().__str__()
+
     def __repr__(self) -> str:
         return repr(str(self))
 
+    @property
+    def parent(self):
+        if self._empty_path:
+            return self
+        return super().parent
+
     def _pack(self):
         path_type = TYPE_WINDOWS if isinstance(self, windows_path) else TYPE_POSIX
         return (str(self), path_type)
@@ -756,7 +775,8 @@ class command(FieldType):
         #   an '%' for an environment variable
         #   r'\\' for a UNC path
         #   the strip and check for ":" on the second line is for `<drive_letter>:`
-        windows = value.startswith((r"\\", "%")) or value.lstrip("\"'")[1] == ":"
+        stripped_value = value.lstrip("\"'")
+        windows = value.startswith((r"\\", "%")) or (len(stripped_value) >= 2 and stripped_value[1] == ":")
 
         if windows:
             cls = windows_command

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/jsonpacker.py

@@ -41,15 +41,20 @@ class JsonRecordPacker:
             if obj._desc.identifier not in self.descriptors:
                 self.register(obj._desc, True)
             serial = obj._asdict()
+
             if self.pack_descriptors:
                 serial["_type"] = "record"
                 serial["_recorddescriptor"] = obj._desc.identifier
 
-            # PYTHON2: Because "bytes" are also "str" we have to handle this here
             for field_type, field_name in obj._desc.get_field_tuples():
+                # PYTHON2: Because "bytes" are also "str" we have to handle this here
                 if field_type == "bytes" and isinstance(serial[field_name], str):
                     serial[field_name] = base64.b64encode(serial[field_name]).decode()
 
+                # Boolean field types should be cast to a bool instead of staying ints
+                elif field_type == "boolean" and isinstance(serial[field_name], int):
+                    serial[field_name] = bool(serial[field_name])
+
             return serial
         if isinstance(obj, RecordDescriptor):
             serial = {

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/selector.py

@@ -17,25 +17,6 @@ except ImportError:
 
 string_types = (str, type(""))
 
-AST_NODE_S_TYPES = tuple(
-    filter(
-        None,
-        [
-            getattr(ast, "Str", None),
-            getattr(ast, "Bytes", None),
-        ],
-    ),
-)
-
-AST_NODE_VALUE_TYPES = tuple(
-    filter(
-        None,
-        [
-            getattr(ast, "NameConstant", None),
-            getattr(ast, "Constant", None),
-        ],
-    ),
-)
 
 AST_OPERATORS = {
     ast.Add: operator.add,
@@ -581,11 +562,7 @@ class RecordContextMatcher:
         return r
 
     def _eval(self, node):
-        if isinstance(node, ast.Num):
-            return node.n
-        elif isinstance(node, AST_NODE_S_TYPES):
-            return node.s
-        elif isinstance(node, AST_NODE_VALUE_TYPES):
+        if isinstance(node, ast.Constant):
             return node.value
         elif isinstance(node, ast.List):
             return list(map(self.eval, node.elts))

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/stream.py

@@ -12,6 +12,7 @@ from functools import lru_cache
 from flow.record import RECORDSTREAM_MAGIC, RecordWriter
 from flow.record.fieldtypes import fieldtype_for_value
 from flow.record.selector import make_selector
+from flow.record.utils import is_stdout
 
 from .base import RecordDescriptor, RecordReader
 from .packer import RecordPacker
@@ -70,7 +71,7 @@ class RecordStreamWriter:
         self.write(descriptor)
 
     def close(self):
-        if self.fp and self.fp != getattr(sys.stdout, "buffer", sys.stdout):
+        if self.fp and not is_stdout(self.fp):
             self.fp.close()
             self.fp = None
 

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/utils.py

@@ -1,15 +1,51 @@
+from __future__ import annotations
+
 import base64
 import os
 import sys
 from functools import wraps
+from typing import BinaryIO, TextIO
 
 _native = str
 _unicode = type("")
 _bytes = type(b"")
 
 
-def is_stdout(fp):
-    return fp in (sys.stdout, sys.stdout.buffer)
+def get_stdout(binary: bool = False) -> TextIO | BinaryIO:
+    """Return the stdout stream as binary or text stream.
+
+    This function is the preferred way to get the stdout stream in flow.record.
+
+    Arguments:
+        binary: Whether to return the stream as binary stream.
+
+    Returns:
+        The stdout stream.
+    """
+    fp = getattr(sys.stdout, "buffer", sys.stdout) if binary else sys.stdout
+    fp._is_stdout = True
+    return fp
+
+
+def get_stdin(binary: bool = False) -> TextIO | BinaryIO:
+    """Return the stdin stream as binary or text stream.
+
+    This function is the preferred way to get the stdin stream in flow.record.
+
+    Arguments:
+        binary: Whether to return the stream as binary stream.
+
+    Returns:
+        The stdin stream.
+    """
+    fp = getattr(sys.stdin, "buffer", sys.stdin) if binary else sys.stdin
+    fp._is_stdin = True
+    return fp
+
+
+def is_stdout(fp: TextIO | BinaryIO) -> bool:
+    """Returns True if ``fp`` is the stdout stream."""
+    return fp in (sys.stdout, sys.stdout.buffer) or hasattr(fp, "_is_stdout")
 
 
 def to_bytes(value):

{flow_record-3.15.dev16 → flow_record-3.16}/flow/record/version.py

@@ -12,5 +12,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '3.15.dev16'
-__version_tuple__ = version_tuple = (3, 15, 'dev16')
+__version__ = version = '3.16'
+__version_tuple__ = version_tuple = (3, 16)

{flow_record-3.15.dev16 → flow_record-3.16/flow.record.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: flow.record
-Version: 3.15.dev16
+Version: 3.16
 Summary: A library for defining and creating structured data (called records) that can be streamed to disk or piped to other tools that use flow.record
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3
@@ -40,6 +40,7 @@ Requires-Dist: httpx; extra == "splunk"
 Provides-Extra: test
 Requires-Dist: flow.record[compression]; extra == "test"
 Requires-Dist: flow.record[avro]; extra == "test"
+Requires-Dist: flow.record[elastic]; extra == "test"
 Requires-Dist: duckdb; (platform_python_implementation != "PyPy" and python_version < "3.12") and extra == "test"
 Requires-Dist: pytz; (platform_python_implementation != "PyPy" and python_version < "3.12") and extra == "test"
 

{flow_record-3.15.dev16 → flow_record-3.16}/flow.record.egg-info/SOURCES.txt

@@ -59,6 +59,7 @@ tests/test_avro_adapter.py
 tests/test_compiled_selector.py
 tests/test_csv_adapter.py
 tests/test_deprecations.py
+tests/test_elastic_adapter.py
 tests/test_fieldtype_ip.py
 tests/test_fieldtypes.py
 tests/test_json_packer.py

{flow_record-3.15.dev16 → flow_record-3.16}/flow.record.egg-info/requires.txt

@@ -29,6 +29,7 @@ httpx
 [test]
 flow.record[compression]
 flow.record[avro]
+flow.record[elastic]
 
 [test:platform_python_implementation != "PyPy" and python_version < "3.12"]
 duckdb