Export Flags
AGDS export flags control what data is exported, how much data is included, and how the export behaves operationally. These flags are especially important because some of them directly influence incremental sync behavior when exports are run manually or scheduled via cron.
The values of the --target, --include_investigations, and --include_deleted flags are used to compute the MD5 hash that drives incremental and cron-based behavior. The flags for each run of the export command are stored in the config_json column of the Synchronization record.
Commonly Used Flags
The following are the most commonly used flags for the AGDS export command.
| Flag | Details |
|---|---|
--target |
Target directory where the output file should be placed. This path is relative to the /var/lib/threatq/agds_transfer directory. The value entered for this flag tells ThreatQ where inside that directory the export should be placed. If this flag is not used, the default location for the export is /var/lib/threatq/agds_transfer/tmp.
The following example will place the export tarball file in `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs`
|
--start-date |
The start date for data selection. The date format should be: YYYY-MM-DD HH:MM:SS. The default setting is 1970-01-01 00:00:00 which will be used if the start date flag is not included.
The start date flag can use either the The following is an example of an export with a start date of June 1, 2025: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --start-date="2025-06-01 00:00:00"`
The following is an example of an export with a date range of January 1, 2025 - November 25, 2025: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --start-date="2025-01-01 00:00:00" --end-date="2025-11-25 00:00:00"`
|
--end-date |
Specifies the end date for data selection and applies only to objects, not object context or object links. The date format should be: YYYY-MM-DD HH:MM:SS.
The following is an example of an export with the default start date, January 1, 1970, (since the `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --end-date="2021-11-01 00:00:00"`
|
--include-deleted |
Determines whether objects that have been soft-deleted are included in the result set. Options are Y for Yes or N for No. The default setting for this flag is No so the flag is only required if you want to include soft-deleted objects.
The following is an example of an export that includes soft-deleted files: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --include-deleted=Y`
|
--include-investigations |
Determines whether ThreatQ Investigations and Tasks are included in the result set. Options are Y for Yes or N for No. The default setting for this flag is No so the flag is only required if you want to include ThreatQ Investigations and Tasks.
The following is an example of an export that includes ThreatQ Investigations and Tasks: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --include-investigations=Y`
|
Other AGDS Export Flags
| Flag | Details |
|---|---|
--ignore-file-types |
Defines a comma-delimited list of ThreatQ File Types for which physical files stored on the source ThreatQ installation should not be transferred to the target air gapped ThreatQ installation. Database records are still included in the export tarball.
The following is an example of an export that ignores Malware Analysis Report and Malware Sample types: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --ignore-file-types="Malware Analysis Report,Malware Sample"`
|
--include-all-relationships |
Exports all related data for an object if its source matches the --sources parameter value. If so, the command exports the primary object’s relationships to any object on the system regardless of the sources of the related objects and/or the source that created the relationships.
The following is an example of an export that will include all related data for objects with the source of `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --sources="Black Source" --include-all-relationships`
|
--initial-start-date |
Controls the starting point for data selection during the first run of an AGDS export, particularly in large or long-running environments. It explicitly defines the earliest date from which data should be exported, allowing administrators to avoid exporting the entire historical dataset (“beginning of time”) in a single run. This flag is most commonly used when staging large data migrations in multiple, incremental export windows. See the CRON topic for more details. Unlike --start-date, the --initial-start-date value is recorded separately in the synchronization record and does not participate in cron hash matching, which prevents it from interfering with ongoing scheduled or incremental exports. After the initial run completes, subsequent exports can rely on the standard incremental logic (based on prior run timestamps) without needing to reuse the --initial-start-date flag.
In this example, the initial start date is set to January 1, 2016: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --initial-start-date="2016-01-01 00:00:00" --target=export/runs --end-date="2024-01-01 00:00:00"`
|
--memory-limit |
Sets the PHP memory limit in megabytes or gigabytes. The default value is 2G.
The following is an example of the export command that sets the PHP memory limit to 4GB: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --memory-limit=4G`
|
--meta-only |
Tells the export to pull only metadata objects (Attributes, Sources, Object Statuses, etc.) from the system.
The following export command example pulls only metadata objects: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --meta-only`
|
--object-limit |
Sets the limit on the number of objects selected at a time. The default value is 50,000. ThreatQuotient recommends that you set the limit to a number smaller than the default value on boxes with very large data sets.
The following is an example of setting the object limit to 10,000 for an export: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --object-limit=10000`
|
--sources |
Filters objects produced in the sync by the sources they include, allowing the user to send out a subset of data that contains a specific source. For objects with multiple sources, other sources are included in the filter if the object contains the user-specified source(s). Multiple sources are also supported in search parameters.
The following is an example of filtering down the export to objects with the Abyss source: `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --sources="Abyss"`
Existing CRON Runs: use the `kubectl exec --namespace threatq --stdin --tty deployment/api-schedule-run -- ./artisan threatq:sync-export --target=export/runs --sources="Abyss" --initial-start-date="2018-11-01 00:00:00"`
|
The following are the most commonly used flags for the AGDS export command.
| Flag | Details |
|---|---|
--target |
REQUIRED - Target directory where the output file should be placed. The value entered for this flag will tell ThreatQ where inside that directory the export should be placed.
The following example will place the export tarball file in the AGDS directory: `sudo ./artisan threatq:sync-export --target=AGDS`
|
--start-date |
REQUIRED - The start date for data selection. The date format should be: YYYY-MM-DD HH:MM:SS. The default setting is 1970-01-01 00:00:00 which will be used if the start date flag is not included.
The start date flag can use either the The following is an example of an export with a start date of June 1, 2025: `sudo ./artisan threatq:sync-export --target=AGDS --start-date="2025-06-01 00:00:00"`
The following is an example of an export with a date range of January 1, 2025 - November 25, 2025: `sudo ./artisan threatq:sync-export --target=AGDS --start-date="2025-01-01 00:00:00" --end-date="2025-11-25 00:00:00"`
|
--end-date |
REQUIRED - Specifies the end date for data selection and applies only to objects, not object context or object links. The date format should be: YYYY-MM-DD HH:MM:SS.
The following is an example of an export with the default start date, January 1, 1970, (since the `sudo ./artisan threatq:sync-export --target=agds --end-date="2021-11-01 00:00:00"`
|
--include-deleted |
Determines whether objects that have been soft-deleted are included in the result set. Options are Y for Yes or N for No. The default setting for this flag is No so the flag is only required if you want to include soft-deleted objects.
The following is an example of an export that includes soft-deleted files: `sudo ./artisan threatq:sync-export --target=AGDS --include-deleted=Y`
|
--include-investigations |
Determines whether ThreatQ Investigations and Tasks are included in the result set. Options are Y for Yes or N for No. The default setting for this flag is No so the flag is only required if you want to include ThreatQ Investigations and Tasks.
The following is an example of an export that includes ThreatQ Investigations and Tasks: `sudo ./artisan threatq:sync-export --target=AGDS --include-investigations=Y`
|
Other AGDS Export Flags
| Flag | Details |
|---|---|
--ignore-file-types |
Defines a comma-delimited list of ThreatQ File Types for which physical files stored on the source ThreatQ installation should not be transferred to the target air gapped ThreatQ installation. Database records are still included in the export tarball.
The following is an example of an export that ignores Malware Analysis Report and Malware Sample types: `sudo ./artisan threatq:sync-export --target=AGDS --ignore-file-types="Malware Analysis Report,Malware Sample"`
|
--include-all-relationships |
Exports all related data for an object if its source matches the --sources parameter value. If so, the command exports the primary object’s relationships to any object on the system regardless of the sources of the related objects and/or the source that created the relationships.
The following is an example of an export that will include all related data for objects with the source of `sudo ./artisan threatq:sync-export --target=AGDS --sources="Black Source" --include-all-relationships`
|
--initial-start-date |
Controls the starting point for data selection during the first run of an AGDS export, particularly in large or long-running environments. It explicitly defines the earliest date from which data should be exported, allowing administrators to avoid exporting the entire historical dataset (“beginning of time”) in a single run. This flag is most commonly used when staging large data migrations in multiple, incremental export windows. See the CRON topic for more details. Unlike --start-date, the --initial-start-date value is recorded separately in the synchronization record and does not participate in cron hash matching, which prevents it from interfering with ongoing scheduled or incremental exports. After the initial run completes, subsequent exports can rely on the standard incremental logic (based on prior run timestamps) without needing to reuse the --initial-start-date flag.
In this example, the initial start date is set to January 1, 2016: `sudo ./artisan threatq:sync-export --initial-start-date="2016-01-01 00:00:00" --target=AGDS --end-date="2024-01-01 00:00:00"`
|
--memory-limit |
Sets the PHP memory limit in megabytes or gigabytes. The default value is 2G.
The following is an example of the export command that sets the PHP memory limit to 4GB: `sudo ./artisan threatq:sync-export --target=AGDS --memory-limit=4G`
|
--meta-only |
Tells the export to pull only metadata objects (Attributes, Sources, Object Statuses, etc.) from the system.
The following export command example pulls only metadata objects: `sudo ./artisan threatq:sync-export --target=AGDS --meta-only`
|
--object-limit |
Sets the limit on the number of objects selected at a time. The default value is 50,000. ThreatQuotient recommends that you set the limit to a number smaller than the default value on boxes with very large data sets.
The following is an example of setting the object limit to 10,000 for an export: `sudo ./artisan threatq:sync-export --target=AGDS --object-limit=10000`
|
--sources |
Filters objects produced in the sync by the sources they include, allowing the user to send out a subset of data that contains a specific source. For objects with multiple sources, other sources are included in the filter if the object contains the user-specified source(s). Multiple sources are also supported in search parameters.
The following is an example of filtering down the export to objects with the Abyss source: `sudo ./artisan threatq:sync-export --target=AGDS --sources="Abyss"`
Existing CRON Runs: use the `sudo ./artisan threatq:sync-export --target=AGDS --sources="Abyss" --initial-start-date="2018-11-01 00:00:00"`
|
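
A pre-flight check for the flag values documented above, written as an added example and not part of ThreatQ or its documentation. The function names are hypothetical, the character allow-list for --target and the M/G suffix check for --memory-limit are assumptions, and flags it does not know are passed over unchecked.

```shell
# Added example: validate threatq:sync-export flag values before a manual or cron run.
# Function names are hypothetical; the rules follow the flag descriptions above.
valid_date() {    # YYYY-MM-DD HH:MM:SS (format and coarse digit ranges only)
  case "$1" in
    [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]\ [0-2][0-9]:[0-5][0-9]:[0-5][0-9]) ;;
    *) return 1 ;;
  esac
}
date_before() {   # fixed-width timestamps compare correctly as 14-digit integers
  valid_date "$1" && valid_date "$2" || return 1
  a=$(printf '%s' "$1" | tr -d ' :-'); b=$(printf '%s' "$2" | tr -d ' :-')
  [ "$a" -lt "$b" ]
}
valid_target() {  # relative path only: no leading "/" and no ".." component
  case "$1" in
    ''|/*|..|../*|*/..|*/../*) return 1 ;;
    *[!A-Za-z0-9._/-]*) return 1 ;;   # assumption: conservative character allow-list
  esac
}
valid_yn() { case "$1" in Y|N) ;; *) return 1 ;; esac; }
valid_memory() {  # digits followed by a single M or G, e.g. 2G
  case "$1" in
    ''|[MG]|*[!0-9MG]*|*[MG]?*|*[0-9]) return 1 ;;
  esac
}
bad() { echo "invalid $1" >&2; rc=1; }

check_export_args() {   # returns non-zero if any supplied flag value is invalid
  rc=0; start=; end=
  for arg in "$@"; do
    val=${arg#*=}
    case "$arg" in
      --target=*) valid_target "$val" || bad "$arg" ;;
      --start-date=*) start=$val; valid_date "$val" || bad "$arg" ;;
      --end-date=*) end=$val; valid_date "$val" || bad "$arg" ;;
      --initial-start-date=*) valid_date "$val" || bad "$arg" ;;
      --include-deleted=*|--include-investigations=*) valid_yn "$val" || bad "$arg" ;;
      --memory-limit=*) valid_memory "$val" || bad "$arg" ;;
      --object-limit=*) case "$val" in ''|*[!0-9]*) bad "$arg" ;; esac ;;
    esac
  done
  if [ -n "$start" ] && [ -n "$end" ]; then
    date_before "$start" "$end" || bad "date range: start is not before end"
  fi
  return "$rc"
}
```

Source the file and call `check_export_args` with the same flags you intend to pass to `threatq:sync-export`; run the export only when it returns zero.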