This adds the following features to Timesketch when adding dat already ingested in to Opensearch:
Prevents creation of 1500 indices limit in Opensearch
This way multiply timelines can be genereated from a single index based on an unique ID suplied by the user. For example documents with the field ID is 1 or 2 are saved in in the same index. Using the key value pair ID=1 and ID=2 both timelines can be generated in a single index
Zawadidone
commented
8 months ago
Describe the solution you'd like When using the function
generate_timeline_from_es_indexI would like to add an argument based on a single key value pair. https://github.com/google/timesketch/blob/40afb16415dc6ff67791472e56b13f0a0fef894c/api_client/python/timesketch_api_client/sketch.py#L1657 https://timesketch.org/developers/api-upload-data/#import-data-already-ingested-into-opensearchThis values can be used in the Query DSL to filter documents based on the key value pair. For example
ID=1. https://github.com/google/timesketch/blob/b7c7f428069a19564ceea7f31a2e19047848e855/timesketch/api/v1/resources/event.py#L1000This adds the following features to Timesketch when adding dat already ingested in to Opensearch:
IDis1or2are saved in in the same index. Using the key value pairID=1andID=2both timelines can be generated in a single indexDescribe alternatives you've considered Using a single index for a single timeline which is not compatible with 1500+ timelines. https://timesketch.org/guides/admin/scaling-and-limits/#opensearch-indices-limitation