Currently Timesketch always triggers analyzers for a given timeline, even if the requested analyzer was already run on the timeline and the data is already available.
This can get especially heavy on the worker resources with multi-analyzers like sigma or feature extraction.
Example: Each analyzer that depends on the feature extraction triggers about 30 workers per run for the feature extractor alone, without even adding any new data to the timeline if the feature extractor already ran before.
Feature request:
Add logic that runs analyzers on a timeline only if the data did not change by default.
Have an option to force the re-run of an analyzer anyway.
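
A sketch of the requested behavior, added here as an illustration and not taken from the Timesketch code base: analyzers that already ran on unchanged timeline data are skipped, shared prerequisites are scheduled once, and `force=True` re-runs the requested analyzer anyway. The `Timeline` and `AnalyzerScheduler` classes, the `data_version` counter and the analyzer names `analyzer_a`/`analyzer_b` are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Timeline:
    """Hypothetical stand-in for a timeline, not a Timesketch model."""
    name: str
    data_version: int = 0

    def add_events(self, events):
        # Assumption: every import of new events bumps a version counter.
        if events:
            self.data_version += 1


class AnalyzerScheduler:
    def __init__(self, dependencies):
        self.dependencies = dependencies  # analyzer -> prerequisite analyzers
        self.completed = {}               # (timeline, analyzer) -> data_version

    def _order(self, analyzer, seen):
        # Depth-first walk: prerequisites come before their dependants.
        if analyzer in seen:
            return []
        seen.add(analyzer)
        order = []
        for dep in self.dependencies.get(analyzer, []):
            order += self._order(dep, seen)
        return order + [analyzer]

    def request(self, timeline, analyzers, force=False):
        """Return the analyzers that would actually be sent to workers."""
        seen, to_run = set(), []
        for requested in analyzers:
            for name in self._order(requested, seen):
                key = (timeline.name, name)
                # Assumption: force re-runs the requested analyzers only,
                # not prerequisites whose results are still current.
                forced = force and name in analyzers
                if not forced and self.completed.get(key) == timeline.data_version:
                    continue  # result exists for unchanged data: skip
                # A real scheduler would record this only after success.
                self.completed[key] = timeline.data_version
                to_run.append(name)
        return to_run
```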