Closed jaegeral closed 1 year ago
Actually this has been implemented already: https://github.com/google/timesketch/commit/fee95d83b9aa1964336c5f40c405fe2ce55eb4fe
timesketch --sketch 1 --output-format csv search -q "*" --time-range 2022-04-01 2023-06-27 --limit 200000 | wc -l
200001
When running a command like
timesketch --sketch 12345 search -q "*" --time-range 2023-06-20 2023-06-27 --output-format csv
If the number of results is really big, there might be a
ValueError: Unable to query results, with error [0] No reason
raised.
Potential solutions:
a) implement a hard limit and tell the user to avoid the ValueError
b) mid term: add an extra option for the user to get streamed results and then append them
c) use a different API method to let the backend execute the query (in most cases it would be search for *) and provide a compressed export of the whole sketch or a particular timeline.
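A client-side approximation of options a) and b), as an added example that is not Timesketch code: it splits the time range into windows, runs one search per window using only the flags shown in this issue, appends the CSV chunks, and reports any window that returned exactly `--limit` rows, since that window may have been cut off. The function names are hypothetical, and it assumes `--time-range` treats both dates as inclusive and that every non-empty CSV chunk starts with the same header row.

```python
import csv
import io
import subprocess
from datetime import date, timedelta

def windows(start, end, days):
    """Split [start, end] into consecutive, non-overlapping date windows."""
    cur = start
    while cur <= end:
        last = min(cur + timedelta(days=days - 1), end)
        yield cur, last
        cur = last + timedelta(days=1)

def build_argv(sketch_id, query, win, limit):
    """One CLI invocation per window (flags as they appear in the issue)."""
    return ["timesketch", "--sketch", str(sketch_id), "--output-format", "csv",
            "search", "-q", query,
            "--time-range", win[0].isoformat(), win[1].isoformat(),
            "--limit", str(limit)]

def merge_csv(chunks, limit):
    """Append chunks under one header; return (csv_text, truncated_indexes)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    header, truncated = None, []
    for idx, text in enumerate(chunks):
        rows = list(csv.reader(io.StringIO(text)))
        if not rows:
            continue  # window with no output at all
        if header is None:
            header = rows[0]
            writer.writerow(header)
        elif rows[0] != header:
            raise ValueError(f"chunk {idx}: header differs, refusing to merge")
        if len(rows) - 1 >= limit:
            truncated.append(idx)  # hit the cap: results may be incomplete
        writer.writerows(rows[1:])
    return out.getvalue(), truncated

def export(sketch_id, query, start, end, days=1, limit=200000):
    """Run the searches (needs a configured timesketch CLI) and merge them."""
    wins = list(windows(start, end, days))
    chunks = [subprocess.run(build_argv(sketch_id, query, w, limit),
                             capture_output=True, text=True, check=True).stdout
              for w in wins]
    merged, truncated = merge_csv(chunks, limit)
    return merged, [wins[i] for i in truncated]
```

Any window returned in the second element of `export()` should be re-run with a smaller `days` value before the export is treated as complete.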