Our infrastructure uses plaso (psort.py) to load data into OpenSearch. At the moment, we've been using the generate_timeline_from_es_index function to load the data into timesketch. We'd rather use the opensearch_ts module so we don't need another pass over the data. However, for this, we need to have a timeline id to pass along. In general, it would be nice to create searchindexes and timelines via the api client.
Having looked through the code, my suggestion would be to split out the code that creates the timeline and searchindex in the generate_timeline_from_es_index function so these functions can also be called directly. That way, a timeline can be created via the api and passed along to psort.py to send data directly to the right timeline.
I've created a PR that fits my suggestion, but it's the first time working on this codebase so I am happy to amend anything, or throw it all away if a different approach is better! Happy to contribute either way.
Our infrastructure uses plaso (psort.py) to load data into OpenSearch. At the moment, we've been using the
generate_timeline_from_es_indexfunction to load the data into timesketch. We'd rather use theopensearch_tsmodule so we don't need another pass over the data. However, for this, we need to have a timeline id to pass along. In general, it would be nice to create searchindexes and timelines via the api client.Having looked through the code, my suggestion would be to split out the code that creates the timeline and searchindex in the
generate_timeline_from_es_indexfunction so these functions can also be called directly. That way, a timeline can be created via the api and passed along to psort.py to send data directly to the right timeline.I've created a PR that fits my suggestion, but it's the first time working on this codebase so I am happy to amend anything, or throw it all away if a different approach is better! Happy to contribute either way.