This PR fixes the problem described in #2895.
Problem TL;DR:
When using a Plaso version that was released > 180 days ago (e.g. when not updating Timesketch for 6 months), Plaso will print a user warning to stdout:
WARNING: the version of plaso you are using is more than 6 months old. We strongly recommend to update it.
This message on stdout does mess with the expected output format and options to process the output downstream in any automated way.
Example:
pinfo.py --output_format json /tmp/evidence.plaso | jq -r '.storage_counters.parsers'
would throw an error, since jq expects JSON input but Plaso returns the warning + JSON on stdout.
The same happens when Timesketch tries to json load the pinfo.py stdout result while processing a timeline: https://github.com/google/timesketch/blob/f41e7d6e0a84135d9da3018fac48fe35de60d9e5/timesketch/lib/tasks.py#L649
Proposed solution:
This PR does remove the subcommand for running pinfo and imports plaso.cli.pinfo_tool.PinfoTool as a Python module instead. This allows getting the storage_counter stats calculated directly by using the _CalculateStorageCounters() method.
Closing issues
closes #2895
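
The failure mode described in this PR, reproduced as an added example (not code from the PR, Plaso or Timesketch). It shows a consumer-side guard for callers that still read pinfo.py stdout, which is a different approach from the PR's fix of importing PinfoTool directly. The JSON document and its counts are constructed, and `parse_strict` / `parse_tolerant` are hypothetical names.

```python
import json

# Constructed sample: the warning text quoted in the PR, followed by a
# made-up pinfo-style JSON document (the counter values are illustrative).
WARNING = ("WARNING: the version of plaso you are using is more than 6 months "
           "old. We strongly recommend to update it.")
SAMPLE_STDOUT = WARNING + "\n" + json.dumps(
    {"storage_counters": {"parsers": {"filestat": 12, "total": 12}}}
) + "\n"


def parse_strict(stdout):
    """Treat all of stdout as one JSON document (breaks on any preamble)."""
    return json.loads(stdout)


def parse_tolerant(stdout):
    """Decode the first JSON object in stdout, skipping non-JSON lines.

    Returns (document, preamble_lines) so the caller can log what was
    skipped instead of silently discarding it.
    """
    decoder = json.JSONDecoder()
    offset = 0          # character index of the current line within stdout
    preamble = []
    for line in stdout.splitlines(keepends=True):
        stripped = line.lstrip()
        if stripped.startswith("{"):
            # raw_decode does not skip whitespace, so point it at the brace.
            start = offset + (len(line) - len(stripped))
            try:
                document, _end = decoder.raw_decode(stdout, start)
                return document, preamble
            except json.JSONDecodeError:
                pass    # a line that only looks like JSON; keep scanning
        if line.strip():
            preamble.append(line.strip())
        offset += len(line)
    raise ValueError("no JSON object found in pinfo output")
```

Logging the returned preamble keeps the stale-version warning visible to operators even though it no longer breaks timeline processing.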