
OpenSearch output module: add CLI option to pass predefined output field

Open joachimmetz opened this issue 3 years ago • 1 comment

Use case: when exporting the contents of a Plaso storage file, add a custom (user-defined) field to the OpenSearch output.

Idea: add a custom fields option, e.g. --custom_fields="hostname:MYHOST"

joachimmetz avatar Jul 12 '22 17:07 joachimmetz

Note to self

  • this might be a good/more elegant alternative to the current log2timeline.py --text (text prepend) option
  • what if a custom field is set that overlaps with a "regular" field? for now give the "regular" field precedence

joachimmetz avatar Jul 12 '22 17:07 joachimmetz
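To make the proposed behaviour concrete, here is an added example that is not Plaso's own code. It takes only the `--custom_fields="hostname:MYHOST"` form and the "regular field wins" precedence rule from the issue; the function names, the comma-separated `name:value` list syntax and the `ValueError` on malformed entries are assumptions for the sake of illustration.

```python
"""Illustration of the proposed --custom_fields option.

Added example, not Plaso's own code. Assumed beyond the issue text:
the function names, the comma-separated "name:value,name:value" syntax
and raising ValueError on malformed entries.
"""


def parse_custom_fields(spec):
    """Parse a comma-separated "name:value" list into a dict.

    Splits each entry on the first ':' only, so a value may itself contain
    colons (e.g. "note:a:b" -> {"note": "a:b"}). Empty entries are skipped;
    entries without a ':' or with an empty name raise ValueError so a typo
    on the command line fails loudly instead of silently producing no field.
    """
    fields = {}
    if not spec:
        return fields
    for entry in spec.split(','):
        entry = entry.strip()
        if not entry:
            continue
        name, separator, value = entry.partition(':')
        name = name.strip()
        if not separator or not name:
            raise ValueError(f'invalid custom field: {entry!r}')
        fields[name] = value.strip()
    return fields


def merge_custom_fields(event_values, custom_fields):
    """Build the OpenSearch document for one event plus the custom fields.

    Regular (event-derived) fields take precedence, as proposed in the note
    above: a custom field whose name already exists in event_values is
    dropped rather than overwriting it. The input dict is left unmodified.
    """
    document = dict(event_values)
    for name, value in custom_fields.items():
        if name in document:
            continue
        document[name] = value
    return document


def shadowed_custom_fields(event_values, custom_fields):
    """Names of custom fields that the precedence rule will ignore.

    Useful for warning the analyst once per export that, say, their
    "hostname" value never reaches OpenSearch because the event already
    carries a hostname.
    """
    return sorted(name for name in custom_fields if name in event_values)


if __name__ == '__main__':
    # Constructed sample input: a Plaso-like event dict and a command-line
    # value; the hostname clash shows the precedence rule in action.
    custom = parse_custom_fields('hostname:MYHOST,case:IR-1234')
    event = {
        'timestamp': 1657645200000000,
        'hostname': 'from-event',
        'message': 'constructed sample event',
    }
    print(merge_custom_fields(event, custom))
    print('ignored custom fields:', shadowed_custom_fields(event, custom))
```

The split-on-first-colon choice matters for values such as Windows paths or timestamps; the check for shadowed names is what turns the "regular field wins" rule into something an analyst can see rather than a silent drop.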

Yes, this would be perfect! I'm also looking for ways to include the hostname. I have a not-so-elegant solution, which is uploading the file from a path that includes the hostname; this way I can see the hostname in OpenSearch. Let me know if you found a more elegant solution. In the meantime I will track this enhancement.

DfirJos avatar Sep 15 '22 12:09 DfirJos