
Search boundaries

Open jadominguez opened this issue 3 years ago • 2 comments

Is there a way to limit the search or dump to a specific date/time range? This can be useful when working on specific incidents where we understand the timeline of the event. I did not see anything specific in the examples that would allow me to do that.

I tried to follow the source code, but I am not a Go programmer.

Thank you,

José.

jadominguez avatar Dec 11 '20 20:12 jadominguez

yeah.. I think that should be doable. The databases index IP address to filename, and the filename_to_time_regex option lets it turn a filename back into a time. I think I could add 'earliest' and 'latest' options to the search and dump endpoints.. would that work?

JustinAzoff avatar Dec 12 '20 02:12 JustinAzoff

Hello Justin. I think that should do the trick. Could I use both options at the same time? If so, that effectively accomplishes what I was thinking. If only one of the options is used, then we could assume that it should start at the beginning or end of the database set. Thank you.

jadominguez avatar Dec 12 '20 02:12 jadominguez
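As an added illustration of the time-bounding discussed in the two comments above (turning an indexed filename back into a time, then applying optional earliest/latest bounds where an omitted bound means open-ended), here is example code that is not flow-indexer's own; the regex, the timestamp layout, the sample filenames and every function name are assumptions:

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Constructed example: a pattern that pulls a timestamp out of a log filename such as
// "conn.2020-12-11-20-00-00.log.gz". The capture group is parsed with tsLayout.
// Both are hypothetical stand-ins for whatever filename_to_time_regex is configured to.
var filenameToTimeRegex = regexp.MustCompile(`(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})`)

const tsLayout = "2006-01-02-15-04-05"

// fileTime converts an indexed filename back into a time, or errors if none is found.
func fileTime(name string) (time.Time, error) {
	m := filenameToTimeRegex.FindStringSubmatch(name)
	if m == nil {
		return time.Time{}, fmt.Errorf("no timestamp in %q", name)
	}
	return time.Parse(tsLayout, m[1])
}

// inRange applies the proposed earliest/latest bounds. A zero time means that bound is
// open, so a caller may supply only one of the two, or neither, as the second comment asks.
func inRange(t, earliest, latest time.Time) bool {
	if !earliest.IsZero() && t.Before(earliest) {
		return false
	}
	if !latest.IsZero() && t.After(latest) {
		return false
	}
	return true
}

// filterFiles returns the filenames whose embedded time lies within [earliest, latest].
// Filenames that cannot be mapped to a time are skipped, not silently treated as matches,
// so an analyst should separately account for such files when scoping an incident window.
func filterFiles(names []string, earliest, latest time.Time) []string {
	var out []string
	for _, n := range names {
		t, err := fileTime(n)
		if err != nil {
			continue
		}
		if inRange(t, earliest, latest) {
			out = append(out, n)
		}
	}
	return out
}
```

Calling `filterFiles` with a zero `time.Time{}` for either bound reproduces the "start at the beginning or end of the database set" behaviour described in the reply.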