Not showing fields starting with '_' (underscore)

Open n0tmyproblem opened this issue 3 years ago • 3 comments

Describe the bug

If the upload is made with the timeline GUI button --> I can show _{fields} in the Explore view

If the upload is made with the python API timesketch_import_client --> I can't show them

Example code:

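from timesketch_import_client import importer

# sketch, timeline_name and path are defined elsewhere in the script.
with importer.ImportStreamer() as streamer:
    streamer.set_sketch(sketch)
    streamer.set_timeline_name(timeline_name)
    streamer.add_file(path)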

Expected behavior

I didn't expect to see these fields with any method because I think Elasticsearch uses _{fields} for internal working processes.

Idk if this is a bug or a feature. Anyway, I comment...

n0tmyproblem, Apr 17 '21 20:04

These are scrubbed out by the importer client, but the web UI doesn't do that. The web UI imports need a serious overhaul.

kiddinn, Apr 18 '21 10:04

Deletion reference in the importer client: https://github.com/google/timesketch/blob/master/importer_client/python/timesketch_import_client/importer.py#L134

n0tmyproblem, Apr 18 '21 15:04

@marcobrotto do you want to add that to the CSV and JSON importer to remove columns that start with a _ e.g. _ts_star?

jaegeral, Aug 22 '22 12:08
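The scrubbing discussed in this thread, as an added example that is not Timesketch's own code: it drops every column or top-level key whose name starts with `_` from CSV and JSONL data before upload, so both import paths yield the same fields. The function names and the sample data are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample input, not taken from a real timeline.
SAMPLE_CSV = (
    "message,datetime,timestamp_desc,_id,_index\n"
    "login ok,2021-04-17T20:04:00,Logon,abc123,sketch_1\n"
)
SAMPLE_JSONL = (
    '{"message": "login ok", "datetime": "2021-04-17T20:04:00", '
    '"_type": "doc", "_ts_star": true}\n'
)


def scrub_csv(text):
    """Return (csv_text, dropped_columns) without '_'-prefixed columns."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    kept = [f for f in fields if not f.startswith("_")]
    dropped = [f for f in fields if f.startswith("_")]
    out = io.StringIO()
    # extrasaction="ignore" silently skips the dropped columns in each row.
    writer = csv.DictWriter(out, fieldnames=kept, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue(), dropped


def scrub_jsonl(text):
    """Return (jsonl_text, dropped_keys) without '_'-prefixed top-level keys."""
    dropped, lines = set(), []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between events
        event = json.loads(line)
        dropped.update(k for k in event if k.startswith("_"))
        clean = {k: v for k, v in event.items() if not k.startswith("_")}
        lines.append(json.dumps(clean))
    return "\n".join(lines) + "\n", sorted(dropped)


if __name__ == "__main__":
    print(scrub_csv(SAMPLE_CSV))
    print(scrub_jsonl(SAMPLE_JSONL))
```

Returning the dropped names lets the caller log what was removed, which matters when an analyst later looks for a field that never reached the index.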