Composite timelines: Change the behavior of uploaded data #1567
Comments
|
First phase is in, which fixes upload REST API, the importer and explore REST api and search api object. Now search works across old sketches, new and mixed. Next phase will be to fix the UI so that filtering based on individual timelines works and counting of events. Another parallel stream is to fix psort so that plaso ingestion works |
|
#1573 submitted as phase II, the first UI fixes for the new indexing. |
…d fixing build_query (#1574) * Changing __timeline_id to __ts_timeline_id and fixing build_query * More changes from last PR
|
The needed change in psort can be found here: log2timeline/plaso#3463 |
|
fixing UI counts: #1576 |
|
Adding aggregation support in #1588 |
|
What is left here is to deprecate |
|
What is also left is to update docker containers to point to the dev PPA once plaso gets a pre-release candidate out in the PPA. This would make plaso uploads work again. |
|
Now we've moved to the testing stage, we just need to test and make sure everything works again. |
|
This has been completed. Bug fixes have been made, but overall the changes required are completed. |
berggren
changed the title
Problem
Elastic has a limit on the number of open resources, which means that each deployment only has a limited amount of indices that can be open at any given time.
The current behavior of uploading data is that each and every new data gets assigned a new SearchIndex (SI) and a new Elastic Index. This means that a sketch that has 10 data sources will have 10 open indices.
Elastic has a preference for fewer and bigger indices. Therefore the solution is to change the behavior of file uploads in the following manner:
labelThis will mean that instead of each data source having it's own SI, all data sources will share the same SI in the sketch.
This will in part
solve: #1200 but it also needs to be added into this design, that is the ability to merge older timelines in a sketch.This requires multiple changes spread out over the codebase, including a major change in the UI and API client to make sure that searches can still be limited to each data source, or TO, instead of the current behavior that limits to it to hits within each SI.
A list of items to be done:
__ts_timeline_idfieldelastic_tsoutput module and move TS specific things to lib/tasks.pynew worldvs anold worldtimeline.tsctl importor uploading data viatsctlanymore, deprecate that.The text was updated successfully, but these errors were encountered: