
Update documentation for "tscli csv2ts" & "tscli json2ts" being moved into "tscli import" timeline CSV / JSONL / PLASO import feature #888

Closed
roddines opened this issue May 9, 2019 · 4 comments

Comments

@roddines

roddines commented May 9, 2019

Refer to: https://github.com/google/timesketch/blob/master/docs/CreateTimelineFromJSONorCSV.md
These are outdated and effectively the new import method is undocumented:

$ tsctl csv2ts --name my_timeline --file timeline.csv
$ tsctl jsonl2ts --name my_timeline --file timeline.jsonl

This works and automatically creates a sketch called: "sketch for: {timeline_name}"
ubuntu@ubu-srv-1804lts-timesketch:~$ sudo tsctl import --username admin --timeline_name jo-2009-12-02_v0006 --file jo-2009-12-02_v0006.csv
"Sketch for: jo-2009-12-02_v0006" is created and timeline begins to be processed

This functionality is confusing and seems to be undocumented in the online docs and even in the CLI but after some experimentation, I found MOST of what I needed as follows.

CLI Help Documentation shows:

ubuntu@ubu-srv-1804lts-timesketch:~$ sudo tsctl --help Gives basic help (like below)
usage: tsctl [-c CONFIG] [-?]
{shell,search_template,db,runserver,purge,drop_db,add_group,add_user,import,add_index,manage_group}
...

positional arguments:
{shell,search_template,db,runserver,purge,drop_db,add_group,add_user,import,add_index,manage_group}
shell Runs a Python shell inside Flask application context.
search_template Command Module to manipulate Search templates.
db Perform database migrations
runserver Runs the Flask development server i.e. app.run()
purge Delete timeline permanently from Timesketch and
Elasticsearch.
drop_db Drop all database tables.
add_group Create a new Timesketch group.
add_user Create a new Timesketch user.
import Create a new Timesketch timeline from a file.
add_index Create a new Timesketch searchindex.
manage_group Manage group memberships.

optional arguments:
-c CONFIG, --config CONFIG
-?, --help show this help message and exit

ubuntu@ubu-srv-1804lts-timesketch:~$ sudo tsctl --help import
Unfortunately, additional detailed command help is not available this way.

However, this method works: sudo tsctl import

ubuntu@ubu-srv-1804lts-timesketch:~$ sudo tsctl import
usage: tsctl import [-?] --file FILE_PATH [--sketch_id SKETCH_ID]
[--username USERNAME] [--timeline_name TIMELINE_NAME]
tsctl import: error: argument --file/-f is required

The biggest problem is that it appears that [--sketch_id SKETCH_ID] is not documented and it is not obvious how it is possible to associate a named sketch with a SKETCH_ID. Note: the SKETCH_ID is NOT the name that appears in the web interface and returns errors if used.

Note:
A list of SKETCH_IDs can be retrieved with a psql query as follows:
sudo psql -d timesketch -U timesketch -c "SELECT * FROM public.sketch"
Password for user timesketch:
id | created_at | updated_at | name | description | user_id
----+----------------------------+----------------------------+---------+-------------+---------
1 | 2019-05-09 07:54:52.773956 | 2019-05-09 07:56:58.749255 | sketch1 | | 1
(1 row)

A specific SKETCH_ID can be retrieved by name with a psql query as follows:
sudo psql -d timesketch -U timesketch -c "SELECT * FROM public.sketch WHERE name = 'sketch1'"
Password for user timesketch:
id | created_at | updated_at | name | description | user_id
----+----------------------------+----------------------------+---------+-------------+---------
1 | 2019-05-09 07:54:52.773956 | 2019-05-09 07:56:58.749255 | sketch1 | | 1
(1 row)

Or if you want just the SKETCH_ID (id) returned, then add the "-t" option up front and restrict the select to id so as to have psql output only the tuple(s) (i.e. consider the possibility of multiple entries being returned):
sudo psql -t -d timesketch -U timesketch -c "SELECT id FROM public.sketch WHERE name = 'sketch1'"
Password for user timesketch:
1
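Putting the psql lookup and the import together, as an added shell example that is not the issue author's or the Timesketch project's own code: the `pick_sketch_id` helper guards the case raised above, a name that matches zero or several sketches, and the lookup passes the name to psql as a variable (`:'name'` quoting) instead of splicing it into the SQL string. The function names are hypothetical; the database, user and `tsctl import` flags are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the issue or from Timesketch). Assumes the commands
# shown in the issue:
#   psql -t -d timesketch -U timesketch -c "SELECT id FROM public.sketch WHERE name = '...'"
#   tsctl import --sketch_id SKETCH_ID --username USERNAME --file FILE_PATH
# Function names are hypothetical helpers.

# pick_sketch_id RAW_PSQL_OUTPUT
# Takes the tuple-only output of `psql -t` and prints exactly one numeric id.
# Fails if the name matched no sketch, or more than one (names are not unique).
pick_sketch_id() {
  # Drop psql's column padding and the trailing blank line, keep non-empty rows.
  ids=$(printf '%s\n' "$1" | tr -d ' \t' | grep -v '^$' || true)
  count=$(printf '%s\n' "$ids" | grep -c . || true)
  case "$count" in
    0) echo "no sketch with that name" >&2; return 1 ;;
    1) ;;
    *) echo "name matches $count sketches, pass --sketch_id explicitly: $(printf '%s' "$ids" | tr '\n' ' ')" >&2
       return 2 ;;
  esac
  # Refuse anything that is not a plain integer before handing it to tsctl.
  case "$ids" in
    ''|*[!0-9]*) echo "unexpected id value: $ids" >&2; return 3 ;;
  esac
  printf '%s\n' "$ids"
}

# sketch_id_by_name SKETCH_NAME
# Same query as in the issue, but the name travels as a psql variable so a
# quote in the sketch name cannot alter the statement.
sketch_id_by_name() {
  raw=$(sudo psql -t -d timesketch -U timesketch -v name="$1" \
          -c "SELECT id FROM public.sketch WHERE name = :'name'") || return 1
  pick_sketch_id "$raw"
}

# import_into_sketch SKETCH_NAME FILE_PATH [USERNAME]
# Imports into the existing sketch instead of letting tsctl create
# "Sketch for: <timeline_name>". The default user "admin" is the one used
# in the issue's example.
import_into_sketch() {
  id=$(sketch_id_by_name "$1") || return 1
  sudo tsctl import --sketch_id "$id" --username "${3:-admin}" --file "$2"
}
```

Typical use is `import_into_sketch sketch1 jo-2009-12-02_v0006.csv`; when two sketches share a name the helper prints both ids and stops, so the operator picks the right one rather than having the timeline land in the wrong sketch.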

@roddines roddines changed the title Update documentation on "tscli import" timeline CSV / JSONL / PLASO import feature Update documentation for "tscli csv2ts" & "tscli json2ts" being moved into "tscli import" timeline CSV / JSONL / PLASO import feature May 13, 2019
@kiddinn
Contributor

kiddinn commented Oct 22, 2019

yes, the documentation is considerably out of date, needs to be updated

@kiddinn kiddinn self-assigned this Oct 22, 2019
@kiddinn
Contributor

kiddinn commented Oct 22, 2019

So regarding the sketch ID, that is the ID that you'll see in the URI of your sketch, eg:

http://mytimesketch_server/sketch/1/timelines/

Then the sketch ID is 1.

We can maybe also add a feature into tsctl to list up all available sketches.

@kiddinn
Contributor

kiddinn commented Oct 22, 2019

Added a "list_sketches" command to tsctl in addition to updating the documentation.

@roddines
Author

Many Thanks!
