Support timeevent grouping/clustering #1864
Comments
|
Event type grouping would be declared in a config file, in JSON or XML format. |
|
Hi @lfcnassif, While waiting processing of big case for ALeappBridgeTask testing, I have done adraft to this issue. It groups time events based on prefix (not prefixed event types goes into BasicProperties). I've made a video to ilustrate it. The cache/indexing is also done on time event group base, i.e., one index/cache per timeeventgroup, so it keeps in memory only needed info to plot the corresponding time event group chosen. Although the checkbox on video, it is not yet possible to choose multiple time event groups. And I have a question on this: Could we subdivide this enhancement in others:
timeeventgroup-2024-02-21_12.59.54.mp4 |
|
Hi @patrickdalla, this seems very useful, thanks!
Would this be backwards compatible with old cases? I think this is important.
Will the user be able to plot arbitrary event types together like he/she is able today? I think it is important to keep.
This is useful, but I agree it can be implemented later. |
|
Hi @lfcnassif , The persisted indexes/cache info will be based on group of events (subdir name). So, when opening old cases, the old index with all events won't be changed, but new ones will be created for each group. It will become redundant, consuming space, but will be backward compatible. |
never selected its cache is not created/loaded.
Change timeline desing to support event types grouping, like WinEvtx, filesystem MACD , P2P etc.
This could be used for:
So the user could still view all timeevents, but for the more common, the APP would be optimized.
The text was updated successfully, but these errors were encountered: