-
Notifications
You must be signed in to change notification settings - Fork 592
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Milliseconds and microseconds are set to zero when uploading a CSV using the CLI client or importer client - Web UI unaffected #3173
Comments
can you provide a csv sample with all values including the headers? |
Sure, I've attached a small sample. I can confirm that the same behaviour is observed with this file. Versions: |
Thx. There was some previous art: 30da8aa and https://github.com/google/timesketch/blob/master/test_tools/test_events/validate_timestamp_conversion.csv might be the right place to add more variation to it. |
So can confirm, the following:
results in:
|
Based on: timesketch/timesketch/lib/utils.py Line 47 in 53b0080
|
assuming it is here:
|
So we now have unittests to reproduce the problem, stay tuned for hopefully fixing it, but we need to discuss what our expectation here is. |
Thanks @jaegeral. I have another timestamp issue which may be related - if not I can raise this separately. Importing a CSV using timesketch_importer from a different data set to the original issue results in a malformed datetime, but only with how it's displayed. Snippet of the CSV (headers/columns truncated):
The timestamp format makes no difference to the result; I've tried cutting off the offset, precision below 1 second, removing the "T". Once imported to the timeline, it appears in the correct place chronologically. The image below shows the same events, the top 3 of each section are from CLI import, the bottom 3 are from web upload. Strangely, the UNIX timestamp is correct for the CLI upload and incorrect for the web upload: Note: These were uploaded using a formatter.yaml file to define message, datetime, timestamp_desc etc., but the importer fairs no better when excluding a formatter file. |
This latest issue has been referenced here: #3084 (comment) |
Describe the bug
When uploading a Hayabusa-generated CSV timeline via the CLI client or importer client, milliseconds and microseconds are set to zero in the datetime and timestamp fields. Timestamps tested have been in RFC-3339 and ISO-8601 format.
When uploading the same CSV using the web UI, the timestamps retain their microsecond precision.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
Microsecond precision in timestamps are preserved when uploading CSV timelines using the CLI client or importer script.
Screenshots
Snippet of timestamp in Hayabusa CSV timeline:
Timesketch fields of CSV timeline uploaded using the web UI:
Timesketch fields of CSV timeline uploaded using the CLI client:
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: