From 7c2b1b0b78620b58409a6364c8b4e63e8b897643 Mon Sep 17 00:00:00 2001
From: Johan Berggren
Date: Wed, 8 Mar 2023 09:55:26 +0100
Subject: [PATCH] Changed Timesketch output to add timeline_id per event (#4576)
---
 plaso/output/opensearch_ts.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/plaso/output/opensearch_ts.py b/plaso/output/opensearch_ts.py
index b04c05e3c1..dc5e53c73b 100644
--- a/plaso/output/opensearch_ts.py
+++ b/plaso/output/opensearch_ts.py
@@ -34,9 +34,11 @@ def _WriteFieldValues(self, output_mediator, field_values):
         modules and other components, such as storage and dfVFS.
       field_values (dict[str, str]): output field values per name.
     """
-    event_document = {
-        '__ts_timeline_id': self._timeline_identifier,
-        'index': {'_index': self._index_name}}
+    event_document = {'index': {'_index': self._index_name}}
+
+    # Add timeline_id on the event level. It is used in Timesketch to
+    # support shared indices.
+    field_values['__ts_timeline_id'] = self._timeline_identifier
     self._event_documents.append(event_document)
     self._event_documents.append(field_values)
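Review bot: The added line `field_values['__ts_timeline_id'] = self._timeline_identifier` mutates the caller's dict in place, and the docstring entry `field_values (dict[str, str]): output field values per name.` in the same hunk does not say so, so a caller that reuses or re-serialises the dict after this call will now carry the identifier. Unconditionally overwriting the key is the right direction if the intent is that the output module, not the event's own attributes, decides which timeline a document belongs to, but that contract should be stated. Either extend the Args entry, e.g. `field_values (dict[str, str]): output field values per name; this method sets the '__ts_timeline_id' field, replacing any existing value.`, or avoid the side effect with `field_values = {**field_values, '__ts_timeline_id': self._timeline_identifier}` before the two appends. _WriteFieldValues starts outside the hunk (its signature is visible only in the hunk header), and the hunk line counts suggest one trailing context line is not shown here.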