berggren/example_sketch_analyzer.py

## example_sketch_analyzer.py
"""TheSketchAnalyzer."""
from __future__ import unicode_literals

from timesketch.lib.analyzers import interface
from timesketch.lib.analyzers import manager


class TheSketchAnalyzer(interface.BaseSketchAnalyzer):
    """The Sketch Analyzer."""

    NAME = 'TheSketchAnalyzer'

    def __init__(self, sketch_id, index_name):
        """Initialize The Sketch Analyzer.

        Args:
            sketch_id: Sketch ID
            index_name: Elasticsearch index name
        """
        self.index_name = index_name
        super(TheSketchAnalyzer, self).__init__(sketch_id, index_name)

    def run(self):
        """Entry point for the analyzer.

        Returns:
            String with summary of the analyzer result
        """
        # TODO: Add Elasticsearch query to get the events you need.
        # Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html
        query = ''

        # TODO: Specify what returned fields you need for your analyzer.
        return_fields = ['message']

        # Generator of events based on your query.
        events = self.event_stream(
            query_string=query,
            return_fields=return_fields
        )

        # TODO: Add analyzer logic here.
        # Methods available to use for sketch analyzers:
        # sketch.get_all_indices()
        # sketch.add_view(name, query_string, query_filter={})
        # event.add_attributes({'foo': 'bar'})
        # event.add_tags(['tag_name'])
        # event_add_label('label')
        # event.add_star()
        # event.add_comment('comment')
        for event in events:
            pass

        # TODO: Return a summary from the analyzer.
        return 'String to be returned'


manager.AnalysisManager.register_analyzer(TheSketchAnalyzer)
	"""TheSketchAnalyzer."""
	from __future__ import unicode_literals

	from timesketch.lib.analyzers import interface
	from timesketch.lib.analyzers import manager


	class TheSketchAnalyzer(interface.BaseSketchAnalyzer):
	"""The Sketch Analyzer."""

	NAME = 'TheSketchAnalyzer'

	def __init__(self, sketch_id, index_name):
	"""Initialize The Sketch Analyzer.

	Args:
	sketch_id: Sketch ID
	index_name: Elasticsearch index name
	"""
	self.index_name = index_name
	super(TheSketchAnalyzer, self).__init__(sketch_id, index_name)

	def run(self):
	"""Entry point for the analyzer.

	Returns:
	String with summary of the analyzer result
	"""
	# TODO: Add Elasticsearch query to get the events you need.
	# Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html
	query = ''

	# TODO: Specify what returned fields you need for your analyzer.
	return_fields = ['message']

	# Generator of events based on your query.
	events = self.event_stream(
	query_string=query,
	return_fields=return_fields
	)

	# TODO: Add analyzer logic here.
	# Methods available to use for sketch analyzers:
	# sketch.get_all_indices()
	# sketch.add_view(name, query_string, query_filter={})
	# event.add_attributes({'foo': 'bar'})
	# event.add_tags(['tag_name'])
	# event_add_label('label')
	# event.add_star()
	# event.add_comment('comment')
	for event in events:
	pass

	# TODO: Return a summary from the analyzer.
	return 'String to be returned'


	manager.AnalysisManager.register_analyzer(TheSketchAnalyzer)