Search within timeline

Search queries

Timesketch allows full text search within timelines. Good way to get started is by selecting one of pre-set search templates and adjusting them to the data in your timeline.

Simple search queries relies on Query String Query mini-language, but it is also possible to use the full potential of OpenSearch query language in Advanced queries.

Common fields

Data fields will vary depending on the source being uploaded, but here are some that are mandatory, and therefore will be present in any timeline.

Field	Description	Example query
`message`	String with information about event	`message:”This is a message”`
`timestamp`	Timestamp as microseconds since Unix epoch	`timestamp:”363420000”`
`datetime`	Date and time in ISO8601 format	`datetime:”2016-03-31T22:56:32+00:00”`
`timestamp_desc`	String explaining what type of timestamp it is	`timestamp_desc:”Content Modification Time”`

Additional fields come from the imported Plaso file and depend on source type. You can see which additional fields are available in your timeline by clicking on any event and seeing the detailed list of all fields and their values.

Field	Description	Example query
`data_type`	Data types present in timeline (depends on source)	`data_type:"windows:registry:key_value"`
`filename`	Search for particular filetypes	`filename:*.exe`
`strings:`	Search for a particular string	`strings:"PsExec"`

Search operators

Query String supports boolean search operators AND, OR and NOT.

Wildcards and regular expressions

Wildcards can be run on individual search terms using ? for a single character and * for zero or more characters. Be aware that wildcards can use a lot of memory.

Regular expression patterns can be embedded in the query string by wrapping them in forward-slashes ("/"):

Syntax:

Some characters are reserved for regular expressions and must be escaped in the pattern

. ? + * | { } [ ] ( ) " \

Below are syntax elements and example regular expressions

Sign	Meaning	Example
`"."`	Match any character	For "aaabbb": `ab... # match` `a.c.e # match`
`"+"`	One or more	For "aaabbb": `a+b+ # match` `aa+bb+ # match` `a+.+ # match` `aa+bbb+ # match`
`"*"`	Zero-or-more	For "aaabbb": `ab # match` `abc* # match` `.bbb. # match` `aaabbb # match`
`"?"`	Zero-or-one	For "aaabbb": `aaa?bbb? # match` `aaaa?bbbb? # match` `.....?.? # match` `aa?bb? # no match`
`"{}"`	Min-to-max repetitions	For "aaabbb": `a{3}b{3} # match` `a{2,4}b{2,4} # match` `a{2,}b{2,} # match` `.{3}.{3} # match` `a{4}b{4} # no match` `a{4,6}b{4,6} # no match` `a{4,}b{4,} # no match`
`"()"`	Forms sub-patterns	For "ababab" `(ab)+ # match` `ab(ab)+ # match` `ab(ab)+ # match` `(..)+ # match` `(...)+ # no match` `(ab)* # match` `abab(ab)? # match` `ab(ab)? # no match` `(ab){3} # match` `(ab){1,2} # no match`
`"\|"`	Acts as "OR" operator	For "aabb" `aabb\|bbaa # match` `aacc\|bb # no match` `aa(cc\|bb) # match` `a+\|b+ # no match` `a+b+\|b+a+ # match` `a+(b\|c)+ # match`
`"[]"`.	Sets range of potential characters	For "abcd": `ab[cd]+ # match` `[a-d]+ # match` `[^a-d]+ # no match`

Description	Example Query
Date Ranges	datetime:[2021-08-29 TO 2021-08-31]
Date prior to	datetime:[* TO 2021-08-29]
Dates after	datetime:[2021-08-31 TO *]
Either side of a range	datetime:[ TO 2021-08-29] OR datetime:[2021-08-31 TO ]

Now that we can handle dates in the query bar, we can start building more complex queries. This query will find all the potential Remote Desktop event log entries in the given date range.

data_type:"windows:evtx:record" AND event_identifier:4624 AND xml_string:"/LogonType\"\>3/" AND datetime:[2021-08-29 TO 2021-08-31]

Advanced search

Advanced search queries are in JSON format, and let you use the full power of OpenSearch. You can view your existing Query String query as an advanced OpenSearch query by clicking "Advanced" button below the query entry field.

Full query DSL guide

Saved Searches

Saved Searches are saved results of your search queries, for easier access later. A saved Search does not only include the query but also specifics like displayed columns.

To save search results, run your search query, apply filters if needed, and click the “Save” button under the query field. Now you can access this Search from “Saved Searches” drop-down menu on Explore page of your sketch.

You can further refine the data in your views by manually hiding certain events. To do it, click a small eye icon next to the icon. If you have hidden events in your view, they can be un-hidden by clicking red button “Show hidden events” in the upper right corner of your timeline.

You can save changes to your views by clicking “Save Changes” button

Search templates

Search templates allow quick creation of most commonly used views. You can browse available templates in the “Search templates” drop-down menu below search query window on “Explore page”

On “Views” page, you can quickly generate and add a view from a template to your sketch. To do so, just scroll down to the template you want to use, and click “Quick add”

Examples

Here are some common searches:

Description	Example Query	Comment
EventId 4624 and LogonType 5	event_identifier:4624 AND "LogonType\">5"
Windows File path	"C:\Users\foobar\Download\folder\ whitespace\filename.jpeg"
Events that have a value in a field that contains the name `comm`	`_exists_:"comm"`	Can be very expensive search

Common questions

There is a frequent question around Windows Event logs and how they are represented in Timesketch when imported from Plaso. For that we recommend reading up on Common misconception about Windows EventLogs