Search within timeline

Search queries

Timesketch allows full text search within timelines. Good way to get started is by selecting one of pre-set search templates and adjusting them to the data in your timeline.

Simple search queries relies on Query String Query mini-language, but it is also possible to use the full potential of OpenSearch query language in Advanced queries.

Common fields

Data fields will vary depending on the source being uploaded, but here are some that are mandatory, and therefore will be present in any timeline.

Field	Description	Example query
`message`	String with information about event	`message:”This is a message”`
`timestamp`	Timestamp as microseconds since Unix epoch	`timestamp:”363420000”`
`datetime`	Date and time in ISO8601 format	`datetime:”2016-03-31T22:56:32+00:00”`
`timestamp_desc`	String explaining what type of timestamp it is	`timestamp_desc:”Content Modification Time”`

Additional fields come from the imported Plaso file and depend on source type. You can see which additional fields are available in your timeline by clicking on any event and seeing the detailed list of all fields and their values.

Field	Description	Example query
`data_type`	Data types present in timeline (depends on source)	`data_type:"windows:registry:key_value"`
`filename`	Search for particular filetypes	`filename:*.exe`
`strings:`	Search for a particular string	`strings:"PsExec"`

Search operators

Query String supports boolean search operators AND, OR and NOT.

Wildcards and regular expressions

Wildcards can be run on individual search terms using ? for a single character and * for zero or more characters. Be aware that wildcards can use a lot of memory.

Regular expression patterns can be embedded in the query string by wrapping them in forward-slashes ("/"):

Syntax:

Some characters are reserved for regular expressions and must be escaped in the pattern

. ? + * | { } [ ] ( ) " \

Below are syntax elements and example regular expressions

Sign	Meaning	Example
`"."`	Match any character	For "aaabbb": `ab... # match` `a.c.e # match`
`"+"`	One or more	For "aaabbb": `a+b+ # match` `aa+bb+ # match` `a+.+ # match` `aa+bbb+ # match`
`"*"`	Zero-or-more	For "aaabbb": `ab # match` `abc* # match` `.bbb. # match` `aaabbb # match`
`"?"`	Zero-or-one	For "aaabbb": `aaa?bbb? # match` `aaaa?bbbb? # match` `.....?.? # match` `aa?bb? # no match`
`"{}"`	Min-to-max repetitions	For "aaabbb": `a{3}b{3} # match` `a{2,4}b{2,4} # match` `a{2,}b{2,} # match` `.{3}.{3} # match` `a{4}b{4} # no match` `a{4,6}b{4,6} # no match` `a{4,}b{4,} # no match`
`"()"`	Forms sub-patterns	For "ababab" `(ab)+ # match` `ab(ab)+ # match` `ab(ab)+ # match` `(..)+ # match` `(...)+ # no match` `(ab)* # match` `abab(ab)? # match` `ab(ab)? # no match` `(ab){3} # match` `(ab){1,2} # no match`
`"\|"`	Acts as "OR" operator	For "aabb" `aabb\|bbaa # match` `aacc\|bb # no match` `aa(cc\|bb) # match` `a+\|b+ # no match` `a+b+\|b+a+ # match` `a+(b\|c)+ # match`
`"[]"`.	Sets range of potential characters	For "abcd": `ab[cd]+ # match` `[a-d]+ # match` `[^a-d]+ # no match`

Wildcard Search Mode

Timesketch includes a dedicated Wildcard Search Mode (introduced starting with version 20260617) designed for case-insensitive substring searching. Under the hood, this mode leverages the OpenSearch wildcard field type, making queries with leading/trailing wildcards (e.g., *malicious*) significantly faster and more reliable compared to the classic query string search.

To use Wildcard Search Mode: * In the Web UI: Select the WC (Wildcard) mode from the toggle button at the left of the query bar (which otherwise defaults to QS for Query String). * In Settings: You can choose to enable "Use Wildcard Search by default" under your user settings.

Query Syntax & Examples

Wildcard mode tokenizes queries by space and parentheses, supporting standard Boolean logic and parenthetical groupings:

Global substring search: *evil* searches case-insensitively across all fields mapped with wildcard properties (string based fields by default).
Field-specific search: message:*evil* searches only within the message field.
Logical operators: *evil* AND *good* or *evil* OR *good*. The operators AND, OR, and NOT must be capitalized.
Implicit AND: Multiple terms separated by a space (e.g., *evil* *good*) are implicitly combined with AND.
Exact values with colons: If your query contains colons (such as paths, MAC addresses, or URLs), you must wrap it in double quotes (e.g., url:"http://google.com/" or "*count: 1*"), otherwise the colon is interpreted as a field separator.
No Escaping Required: You do not need to escape special characters like . or - with backslashes. Matches are literal, and escaping them (e.g. *\.com*) will actually search for a literal backslash.

Note: Wildcard Search Mode requires timeline indices to have wildcard mapping enabled. Older timelines imported before this feature was introduced do not support it and will default back to Query String mode.

Description	Example Query
Date Ranges	datetime:[2021-08-29 TO 2021-08-31]
Date prior to	datetime:[* TO 2021-08-29]
Dates after	datetime:[2021-08-31 TO *]
Either side of a range	datetime:[ TO 2021-08-29] OR datetime:[2021-08-31 TO ]

Now that we can handle dates in the query bar, we can start building more complex queries. This query will find all the potential Remote Desktop event log entries in the given date range.

data_type:"windows:evtx:record" AND event_identifier:4624 AND xml_string:"/LogonType\"\>3/" AND datetime:[2021-08-29 TO 2021-08-31]

Advanced search

Advanced search queries are in JSON format, and let you use the full power of OpenSearch. You can view your existing Query String query as an advanced OpenSearch query by clicking "Advanced" button below the query entry field.

Full query DSL guide

Saved Searches

Saved Searches are saved results of your search queries, for easier access later. A saved Search does not only include the query but also specifics like displayed columns.

To save search results, run your search query, apply filters if needed, and click the “Save” button under the query field. Now you can access this Search from “Saved Searches” drop-down menu on Explore page of your sketch.

You can further refine the data in your views by manually hiding certain events. To do it, click a small eye icon next to the icon. If you have hidden events in your view, they can be un-hidden by clicking red button “Show hidden events” in the upper right corner of your timeline.

You can save changes to your views by clicking “Save Changes” button

Search templates

Search templates allow quick creation of most commonly used views. You can browse available templates in the “Search templates” drop-down menu below search query window on “Explore page”

On “Views” page, you can quickly generate and add a view from a template to your sketch. To do so, just scroll down to the template you want to use, and click “Quick add”

Examples

Here are some common searches:

Description	Example Query	Comment
EventId 4624 and LogonType 5	event_identifier:4624 AND "LogonType\">5"
Windows File path	"C:\Users\foobar\Download\folder\ whitespace\filename.jpeg"
Events that have a value in a field that contains the name `comm`	`_exists_:"comm"`	Can be very expensive search

Common questions

There is a frequent question around Windows Event logs and how they are represented in Timesketch when imported from Plaso. For that we recommend reading up on Common misconception about Windows EventLogs