Timestamp error in Windows.EventLogs.Hayabusa Artifact
clopmz opened this issue · comments
When the Windows.EventLogs.Hayabusa artifact is executed, it returns several errors with the CSV and/or JSONL outputs related to the "Timestamp" field. By default, Hayabusa creates the Timestamp field with the name "datetime".
Changing VQL from "SELECT *, timestamp(string=Timestamp) AS EventTime" to "SELECT *, timestamp(string=datetime) AS EventTime" solves the issue.
Just trying to replicate this, but it looks like Hayabusa already adds the Timestamp field. This happens with the following binary:
https://github.com/Yamato-Security/hayabusa/releases/download/v2.15.0/hayabusa-2.15.0-win-x64.zip
For me the artifact works properly.
Thanks for using Hayabusa :)
This seems to be the cause: when you choose the timesketch-verbose profile in the OutputProfile option, it is datetime instead of Timestamp.
Thanks for clarifying - is this an issue with Hayabusa not using a consistent schema, or do we need to special case this output format?
I just thought about it :-) I realized that timesketch-verbose is emitting data for consumption by timesketch, so it has to produce the same schema as timesketch expects. I think we need to handle both timestamp options.
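As an added illustration of "handling both timestamp options" (this is not code from the Velociraptor artifact or from Hayabusa), the following Python normalises Hayabusa JSONL rows that carry either a `Timestamp` field (default profiles) or a `datetime` field (timesketch-verbose profile) into one `EventTime` column. The row layout and the time string formats in the sample are constructed assumptions, not verbatim Hayabusa output.

```python
import json
from datetime import datetime, timezone

# Field names Hayabusa may use for the event time, in order of preference:
# "Timestamp" for the default profiles, "datetime" for timesketch-verbose.
TIME_FIELDS = ("Timestamp", "datetime")

# Constructed sample JSONL rows (assumed layout, not real Hayabusa output).
# Row 1 mimics a default profile, row 2 the timesketch-verbose profile,
# row 3 has no time field at all so the failure path is exercised.
SAMPLE_JSONL = """\
{"Timestamp": "2024-03-01 10:15:30.123 +00:00", "Computer": "WS01", "RuleTitle": "Example rule A", "Level": "high"}
{"datetime": "2024-03-01T10:16:00+00:00", "Computer": "WS02", "RuleTitle": "Example rule B", "Level": "med"}
{"Computer": "WS03", "RuleTitle": "Example rule C", "Level": "low"}
"""

# Time string layouts we are prepared to parse (assumed, not Hayabusa's spec).
_FORMATS = (
    "%Y-%m-%d %H:%M:%S.%f %z",
    "%Y-%m-%d %H:%M:%S %z",
    "%Y-%m-%dT%H:%M:%S.%f%z",
    "%Y-%m-%dT%H:%M:%S%z",
)


def pick_time_field(record):
    """Return the first known time field present and non-empty, else None."""
    for name in TIME_FIELDS:
        if record.get(name):
            return name
    return None


def parse_time(value):
    """Parse a time string into an aware UTC datetime, or None if unrecognised."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    return None


def normalize(jsonl_text):
    """Add EventTime (ISO 8601 UTC) and TimeField to every row of a JSONL dump.

    Rows lacking any known time field keep the rest of their data but get
    EventTime=None, so they are visible rather than silently dropped.
    """
    events = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        field = pick_time_field(record)
        parsed = parse_time(record[field]) if field else None
        record["TimeField"] = field
        record["EventTime"] = parsed.isoformat() if parsed else None
        events.append(record)
    return events


if __name__ == "__main__":
    for event in normalize(SAMPLE_JSONL):
        print(event["TimeField"], event["EventTime"], event["RuleTitle"])
```

Rows without a recognised time field are kept with `EventTime` set to `None`, which is the behaviour you want in a triage pipeline: a schema mismatch shows up as a column of empty times rather than as a silently shortened result set.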
Yes, it is a schema for timesketch! I'll see if we can fix it.
I fixed this issue. Thanks for reporting and supporting :)
Velocidex/velociraptor-docs#850
Thanks for fixing it all!