Start / end date options to select events to process

Question

Start / end date options to select events to process

einarssonm opened this issue 3 years ago · comments

Request to include start / end date options, to select events to process. This would optimize processing of large event log files, such as ForwardedEvents.evtx with 10-20 GB max size. Ideally the date filters would be applied as early as possible, to avoid unnecessary processing of irrelevant events. Suggested options:

OPTIONS:
  -sd, --start-date <datetime>
           Start date for including events (UTC). Anything older than this is dropped. Format: yyyy-MM-dd HH:mm:ss

  -ed, --end-date <datetime>
           End date for including events (UTC). Anything newer than this is dropped. Format: yyyy-MM-dd HH:mm:ss

fscc-jamesd · Answer 1 · Fri Oct 22 2021 22:31:16 GMT+0800 (China Standard Time)

@einarssonm

Good idea, I'll work on adding this.

Olaf Hartong · Answer 2 · Tue Oct 26 2021 02:08:31 GMT+0800 (China Standard Time)

@einarssonm

Good idea, I'll work on adding this.

I'd love to see that too ! Great tool by the way!

fscc-jamesd · Answer 3 · Thu Nov 25 2021 21:13:21 GMT+0800 (China Standard Time)

This has been added in #29 and is now live in the latest build. Let me know if you find any issues.