Wednesday, April 20, 2011

Date-Range Specific Timelines

In the prior posts I built a timeline with the new mactime and csv output options in log2timeline: I used my bodyfile as input and exported to a csv that carries more l2t-specific fields than the standard mactime-generated csv. This is nice, but l2t generates one line per timestamp type, which gives us a whole lot of rows. It turned out my main timeline was just too much data to load in Excel or Access, even with 64-bit Win7 and 16 GB of RAM on a quad-core processor. Apparently 1.2M rows is just insane. Meh.

I tried to get Kristinn to do things differently, but he just wouldn't see it "my" way. ;) However, in true form, he was extremely helpful. We walked through using grep against an l2t-generated csv to pull out the specific date sub-ranges I needed to focus on, like:

head -1 csv.001 > dates.001                              # keep the header row
grep "^0[2-5]\/[0-3][0-9]\/2009," csv.001 >> dates.001   # append rows dated 02/xx/2009 through 05/xx/2009

This copies the header row and then appends every row whose date column (whatever the timestamp type) falls in February through May of 2009.
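As an added example (not from the original post or from log2timeline itself), here is the same date-range split done by parsing the date column instead of pattern-matching it, which also handles a range that crosses a month or year boundary where a single character class in the grep pattern cannot. The l2t_csv column layout and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample in the l2t_csv layout (header assumed); only the first column matters here.
SAMPLE_CSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/31/2009,23:59:59,UTC,M...,FILE,NTFS,Last Written,-,host1,before-range,-,2,C:/a.txt,0,-,mactime,-
02/01/2009,00:00:00,UTC,.A..,FILE,NTFS,Last Accessed,-,host1,first-day,-,2,C:/b.txt,0,-,mactime,-
04/15/2009,12:00:00,UTC,..C.,FILE,NTFS,Entry Modified,-,host1,mid-range,-,2,C:/c.txt,0,-,mactime,-
05/31/2009,23:59:59,UTC,...B,FILE,NTFS,Created,-,host1,last-day,-,2,C:/d.txt,0,-,mactime,-
06/01/2009,00:00:00,UTC,M...,FILE,NTFS,Last Written,-,host1,after-range,-,2,C:/e.txt,0,-,mactime,-
12/30/2009,08:00:00,UTC,M...,FILE,NTFS,Last Written,-,host1,year-end,-,2,C:/f.txt,0,-,mactime,-
01/02/2010,08:00:00,UTC,M...,FILE,NTFS,Last Written,-,host1,new-year,-,2,C:/g.txt,0,-,mactime,-
"""

def parse_l2t_date(text):
    """Parse the MM/DD/YYYY date column used in the csv (same layout the grep pattern matches)."""
    month, day, year = text.split("/")
    return date(int(year), int(month), int(day))

def filter_by_date_range(csv_text, start, end):
    """Return (header, rows) where every row's date column falls within [start, end] inclusive.

    Works across month and year boundaries; rows with an unparseable date are skipped
    (a regex would silently drop them too, but here the skip is explicit and reviewable).
    """
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    matches = []
    for row in reader:
        if not row:
            continue
        try:
            when = parse_l2t_date(row[0])
        except ValueError:
            continue  # malformed date column; leave it for manual review
        if start <= when <= end:
            matches.append(row)
    return header, matches

def write_range_csv(csv_text, start, end):
    """Equivalent of `head -1` plus `grep >>`: header followed by the matching rows, as csv text."""
    header, rows = filter_by_date_range(csv_text, start, end)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(write_range_csv(SAMPLE_CSV, date(2009, 2, 1), date(2009, 5, 31)), end="")
```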

Lo and behold! Kristinn also went and created a new module in the nightly build and asked me to help test it. It would automate the process, so you can feed in a date range (kind of like with mactime) and it will pull those dates out of an l2t-generated csv file. Way cool! And so the testing began.

Fortunately by that time I knew my test-set inside and out, so that was helpful in providing him statistics to help track down a few items. In the end, the process was ironed out and works very nicely. I'm not here to post all the specifics, as I know he plans to include it in the next release, and blog about it as well, so I'm leaving that to him. It's his baby, after all. I'm just trying to raise more awareness of this awesome utility, a cool developer, and get more traffic on his sites. Every time I've had a question or problem/concern, Kristinn has been extremely responsive and helpful. Twice now he's written new modules just because I asked if it could be done. Incredible!

I don't think he'll mind me saying that if you're using the nightly build, look for l2t_process; it even has its own man page.

Happy timelining!

