Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Unable to use more than one tagging source
See original GitHub issuePlaso version:
1.5.0 Release
Operating system Plaso is running on:
XUbuntu 64 bit
Installation method:
Installed from GiFT
Description of problem:
I have been using the nsrlsvr analysis as well as the tagging analysis plugin. Both plugins tag events. After running both analysis plugins, tags from both plugins end up in the event_tag_data files in the dump file.
When outputting formatted data, the tags are retrieved from that dump file. When one event is tagged by both plugins, only one of the tags is exported. I’d like to see both tags in the output.
Source data:
A single tag is set in line 1565 of storage/zip_file.py:
event.tag = self._ReadEventTagByIdentifier(event.store_number, event.store_index, event.uuid)
Apart from the assignment there, _ReadEventTagByIdentifier itself would also need changes. In this function, a tag is retrieved by using event_uuid as a reference. More than one tag could be available with that reference though, so which tag would need to be read by the function is ambiguous.
Issue Analytics
- State:
- Created 7 years ago
- Comments:9 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I think this is bug, not an FR - we should be returning both tags.
Changed tests indicate this currently working as intended: https://codereview.appspot.com/327150043