Timefilter save

[hasamba]

i imported a timeline into timesketch,
i filter by several time filters i know the attacker was on the system,
when i switch from saved search to another the filters disappear.

it would be great if i can save all those filters to use in a later queries without having to entering them again.

thanks

[jkppr]

Thanks for the input @hasamba
It is a great idea and I can see how this will help with the UX of the general analysis workflow. I'll get it on the roadmap 👍

[jkppr]

Some brainstorming ideas for this feature:

• first iteration: Have a list of last used time filters available for searches. e.g. in the search omnibox or when clicking the "Add timefilter" button as a quick selection.

  • This should the quite straightforward to implement, since we have the information already stored with the search history.
  • Something like this:
    

• second iteration: Provide the option to manually save/favorite/star/mark a timefilter for later usage.

  • This should also be exposed via API so other tools like dftimewolf can set prepared timefilters based on information it gets from other places (e.g. a case management tool).