allow reusing sketchnames to upload data

[julianghill]

Change the Timesketch worker so sketch_name reuses an existing Timesketch sketch before creating a new one.

Before this, when sketch_name was provided, the worker always called create_sketch(sketch_name). That could create duplicate sketch names, especially when workflows are rerun or when multiple outputs should land in the same sketch.

With this change, the worker now:

• looks up an existing sketch when sketch_name is provided
• creates the sketch only when no existing sketch with that name is found
• keeps sketch_id as the explicit override when an exact sketch ID is provided
• this makes it easier to use the API and route multiple timelines into a sketch based on an input file name

Example task config:

{
"sketch_name": "Case-123",
"timeline_name": "Host-A Hayabusa"
}

First run:

Timesketch sketch Case-123 does not exist
worker creates Case-123
worker uploads timeline Host-A Hayabusa
Second run:

{
"sketch_name": "Case-123",
"timeline_name": "Host-B Hayabusa"
}

worker finds existing sketch Case-123
worker uploads timeline Host-B Hayabusa into the same sketch
no duplicate Case-123 sketch is created

What do you think? We have been using this behavior in a customized version for some time, and it has made repeated/API-driven uploads easier to manage.

[hacktobeer]

@jaegeral Can you have a look at this PR. It looks like a useful addition

[jaegeral]

So from a technical perspective, the PR is fine, from a logical perspective, the Name of a sketch should not be the unique identifier. I understand the motivation. Wonder if it would be useful to make this behaviour an opt-in configuration since you suggest to change the default behaviour from create a new sketch even if the name already exists to add to the already existing sketch.

Using a config, you would not have to run it on a forked version but it would not change it for those who have their setups settled (and I am not sure how we would use it either, so having it behind a config would be neat).

in addition, it would be super neat to have unit_tests for this as well.

[julianghill]

@jaegeral

Thanks for the feedback. I updated it so reusing an existing sketch by name is now opt in instead of changing the default behavior which was indeed a good idea to do.

I also added a docstring for the sketch lookup helper and added some unit tests, I hope this is a good start.

[jaegeral]

I will have a look likely on Monday, thank you for the adjustments

[berggren]

@julianghill Thanks for contributing! Please merge main and fix conflicts. We recently refactored the folder structure of this repository. Sorry for the inconvenience.