Here is the artifact. Mike graciously helped me get this working for any drive, but after 10 hours of trying to alter it to work for removable media, I have not been successful. Here is the VQL that works for any drive:
```vql
LET AddedFiles = SELECT OSPath, Size, FullPath
  FROM diff(
    key="Key",
    period=2,
    query={
      SELECT OSPath, Size, FullPath,
             format(format="%v_%v", args=[OSPath, Size, FullPath]) AS Key
      FROM glob(globs="*:/*") WHERE Data.Description =~ "Removable"
    })
  WHERE Diff = "added"

LET FifoQuery = SELECT * FROM fifo(flush=TRUE, query=AddedFiles, max_rows=1000, max_age=60)

SELECT * FROM foreach(row={
    SELECT * FROM clock(start=1, period=25)
  }, query={
    SELECT enumerate(items=OSPath.Basename) AS Files, count() AS Count, FullPath() AS FullPath
    FROM FifoQuery
    GROUP BY 1
  })
WHERE Count > 10
```