Is there a '\n' (LF) between the <hostname> ...
# fleet
Is there a '\n' (LF) between the <hostname> and <timestamp> in the S3 object name that is generated for the entry for carved files? I see one in my setup, and it is blocking generation of the pre-signed URL for the item. (Format seen: s3://<s3_name>/<prefix><year>/<month>/<day>/<hour>/<hostname>_*<LF>*_-<Time>-fleet_distributed_query_209)
Hi @Anoop K V, I believe you already know that S3 is a community contribution, and because of this I’m not very familiar with it. I’m providing a link to the code for the carve functionality here: From what you can tell, is there anything that indicates a new line is created?
Hi @Noah Talerman, thanks for the pointer, and sorry for being a novice in Golang. I see the statement `return fmt.Sprintf("%s%s/%s", d.prefix, simpleDateHour, metadata.Name)`. Could you point me to where this `metadata.Name` is populated? If the LF that appears is not from Fleet, we need to explore osquery (we do have some customisation there) to see if the hostname presented has an LF accidentally.
I too am a Golang novice, so I won’t be very helpful in finding where `metadata.Name` is populated. I’m attaching the PR which added the S3 file carve functionality here: This PR may include information on where `metadata.Name` is populated.