Drop first 2300 rows to test second block parses properly

Velocidex · Jan 18, 2025 · 8bc418a · 8bc418a
1 parent a062070
commit 8bc418a
Show file tree

Hide file tree

Showing 2 changed files with 500 additions and 397 deletions.
diff --git a/artifacts/testdata/server/testcases/macos.in.yaml b/artifacts/testdata/server/testcases/macos.in.yaml
@@ -14,8 +14,11 @@ Queries:
   - SELECT SourceFile, EntryPath, EntryId, EntryFlags, FileId
     FROM Artifact.MacOS.Forensics.FSEvents(Glob=srcDir+"/artifacts/testdata/files/fs_events_00000000007cff3d")
 
-  - SELECT SourceFile, EntryPath, EntryId, EntryFlags, FileId
+  # Test parsing on newer version fs_events file. Prior to #4018 this file could not be parsed at all.
+  # Second block starts at approximately row 2333.
+  - SELECT count() AS Row, SourceFile, EntryPath, EntryId, EntryFlags, FileId
     FROM Artifact.MacOS.Forensics.FSEvents(Glob=srcDir+"/artifacts/testdata/files/fs_events_000000002fc5e551")
+    WHERE Row > 2300
     LIMIT 100
 
   - SELECT *, OSPath.Basename AS OSPath