IBM QRadar

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.

This query should get the data from internal logs for the /store partition:

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') as "Date", "Hostname" as "ManagedHost", LONG(MAX("Value")/(1024*1024*1024)) as "Used GB" FROM events WHERE (qid = 94000001) AND ("Metric ID" = 'DiskSpaceUsed') AND (Element = '/store') AND Hostname IN ('EPname1','EPname2','EPname3')
GROUP BY "Date", "Hostname"
ORDER BY "Date", "Hostname"
LAST 6 HOURS

(replace the EPname1 etc. with host names of interest; if you are not sure about the names, run the search without that part under WHERE, check the values you get from search, and then change the test accordingly)

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.

This query should get the data from internal logs for the /store partition:

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') as "Date", "Hostname" as "ManagedHost", LONG(MAX("Value")/(1024*1024*1024)) as "Used GB" FROM events WHERE (qid = 94000001) AND ("Metric ID" = 'DiskSpaceUsed') AND (Element = '/store') AND Hostname IN ('EPname1','EPname2','EPname3')
GROUP BY "Date", "Hostname"
ORDER BY "Date", "Hostname"
LAST 6 HOURS

(replace the EPname1 etc. with host names of interest; if you are not sure about the names, run the search without that part under WHERE, check the values you get from search, and then change the test accordingly)

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.

Thank you, Dusan for the response to the AQL query. 

I tried the AQL query and was able to display output from one of the EP, EP-01. I have another EP, EP-02 added to the cluster, on which no logs are been sent when this query is run against it, and no output is displayed. Is it expected?

This query should get the data from internal logs for the /store partition:

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') as "Date", "Hostname" as "ManagedHost", LONG(MAX("Value")/(1024*1024*1024)) as "Used GB" FROM events WHERE (qid = 94000001) AND ("Metric ID" = 'DiskSpaceUsed') AND (Element = '/store') AND Hostname IN ('EPname1','EPname2','EPname3')
GROUP BY "Date", "Hostname"
ORDER BY "Date", "Hostname"
LAST 6 HOURS

(replace the EPname1 etc. with host names of interest; if you are not sure about the names, run the search without that part under WHERE, check the values you get from search, and then change the test accordingly)

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.

Hello Umamaheshwara,

You can use QDI (QRadar Deployment Intelligence) app, It brings some interesting metrics about the environment's health, including disk space consumption.

Regards,

Arthur Hardt

Hello,

I am new to writing AQL queries to pull information from logs. I am looking for an example of AQL query to collect disk usage from all the Event processor and group them with the EP processor. Eventually I will add these AQL queries to the Pulse dashboard with widgets.

Thanks in advance.

Uma.