IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Cannot search events from Custom Event Properties with AQL

  • 1.  Cannot search events from Custom Event Properties with AQL

    Posted Wed April 07, 2021 10:03 AM

    I am using Qradar CE 7.3

    I create some Custom Event Properties for McAfee ePO products. Example: "MA Threat Severity".

    When using the "Quick Filter" to find properties created from the rawlog, it displays the correct results. But when using AQL to search, the result is N/A.

    Example: MA Agent GUID (custom) is any of 5dc16a88-8035-11eb-033e-005056a8e7f1 will return correct results.

    But, select * FROM events where "MA Agent GUID" = '5dc16a88-8035-11eb-033e-005056a8e7f1' no results will be returned. Because, MA Agent GUID ís N/A value.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Cannot search events from Custom Event Properties with AQL

    Posted Fri April 09, 2021 08:34 PM

    Do you have the custom property check box for "Parse in advance for rules, reports, and searches" enabled (selected)?



    #QRadar
    #Support
    #SupportMigration


Related Content