IBM QRadar

Hi there,

I need to create an aql query that uses a sub query to produce a list of computers.
So I'm using the IN() function.
However within the subquery I need to remove one of the returned columns.
How can I hide a column from the resulting aql query?

eg. here's the subquery. I need to remove the 'dcount' column from the results:

select username, UNIQUECOUNT(computername) as dcount from events where signature is NOT NULL group by signature,computer HAVING signature >= 5 last 1 DAYS

Thanks!

------------------------------
david broggy
------------------------------

Hi,

I don't understand your problem, in AQL search the subquery is not displayed only the column in the select part of the principal one are in the final result.
As you can see in the attached exemple only the MyIP and MyPort are dispayed, the IPNotDisplayed is not in the report.
Regards,

------------------------------
Thibaut Stauder
------------------------------

Original Message:
Sent: Fri June 11, 2021 09:04 AM
From: david broggy
Subject: how to remove columns from an aql query

Hi there,

I need to create an aql query that uses a sub query to produce a list of computers.
So I'm using the IN() function.
However within the subquery I need to remove one of the returned columns.
How can I hide a column from the resulting aql query?

eg. here's the subquery. I need to remove the 'dcount' column from the results:

select username, UNIQUECOUNT(computername) as dcount from events where signature is NOT NULL group by signature,computer HAVING signature >= 5 last 1 DAYS

Thanks!

------------------------------
david broggy
------------------------------

Hi Thibaut, your example of creating a subquery with just a simple select is easy since you only have 1 column returned.
Please try to show an example with UNIQECOUNT or any aggregation function in the subquery and you will understand my issue.

------------------------------
david broggy
------------------------------

Original Message:
Sent: Wed June 16, 2021 12:16 PM
From: Thibaut Stauder
Subject: how to remove columns from an aql query

Hi,

I don't understand your problem, in AQL search the subquery is not displayed only the column in the select part of the principal one are in the final result.
As you can see in the attached exemple only the MyIP and MyPort are dispayed, the IPNotDisplayed is not in the report.
Regards,

------------------------------
Thibaut Stauder

Original Message:
Sent: Fri June 11, 2021 09:04 AM
From: david broggy
Subject: how to remove columns from an aql query

Hi there,

I need to create an aql query that uses a sub query to produce a list of computers.
So I'm using the IN() function.
However within the subquery I need to remove one of the returned columns.
How can I hide a column from the resulting aql query?

eg. here's the subquery. I need to remove the 'dcount' column from the results:

select username, UNIQUECOUNT(computername) as dcount from events where signature is NOT NULL group by signature,computer HAVING signature >= 5 last 1 DAYS

Thanks!

------------------------------
david broggy
------------------------------