IBM QRadar

  • 1.  Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 06:08 AM

    Hi team,

    We are trying to execute the below AQL query in Log Activity but are facing an error. Request you to please help us execute the query ( ILIKE '{'Cisco%' ).
    Also, please share a Webex session to show the live scenario.

    select "ICID" from events where (LOGSOURCETYPENAME(devicetype)='Cisco IronPort' AND ICID IS NOT NULL AND ICID <>'0' ) AND "MID" IS NOT NULL AND "Rejected Mail" IS NULL  AND ( "Attachment" ILIKE '{'Cisco%' ) AND ( "Incoming Message" IS NOT NULL OR "Outgoing Message" IS NOT NULL )     GROUP BY ICID, MID START '2024-02-19 19:50' STOP '2024-02-20 19:50'..

    Need Help

    Regards,
    Alankrit



    ------------------------------
    Alankrit Mishra
    ------------------------------


  • 2.  RE: Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 07:11 AM

    Can you please try the below with the regex method?

    "Attachment" IMATCHES '.*\{''Cisco.*' or "Attachment" IMATCHES '.*\{[''|""]Cisco.*'
    

    instead of

    "Attachment" ILIKE '{'Cisco%'
    



    ------------------------------
    Vishal Tangadkar
    IBM Software Support
    IBM INDIA PVT LTD
    ------------------------------
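
Added example, not part of the thread and not IBM code: a Python sketch of why the literal in the question ends early and how the first pattern in the reply above is formed. It assumes AQL reads a doubled single quote inside a string literal as one quote character, as that pattern does, and that Python's `re.escape` (3.7+) is an acceptable stand-in for escaping `{`; the function names and the sample attachment value are constructed for illustration.

```python
import re

def scan_literal(text, start):
    """Read the single-quoted literal opening at text[start].

    Returns (value, index just past the closing quote). A doubled quote ('')
    inside the literal is read as one quote character (assumed AQL behaviour).
    """
    if text[start] != "'":
        raise ValueError("no opening quote at start")
    value, i = [], start + 1
    while i < len(text):
        if text[i] == "'":
            if text[i + 1:i + 2] == "'":   # '' -> escaped quote, keep reading
                value.append("'")
                i += 2
                continue
            return "".join(value), i + 1   # lone quote closes the literal
        value.append(text[i])
        i += 1
    raise ValueError("unterminated string literal")

def quote_literal(value):
    """Wrap value in single quotes, doubling any quote it contains."""
    return "'" + value.replace("'", "''") + "'"

def imatches_contains(field, raw_text):
    """Build an IMATCHES condition for values containing raw_text literally."""
    pattern = ".*" + re.escape(raw_text) + ".*"   # escapes '{' as '\{'
    return f'"{field}" IMATCHES {quote_literal(pattern)}'

# The condition from the question: the quote after '{' closes the literal early.
BROKEN = "\"Attachment\" ILIKE '{'Cisco%'"

if __name__ == "__main__":
    value, end = scan_literal(BROKEN, BROKEN.index("'"))
    print("literal read:", repr(value), "| left over:", repr(BROKEN[end:]))
    fixed = imatches_contains("Attachment", "{'Cisco")
    print("rebuilt condition:", fixed)
    pattern, _ = scan_literal(fixed, fixed.index("'"))
    sample = "{'Cisco Secure Email': 'report.pdf'}"   # constructed sample value
    print("matches sample:", bool(re.fullmatch(pattern, sample, re.IGNORECASE)))
```

The same quoting step applies whenever a search value comes from outside the query text: an unescaped quote in the value changes where the literal ends.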



  • 3.  RE: Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 04:11 PM

    Hello, 

    Please refer to my colleague Vishal's reply. 

    Note we do not offer webExs within the forums. 
    If a webEx is required please raise a case directly with QRadar Product Support.

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------