I have a report to build on QRadar.
The focus is to get the EPS grouped by log source. This goal has been achieved, simply googling and building a query like this:
SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / X AS "EPS in Interval"
FROM events
WHERE NOT (LOGSOURCENAME ( logsourceid ) IN ('Asset Profiler-2 :: QRadar','Custom Rule Engine-8 :: QRadar', 'SIM Audit-2 :: QRadar', 'Health Metrics-2 :: QRadar', 'System Notification-2 :: QRadar', 'SIM Generic Log DSM-7 :: QRadar', 'Anomaly Detection Engine-2 :: QRadar'))
GROUP BY "Log Source"
ORDER BY "EPS in Interval"
DESC LAST Y DAYS
that, in a nutshell, exclude the internal log source of QRadar with where clause. Y is used for days and X are the seconds in Y; for example:
SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 1209600 AS "EPS in Interval"
FROM events
WHERE NOT (LOGSOURCENAME ( logsourceid ) IN ('Asset Profiler-2 :: QRadar','Custom Rule Engine-8 :: QRadar', 'SIM Audit-2 :: QRadar', 'Health Metrics-2 :: QRadar', 'System Notification-2 :: QRadar', 'SIM Generic Log DSM-7 :: QRadar', 'Anomaly Detection Engine-2 :: QRadar'))
GROUP BY "Log Source"
ORDER BY "EPS in Interval"
DESC LAST 14 DAYS
tell us the EPS, grouped by log source, for last 2 week (Y is 14 days, X is 1209600 seconds, the ones in 2 week). The search has been tested and works fine. The chart spawned after search end are a Pie Chart and a Bar chart.
Now, the problem is this: we need a timechart. More specifically, the final graphic must have:
- Days on X-assys
- EPS on Y-assys
- The curves on graphic must be the single log source
that, in a nutshell, is something like that:
Now, if I simply go on one of spwaned chart and change it in Time series, the output is empty. So, my question is: how may I modify my search to achieve the above chart?
------------------------------
Luca Sepe
------------------------------