IBM QRadar


 How to Have Column Names Persist on AQL "GROUP BY" Query Drilldown?

Killian K posted Mon February 10, 2025 01:05 PM

Does anyone know whether it is possible to maintain the same columns from an AQL query that has a "GROUP BY" in it once you drill down into a specific field within the results? Or whether it is possible to do at all?

As an example, if I have a search set up where I am grouping all of the source IPs, but then I want to see events from a specific source IP, I click on the IP and a new window shows up with a new search for that IP, but all the specific columns are gone and replaced with a '*'. Is there a way to have the columns persist to the new search?

Original Search

SELECT
  "sourceIP" AS 'Source IP',
  "destinationIP" AS 'Destination IP',
  "username" AS 'Username',
  COUNT(*) AS 'Count'
FROM events
GROUP BY "sourceIP"
LAST 5 MINUTES

Drilldown into a new IP

SELECT * FROM events WHERE sourceIP = '0.0.0.0' LAST 5 MINUTES

Please let me know if there are any solutions for this. Thank you!

Dusan VIDOVIC  Best Answer

As I understood it ...

If you start with the AQL like 

SELECT sourceIP , destinationIP, username, count(*) as "COUNT" FROM events GROUP BY sourceIP Last 5 MINUTES

and then right-click some sourceIP you are interested in, you should get the option "Filter on sourceIP"; this will automatically add to the WHERE line of your AQL statement something like WHERE sourceIP = 'XX.XX.XXX.XXX' and maintain the column selection in the same view.

If, on the right-click menu, you select "More options > Information > Search events", you are invoking the standard search workflow, and it will use the column layout you have selected for your default search.
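Written out as an added example (not part of either post above; the address 192.0.2.10 is a constructed placeholder, substitute the IP you right-clicked): the first statement is the shape the "Filter on sourceIP" action produces, with the WHERE clause placed before GROUP BY and the original column list intact. The second is a hand-written event-level drilldown for the case where you want the individual events for that IP rather than the grouped row: the GROUP BY and the aggregate are dropped, and the columns are named explicitly instead of using SELECT *, so the layout survives the drilldown. QIDNAME() and DATEFORMAT() are standard AQL functions used to make the event rows readable; the column names and aliases are otherwise those of the original query.

```sql
SELECT
  "sourceIP" AS 'Source IP',
  "destinationIP" AS 'Destination IP',
  "username" AS 'Username',
  COUNT(*) AS 'Count'
FROM events
WHERE "sourceIP" = '192.0.2.10'
GROUP BY "sourceIP"
LAST 5 MINUTES

SELECT
  "sourceIP" AS 'Source IP',
  "destinationIP" AS 'Destination IP',
  "username" AS 'Username',
  QIDNAME(qid) AS 'Event Name',
  DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS 'Start Time'
FROM events
WHERE "sourceIP" = '192.0.2.10'
ORDER BY startTime DESC
LAST 5 MINUTES
```

Two caveats when you build the second query by hand: the value you paste lands inside a single-quoted AQL string literal, so a value containing a single quote (a username, for instance) must have that quote escaped, and you should confirm the pasted value is exactly what you right-clicked rather than trusting a copy from the rendered cell. Saving the second query as a search and giving it a name makes it reusable without re-entering the column list each time.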