IBM Security QRadar

 View Only
  • 1.  Quering reference table with AQL

    Posted Thu September 10, 2020 03:55 PM
    Is there a way to query reference tables directly using AQL, without referencing events? Or are reference tables only meant to be joined with events?

    I can only find examples of referencing reference table data through events in the documentation. For example, if I have a reference table my_table with fields time and info, is it possible to do something like this:

    SELECT time, info
    FROM my_table
    ORDER BY time
    LIMIT 10


    ------------------------------
    Wesley Agena
    ------------------------------


  • 2.  RE: Quering reference table with AQL

    Posted Fri September 11, 2020 02:53 AM
    ​Hi,

    No You can't do normal select with reference table or any other data when You use AQL. There must always be from events or flows. If You want to know if that record exist in reference table the only thing that You will get is true or false.
    If You need to see if the data in the Reference table You can use Reference Data Management app - there You can search data from the table.

    Regards

    ------------------------------
    Vedran Goricki
    ------------------------------



  • 3.  RE: Quering reference table with AQL

    Posted Fri September 11, 2020 11:59 AM
    Thank you for the confirmation, appreciate it!

    ------------------------------
    Wesley Agena
    ------------------------------