Hi,
The best way is to schedule searches that grab a time window (e.g. the last hour) and feed the accumulators, which keep weeks of data. Then you run reports on the accumulated data. No need to run endless searches every month. Running the reports the way you do works OK in systems like Splunk, for instance, but in QRadar it can be quite expensive for your system resources.
You have this page that explains how it works. You may find more tutorials in the IBM Security Learning Academy.
https://www-01.ibm.com/support/docview.wss?uid=swg21677942
I hope it answers your question.
Regards,
------------------------------
Anthony Gayadeen, Videotron Ltd
Montreal QC
------------------------------
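An hourly AQL search in the spirit of the approach above, added here as an example and not taken from the reply or from IBM: one scheduled search that covers every log source group at once, so the per-group monthly queries are no longer needed. It assumes the standard AQL `LAST 1 HOURS` time-range clause and keeps the `LOGSOURCEGROUPNAME(devicegrouplist)` and `eventcount` fields from the original query; the divisor is 3600 because the window is one hour.

```sql
-- Hourly search to be scheduled (e.g. every hour) and accumulated,
-- instead of one monthly query per log source group.
-- No WHERE filter on a single group: all groups come out of one run,
-- which is what feeds the accumulator for the monthly report.
SELECT
    LOGSOURCEGROUPNAME(devicegrouplist) AS "Log Source Group",
    SUM(eventcount)                     AS "Events in Hour",
    -- one-hour window, so average EPS = events / 3600 seconds
    SUM(eventcount) / 3600              AS "Average EPS in Hour"
FROM events
GROUP BY "Log Source Group"
ORDER BY "Average EPS in Hour" DESC
LAST 1 HOURS
```

The monthly EPS per group is then the sum of the hourly "Events in Hour" values for that group divided by the number of seconds in the month, computed from the accumulated data rather than by rescanning the raw events.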
Original Message:
Sent: Fri July 12, 2019 11:00 AM
From: Hemant Kumar
Subject: How to get EPS by logsource Group?
Greetings,
We want to run monthly reports to monitor EPS based on different log source groups. These Log Source Groups are based on their location and are in the Network Hierarchy as well.
We tried to use the AQL:
SELECT LOGSOURCEGROUPNAME(devicegrouplist) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 2592000 AS "EPS in Interval" FROM events WHERE "Log Source" = 'Canada' GROUP BY "Log Source" ORDER BY "EPS in Interval"
This alone took over 4 hours to complete just for one log group, and we have ~12 of these.
Need some assistance to get the monthly event count by Log Source Group.
Thanks,
------------------------------
Hemant Kumar
------------------------------