Message Image

Log in

Skip to main content (Press Enter).

Skip auxiliary navigation (Press Enter).

IBM Security Join our 16,000+ members as we work together to overcome the toughest challenges of cybersecurity. Join the Community

Skip main navigation (Press Enter).

IBM Security QRadar

View Only

Expand all | Collapse all

AQL Top 3 EPS consumers per domain

1. AQL Top 3 EPS consumers per domain

0 Like
Sander Meyfroot
Posted Thu December 09, 2021 10:51 AM

Reply
Hello,

I'm trying to create an AQL that does the following:

For each tenant in our QRadar infrastructure, list the top 3 EPS consumer log sources for that particular domain, all together in one table. We use the Pulse dashboard and we would like to add this table view to the dashboard.
In my tests I created following AQL:

SELECT "domainname", "logsourcename", "EPS" FROM ( SELECT DOMAINNAME(domainid) AS "domainname", LOGSOURCENAME(logsourceid) AS "logsourcename", LONG(SUM("eventcount")/600) AS "EPS" FROM events GROUP BY logsourceid LAST 10 MINUTES ) GROUP BY "domainname", "logsourcename", "EPS" ORDER BY "EPS" DESC LAST 10 MINUTES

I can't get the results to limit on 3 per domain. How would you do this?

Best regards,
Sander Mefroot

------------------------------
Sander Meyfroot
------------------------------

Powered by Higher Logic