IBM Security SOAR


QRadar Search qradar_query_all_results : yes not returning multiple entries

  • 1.  QRadar Search qradar_query_all_results : yes not returning multiple entries

    Posted Thu July 15, 2021 04:27 PM
    Hello all, I am new to Resilient, and am trying to create a workflow which returns multiple entries using the QRadar Search function. I have set qradar_query_all_results to yes. Yet I am only receiving a single incident when I know for a fact there are more.


    I have set the qradar_query_all_results to yes for both QRadar Search functions.

    Any help would be appreciated.

    ------------------------------
    Derek Hoogewerf
    ------------------------------


  • 2.  RE: QRadar Search qradar_query_all_results : yes not returning multiple entries

    Posted Mon August 02, 2021 12:10 PM
    You should check your AQL. Make sure your query runs as expected in QRadar Advanced Search first.
    Specifically, look out for the GROUP BY clause and the quoting of field names.

    ------------------------------
    Tan Do
    ------------------------------
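As an added illustration of the point above (not from the original thread), two AQL queries over constructed values: the first returns one row per matching event, which is what qradar_query_all_results: yes is meant to page through, while the second groups by sourceip and so returns one row per distinct source address no matter how many events matched. The username value and the double-quoted custom event property name "Hypothetical CEP" are placeholders.

```sql
SELECT starttime, sourceip, destinationip, username,
       QIDNAME(qid) AS 'Event Name',
       "Hypothetical CEP"
FROM events
WHERE username = 'svc_backup'
LAST 24 HOURS

SELECT sourceip, COUNT(*) AS 'Events'
FROM events
WHERE username = 'svc_backup'
GROUP BY sourceip
LAST 24 HOURS
```

If all matching events share one sourceip, the grouped query legitimately yields a single entry in the workflow. Note the convention: property names containing spaces go in double quotes, string literals in single quotes.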



  • 3.  RE: QRadar Search qradar_query_all_results : yes not returning multiple entries

    Posted Tue August 03, 2021 03:26 AM
    Thanks, I sorted the issue.

    ------------------------------
    Derek Hoogewerf
    ------------------------------