IBM Security QRadar


Parsing a special character (eg. '{', ''') in AQL

  • 1.  Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 06:08 AM

    Hi team,

    We are trying to execute the below AQL query in Log Activity but are facing an error. Request you to please help us execute the query ( ILIKE '{'Cisco%' ).
    Also, please share a Webex session to show the live scenario.

    select "ICID" from events where (LOGSOURCETYPENAME(devicetype)='Cisco IronPort' AND ICID IS NOT NULL AND ICID <>'0' ) AND "MID" IS NOT NULL AND "Rejected Mail" IS NULL  AND ( "Attachment" ILIKE '{'Cisco%' ) AND ( "Incoming Message" IS NOT NULL OR "Outgoing Message" IS NOT NULL )     GROUP BY ICID, MID START '2024-02-19 19:50' STOP '2024-02-20 19:50'..

    Need Help

    Regards,
    Alankrit



    ------------------------------
    Alankrit Mishra
    ------------------------------


  • 2.  RE: Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 07:11 AM

    Can you please try below with regex method.

    "Attachment" IMATCHES '.*\{''Cisco.*' or "Attachment" IMATCHES '.*\{[''|""]Cisco.*'
    

    instead of

    "Attachment" ILIKE '{'Cisco%'
    



    ------------------------------
    Vishal Tangadkar
    IBM Software Support
    IBM INDIA PVT LTD
    ------------------------------
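
Added example, not part of the original thread and not IBM code: a small Python helper showing why the quote inside '{'Cisco%' ends the string literal early, and how to build the IMATCHES clause from the reply above for any search text. It assumes AQL string literals use SQL-style quoting, where a doubled '' stands for one quote (the form the reply's pattern uses); all function names are hypothetical.

```python
# Assumption: AQL string literals use SQL-style quoting, where '' inside a
# literal is one escaped quote (the form used in the reply's pattern).
REGEX_META = set("\\.^$|?*+()[]{}")  # characters escaped for a literal regex match


def split_literals(fragment):
    """Return (literals, terminated) for the single-quoted strings in fragment."""
    literals, buf, in_str, i = [], [], False, 0
    while i < len(fragment):
        ch = fragment[i]
        if not in_str:
            if ch == "'":                    # opening quote
                in_str, buf = True, []
        elif ch != "'":
            buf.append(ch)
        elif fragment[i + 1:i + 2] == "'":   # doubled quote: one escaped '
            buf.append("'")
            i += 1
        else:                                # lone quote closes the literal
            literals.append("".join(buf))
            in_str = False
        i += 1
    return literals, not in_str


def aql_string(value):
    """Quote value as a string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def regex_literal(value):
    """Backslash-escape regex metacharacters so value matches itself."""
    return "".join("\\" + c if c in REGEX_META else c for c in value)


def imatches_contains(field, needle):
    """Build: "<field>" IMATCHES '.*<escaped needle>.*' (field is trusted)."""
    pattern = ".*" + regex_literal(needle) + ".*"
    return f'"{field}" IMATCHES {aql_string(pattern)}'


if __name__ == "__main__":
    # Constructed inputs taken from the fragments quoted in this thread.
    print(split_literals("'{'Cisco%'"))    # literal ends after '{', quote left open
    print(split_literals("'{''Cisco%'"))   # one complete literal
    print(imatches_contains("Attachment", "{'Cisco"))
```

The same quoting helper applies to any value placed into an AQL string from a script or API client, so a quote in the data cannot close the literal.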



  • 3.  RE: Parsing a special character (eg. '{', ''') in AQL

    Posted Mon February 26, 2024 04:11 PM

    Hello, 

    Please refer to my colleague Vishal's reply.

    Note we do not offer webExs within the forums. 
    If a webEx is required please raise a case directly with QRadar Product Support.

    Regards,



    ------------------------------
    Comghall Morgan
    QRadar Support Architect
    IBM
    ------------------------------