IBM QRadar


 AQL Query in QRADAR SIEM that gets data for "Yesterday" - not the last 24 hours

Sean Murray posted Fri February 14, 2025 05:11 PM

I'm trying to create queries that get data from yesterday, i.e. midnight to midnight. I can get data from the last 24 hours easily. I just can't seem to specify yesterday without specifically putting the date and time. I can't seem to come up with a query that works or doesn't generate syntax errors. AI is no help; it suggests using functions or formats that don't work in AQL. Is there a way, or am I stuck with the last 24 hours and starting the report as close to midnight as possible?

UPDATE:  Dmitry's Answer Worked Perfectly - Thank you

Dmitry Berezovik (Best Answer)

It looks like the following query works (adjust to your need):

select QIDNAME(qid) as 'Event Name', DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') as 'Start Time', username as 'Username'
from events
start PARSEDATETIME(DATEFORMAT(NOW(), 'yyyy-MM-dd 00:00:00')) - 24*60*60*1000
stop PARSEDATETIME(DATEFORMAT(NOW(), 'yyyy-MM-dd 00:00:00'))
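
An added example, not code from the thread or from IBM, that computes the same midnight-to-midnight window in epoch milliseconds (the unit AQL START/STOP work in) and shows the one caveat worth checking before scheduling the accepted query: `- 24*60*60*1000` subtracts 24 hours of epoch time, not one calendar day, so on the day after a DST change the window starts an hour late (after fall-back) or an hour early (after spring-forward) relative to the calendar day. "Midnight" here means midnight in whatever time zone the console's DATEFORMAT renders in; the zone `America/New_York`, the three sample "now" timestamps and the helper names are constructed for the demonstration, and `aql_for_window` assumes START/STOP accept absolute epoch milliseconds.

```python
# Added example, not code from the thread: the "yesterday" window in epoch
# milliseconds (the unit AQL START/STOP use), computed two ways.
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

MS = 1000
DAY_MS = 24 * 60 * 60 * MS  # the constant the accepted answer subtracts

# Assumption for the demo: the QRadar console renders DATEFORMAT in this zone.
NY = ZoneInfo("America/New_York")

# Constructed sample "now" values (not real data):
NORMAL_NOW = datetime(2025, 2, 14, 17, 11, tzinfo=NY)              # thread date, no DST nearby
AFTER_FALL_BACK_NOW = datetime(2024, 11, 4, 9, 0, tzinfo=NY)       # yesterday (Nov 3) had 25 hours
AFTER_SPRING_FORWARD_NOW = datetime(2024, 3, 11, 9, 0, tzinfo=NY)  # yesterday (Mar 10) had 23 hours


def to_ms(dt: datetime) -> int:
    """Epoch milliseconds for an aware datetime."""
    return round(dt.timestamp() * MS)


def local_midnight(now: datetime, tz: ZoneInfo) -> datetime:
    """Start of the current day in tz: what
    PARSEDATETIME(DATEFORMAT(NOW(), 'yyyy-MM-dd 00:00:00')) evaluates to."""
    local = now.astimezone(tz)
    return datetime(local.year, local.month, local.day, tzinfo=tz)


def yesterday_window_calendar(now: datetime, tz: ZoneInfo) -> tuple[int, int]:
    """[start, stop) for yesterday as a calendar day in tz.
    Subtracting timedelta(days=1) from an aware datetime is wall-clock
    arithmetic, so start lands on midnight even across a DST change."""
    stop = local_midnight(now, tz)
    start = stop - timedelta(days=1)
    return to_ms(start), to_ms(stop)


def yesterday_window_answer(now: datetime, tz: ZoneInfo) -> tuple[int, int]:
    """The accepted answer's arithmetic: today's midnight minus 24 h of epoch time."""
    stop = to_ms(local_midnight(now, tz))
    return stop - DAY_MS, stop


def window_shift_ms(now: datetime, tz: ZoneInfo) -> int:
    """How far the answer's start drifts from the calendar-day start: 0 on an
    ordinary day, +1 h the day after fall-back, -1 h the day after spring-forward."""
    return yesterday_window_answer(now, tz)[0] - yesterday_window_calendar(now, tz)[0]


def aql_for_window(start_ms: int, stop_ms: int) -> str:
    """The thread's SELECT with absolute bounds. Assumes START/STOP accept
    epoch milliseconds, which is how this example pins the window."""
    return (
        "SELECT QIDNAME(qid) AS 'Event Name', "
        "DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS 'Start Time', "
        "username AS 'Username' FROM events "
        f"START {start_ms} STOP {stop_ms}"
    )


if __name__ == "__main__":
    for label, now in [("ordinary day", NORMAL_NOW),
                       ("day after fall-back", AFTER_FALL_BACK_NOW),
                       ("day after spring-forward", AFTER_SPRING_FORWARD_NOW)]:
        start, stop = yesterday_window_calendar(now, NY)
        hours = (stop - start) / (3600 * MS)
        drift_min = window_shift_ms(now, NY) // (60 * MS)
        print(f"{label}: calendar yesterday = {hours:.0f} h, "
              f"24h-shortcut start drifts by {drift_min} min")
    print(aql_for_window(*yesterday_window_calendar(NORMAL_NOW, NY)))
```

If the console runs in UTC there is no DST and the accepted answer is exact on every day; on a local-time console, either accept a one-hour drift twice a year or have the scheduler compute absolute bounds the way `yesterday_window_calendar` does and pass them as START/STOP.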

John Dawson

Hi Sean,

Unfortunately this is not possible.  The possible date formats are listed in the following document

https://www.ibm.com/docs/en/qsip/7.5?topic=language-time-criteria-in-aql-queries

Thanks