IBM QRadar

QRadar AQL - Aggregate Multiple Values into a single comma separated string

By MUTAZ ALSALLAL posted Thu June 18, 2020 11:52 AM

  


I just wrote this AQL custom function to aggregate multiple values into a single comma-separated string.

The following AQL query returns multiple values:

Select XFORCE_URL_CATEGORY('motor.ru') from events limit 1


The custom AQL function will aggregate them into a comma-separated string as follows:



The same example with other properties, such as creeventlist:

Select Services::IntegerValueAggregator(creeventlist) from events limit 1


Another nice example:

Select creeventlist, Services::StringValueAggregator(RULENAME(creeventlist)) from events limit 1

 

You can download those custom AQL functions from the following X-Force Collection.

 

 


Comments

Tue June 13, 2023 06:44 AM

Hello,

Your support will be very helpful

Fri June 09, 2023 04:25 AM

Hello,

We have these two custom functions in our test environment, but when we do our queries, we get an error. It requires an Enumeration value.

Meanwhile, with the examples here in the blog, the query is OK and we get data.

Can you please help us with any information?

Sat December 19, 2020 06:48 AM

Very helpful