IBM QRadar

  • 1.  Write AQL query to sort source IP address based on total event count

    Posted 2 days ago

    Hello Experts,

    I am a novice at writing AQL queries. I would appreciate it if you could provide me the AQL query to sort source IP addresses based on total event count. I will build my other queries based on this.

    Thank you very much in advance

    Umamaheshwar



    ------------------------------
    Umamaheshwara Manekar
    ------------------------------


  • 2.  RE: Write AQL query to sort source IP address based on total event count

    Posted 20 hours ago

    If I understood the question correctly, you need a grouped search, e.g. 

    SELECT sourceip AS "SRCIP", destinationip AS "firstDSTIP", UNIQUECOUNT(destinationip) AS "DSTIPcount", QIDNAME(qid) AS "Event", COUNT() AS "EventsCount"
    FROM EVENTS
    GROUP BY "SRCIP"
    ORDER BY "EventsCount" DESC
    LAST 2 HOURS



    ------------------------------
    Dusan VIDOVIC
    ------------------------------
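The grouped search from the reply above, reduced to the exact question asked (one row per source IP, ordered by event count) and submitted through the QRadar Ariel REST API. This is an added example, not code from the thread; the console host name, the token in QRADAR_TOKEN and API version 12.0 are assumptions, and the sample rows are constructed so the script also runs offline.

```python
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple


def build_aql(hours: int = 2, limit: int = 100) -> str:
    """Minimal grouped search: source IPs sorted by how many events each produced."""
    return (
        'SELECT sourceip AS "SRCIP", COUNT(*) AS "EventsCount" '
        "FROM events "
        'GROUP BY "SRCIP" ORDER BY "EventsCount" DESC '
        f"LIMIT {limit} LAST {hours} HOURS"
    )


def run_search(host: str, token: str, aql: str, poll_seconds: int = 2) -> List[Dict]:
    """POST the AQL to /api/ariel/searches, poll until COMPLETED, return the 'events' rows."""
    base = f"https://{host}/api/ariel/searches"
    headers = {"SEC": token, "Version": "12.0", "Accept": "application/json"}  # assumed API version
    req = urllib.request.Request(f"{base}?query_expression={urllib.parse.quote(aql)}",
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        search_id = json.load(resp)["search_id"]
    while True:  # search status moves WAIT -> EXECUTE -> SORTING -> COMPLETED
        with urllib.request.urlopen(urllib.request.Request(f"{base}/{search_id}", headers=headers)) as resp:
            status = json.load(resp)["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    with urllib.request.urlopen(urllib.request.Request(f"{base}/{search_id}/results", headers=headers)) as resp:
        return json.load(resp)["events"]


def top_sources(rows: List[Dict]) -> List[Tuple[str, int]]:
    """Re-sort the result rows locally so the order does not depend on the server's ORDER BY."""
    return sorted(((r["SRCIP"], int(r["EventsCount"])) for r in rows),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample of the 'events' array a completed grouped search returns.
SAMPLE_ROWS = [{"SRCIP": "10.0.0.5", "EventsCount": 42},
               {"SRCIP": "10.0.0.9", "EventsCount": 317},
               {"SRCIP": "192.168.1.20", "EventsCount": 7}]

if __name__ == "__main__":
    host, token = os.environ.get("QRADAR_HOST"), os.environ.get("QRADAR_TOKEN")
    rows = run_search(host, token, build_aql()) if host and token else SAMPLE_ROWS
    for ip, count in top_sources(rows):
        print(f"{ip:>16}  {count}")
```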