Original Message:
Sent: Sun June 29, 2025 09:00 AM
From: Dusan VIDOVIC
Subject: Write AQL query to sort source IP address based on total event count
You need to save the search (under whichever name you like) and then use the reports wizard to create a report where you will select the search you previously saved and adjust the presentation to your preference.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Sat June 28, 2025 03:03 PM
From: Umamaheshwara Manekar
Subject: Write AQL query to sort source IP address based on total event count
Hello Dusan VIDOVIC,
Thank you very much for your reply and the AQL query. I modified the query to print the required columns, and it works.
One question in this context: is it possible to generate a PDF report including charts and a table of this AQL query? If so, could you please share the steps on how to achieve it?
Thanks in advance.
Uma
------------------------------
Umamaheshwara Manekar
Original Message:
Sent: Fri June 27, 2025 07:31 AM
From: Dusan VIDOVIC
Subject: Write AQL query to sort source IP address based on total event count
If I understood the question correctly, you need a grouped search, e.g.
SELECT sourceip as "SRCIP", destinationip as "firstDSTIP", UNIQUECOUNT(destinationip) as "DSTIPcount", QIDNAME(qid) as "Event", COUNT(*) as "EventsCount"
FROM EVENTS
GROUP BY SRCIP
ORDER BY EventsCount DESC
LAST 2 HOURS

------------------------------
Dusan VIDOVIC
Original Message:
Sent: Thu June 26, 2025 11:59 AM
From: Umamaheshwara Manekar
Subject: Write AQL query to sort source IP address based on total event count
Hello Experts,
I am a novice at writing AQL queries and would appreciate it if you could provide me with an AQL query to sort source IP addresses based on total event count. I will build my other queries based on this.
Thank you very much in advance
Umamaheshwar
------------------------------
Umamaheshwara Manekar
------------------------------