Original Message:
Sent: Mon April 17, 2023 01:49 AM
From: Onur Tufan
Subject: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately
Hello Karl,
Thank you for the answer. Does this expression (" <> ") exclude those log sources?
Thanks!
Best regards,
Onur
------------------------------
Onur Tufan
Original Message:
Sent: Fri April 14, 2023 12:20 PM
From: Karl Jaeger
Subject: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately
Hi,
you need to combine your AQL searches into a dashboard using either saved searches or widgets for the new UI to combine all values you are looking for. The samples are useful. Please follow the guidelines and use grouping and filtering to meet your specification. Different architectures may produce different results. Where is the confusion? Here is my standard test result. Modify this using AQL expressions like:

SELECT LOGSOURCENAME(logsourceid) AS "Log Source",
       SUM(eventcount) AS "Number of Events in Interval",
       SUM(eventcount) / 300 AS "EPS in Interval"
FROM events
WHERE "Log Source" <> 'Anomaly Detection Engine-2 :: qradar'
  AND "Log Source" <> 'Health Metrics-2 :: qradar'
GROUP BY "Log Source"
ORDER BY "EPS in Interval" DESC
LAST 24 HOURS
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
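As an added example (not code from the thread, from Karl, or from IBM): the averaging and spike detection asked for in the original question, done in Python over rows of the kind Karl's query would return once it is also grouped by processor and by 5-minute time bucket and pulled through QRadar's Ariel search API. The column names (processor, log_source, bucket, events), the " :: qradar" suffix match for QRadar's own log sources, the mean + 2 standard deviations spike rule, and every sample number below are constructed assumptions; only the two excluded log source names and the 300-second interval come from the thread.

```python
"""Per-log-source and per-processor EPS averages and spikes from AQL-style rows.

Added example for this thread, not code from the thread or from IBM. It
post-processes rows shaped like the output of an AQL query that sums
eventcount per processor, log source and 5-minute bucket; the column names
and the sample data are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL_SECONDS = 300  # 5-minute buckets, matching the "/ 300" in the thread's query

# QRadar's own log sources, to be left out of customer EPS (names from the thread's query)
QRADAR_INTERNAL_SOURCES = {
    "Anomaly Detection Engine-2 :: qradar",
    "Health Metrics-2 :: qradar",
}


def is_qradar_internal(log_source):
    """True for QRadar's own log sources. Matching the ' :: qradar' suffix in
    addition to the two explicit names is an assumption about the naming scheme."""
    return log_source in QRADAR_INTERNAL_SOURCES or log_source.endswith(" :: qradar")


def eps_per_log_source(rows, z=2.0, interval=INTERVAL_SECONDS):
    """rows: dicts with keys processor, log_source, bucket, events (constructed
    column names). Returns {(processor, log_source): stats} where stats holds
    avg_eps, peak_eps, peak_bucket and spikes (buckets whose EPS exceeds
    mean + z * population stddev). A source with constant EPS yields no spikes."""
    series = defaultdict(list)
    for row in rows:
        if is_qradar_internal(row["log_source"]):
            continue  # drop QRadar's own metrics before any averaging
        key = (row["processor"], row["log_source"])
        series[key].append((row["bucket"], row["events"] / interval))

    stats = {}
    for key, points in series.items():
        points.sort()  # chronological; buckets are zero-padded HH:MM strings
        values = [eps for _, eps in points]
        avg, sd = mean(values), pstdev(values)
        threshold = avg + z * sd
        peak_bucket, peak_eps = max(points, key=lambda p: p[1])
        stats[key] = {
            "avg_eps": avg,
            "peak_eps": peak_eps,
            "peak_bucket": peak_bucket,
            "spikes": [(b, eps) for b, eps in points if sd > 0 and eps > threshold],
        }
    return stats


def eps_per_processor(stats):
    """Roll per-log-source stats up to each collector/processor: summed average
    EPS and the highest single-bucket EPS seen on that processor."""
    rollup = defaultdict(lambda: {"avg_eps": 0.0, "peak_eps": 0.0, "log_sources": 0})
    for (processor, _), s in stats.items():
        r = rollup[processor]
        r["avg_eps"] += s["avg_eps"]
        r["peak_eps"] = max(r["peak_eps"], s["peak_eps"])
        r["log_sources"] += 1
    return dict(rollup)


def sample_rows():
    """Constructed data: one hour of 5-minute buckets for three log sources on
    two processors. Firewall-A has a single 10x burst in the 00:30 bucket."""
    buckets = [f"00:{m:02d}" for m in range(0, 60, 5)]
    rows = []
    for b in buckets:
        rows.append({"processor": "EP-1", "log_source": "Firewall-A", "bucket": b,
                     "events": 15000 if b == "00:30" else 1500})
        rows.append({"processor": "EP-1", "log_source": "Health Metrics-2 :: qradar",
                     "bucket": b, "events": 600})
        rows.append({"processor": "EP-2", "log_source": "WinCollect-B", "bucket": b,
                     "events": 3000})
    return rows


if __name__ == "__main__":
    per_source = eps_per_log_source(sample_rows())
    for key, s in sorted(per_source.items()):
        print(key, f"avg={s['avg_eps']:.2f} peak={s['peak_eps']:.2f}@{s['peak_bucket']}",
              "spikes:", s["spikes"])
    for proc, r in sorted(eps_per_processor(per_source).items()):
        print(proc, r)
```

Run against real data by replacing sample_rows() with the rows of the Ariel search result; the per-processor rollup answers the first item of the question, the per-source table the second, and the excluded internal sources can be reported separately for the third. Dividing a 24-hour total by 300 would give a meaningless number, so the division by the bucket length is only valid when the query is bucketed by that same interval.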
Original Message:
Sent: Mon March 20, 2023 07:01 AM
From: Onur Tufan
Subject: Best possible way to detect EPS Spikes and Average EPS based on Log sources and Collectors/Processors Separately
Hello,
We have used a few IBM links to determine our EPS spikes and EPS averages; these links started to be confusing from one architecture to another.
(These were: https://www.ibm.com/support/pages/qradar-determining-events-second-rate-each-log-source-qradar & https://www.ibm.com/support/pages/node/6406002 )
What we need most:
1 - EPS spikes & average EPS for "24 hours" according to event collector or event processor:
P.S. EPS values must be without health metrics etc. (QRadar's own logs)
2 - EPS spikes & average EPS for v according to event collector or event processor grouped by every log source (on selected event collector or event processor)
P.S. EPS values must be without health metrics etc. (QRadar's own logs)
3- How to see 1 & 2 (indicated above) with QRadar own metrics (again "24 hours")
We can use AQL queries.
May I know the most recommended and useful methods to be able to clearly see the required results above?
Thanks,
Best regards,
------------------------------
Onur Tufan
------------------------------