Question & Answer
Question
Is there a way to create a search that shows the Events Per Second per Log Source in QRadar?
Answer
By default, QRadar has a quick search for Top 10 Log Sources. There is no automated method to perform an Events Per Second search per Log Source in QRadar. However you can create a new search by following the steps:
You can inspect the search when it completes to investigate the top Log Sources with the most number of events and even save the Search Criteria for later use.
This search will show you the total events coming in QRadar based on the time range selected. You will need to do some additional Math to allow you obtain the event rate per second. For example, with a 5 minute search, divide the total events count by 300 to get the average Events Per Second for a particular log source.
Alternatively you can do an Advanced Search using AQL to accomplish the same results.
Where `300` should be equivalent to the number of seconds in the interval, in this case `LAST 5 MINUTES`.
Results: You can now view the EPS of the Top 10 Log Sources.
- From the QRadar Web User Interface go to the Log Activity tab.
- Select Search > New Search.
- In the new page scroll down to Column Definition.
- Select Log Source in the list of Columns and click the < button to send it back to the main list.
- Select the Log Source in the list of available columns and click the > button to allow you to add it to Group By.
- The default entries in the Columns will now change.
- Scroll up to the Time Range section of the page and select Recent for a search on the last 5 minutes. You can choose any Time Range you like based on the time you need to search.
- Click Search
You can inspect the search when it completes to investigate the top Log Sources with the most number of events and even save the Search Criteria for later use.
This search will show you the total events coming in QRadar based on the time range selected. You will need to do some additional Math to allow you obtain the event rate per second. For example, with a 5 minute search, divide the total events count by 300 to get the average Events Per Second for a particular log source.
Alternatively you can do an Advanced Search using AQL to accomplish the same results.
SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of Events in Interval", SUM(eventcount) / 300 AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 5 MINUTESWhere `300` should be equivalent to the number of seconds in the interval, in this case `LAST 5 MINUTES`.
Results: You can now view the EPS of the Top 10 Log Sources.
[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Log Activity","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
21 September 2022
UID
swg21971018