Pinned topic: Many events missing from REST API search

lin-zhao | 2015-01-19T19:53:18Z

Hi,


Our QRadar server is 7.2.3. I'm trying to use the QRadar REST API to search for events in the system. The number of events I see is much smaller than what I see in the UI.


The Log Activity UI shows there are 70k+ events found.

With the REST API, I try to search for them with the following steps:

>curl --user user:password -k -d "query_expression=SELECT * from events limit 1000000" https://qrdemo3/restapi/api/ariel/searches

{"processed_record_count":0,"query_execution_time":0,"progress":0,"record_count":0,"status":"EXECUTE","search_id":"cdecc451-b972-46be-9c39-d7cdcacdf2e6","save_results":false}

>curl --user user:password -k https://qrdemo3/restapi/api/ariel/searches/cdecc451-b972-46be-9c39-d7cdcacdf2e6

{"save_results":false,"progress":100,"query_execution_time":4,"search_id":"cdecc451-b972-46be-9c39-d7cdcacdf2e6","status":"COMPLETED","record_count":54,"processed_record_count":54}


Only 54 were found. Is this the right way to search? If not, how do I get a comprehensive record of the events from the REST API?

  • sree_ibm | 2015-01-19T21:37:45Z | ACCEPTED ANSWER

    Re: Many events missing from REST API search

    Hi,

    Are the time frames for both the searches identical?

    The query SELECT * from events in the REST API uses a time frame of the last five minutes (the default value). The search to compare against would be Advanced Search > SELECT * from events, executed at the same time.

    You may also add the start and stop time frame as shown in the AQL document:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/r_aql_selectstaement.html

    Regards,

    Sree
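The fix Sree describes (an explicit START/STOP window in the AQL instead of the REST API's five-minute default), together with the create-then-poll sequence lin-zhao ran with curl, as an added Python example. This is not code from the thread or from IBM. It assumes the 7.2.x endpoints POST and GET /restapi/api/ariel/searches{/id} shown in the thread, plus a GET /restapi/api/ariel/searches/{id}/results endpoint returning an "events" array, a Range: items=a-b paging header, and AQL accepting START '<YYYY-MM-DD HH:mm>' STOP '<YYYY-MM-DD HH:mm>'; the hostname and credentials are placeholders.

```python
"""Run a QRadar Ariel REST API search over an explicit START/STOP window.

Added example for this thread, not IBM's or the posters' code. Assumed:
  POST /restapi/api/ariel/searches               (query_expression form field)
  GET  /restapi/api/ariel/searches/{id}           (status JSON as in the thread)
  GET  /restapi/api/ariel/searches/{id}/results   (assumed; {"events": [...]})
  Range: items=a-b paging header and START/STOP 'YYYY-MM-DD HH:mm' in AQL.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Any, Callable, Dict, List, Optional

AQL_TS = "%Y-%m-%d %H:%M"


def build_aql(start: datetime, stop: datetime, fields: str = "*") -> str:
    """AQL with an explicit window, replacing the implicit last-five-minutes default."""
    if stop <= start:
        raise ValueError("stop must be later than start")
    return (f"SELECT {fields} FROM events "
            f"START '{start.strftime(AQL_TS)}' STOP '{stop.strftime(AQL_TS)}'")


def wait_for_search(get_status: Callable[[], Dict[str, Any]],
                    timeout_s: float = 600.0, poll_s: float = 2.0,
                    sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Poll until the status document (progress, status, record_count...) says COMPLETED.
    Terminal failure states raise instead of looping forever."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = get_status()
        state = status.get("status")
        if state == "COMPLETED":
            return status
        if state in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search ended in state {state}: {status}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"search still {state} after {timeout_s}s")
        sleep(poll_s)


def page_ranges(record_count: int, page_size: int = 1000) -> List[str]:
    """Range header values that walk record_count results page by page (assumed header)."""
    return [f"items={first}-{min(first + page_size, record_count) - 1}"
            for first in range(0, record_count, page_size)]


class ArielClient:
    """Minimal urllib client for the Ariel search endpoints (assumed paths)."""

    def __init__(self, base_url: str, user: str, password: str, verify_tls: bool = True):
        self.base = base_url.rstrip("/") + "/restapi/api/ariel/searches"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # equivalent of curl -k; keep verification on outside a lab
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method: str, path: str = "", body: Optional[Dict[str, str]] = None,
              extra: Optional[Dict[str, str]] = None) -> Any:
        data = urllib.parse.urlencode(body).encode() if body else None
        headers = dict(self.headers, **(extra or {}))
        if data:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        req = urllib.request.Request(self.base + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read().decode())

    def create_search(self, aql: str) -> str:
        return self._call("POST", body={"query_expression": aql})["search_id"]

    def get_status(self, search_id: str) -> Dict[str, Any]:
        return self._call("GET", f"/{search_id}")

    def fetch_all(self, search_id: str, record_count: int) -> List[Dict[str, Any]]:
        events: List[Dict[str, Any]] = []
        for rng in page_ranges(record_count):
            page = self._call("GET", f"/{search_id}/results", extra={"Range": rng})
            events.extend(page.get("events", []))
        return events


if __name__ == "__main__":
    # Placeholder console and credentials; replace with your own.
    client = ArielClient("https://qradar.example.invalid", "user", "password")
    aql = build_aql(datetime(2015, 1, 19, 0, 0), datetime(2015, 1, 19, 23, 59))
    sid = client.create_search(aql)
    final = wait_for_search(lambda: client.get_status(sid))
    print(final["record_count"], "events;", len(client.fetch_all(sid, final["record_count"])), "fetched")
```

Comparing record_count from the final status against the Log Activity count for the same window is the check that tells you whether the API and the UI are really looking at the same data; a mismatch after matching the window points at a different filter, not at the time frame.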

  • lin-zhao | 2015-01-19T21:49:04Z

    Re: Many events missing from REST API search

    In reply to sree_ibm, 2015-01-19T21:37:45Z


    Thanks Sree,

    The time frames work.