Topic
  • 2 replies
  • Latest Post - 2014-11-05T13:45:10Z by Markor
Markor

API ariel query for timeframe 'last 3 hours'

2014-11-04T09:00:39Z | api aql ariel query

Hi all,

Has anyone successfully created a query for a certain timeframe (e.g. the last 3 hours, 3 days, ...) using the API?

My first try was to define a query expression like "SELECT sourceIP, startTime from events where sourceIP like '192.168.0.%' and startTime >= 1"

There are at least two issues here:

1. the startTime works with Unix timestamps (not the best solution)

2. a dynamic timeframe is not possible, e.g. I'd like every API call to return events for the last 3 hours

I also tried using the time parameters of api_client.create_search(query_expression, id, time_x, time_y), but that didn't work either.

In addition, every API call returned only results for the last 60s - which is the default timeframe for this API call.

Any suggestions or solutions from your side?

Thanks.


  • PeterManahan

    Re: API ariel query for timeframe 'last 3 hours'

    2014-11-04T13:49:40Z
    Hi, assuming you are using the AQL v3 that is shipping with 7.2.3, you should be able to use the "LAST" keyword.

    where sourceIP like '192.168.0.%' LAST 3 HOURS


    http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.3/QRadar/EN/b_qradar_aql.pdf
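Putting the answer above together with the API call from the question: the script below builds the poster's query with a LAST window (and, as a fallback, with the startTime comparison computed from the current clock so the window still slides), then creates the search through the Ariel REST API, polls it and fetches the results. It is an added example, not code from this thread, from IBM or from the QRadar API client; the endpoint paths /api/ariel/searches and /api/ariel/searches/{id}/results, the SEC token header, the status strings, and startTime being epoch milliseconds are assumptions. The transport is injectable and a constructed fake is included so the example runs offline.

```python
"""Run an AQL search with a relative time window against the QRadar Ariel API.

Added example, not code from the thread or from IBM. Assumed: the REST
endpoints /api/ariel/searches and /api/ariel/searches/{id}/results, the SEC
token header, the status strings below, and that events.startTime is
epoch milliseconds.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# AQL relative-window units accepted by build_query (allowlist; assumption).
ALLOWED_UNITS = ("MINUTES", "HOURS", "DAYS")
# Ariel search status strings (assumption based on the REST API of that era).
DONE, FAILED = "COMPLETED", ("CANCELED", "ERROR")

Transport = Callable[[str, str], dict]


def _check_prefix(source_prefix: str) -> None:
    """Only a dotted IPv4 prefix may be spliced into the LIKE pattern."""
    if not source_prefix or not all(c.isdigit() or c == "." for c in source_prefix):
        raise ValueError("source_prefix must be a dotted IPv4 prefix such as '192.168.0.'")


def build_query(source_prefix: str, amount: int, unit: str) -> str:
    """The thread's query with a LAST window instead of a fixed Unix startTime.

    Inputs are validated before being placed in the query text, so a
    caller-supplied window or prefix cannot change the statement's structure.
    """
    unit = unit.upper()
    if unit not in ALLOWED_UNITS:
        raise ValueError(f"unsupported time unit: {unit!r}")
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    _check_prefix(source_prefix)
    return (
        "SELECT sourceIP, startTime FROM events "
        f"WHERE sourceIP LIKE '{source_prefix}%' "
        f"LAST {amount} {unit}"
    )


def build_query_epoch(source_prefix: str, seconds_back: int, now: Optional[float] = None) -> str:
    """Same window expressed with the poster's startTime comparison.

    startTime is compared in epoch milliseconds (assumption) computed from the
    current clock, so each call covers the most recent window rather than a
    fixed point in time.
    """
    _check_prefix(source_prefix)
    since_ms = int(((now if now is not None else time.time()) - seconds_back) * 1000)
    return (
        "SELECT sourceIP, startTime FROM events "
        f"WHERE sourceIP LIKE '{source_prefix}%' AND startTime >= {since_ms}"
    )


def http_json(token: str) -> Transport:
    """Real transport: JSON over HTTPS, authenticated with the SEC token header."""
    def send(method: str, url: str) -> dict:
        req = urllib.request.Request(
            url, method=method, headers={"SEC": token, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return send


def run_search(base_url: str, aql: str, send: Transport,
               poll_seconds: float = 2.0, max_polls: int = 60) -> dict:
    """Create the search, poll until it completes, then fetch the result set."""
    base = base_url.rstrip("/")
    qs = urllib.parse.urlencode({"query_expression": aql})
    search_id = send("POST", f"{base}/api/ariel/searches?{qs}")["search_id"]
    for _ in range(max_polls):
        status = send("GET", f"{base}/api/ariel/searches/{search_id}")["status"]
        if status == DONE:
            return send("GET", f"{base}/api/ariel/searches/{search_id}/results")
        if status in FAILED:
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"search {search_id} did not complete after {max_polls} polls")


def fake_transport() -> Transport:
    """Constructed stand-in for the API so the example runs offline."""
    polls = {"n": 0}

    def send(method: str, url: str) -> dict:
        if method == "POST":
            return {"search_id": "abc123", "status": "WAIT"}
        if url.endswith("/results"):
            return {"events": [{"sourceIP": "192.168.0.7", "startTime": 1415080839000}]}
        polls["n"] += 1  # first poll still running, second poll finished
        return {"status": "EXECUTE" if polls["n"] < 2 else DONE}
    return send


def demo() -> int:
    """Run the last-3-hours query through the fake transport; returns the event count."""
    aql = build_query("192.168.0.", 3, "hours")
    results = run_search("https://qradar.example", aql, fake_transport(), poll_seconds=0)
    return len(results["events"])


if __name__ == "__main__":
    print(demo())
```

Against a real console, replace fake_transport() with http_json(token) and the base URL of the console; the 60-second default window mentioned in the question no longer matters, because the window is carried in the AQL text itself.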

     

  • Markor

    Re: API ariel query for timeframe 'last 3 hours'

    2014-11-05T13:45:10Z
    > Hi, Assuming you are using the AQL v3 that is shipping with 7.2.3 you should be able to use the "LAST" keyword.
    >
    > where sourceIP like '192.168.0.%' LAST 3 HOURS
    >
    > http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.3/QRadar/EN/b_qradar_aql.pdf

     

    Thank you, exactly what I was looking for.

    ...I must have missed this option within the well-structured QRadar documentation.

    Regards.