Quotation marks

In an AQL query, query terms and queried columns sometimes require single or double quotation marks so that QRadar® can parse the query.

The following table defines when to use single or double quotation marks.

Type of quotation marks When to use

Single

Table 1. Type of quotation marks to use in a query
Type of quotation marks	When to use
Single	To specify any American National Standards Institute (ANSI) VARCHAR string to SQL such as parameters for a LIKE or equals (=) operator, or any operator that expects a VARCHAR string. Examples: `SELECT * from events WHERE sourceip = '192.0.2.0'` `SELECT * from events WHERE userName LIKE '%james%'` `SELECT * from events WHERE userName = 'james'` `SELECT * FROM events WHERE INCIDR('10.45.225.14', sourceip)` `SELECT * from events WHERE TEXT SEARCH 'my search term'`
Double	Use double quotation marks for the following query items to specify table and column names that contain spaces or non-ASCII characters, and to specify custom property names that contain spaces or non-ASCII characters. Examples: `SELECT "username column" AS 'User name' FROM events` `SELECT "My custom property name" AS 'My new alias' FROM events` Use double quotation marks to define the name of a system object such as field, function, database, or an existing alias. Example: `SELECT "Application Category", sourceIP, EventCount AS 'Count of Events' FROM events GROUP BY "Count of Events"` Use double quotation marks to specify an existing alias that has a space when you use a WHERE, GROUP BY, or ORDER BY clause Examples: `SELECT sourceIP, destinationIP, sourcePort, EventCount AS 'Event Count', category, hasidentity, username, payload, UtF8(payLoad), QiD, QiDnAmE(qid) FROM events WHERE (NOT (sourcePort <= 3003 OR hasidentity = 'True')) AND (qid = 5000023 OR qid = 5000193) AND (INCIDR('192.0.2.0/4', sourceIP) OR NOT INCIDR('192.0.2.0/4', sourceIP)) ORDER BY "Event Count" DESC LAST 60 MINUTES` `SELECT sourceIP, destinationIP, sourcePort, EventCount AS 'Event Count', category, hasidentity, username, payload, UtF8(payLoad), QiD, QiDnAmE(qid) FROM events ORDER BY "Event Count" DESC LAST 60 MINUTES`
Single or double	Use single quotation marks to specify an alias for a column definition in a query. Example: `SELECT username AS 'Name of User', sourceip AS 'IP Source' FROM events` Use double quotation marks to specify an existing alias with a space when you use a WHERE, GROUP BY, or ORDER BY clause. Example: `SELECT sourceIP AS 'Source IP Address', EventCount AS 'Event Count', QiD, QiDnAmE(qid) FROM events GROUP BY "Source IP Address" LAST 60 MINUTES`

To specify any American National Standards Institute (ANSI) VARCHAR string to SQL such as parameters for a LIKE or equals (=) operator, or any operator that expects a VARCHAR string.

Examples:

SELECT * from events WHERE sourceip = '192.0.2.0'

SELECT * from events WHERE userName LIKE '%james%'

SELECT * from events WHERE userName = 'james'

SELECT * FROM events 
WHERE INCIDR('10.45.225.14', sourceip)

SELECT * from events WHERE TEXT SEARCH 'my search term'

Double

Use double quotation marks for the following query items to specify table and column names that contain spaces or non-ASCII characters, and to specify custom property names that contain spaces or non-ASCII characters.

Examples:

SELECT "username column" AS 'User name' FROM events

SELECT "My custom property name" 
AS 'My new alias' FROM events

Use double quotation marks to define the name of a system object such as field, function, database, or an existing alias.

Example:

SELECT "Application Category", sourceIP, 
EventCount AS 'Count of Events' 
FROM events GROUP BY "Count of Events"

Use double quotation marks to specify an existing alias that has a space when you use a WHERE, GROUP BY, or ORDER BY clause

Examples:

SELECT sourceIP, destinationIP, sourcePort, 
EventCount AS 'Event Count', 
category, hasidentity, username, payload, UtF8(payLoad), 
QiD, QiDnAmE(qid) FROM events 
WHERE (NOT (sourcePort <= 3003 OR hasidentity = 'True')) 
AND (qid = 5000023 OR qid = 5000193) 
AND (INCIDR('192.0.2.0/4', sourceIP) 
OR NOT INCIDR('192.0.2.0/4', sourceIP)) ORDER BY "Event Count" 
DESC LAST 60 MINUTES

SELECT sourceIP, destinationIP, sourcePort, EventCount 
AS 'Event Count', 
category, hasidentity, username, payload, UtF8(payLoad), 
QiD, QiDnAmE(qid) 
FROM events ORDER BY "Event Count" 
DESC LAST 60 MINUTES

Single or double

Use single quotation marks to specify an alias for a column definition in a query.

Example:

SELECT username AS 'Name of User', sourceip 
AS 'IP Source' FROM events

Use double quotation marks to specify an existing alias with a space when you use a WHERE, GROUP BY, or ORDER BY clause.

Example:

SELECT sourceIP AS 'Source IP Address', 
EventCount AS 'Event Count', QiD, QiDnAmE(qid)
FROM events
GROUP BY "Source IP Address"
LAST 60 MINUTES

Copying query examples from the AQL guide

If you copy and paste a query example that contains single or double quotation marks from the AQL Guide, you must retype the quotation marks to be sure that the query parses.