Use the QRadar® REST API documentation interface to get the GLOBALVIEW database results for a given saved search name and time range. The type of data contained in the database results corresponds to the type of saved search queried (for example, an event-based saved search returns event rows).
Procedure
- Find a saved search.
  - On the navigation menu, click Admin.
  - In the System Configuration section, click Aggregated Data Management.
  - Under the Saved Search Name column, record a saved search name from the list.
-
- Query the QRadar REST API to find a search ID.
  - Log in to the QRadar API documentation interface, https://<Console IP>/api_doc, as an administrator.
  - Click the most recent version of the QRadar API.
  - Click the /ariel/searches endpoint.
  - Click POST.
  - In the query_expression parameter field, type the following AQL statement, using the saved search name that you recorded:
    select * from GLOBALVIEW('savedsearch','timerange')
    Use one of the following values for the timerange variable:
    NORMAL
    HOURLY
    DAILY
    The following example shows a query for the Top Log Sources saved search with a time range of the last two days:
    select * from GLOBALVIEW('Top Log Sources','DAILY') last 2 days
  - Click Try It Out!
  - Copy the search ID (the search_id field) from the response body. The response also reports the initial status of the search, which is normally WAIT or EXECUTE because the search runs asynchronously.
-
- Get the search results.
  - From the /ariel/searches/{search_id}/results endpoint, click GET.
  - In the search_id parameter field, enter the search ID.
  - Click Try It Out!
  - Ensure that the search successfully completes. A search is finished only when GET /ariel/searches/{search_id} reports a status of COMPLETED; CANCELED or ERROR means no usable results, and WAIT, EXECUTE or SORTING means you must wait and retry.
  - Get the database results from the response body.
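The same procedure, scripted end to end as an added example that is not IBM's code: build the GLOBALVIEW query expression, submit it with POST /ariel/searches, poll GET /ariel/searches/{search_id} until the status is COMPLETED, then read the rows from GET /ariel/searches/{search_id}/results. The console host name, the SEC token (an authorized-service token created under Admin), the CA certificate file used to verify the console's TLS certificate, and the optional API version value are assumptions to replace with your own. The saved search name is treated as data: because it is interpolated into an AQL string literal, names containing a single quote are rejected instead of being concatenated into the query.

```python
"""Fetch GLOBALVIEW results for a saved search through the QRadar REST API.

Added example, not IBM's code. Assumed: console host name, a SEC token from
Admin > Authorized Services that may run Ariel searches, and the console's
CA certificate file for TLS verification.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request

VALID_TIMERANGES = ("NORMAL", "HOURLY", "DAILY")
# Ariel search status values reported by GET /ariel/searches/{search_id}
TERMINAL_OK = {"COMPLETED"}
TERMINAL_FAILED = {"CANCELED", "ERROR"}


def build_globalview_query(saved_search, timerange, window="last 2 days"):
    """Build the AQL query_expression passed to POST /ariel/searches.

    The saved search name lands inside an AQL string literal, so it is
    treated as data: a name containing a single quote is rejected rather
    than spliced into the query.
    """
    if timerange not in VALID_TIMERANGES:
        raise ValueError(f"timerange must be one of {VALID_TIMERANGES}, got {timerange!r}")
    if "'" in saved_search:
        raise ValueError("saved search name must not contain a single quote")
    query = f"select * from GLOBALVIEW('{saved_search}','{timerange}')"
    return f"{query} {window}" if window else query


def search_state(status):
    """Map an Ariel search status to 'running', 'done' or 'failed'."""
    if status in TERMINAL_OK:
        return "done"
    if status in TERMINAL_FAILED:
        return "failed"
    return "running"  # WAIT, EXECUTE, SORTING


def extract_rows(results):
    """Return the row list from a /results body.

    The body is a JSON object with one list-valued key ("events", "flows",
    ...); which key appears depends on the type of the saved search.
    """
    lists = [v for v in results.values() if isinstance(v, list)]
    if len(lists) != 1:
        raise ValueError(f"unexpected results shape: keys={sorted(results)}")
    return lists[0]


class ArielClient:
    def __init__(self, console, sec_token, cafile, api_version=None):
        self.base = f"https://{console}/api"
        self.headers = {"SEC": sec_token, "Accept": "application/json"}
        if api_version:  # pin the API version instead of taking the console default
            self.headers["Version"] = api_version
        # Verify the console certificate against its CA; never disable verification.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, method, path, params=None):
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.load(resp)

    def run_globalview(self, saved_search, timerange, window="last 2 days",
                       poll_seconds=2, max_wait=300):
        expr = build_globalview_query(saved_search, timerange, window)
        # query_expression is a query-string parameter of POST /ariel/searches
        search = self._call("POST", "/ariel/searches", {"query_expression": expr})
        search_id = search["search_id"]
        deadline = time.monotonic() + max_wait
        while search_state(search["status"]) == "running":
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {search_id} still {search['status']} after {max_wait}s")
            time.sleep(poll_seconds)
            search = self._call("GET", f"/ariel/searches/{search_id}")
        if search_state(search["status"]) == "failed":
            raise RuntimeError(f"search {search_id} ended with status {search['status']}")
        return extract_rows(self._call("GET", f"/ariel/searches/{search_id}/results"))


if __name__ == "__main__":
    # Assumed values: replace with your console, token and CA bundle.
    client = ArielClient("qradar.example.com", "<SEC token>", "/etc/ssl/qradar-console-ca.pem")
    for row in client.run_globalview("Top Log Sources", "DAILY", "last 2 days"):
        print(row)
```

Keep the SEC token out of the script itself (read it from an environment variable or a secrets store) and give the authorized service only the capability needed to run searches; the token grants whatever the service's user role allows.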