Aggregated data views are accumulated buckets of data that are used to generate reports
and dashboards. These global views are based on saved searches that accumulate the data regularly in
the background. Use the following procedure to create a time series graph for a SIM User
Authentication category.
Procedure
- In IBM® QRadar®, go to the Log Activity tab and switch to the Advanced Search field.
- To make the global view reusable for any category, remove the "where" clause in the previous
example, enter the following AQL query, and then click Search.
select categoryname(category) as catname, category, count(category) as catcount, first(starttime) as Time
from events
group by category, starttime/60000
order by Time
last 1 hours
Note: By default, QRadar displays two "Top 10" charts above the results list. You work with these
charts to create the Global View. By default, it looks something like the following example:
- On the pie chart, click Settings to display the configuration settings.
- To convert the chart into a time series chart that works with Pulse, select Time in the
Value to Graph list, and then change the chart type to Time Series.
- From the Value to Graph list, select COUNT.
- Select the Capture Time Series Data check box, and then click Save. The Save Criteria page
opens, where you create a saved search and a Global View.
- Enter Pulse Category Count in the search name.
- Enter values for the following parameters:
Parameter | Description |
Assign Search to Group(s) | Select the check box for the group that you want to assign this saved search to. If you do not select a group, this saved search is assigned to the Other group by default. |
Manage Groups | Click Manage Groups to manage search groups. |
Timespan options | Choose one of the following options:
- Last Interval (auto refresh) - Select this option to filter your search results while in auto-refresh mode. The Log Activity and Network Activity tabs refresh at 1-minute intervals to display the most recent information.
- Recent - Select this option, and from this list box, select the time range that you want to filter for.
- Specific Interval - Select this option, and from the calendar, select the date and time range that you want to filter for.
|
- Click OK.
Note: After the criteria are saved, the Global View is active and ready for you to use in IBM
QRadar Pulse.
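
To see what rows the saved search accumulates, the following added example (not IBM code and not part of the original procedure) reproduces the grouping of the AQL query from the second step in Python over constructed events. It assumes that starttime is in epoch milliseconds and that starttime/60000 truncates to whole minutes; the category IDs, category names, and timestamps are made up.

```python
# Added illustration: emulates the grouping of the AQL query above.
BUCKET_MS = 60_000     # the divisor in "starttime/60000": one minute in ms
WINDOW_MS = 3_600_000  # "last 1 hours"

# Constructed category IDs and names, standing in for categoryname(category).
CATEGORY_NAMES = {9001: "Example Category A", 9002: "Example Category B"}

BASE = 1_700_000_040_000   # constructed epoch-ms value on a minute boundary
NOW = BASE + 120_000
# Constructed events in arrival order: (starttime in epoch ms, category ID).
SAMPLE_EVENTS = [
    (BASE - 3_500_000, 9001),  # older than one hour, excluded by the window
    (BASE + 1_000, 9001),
    (BASE + 5_000, 9002),
    (BASE + 15_000, 9001),
    (BASE + 59_999, 9002),     # last millisecond of the first minute
    (BASE + 60_000, 9001),     # first millisecond of the next minute
    (BASE + 61_500, 9002),
    (BASE + 119_000, 9002),
]


def category_counts(events, now_ms):
    """Return one row per (category, minute), ordered by Time."""
    groups = {}
    for starttime, category in events:
        if starttime < now_ms - WINDOW_MS:
            continue
        # Assumption: the division truncates, so the key is a whole minute.
        key = (category, starttime // BUCKET_MS)
        row = groups.setdefault(key, {
            "catname": CATEGORY_NAMES.get(category, "unknown"),
            "category": category,
            "catcount": 0,
            "Time": starttime,  # first(starttime): first value seen in group
        })
        row["catcount"] += 1
    return sorted(groups.values(), key=lambda r: r["Time"])


def time_series(rows):
    """Per-category (Time, COUNT) points that a time series is built from."""
    series = {}
    for row in rows:
        series.setdefault(row["catname"], []).append((row["Time"], row["catcount"]))
    return series


if __name__ == "__main__":
    for name, points in time_series(category_counts(SAMPLE_EVENTS, NOW)).items():
        print(name, points)
```

Events at 59,999 ms and 60,000 ms past the boundary land in different rows, which is why each category contributes at most one point per minute to the chart.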