Adding a dashboard

Add a dashboard to display your IBM® Security QRadar® AQL query results. You can add panels to your dashboard to display the results of multiple queries.

About this task

Important: IBM Security QRadar AQL Plugin supports the events, flows, and globalview Ariel databases. AQL function syntax is the same for all queries.

Important:

IBM Security QRadar AQL Plugin custom column names that are used with the AS operator do not support the following characters:

Capital letters
Spaces or underscores
Special characters

Procedure

In your Grafana instance, from the navigation menu, click Dashboards.
On the Dashboards page, click New > New Dashboard.
On the New dashboard page, click Add visualization.
On the Query tab, in the Data source field, select IBM Security QRadar AQL Plugin.

Tip: You can add a dashboard panel that queries two or more data sources. To query more than one data source, select Mixed.
In the Results Range field, enter a range value for this panel query. This value overrides the data source range configuration value.

Enter your AQL query.

Important: The following AQL query formatting is required:

AQL DATEFORMAT function supports the following pattern.

yyyy-MM-dd hh:mm:ss

AQL Function	Syntax
Date / time	Unix timestamp `select starttime from events limit 5` AQL DATEFORMAT function supports the following pattern. `yyyy-MM-dd hh:mm:ss`
Numeric	Calculations on fields require an AQL formatting function. `select long(starttime/1000*60) from events limit 5`
MetaData	AQL metadata fields require double quotation marks and the AS operator, mapping to a known AQL data type. `select "Events per Second Raw - Average 1 Min" as double from events` `select “element” as str from events`
GEO::LOOKUP_TEXT	AQL GEO::LOOKUP function requires data type casting and the AS operator. `double(GEO::LOOKUP_TEXT(destinationip, 'latitude')) as latitude, double(GEO::LOOKUP_TEXT(destinationip, 'longitude')) as longitude, str(GEO::LOOKUP_TEXT(destinationip, 'country_name')) as countryname`
IF / ELSE	AQL IF conditional operator requires the '=' sign and the AS operator when used in the main query. `SELECT sourceip, IF hostname = 'some_hostname' THEN 'ADMIN' ELSE hostname AS host FROM events`

Click Run Query.
Optional: In the Title field, enter a name for your panel.
Optional: Configure the parameters for your panel.
To apply your panel changes and return to the Dashboard page, click Apply.

Important: Applying your changes does not save your dashboard.
- To add another panel to your dashboard from the Dashboard page, click the Add panel icon ().
- To save your changes from the Dashboard page, click the Save icon ().
To save your dashboard, click Save.
In the Save dashboard panel, enter a name for your dashboard.
In the Folder field, select a folder or enter a name to create a new folder, and then click Save.
A Dashboard saved message is displayed. Your dashboard is saved on the Dashboard page in the folder that you chose.
To edit your dashboard, follow these steps:
1. On the Dashboards page, click the dashboard that you want to edit.
2. On the panel that you want to edit, click the Menu icon (), and then click Edit.
3. Edit your dashboard, and then click Save.
4. In the Save dashboard panel, enter a description of your changes, and then click Save.
To delete your dashboard, follow these steps:
1. On the Dashboards page, click your dashboard and then click the Dashboard settings icon ().
2. Click Delete Dashboard.
3. In the Delete window, click Delete.

What to do next

Note: In Grafana Enterprise and Grafana Cloud versions, dashboard reports can be configured, generated, and distributed. For more information, see Create and manage reports in Grafana. Update the Grafana Cloud configuration setting (rendering_timeout) to successfully render plugin dashboard reports (contact Grafana Support).