Aggregating data to create a time series chart

In this example, you learn how to create a time series chart to show the number of events every minute for the SIM User Authentication category. You use global views to aggregate the data into a format that IBM® QRadar® Pulse can display.

The AQL query to generate the time series graph looks like the following statement:
select categoryname(category) as 'catname',
category as 'All categories',
count(category) as 'catcount',
first(starttime) as 'Time'
from events
where category = 16001
group by category, starttime/60000
order by Time
last 1 hours

The resulting graph displays the number of logins in the past hour. However, if you need the query to cover more than 24 hours, gathering the information over a period of days can be difficult. Aggregated data views, also called global views, can help.

A saved search that is grouped by multiple fields generates a global view that has many unique entries. As the volume of data increases, disk usage, processing times, and search performance can be affected. To keep the volume of data from growing, aggregate searches only on the fields you need. You can reduce the impact on the accumulator by adding a filter to your search criteria.
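The following Python script is an added illustration, not code from IBM or from QRadar Pulse. It replays the logic of the AQL query above (group by category and one-minute bucket, count events, take the earliest start time) over a constructed list of events, and then counts how many distinct rows an aggregated view would hold when the search is grouped by extra fields or narrowed with a filter. The field names mirror the query; the categoryname() lookup table, the 'username' field, and all event values are assumptions made for the example.

```python
# Constructed sample events, not real QRadar data. Fields mirror the page's AQL:
# 'category' (16001 = SIM User Authentication) and 'starttime' in epoch milliseconds.
# 'username' is an extra field used only to show how grouping on more fields
# inflates the number of unique entries in a global view.
BASE_MS = 1_700_000_040_000  # constructed, minute-aligned (divisible by 60000)
SAMPLE_EVENTS = [
    {"starttime": BASE_MS + 5_000,   "category": 16001, "username": "alice"},
    {"starttime": BASE_MS + 20_000,  "category": 16001, "username": "bob"},
    {"starttime": BASE_MS + 59_000,  "category": 16001, "username": "alice"},
    {"starttime": BASE_MS + 61_000,  "category": 16001, "username": "carol"},
    {"starttime": BASE_MS + 70_000,  "category": 18007, "username": "alice"},  # other category
    {"starttime": BASE_MS + 130_000, "category": 16001, "username": "bob"},
    {"starttime": BASE_MS + 131_000, "category": 16001, "username": "bob"},
]

# Hypothetical stand-in for AQL's categoryname() function.
CATEGORY_NAMES = {16001: "SIM User Authentication"}


def time_series(events, category=16001, bucket_ms=60_000):
    """Mirror of the page's query: WHERE category = <category>,
    GROUP BY category, starttime/<bucket_ms>, with count() and first(starttime),
    ORDER BY time. Returns rows of (catname, category, catcount, time)."""
    buckets = {}
    for ev in events:
        if ev["category"] != category:          # the WHERE clause
            continue
        key = ev["starttime"] // bucket_ms     # integer division = minute bucket
        row = buckets.setdefault(key, {"count": 0, "first": ev["starttime"]})
        row["count"] += 1
        row["first"] = min(row["first"], ev["starttime"])   # first(starttime)
    return [
        (CATEGORY_NAMES.get(category, str(category)), category, b["count"], b["first"])
        for _, b in sorted(buckets.items())     # ORDER BY Time
    ]


def unique_entries(events, group_fields, bucket_ms=60_000, category=None):
    """Number of distinct rows an aggregated (global) view would hold when the
    search is grouped by group_fields plus the minute bucket. The optional
    category filter shows how a WHERE clause shrinks the accumulator's work."""
    keys = set()
    for ev in events:
        if category is not None and ev["category"] != category:
            continue
        keys.add(tuple(ev[f] for f in group_fields) + (ev["starttime"] // bucket_ms,))
    return len(keys)


if __name__ == "__main__":
    for row in time_series(SAMPLE_EVENTS):
        print(row)
    print("grouped by category:          ", unique_entries(SAMPLE_EVENTS, ["category"]))
    print("grouped by category, username:", unique_entries(SAMPLE_EVENTS, ["category", "username"]))
    print("same, filtered to 16001:      ",
          unique_entries(SAMPLE_EVENTS, ["category", "username"], category=16001))
```

Running the script shows three one-minute buckets for category 16001 (counts 3, 1 and 2), and the unique-entry counts grow as soon as 'username' is added to the grouping and shrink again when the category filter is applied, which is the trade-off the paragraph above describes for global views.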