In this example, you create a dynamic time series chart to track the top five most active devices in your environment in the last ten minutes. In QRadar® Pulse V2.1.4 or later, the time series chart has a dynamic series option that is useful when you don't know in advance which devices you want to track, or when you find it difficult to get time series charts to work properly. The option detects the series in the query results automatically and displays each one as a separate line on the time series chart.
Procedure
- Click Configure dashboard.
  The Configure dashboard screen displays a library of available widgets, with details about each widget.
- Click Create new widget.
- On the New Dashboard Item page, enter a name and a description for the item.
- Select AQL from the data source list in the Query section, and enter the following AQL statement:

      SELECT MIN(starttime) as stime,
             LOGSOURCETYPENAME(devicetype) as device,
             devicetype as devices,
             count(*) as total
      FROM events
      WHERE devices IN (
          SELECT devices FROM (
              SELECT devicetype as devices,
                     count(*) as topDevices
              FROM events
              WHERE devicetype <> 368
              GROUP BY devices
              ORDER BY topDevices DESC
              LIMIT 3
              LAST 10 minutes
          )
      )
      GROUP BY starttime/(60*1000), device
      ORDER BY stime asc
      LAST 10 minutes

- Keep the refresh time at every minute, and the results set at 1000.
- Click Run Query.
- In the Views section, call the chart Dynamic time series, and select Time Series Chart as the chart type.
- On the General tab, configure the following options:
  - From the Time (x-axis) list, select stime.
  - Select the Dynamic Series option.
  - Split the series by device.
  - From the Values (y-axis) list, select total.
- Set Show Legend to Yes and set the orientation.
- Click Save.
Results
The following screen capture is an example of what the chart looks like:
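To make it clear what the AQL statement in the procedure computes, and why the Dynamic Series option ends up with one line per device, here is an added Python example that re-implements the query's logic over a constructed set of events. This is illustration code written for this page, not QRadar Pulse code or an AQL engine: the device type IDs and names in the LOGSOURCETYPENAME lookup are made up (except 368, which is the ID the page's query excludes), the event timestamps are constructed, and the top-3 limit and ten-minute window are taken from the query as written.

```python
from collections import Counter, defaultdict

# Constructed stand-in for QRadar's LOGSOURCETYPENAME(devicetype) lookup.
# IDs and names are made up for this example, except 368, which the page's
# query filters out with "where devicetype <> 368".
LOGSOURCETYPENAME = {
    11: "Linux OS",
    12: "Windows Security Event Log",
    13: "Cisco ASA",
    14: "Check Point",
    368: "excluded type",
}

MINUTE_MS = 60 * 1000
WINDOW_MS = 10 * MINUTE_MS          # LAST 10 minutes
EXCLUDED_DEVICETYPE = 368           # where devicetype <> 368


def build_events(now_ms):
    """Constructed events as (starttime_ms, devicetype) tuples. Counts are
    chosen so that 12, 11 and 13 are the three busiest types, 14 falls
    outside the top three, and 368 is the busiest of all but excluded."""
    window_start = now_ms - WINDOW_MS
    per_type = {12: 6, 11: 4, 13: 3, 14: 1, 368: 9}
    events = []
    for devicetype, n in per_type.items():
        for i in range(n):
            # spread each type's events over the first three minutes
            events.append((window_start + (i % 3) * MINUTE_MS + 250, devicetype))
    # one stale event older than the window; LAST 10 minutes must drop it
    events.append((window_start - MINUTE_MS, 12))
    return events


def in_window(events, now_ms):
    """Apply the LAST 10 minutes clause."""
    return [(t, dt) for t, dt in events if now_ms - WINDOW_MS <= t <= now_ms]


def top_devices(events, now_ms, limit=3):
    """Inner subquery: the `limit` busiest device types, excluding 368,
    ordered by event count descending (ORDER BY topDevices DESC LIMIT 3)."""
    counts = Counter(dt for _, dt in in_window(events, now_ms)
                     if dt != EXCLUDED_DEVICETYPE)
    return [dt for dt, _ in counts.most_common(limit)]


def per_minute_totals(events, now_ms, selected):
    """Outer query: GROUP BY starttime/(60*1000), device, with
    MIN(starttime) as stime and count(*) as total, ORDER BY stime asc."""
    groups = defaultdict(list)
    for t, dt in in_window(events, now_ms):
        if dt in selected:
            groups[(t // MINUTE_MS, dt)].append(t)
    rows = [{"stime": min(ts), "device": LOGSOURCETYPENAME[dt],
             "devices": dt, "total": len(ts)}
            for (_, dt), ts in groups.items()]
    rows.sort(key=lambda r: (r["stime"], r["device"]))
    return rows


def dynamic_series(rows):
    """What the Dynamic Series option does with the result rows when the
    series are split by 'device': one series per distinct device value,
    each a list of (stime, total) points in time order."""
    series = defaultdict(list)
    for r in rows:
        series[r["device"]].append((r["stime"], r["total"]))
    return dict(series)


def run(now_ms):
    """Whole pipeline: subquery, outer query, then split into series."""
    events = build_events(now_ms)
    selected = set(top_devices(events, now_ms))
    return dynamic_series(per_minute_totals(events, now_ms, selected))


if __name__ == "__main__":
    for name, points in run(now_ms=1_700_000_000_000).items():
        print(name, points)
```

Running it prints three series, one per selected device name, each with per-minute totals; device type 14 never appears because it is not in the top three, and 368 never appears despite having the most events, because the subquery excludes it. The stale event shows why the LAST 10 minutes clause is needed in both the subquery and the outer query: without it, an old burst of events could keep a device in the top three.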