Creating widgets from an AQL data source
You can use Ariel Query Language (AQL) statements to create widgets. AQL is a structured query language that you use to extract, filter, and manipulate event and flow data from the Ariel database in IBM® QRadar®.
Before you begin
Read the following topics in the IBM QRadar Ariel Query Language Guide to learn about the Ariel Query Language that you use in QRadar Pulse to create dashboard items based on AQL data sources:
- Overview of Ariel Query Language
Within the overview section, several topics explain the statements and clauses you use. The statements and clauses appear as keywords in QRadar and QRadar Pulse when you enter them in the query field.
- Event, flow, and simarc fields for AQL queries
Use AQL to retrieve specific fields from the events, flows, and simarc tables in the Ariel database.
About this task
Click Configure dashboard.
The Configure dashboard screen displays a library of available widgets, with details about each widget.
- Click Create new widget.
- On the New Dashboard Item page, enter a name and a description for the widget.
Select AQL from the data source list in the Query section, and enter an AQL statement. For more information, see Tips for creating AQL queries for dashboard charts.
- Insert existing parameters in the statement. Click the Insert Parameter icon, and then click Insert for each relevant parameter.
To change the default value of the parameter, click the View Parameters icon, and click Save after you set the default value.
When you change the default value for a parameter, you're changing the value everywhere the parameter is used in your workspace, except in expanded or pinned dashboards and widgets. If you don't set the value as the default value, the updated change applies only to the current session. However, if you set the value as the default, the current session value also uses that value.
Note: The predefined SYSTEM:username parameter returns the username of the user who is logged in. System parameters are read-only and you cannot change the default value.
To add a parameter to your workspace, click Add, give the parameter a name and default value, if needed, and then click Save.
Note: After you add parameters to a widget on a dashboard for the first time, the Parameters card appears on the dashboard. If you remove parameters from the widget, and no other widget in that dashboard uses the parameter, the Parameters card disappears.
Pick a refresh time for how often you poll the data source. Choose a refresh rate that is greater than the selected query time. The default refresh rate is every 5 minutes. The shorter the refresh time, the greater the performance impact on IBM QRadar. The timer for the refresh rate begins after the query is completed.
For example, if the refresh rate is every minute, and the query takes 3 minutes to complete, the refresh rate starts only after the 3-minute run ends.
Click Run Query.
When you first create the widget, you can't configure the charts if the query returns no data. Try making the criteria in the fields less strict and run the query again.
If your AQL query contains parameters without any values, enter them on the Parameters page. You must enter a value for each parameter so that the query runs successfully. If the query is successful, the results are displayed next to the statement.
Create a view in the Views section.
Because you can create multiple views and charts from the same query, give the view a unique name. By default, the chart's title and status on the title bar are displayed; to hide them, click the More options icon and switch the settings to Off.
Select a chart type and configure the relevant properties. For use cases to help you decide which chart type to use, see Widget chart types.

| Chart type | Instructions |
| --- | --- |
| Bar | Creating a bar chart |
| Big Number | Creating a big number chart |
| Geographic | Creating a geographic chart |
| Pie | Creating a pie chart |
| Scatter | Creating a scatter chart |
| Tabular | Creating a tabular chart |
| Time Series | Creating a time series chart |

Preview how the chart looks and then click Save.
Tip: The labels for the chart come from the queries that are used. If they are unintelligible in the preview, edit the labels in the View section.
You can edit a widget and save it without rerunning the query. For example, if a query doesn't return results, such as when the time period isn't long enough to pick up new events, or if the magnitude or severity value isn't applicable when you run the query, you can save the widget. If you edit the query, you must run the query again before you can save the widget.
Deleting a widget removes it from all of the dashboards it belongs to. If the deleted dashboard contains parameters, the parameters are not deleted.