AQL Query structure

Use Ariel Query Language (AQL) to extract, filter, and perform actions on event and flow data that you extract from the Ariel database in IBM® QRadar®. You can use AQL to get data that might not be easily accessible from the user interface.

The following diagram shows the flow of an AQL query.

Figure 1. AQL query flow

Structure of an AQL statement

Use the SELECT statement to select fields from events or flows in the Ariel database; each selected field is displayed as a column. For example, the following query returns the results that are shown in Table 1:

SELECT sourceip, destinationip, username, protocolid, eventcount FROM events

Table 1. AQL query results
sourceip      destinationip    username    protocolid  eventcount
192.0.2.21    198.51.100.21    Joe Ariel   233         1
192.0.2.22    198.51.100.24    Jim Ariel   233         1

AQL queries begin with a SELECT statement that selects event or flow data from the Ariel database. You can refine the output of the SELECT statement by using the WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, and LAST clauses, which follow the FROM clause in that order.

SELECT

Use the SELECT statement to select fields from events or flows. For example, select all fields from events or flows by typing:

SELECT * FROM events
SELECT * FROM flows

Because SELECT * returns every field of every record in the selected time range, bound such queries with a LAST clause or a LIMIT clause to keep the search manageable.

Use the following clauses to filter and manipulate the data that is returned by the SELECT statement:

WHERE
Use the WHERE clause to insert a condition that filters the rows before they are grouped, for example, WHERE logsourceid='65'.
GROUP BY
Use the GROUP BY clause to group the results by one or more columns that you specify in the query, for example, GROUP BY logsourceid.
HAVING
Use the HAVING clause to specify a condition that is applied to the grouped results after the GROUP BY clause, for example, HAVING MAG > 3.
ORDER BY
Use the ORDER BY clause to order the results by a column in the AQL query in ascending or descending order, for example, ORDER BY username DESC.
LIMIT
Use a LIMIT clause to limit the number of results that are returned to a specific number, for example, LIMIT 50 to limit the output to 50 results.
LAST
Use a LAST clause to specify the time frame for the query, counted back from the present, for example, LAST 1 HOURS.

The following example combines the WHERE, GROUP BY, ORDER BY, LIMIT, and LAST clauses that are described in the list (HAVING is omitted because the query has no aggregate condition to filter on):

SELECT sourceip, destinationip, username
FROM events
WHERE username = 'test name'
GROUP BY sourceip, destinationip
ORDER BY sourceip DESC
LIMIT 10
LAST 2 DAYS
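The following is an added example, not part of the original IBM page, that shows how a practitioner typically uses the clause structure above in practice: an aggregate query that does use HAVING (sources with many authentication failures in the last hour), a local check that the clauses of a statement appear in the order the page describes, and a helper that submits the query through the QRadar Ariel REST API and polls for the result. The low-level category name 'General Authentication Failed', the API version header value, and the base URL and token are assumptions; confirm them against your own deployment before relying on the query.

```python
"""Build, sanity-check, and submit an AQL query against the QRadar Ariel search API.

Added example; not code from the IBM QRadar documentation.
"""
import json
import os
import re
import time
import urllib.parse
import urllib.request

# Clause order of an AQL statement as described on the page.
CLAUSE_ORDER = ["SELECT", "FROM", "WHERE", "GROUP BY", "HAVING", "ORDER BY", "LIMIT", "LAST"]

# Constructed query: source IPs with more than 20 authentication failures in the last hour,
# using COUNT and UNIQUECOUNT from AQL's aggregate functions. The category name is an
# assumption; check the low-level category names in your deployment.
FAILED_LOGIN_AQL = (
    "SELECT sourceip, COUNT(*) AS failures, UNIQUECOUNT(username) AS accounts "
    "FROM events "
    "WHERE CATEGORYNAME(category) = 'General Authentication Failed' "
    "GROUP BY sourceip "
    "HAVING failures > 20 "
    "ORDER BY failures DESC "
    "LIMIT 25 "
    "LAST 1 HOURS"
)

_CLAUSE_RE = re.compile(r"\b(SELECT|FROM|WHERE|GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT|LAST)\b", re.IGNORECASE)


def clause_order(aql):
    """Return the clause keywords of a statement in the order they appear, upper-cased.

    Single-quoted string literals are blanked first so a value such as 'last resort'
    is not mistaken for a LAST clause. Subqueries are not handled.
    """
    stripped = re.sub(r"'[^']*'", "''", aql)
    return [re.sub(r"\s+", " ", m.group(1)).upper() for m in _CLAUSE_RE.finditer(stripped)]


def check_clause_order(aql):
    """True if the statement starts with SELECT, has a FROM clause, and its clauses
    appear in the canonical order with no clause repeated."""
    seen = clause_order(aql)
    if not seen or seen[0] != "SELECT" or "FROM" not in seen:
        return False
    ranks = [CLAUSE_ORDER.index(c) for c in seen]
    return all(a < b for a, b in zip(ranks, ranks[1:]))


def run_search(base_url, token, aql, poll_seconds=2, timeout=300):
    """Submit an AQL statement via POST /api/ariel/searches, poll GET /api/ariel/searches/{id}
    until it reaches COMPLETED, then return the rows from .../results.

    Assumes a QRadar REST API reachable at base_url and an authorized service token
    passed in the SEC header; the Version header value is an assumption for this example.
    """
    headers = {"SEC": token, "Version": "12.0", "Accept": "application/json"}
    url = f"{base_url}/api/ariel/searches?query_expression={urllib.parse.quote(aql)}"
    with urllib.request.urlopen(urllib.request.Request(url, method="POST", headers=headers)) as resp:
        search_id = json.load(resp)["search_id"]

    deadline = time.monotonic() + timeout
    while True:
        status_url = f"{base_url}/api/ariel/searches/{search_id}"
        with urllib.request.urlopen(urllib.request.Request(status_url, headers=headers)) as resp:
            status = json.load(resp)["status"]
        if status == "COMPLETED":
            break
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"search {search_id} still {status} after {timeout}s")
        time.sleep(poll_seconds)

    results_url = f"{base_url}/api/ariel/searches/{search_id}/results"
    with urllib.request.urlopen(urllib.request.Request(results_url, headers=headers)) as resp:
        data = json.load(resp)
    # Event searches return rows under "events", flow searches under "flows".
    return data.get("events") if "events" in data else data.get("flows", [])


if __name__ == "__main__":
    print(FAILED_LOGIN_AQL)
    print("clause order OK:", check_clause_order(FAILED_LOGIN_AQL))
    # Only contact a console if QRADAR_URL and QRADAR_TOKEN are set (assumed variable names).
    if os.environ.get("QRADAR_URL") and os.environ.get("QRADAR_TOKEN"):
        for row in run_search(os.environ["QRADAR_URL"], os.environ["QRADAR_TOKEN"], FAILED_LOGIN_AQL):
            print(row)
```

The clause check catches the ordering mistakes that the Ariel parser would otherwise reject only after the search is submitted, such as placing LAST before WHERE, and it accepts the page's own example with its lowercase GROUP by because keywords are matched case-insensitively. The HAVING clause references the failures alias so that only grouped rows above the threshold are returned, which is the kind of aggregate condition the page's example omits.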