Part 3: Creating a query with the Global View in Pulse
After you verify the Global View, you can switch to IBM®
QRadar® Pulse and create a query against
this new Global View.
Procedure
Click Configure dashboard.
The Configure dashboard screen displays a library of available widgets,
with details about each widget.
Click Create new widget.
On the New Dashboard Item page, enter a name and a description for
the item.
Select AQL from the data source list in the Query
section, and enter the following AQL statement to run a query from the new Global View:
SELECT *
FROM GLOBALVIEW('Pulse Category Count','NORMAL')
LAST 7 days
Click Run Query.
The query displays the columns in the results field.
Fine-tune the AQL statement:
Add the following columns: COUNT_category, Time, and
Category. Add a WHERE Category clause and an
ORDER BY clause so that the query runs in the correct time sequence.
Global Views are accumulated in three time ranges: NORMAL (by minute), HOURLY, and DAILY. Add a
GROUP BY clause to allow the flexibility to change the query between the three
levels of accumulation. The new query looks like the following example:
SELECT SUM(COUNT_category), Time * 1000 as Time
FROM GLOBALVIEW('Pulse Category Count','NORMAL')
WHERE Category = 16001
GROUP BY Time
ORDER BY Time
LAST 7 days
Note: The HOURLY time range doesn't return any data until the Global View runs for at least 1 hour.
Similarly, the DAILY time range doesn't return any data until the Global View runs for at least 1
day.
You can now create your time series chart in Pulse like the following examples:
