AQL Query structure

Use Ariel Query Language (AQL) to extract, filter, and perform actions on event and flow data that you extract from the Ariel database in IBM® QRadar®. You can use AQL to get data that might not be easily accessible from the user interface.

The following diagram shows the flow of an AQL query.

Figure 1. AQL query flow

Structure of an AQL statement

Use the SELECT statement to select fields from events or flows in the Ariel database, which are displayed as columns. For example, the following query returns the results that are shown in the following table:

SELECT sourceip, destinationip, username, protocolid, eventcount FROM events

Table 1. AQL query results

sourceip | destinationip | Username | Protocolid | eventcount
Joe | Ariel | 233 | 1
Jim | Ariel | 233 | 1

AQL queries begin with a SELECT statement to select event or flow data from the Ariel database. You can refine the data output of the SELECT statement by using the WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, and LAST clauses.
Use the SELECT statement to select fields from events or flows. For example, select all fields from events or flows by typing:

SELECT * FROM events, or SELECT * FROM flows

Use the following clauses to filter and manipulate the data that is returned by the SELECT statement:

Use the WHERE clause to insert a condition that filters the output, for example, WHERE logsourceid='65'.
Use the GROUP BY clause to group the results by one or more columns that you specify in the query, for example, GROUP BY logsourceid.
Use the HAVING clause to specify a condition that is applied after the GROUP BY clause, for example, HAVING MAG > 3.
Use the ORDER BY clause to order the results by a column in the AQL query in ascending or descending order, for example, ORDER BY username DESC.
Use a LIMIT clause to limit the number of results that are returned to a specific number, for example, LIMIT 50 to limit the output to 50 results.
Use a LAST clause to specify a time frame for the query, for example, LAST 1 HOURS.

The following example combines several of the clauses that are described in the list:

SELECT sourceip, destinationip, username
FROM events
WHERE username = 'test name'
GROUP BY sourceip, destinationip
ORDER BY sourceip DESC
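As an added example that is not part of the IBM page, the following query uses every clause from the list above in the order in which AQL expects them (SELECT, FROM, WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, LAST). It reuses the page's sample log source ID '65' and assumes the standard events fields sourceip, username, logsourceid and eventcount, the aggregate functions COUNT and SUM, and the LOGSOURCENAME function to resolve the log source ID to its display name; these names are assumptions about the AQL environment, not values taken from the page.

```sql
SELECT
    sourceip,
    username,
    LOGSOURCENAME(logsourceid) AS logsource,
    COUNT(*) AS hits,
    SUM(eventcount) AS total_events
FROM events
WHERE logsourceid = '65'
  AND username IS NOT NULL
GROUP BY sourceip, username, logsourceid
HAVING total_events > 3
ORDER BY total_events DESC
LIMIT 50
LAST 1 HOURS
```

Reading it clause by clause: WHERE restricts the raw events to one log source and drops rows with no user name before any grouping happens; GROUP BY collapses the remaining events into one row per source IP, user and log source; HAVING then filters those grouped rows on the aggregate alias total_events, which is why the same condition cannot go in the WHERE clause; ORDER BY sorts the busiest pairs to the top; LIMIT caps the result at 50 rows; and LAST 1 HOURS bounds the search to the previous hour, which is the single most effective way to keep an ad hoc AQL search cheap on a large Ariel database.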