Aggregating data to create a time series chart
In this example, you learn how to create a time series chart to show the number of events every minute for the SIM User Authentication category. You use global views to aggregate the data into a format that IBM® QRadar® Pulse can display.
select categoryname(category) as 'catname', category as 'All categories', count(category) as 'catcount', first(starttime) as 'Time' from events where category = 16001 group by category, starttime/60000 order by Time last 1 hours
The resulting graph displays the number of logins in the past hour. However, if you want to chart a range longer than 24 hours, it might be difficult to get information over a period of days from the query alone. Aggregated data views, also called global views, can help.

A saved search that is grouped by multiple fields generates a global view with many unique entries. As the volume of data increases, disk usage, processing times, and search performance can be impacted. To keep the volume of aggregated data from growing, aggregate searches only on the fields you need. You can also reduce the impact on the accumulator by adding a filter to your search criteria.
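The following Python is an added example, not part of the IBM documentation: it reproduces the query's grouping on a few constructed events so you can see exactly what each chart point is (the first event time in each minute bucket, not the bucket start) and that minutes with no events produce no row at all, which fill_gaps() corrects before charting. The timestamps and the 18001 category id are made up.

```python
MINUTE_MS = 60_000  # the divisor used in the page's query: group by starttime/60000

# Constructed sample events as (starttime in epoch milliseconds, low-level category id).
# 16001 is the SIM User Authentication category the page charts; the timestamps are
# made up and BASE is chosen to sit exactly on a minute boundary.
BASE = 1_700_000_040_000
SAMPLE_EVENTS = [
    (BASE + 5_000, 16001),
    (BASE + 30_000, 16001),   # same minute as the first event
    (BASE + 70_000, 16001),   # second minute
    (BASE + 75_000, 18001),   # constructed other category: excluded by "where category = 16001"
    (BASE + 190_000, 16001),  # fourth minute; the third minute has no events at all
]


def aggregate_per_minute(events, category=16001):
    """Apply the page's query locally: filter on category, group by starttime/60000,
    and return a list of (first(starttime) in bucket, count) ordered by time."""
    buckets = {}
    for starttime, cat in events:
        if cat != category:
            continue
        key = starttime // MINUTE_MS           # starttime/60000 treated as integer division
        if key not in buckets:
            buckets[key] = [starttime, 0]      # first event seen becomes first(starttime)
        buckets[key][1] += 1
    return [(first, count) for _, (first, count) in sorted(buckets.items())]


def fill_gaps(points):
    """Snap each point to the start of its minute and add zero-count minutes between
    the first and last bucket, so a chart does not silently skip quiet minutes."""
    if not points:
        return []
    by_bucket = {first // MINUTE_MS: count for first, count in points}
    lo, hi = min(by_bucket), max(by_bucket)
    return [(b * MINUTE_MS, by_bucket.get(b, 0)) for b in range(lo, hi + 1)]


if __name__ == "__main__":
    raw = aggregate_per_minute(SAMPLE_EVENTS)
    for first, count in raw:
        print(f"Time={first}  catcount={count}")
    print("with gaps filled:", fill_gaps(raw))
```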