Loading saved searches from QRadar

You can load your saved searches from IBM QRadar and use them as a base in IBM QRadar Event and Flow Exporter. Any modifications that you make in the app to the AQL queries in the saved searches are not reflected in QRadar.

  1. From the main page in the app, click the Saved Searches tab.
  2. Click Load Saved Searches.
    A window appears that lists the number of queries that were added, duplicated, or deleted from QRadar. If there's a conflict, QRadar Event and Flow Exporter skips loading the queries. You can use the IDs of the queries to search for them and take any appropriate action.

    QRadar Event and Flow Exporter does not delete any queries, but provides the ID so that you can further investigate and delete the queries yourself.

  3. Review the saved searches on the Saved Searches tab.
    1. If you set up an email server during configuration, enter the email addresses to notify when the query completes and select the format for the email attachment. For more information, see Configuring QRadar Event and Flow Exporter.
    2. If you want to run your queries automatically at specific intervals, pick a schedule for running the query. You can also choose to end the schedule after a set number of query runs, such as three occurrences.
    3. To view a sample run of your added query, click Preview. The preview checks for syntax errors in your query so that queries with syntactical errors are not added to the app.
  4. To edit the query string, click Copy to copy it to the clipboard and paste it into a text editor. Modify the query string in the text editor and then create a new query with the updated AQL query string. For more information, see Adding an AQL query.
    The newly created query appears on the Queries tab.
  5. To delete the query from QRadar Event and Flow Exporter, select the relevant checkbox and then click the trash can icon in the menu bar.
    Any query results and schedules that are associated with the query are also deleted.