Custom Event Properties in the Operations app

The IBM® QRadar® Operations app includes several custom event properties. Use custom event properties to search, view, and report on information within logs that QRadar does not typically normalize and display.

The following table shows the custom event properties that are included in the Operations app.

Table 1. Custom event properties in the Operations app

Custom Event Property    Regex
---------------------    -----
Ariel API Method         Method=([A-Z]+)
Ariel API Path           PathInfo=(.*?)\s
                         \/console\/restapi\/api(.*?)\s\|\s\[Action\]\s\[RestAPI\]\s\[APIFailure\]
Ariel Aggregates         Aggregates:(.*)"{1}
AQL Statement            AQL:(.*)"{1}
Ariel Criteria           Filters:(.*), Columns
Ariel Columns            Columns:(.*)"{1}
Ariel Database           DB:<(.*?)>
Ariel Username           User:(.*?),Source
Ariel Cursor ID          Params:Id:(.*?),
Ariel Source             Source:([A-Z]*)
Ariel Criteria Time      Time:<(.*?)>
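
The patterns from Table 1 applied to sample payloads, as an added example that is not part of the original page or IBM's own code. It assumes that capture group 1 holds the property value and that, for Ariel API Path, the first pattern that matches is used; the payloads are constructed to exercise the patterns and are not real QRadar log lines.

```python
import re

# Regexes copied from Table 1; reading capture group 1 is an assumption.
PROPERTIES = {
    "Ariel API Method": [r"Method=([A-Z]+)"],
    "Ariel API Path": [
        r"PathInfo=(.*?)\s",
        r"\/console\/restapi\/api(.*?)\s\|\s\[Action\]\s\[RestAPI\]\s\[APIFailure\]",
    ],
    "Ariel Aggregates": [r'Aggregates:(.*)"{1}'],
    "AQL Statement": [r'AQL:(.*)"{1}'],
    "Ariel Criteria": [r"Filters:(.*), Columns"],
    "Ariel Columns": [r'Columns:(.*)"{1}'],
    "Ariel Database": [r"DB:<(.*?)>"],
    "Ariel Username": [r"User:(.*?),Source"],
    "Ariel Cursor ID": [r"Params:Id:(.*?),"],
    "Ariel Source": [r"Source:([A-Z]*)"],
    "Ariel Criteria Time": [r"Time:<(.*?)>"],
}

# Constructed payloads, shaped only to exercise the patterns (not real QRadar logs).
API_CALL = "Method=POST PathInfo=/ariel/searches client=10.0.0.5"
API_FAILURE = "/console/restapi/api/ariel/searches | [Action] [RestAPI] [APIFailure]"
QUERY = ('"Params:Id:c0ffee-42, DB:<events>, User:admin,Source:UI, '
         "Time:<1700000000 to 1700000300>, Filters:username = 'bob', "
         'Columns:sourceip, destinationip"')
AQL = '"AQL:select "sourceip" from events"'


def extract(payload):
    """Return {property: value} for every property with a matching pattern."""
    found = {}
    for name, patterns in PROPERTIES.items():
        for pattern in patterns:  # first matching pattern wins (assumption)
            match = re.search(pattern, payload)
            if match:
                found[name] = match.group(1)
                break
    return found


if __name__ == "__main__":
    for sample in (API_CALL, API_FAILURE, QUERY, AQL):
        print(extract(sample))
```

The AQL sample shows that the greedy `(.*)"{1}` patterns run to the last double quote in the payload, so quotes embedded in the statement are kept in the captured value.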