Time series charts in QRadar Pulse
At first glance, creating a time series chart from relational data in QRadar® Pulse can be challenging. The amount of data that is returned by an AQL query can be unwieldy, but with some background knowledge and careful planning, you can produce relevant and meaningful time series charts.
select starttime as 'Start Time',
SUM(eventcount) as 'Event Count (Sum)'
from events
where eventcount <> NULL
GROUP BY starttime
order by starttime
LAST 60 minutes
Creating intervals in a time series query
The first step is to decide the type of interval to use for your data analysis. Do you want to look at data from a narrow interval, such as every second? Or in larger intervals of every minute or every hour? This decision is important because data points must be grouped in intervals so that a metric is calculated.
- Using the GROUP BY clause to create an interval: GROUP BY starttime/60000. Because starttime is in displayed in milliseconds, if you divide by 60,000 (60 seconds x 1000 milliseconds), you create groups or intervals of 60 seconds (1 minute).
- Changing the ORDER BY clause to use the aggregate sTime.
select starttime as 'sTime',
SUM(eventcount) as 'Event Count (Sum)'
from events
where eventcount > 0
GROUP BY starttime/60000
order by "sTime"
LAST 60 minutes
Pivoting rows to columns to create a series
SUM(IF LOGSOURCETYPENAME(devicetype) = 'System Notification' THEN 1.0 ELSE 0.0)
as system_notification
SUM(IF LOGSOURCETYPENAME(devicetype) = 'SIM Audit' THEN 1.0 ELSE 0.0) as sim_audit
SELECT starttime/(1000*60) as 'minute',
(minute * (1000*60)) as 'stime',
SUM(IF LOGSOURCETYPENAME(devicetype) = 'System Notification' THEN 1.0 ELSE 0.0)
as system_notification,
SUM(IF LOGSOURCETYPENAME(devicetype) = 'SIM Audit' THEN 1.0 ELSE 0.0) as sim_audit
FROM events
WHERE devicetype <> NULL
GROUP BY minute
ORDER BY stime asc
LAST 10 minutes
While this method is fairly efficient to transform relational data into time series data, you must know ahead of time what data you're looking for.
Creating a dynamic time series
SELECT starttime/(1000*60) as 'minute',
MIN(starttime) as 'stime',
eventcount as 'eventCount', devicetype as 'deviceType',
LOGSOURCETYPENAME(devicetype) as 'device',
count(*) as 'total'
FROM events
WHERE deviceType IN (
SELECT deviceType FROM (
SELECT devicetype as 'deviceType',
count(*) as 'total'
FROM events
GROUP BY deviceType
ORDER BY total DESC
LIMIT 8
LAST {Time_Span}
)
) and devicetype not in (18,105,147,368)
GROUP BY minute, device
ORDER BY minute asc
LAST {Time_Span}
The difference from the previous method is that the data is not pivoted into columns and contains repetitions in the time column that is caused by the secondary GROUP BY clause. By using the dynamic time series option, QRadar Pulse splits the data into a proper time series format. Select the column that contains the time (stime for the x-axis), the column that contains the data (total for the y-axis), and the column that contains the GROUP BY clause (to extract the different series by device).
Although the chart looks the same as the one that was created by the previous method, the underlying AQL query is much more dynamic. If the log sources change over time, the chart automatically updates because the values are no longer hardcoded into the query.
SELECT starttime/(1000*60) as 'minute', (minute * (1000*60)) as 'stime', LOGSOURCETYPENAME(devicetype) as 'device', count(*) as 'total'
FROM events
WHERE device IN (
SELECT deviceList FROM (
SELECT LOGSOURCETYPENAME(devicetype) as deviceList, count(*) as topDevices
FROM events
WHERE deviceList <> 'Health Metrics'
GROUP BY deviceList
ORDER BY topDevices DESC
LIMIT 3
LAST 10 minutes
)
)
GROUP BY minute, device
ORDER BY stime asc
LAST 10 minutes
The
query is more efficient, and ensures that the three rendered series correspond to the top three
active devices in the selected time span.