Using AQL helps you refine advanced searches and return specific results.
When you use AQL queries, you can display data from across QRadar in the Log
Activity or Network Activity tabs.
To use AQL in the search fields, the following keyboard shortcuts are available:
In the search fields on the Log Activity or Network Activity tabs, press Ctrl + Space to see the full list of AQL functions, fields (properties), and keywords.
Press Ctrl + Enter to create multiline AQL queries in the user interface, which makes the queries more readable.
By using the copy (Ctrl + C) and paste (Ctrl + V) keyboard commands, you can copy directly to and from the Advanced search field.
Note: Ensure that you use the appropriate quotation marks when you copy queries into the search field.
In the user interface, each suggested component is listed together with its AQL category. The following table lists and explains the different categories:
Table 1. Ariel Query Language categories
Category: Definition
Database: The name of an Ariel database, or table, that you can query. The database is either events or flows.
Keyword: Typically core SQL clauses. For example, SELECT, OR, NULL, NOT, AS, ASC (ascending), and more.
Field: Basic information that you can query from the database. Examples include Access intent, VPC ID, and domainid.
Function: The name of a function that retrieves or transforms information. Functions work on all fields and databases. Examples of functions include DATEFORMAT, HOSTNAME, and LOWER.
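As an added example that is not taken from the IBM documentation, the following multiline query (the kind you would enter with Ctrl + Enter) uses one item from each category in Table 1: the events database, the SELECT, AS, FROM, WHERE, AND, ORDER BY and DESC keywords, the fields domainid, username, sourceip, destinationip, qid and starttime, and the functions DATEFORMAT, LOWER and QIDNAME. The username 'admin' and domain 0 are constructed sample filter values; username, sourceip, destinationip, qid, starttime, QIDNAME and the LAST time clause are standard QRadar event properties and syntax that this page does not list.

```sql
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event time",
    LOWER(username) AS "User",
    sourceip,
    destinationip,
    QIDNAME(qid) AS "Event name",
    domainid
FROM events
WHERE LOWER(username) = 'admin'
    AND domainid = 0
ORDER BY starttime DESC
LAST 24 HOURS
```

This query illustrates the quotation-mark note above: string literals such as 'admin' and the DATEFORMAT pattern use single quotes, while aliases or property names that contain spaces (such as "Event time" or the Access intent field) use double quotes. Pasting a query whose quotes were converted to typographic quotes by an editor will fail to parse in the search field.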