Health metrics query examples
Use the following query examples to get information about system performance in your network or edit these examples to build your own custom queries.
Get a list of all Health Metric events generated in the last 5 minutes:
SELECT DATEFORMAT(starttime,'yyyy-MM-dd HH:mm:ss') as ts, Hostname, "Component Type", "Metric ID", Element, Value
FROM events
WHERE devicetype=368
ORDER BY ts DESC
Get the average raw (pre-licensing) deployment ingestion EPS for the last hour (the inner query averages the per-host EventRate metric, the outer query sums those averages across the deployment):
SELECT SUM(EPS) as deployment_total_EPS
FROM (SELECT sourceip, LONG(AVG("Value")) as EPS
      FROM events
      WHERE devicetype=368 AND "Metric ID"='EventRate'
      GROUP BY sourceip
      HAVING EPS>0
      ORDER BY sourceip DESC
      LAST 1 HOURS)
Get the average and maximum raw (pre-licensing) ingestion EPS per host for each one-minute interval in the last 5 minutes:
SELECT Hostname, DATEFORMAT(starttime,'yyyy-MM-dd HH:mm') ts, LONG(AVG("Value")) avg_raw_EPS, LONG(MAX("Value")) max_raw_EPS
FROM events
WHERE devicetype=368 AND "Metric ID"='EventRate'
GROUP BY ts, Hostname
ORDER BY ts
Get the average and maximum CPU usage of all QRadar Java processes by host in the last 5 minutes:
SELECT Hostname, "Component Type", LONG(AVG("Value"*100)) CPU_usage_avg, LONG(MAX("Value"*100)) CPU_usage_max
FROM events
WHERE devicetype=368 AND "Metric ID"='ProcessCPU'
GROUP BY "Component Type",Hostname
ORDER BY CPU_usage_avg DESC
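The ProcessCPU query above is the kind of check an operations team runs on a schedule rather than by hand. The following added example (not part of IBM's documentation) submits that query through the QRadar Ariel REST API, waits for the search to complete, and flags host/component pairs whose average CPU exceeds a threshold. The console URL, API token, API version header value, CPU threshold and SAMPLE_ROWS are assumptions or constructed data, not values from the page.

```python
"""Run the page's ProcessCPU health-metric AQL via the Ariel REST API and
report components running hot. Added example; console URL, token and
threshold are assumptions."""
import json
import time
import urllib.parse
import urllib.request


def build_process_cpu_query(minutes: int = 5) -> str:
    """AQL from the page, with an explicit LAST clause (window is an assumption)."""
    return (
        'SELECT Hostname, "Component Type", '
        'LONG(AVG("Value"*100)) CPU_usage_avg, LONG(MAX("Value"*100)) CPU_usage_max '
        "FROM events WHERE devicetype=368 AND \"Metric ID\"='ProcessCPU' "
        'GROUP BY "Component Type",Hostname ORDER BY CPU_usage_avg DESC '
        f"LAST {minutes} MINUTES"
    )


def hot_components(rows, threshold=80):
    """Return (Hostname, Component Type) pairs whose CPU_usage_avg exceeds the
    threshold, highest first. Column names are the aliases the AQL produces."""
    hot = [r for r in rows if r.get("CPU_usage_avg", 0) > threshold]
    hot.sort(key=lambda r: -r["CPU_usage_avg"])
    return [(r["Hostname"], r["Component Type"]) for r in hot]


def run_aql(console, token, query, poll_seconds=2.0):
    """Submit an AQL search (POST /api/ariel/searches), poll until COMPLETED,
    then fetch the result rows. Uses the SEC header for token auth."""
    headers = {"SEC": token, "Version": "19.0", "Accept": "application/json"}

    def call(method, path):
        req = urllib.request.Request(console + path, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    sid = call("POST", "/api/ariel/searches?query_expression="
               + urllib.parse.quote(query))["search_id"]
    while True:
        status = call("GET", f"/api/ariel/searches/{sid}")["status"]
        if status == "COMPLETED":
            return call("GET", f"/api/ariel/searches/{sid}/results")["events"]
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {sid} ended with status {status}")
        time.sleep(poll_seconds)


# Constructed sample rows shaped like the query's result set, for offline use.
SAMPLE_ROWS = [
    {"Hostname": "ep1", "Component Type": "ecs-ec", "CPU_usage_avg": 95, "CPU_usage_max": 99},
    {"Hostname": "console", "Component Type": "tomcat", "CPU_usage_avg": 40, "CPU_usage_max": 70},
    {"Hostname": "ep2", "Component Type": "ecs-ep", "CPU_usage_avg": 85, "CPU_usage_max": 90},
]

if __name__ == "__main__":
    # Swap SAMPLE_ROWS for run_aql("https://<console>", "<token>", build_process_cpu_query())
    for host, comp in hot_components(SAMPLE_ROWS):
        print(f"high CPU: {comp} on {host}")
```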