Searching for specific content items to export

You use the content management script to search for specific content in your IBM QRadar deployment. After you find the content, you can use the unique identifier to export the content item.

About this task

The following table lists the identifiers to use when you want to search for specific types of content.
Table 1. Content type identifiers for searching custom content
Custom content type              Text identifier        Numeric identifier
Dashboards                       dashboard              4
Reports                          report                 10
Saved searches                   search                 1
FGroups (1)                      fgroup                 12
FGroup types                     fgrouptype             13
Custom rules                     customrule             3
Custom properties                customproperty         6
Log sources                      sensordevice           17
Log source types                 sensordevicetype       24
Log source categories            sensordevicecategory   18
Log source extensions            deviceextension        16
Reference data collections       referencedata          28
Custom QID map entries           qidmap                 27
Historical correlation profiles  historicalsearch       25
Custom functions                 custom_function        77
Custom actions                   custom_action          78
Applications                     installed_application  100
(1) An FGroup represents a group of content, such as a log source group, reporting group, or search group.

Procedure

  1. Use SSH to log in to QRadar as the root user.
  2. Go to the /opt/qradar/bin directory and type the following command to search for custom content that matches a regular expression:
    ./contentManagement.pl -a search -c [content_type] -r [regex]
    Parameters:
    Table 2. contentManagement.pl script parameters for searching content items
    Parameter                                             Description
    -c [content_type] or --content-type [content_type]    Specifies the type of content to search for, as the text or numeric identifier from Table 1. This parameter is required: the search action does not accept -c package or -c all.
    -r [regex] or --regex [regex]                         Specifies the regular expression to match. All content items of the selected type that match the expression are displayed.

    Examples:
    • To search for all reports that include Overview in the description, type the following command:
      /opt/qradar/bin/contentManagement.pl --action search \
          --content-type report --regex "Overview"
    • To list all log sources, type the following command. Content type 17 is the numeric identifier for sensordevice, and the expression "\w" matches any name that contains a word character, so every log source is listed. Quote the expression so that the shell does not expand it:
      /opt/qradar/bin/contentManagement.pl -a search -c 17 -r "\w"
    The search results list the unique ID, name, and description of each content item that is found.
    [INFO] Search results:
    [INFO] - [ID] - [Name] - [Description] 
    [INFO] - [67] - [Asset Profiler-2 :: hostname] - [Asset Profiler] 
    [INFO] - [62] - [SIM Generic Log DSM-7 :: hostname] - [SIM Generic Log DSM] 
    [INFO] - [63] - [Custom Rule Engine-8 :: hostname] - [Custom Rule Engine] 
    [INFO] - [71] - [Pix @ apophis] - [Pix device] 
    [INFO] - [70] - [Snort @ wolverine] - [Snort device] 
    [INFO] - [64] - [SIM Audit-2 :: hostname] - [SIM Audit] 
    [INFO] - [69] - [Health Metrics-2 :: hostname] - [Health Metrics]
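As an added example, not code from the QRadar documentation or from the contentManagement.pl script itself, the following POSIX shell script parses the search output format shown above and turns the IDs of the items whose name matches a pattern into export commands for the What to do next step. The export flags it prints (-a export -c TYPE -i ID) are an assumption taken from the page on exporting a single custom content item; confirm them there before running anything. The input is a constructed copy of the sample output, so the script runs offline and executes nothing against QRadar.

```shell
#!/bin/sh
# Added example (not from the QRadar documentation): parse the search output
# that contentManagement.pl -a search prints, so the numeric IDs can be picked
# out by name and fed to the export step. Runs offline: the input is a
# constructed copy of the sample output shown above, nothing calls QRadar.

# Constructed sample: the search output from the page.
SAMPLE_OUTPUT='[INFO] Search results:
[INFO] - [ID] - [Name] - [Description]
[INFO] - [67] - [Asset Profiler-2 :: hostname] - [Asset Profiler]
[INFO] - [62] - [SIM Generic Log DSM-7 :: hostname] - [SIM Generic Log DSM]
[INFO] - [63] - [Custom Rule Engine-8 :: hostname] - [Custom Rule Engine]
[INFO] - [71] - [Pix @ apophis] - [Pix device]
[INFO] - [70] - [Snort @ wolverine] - [Snort device]
[INFO] - [64] - [SIM Audit-2 :: hostname] - [SIM Audit]
[INFO] - [69] - [Health Metrics-2 :: hostname] - [Health Metrics]'

# ids_matching PATTERN
# Reads search output on stdin and prints one numeric ID per line for every
# result row whose Name field matches the awk extended regex PATTERN.
# Rows are split on " - "; the header row is dropped because its ID field
# ("ID") is not numeric, and the "[INFO] Search results:" line has too few
# fields to be a result row.
ids_matching() {
    awk -F' - ' -v pat="$1" '
        $1 == "[INFO]" && NF >= 4 {
            id = $2;   sub(/^\[/, "", id);   sub(/\]$/, "", id)
            name = $3; sub(/^\[/, "", name); sub(/\]$/, "", name)
            if (id ~ /^[0-9]+$/ && name ~ pat) print id
        }'
}

# export_commands TYPE PATTERN
# Reads search output on stdin and prints, one per line, the export command
# for each matching item. The export flags (-a export -c TYPE -i ID) are an
# assumption taken from the "Exporting a single custom content item" page
# referenced below; confirm them there before running. Commands are printed,
# not executed, so this stays a dry run.
export_commands() {
    ids_matching "$2" | while IFS= read -r id; do
        printf '/opt/qradar/bin/contentManagement.pl -a export -c %s -i %s\n' "$1" "$id"
    done
}

# On a live system the search itself would feed the pipeline:
#   /opt/qradar/bin/contentManagement.pl -a search -c sensordevice -r "\w" \
#       | export_commands sensordevice 'hostname'
# Here the constructed sample stands in for the live search:
printf '%s\n' "$SAMPLE_OUTPUT" | export_commands sensordevice 'hostname'
```

Review the printed commands before executing them: the pattern is a regular expression, so a loose expression such as "." selects every item of that type.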

What to do next

Use the unique identifier to export specific content items from QRadar. For more information, see Exporting custom content items of different types and Exporting a single custom content item.