Building AQL queries

The Ariel Query Language (AQL) is a structured query language that you use to query and manipulate event and flow data from the Ariel database in IBM QRadar.

About this task

To learn more about AQL, see Ariel Query Language.

Tip:
  • If you receive the message “The cluster is busy processing other requests and does not respond to your queries,” wait a few minutes and try again.
  • When you use the Visual Builder, you must press Enter after you type a value. Press Shift+Enter to add multiple values.

Procedure

  1. Go to Menu > Data Explorer > Search.
    Tip: You can also click Start searching in the home page.
  2. From the query type drop-down list, select QRadar (AQL).
  3. In the query text field, construct your query in the format of the following example.
    SELECT magnitude, sourceip, destinationip, destinationport,
      QIDNAME(qid) AS 'Event Name',
      LOGSOURCENAME(logsourceid) AS 'Log Source',
      CONCAT(CATEGORYNAME(highLevelCategory), '.', CATEGORYNAME(category)) AS 'Category Name',
      DATEFORMAT(startTime, 'MMM dd hh:mm a') AS 'Start Time'
    FROM events
    WHERE TEXT SEARCH '127.0.0.1'
    LIMIT 1000
    LAST 2 HOURS
    Important: If you omit the LIMIT clause, the query might return an error. Use LIMIT to cap the number of results at a specific number; for example, LIMIT 20 returns at most 20 results.
    The LIMIT clause must come before the time clause (START and STOP, or LAST), as in the following example.
    SELECT *
    FROM events
    LIMIT 20
    START '2021-01-01 00:00'
    STOP '2021-01-01 01:00'
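The following query is an added example, not taken from the IBM documentation, of the kind of detection-oriented search you would type into this field. It counts authentication failures per source, destination and user name over the last hour, keeps only sources with more than 10 failures, and shows the clause order AQL expects: WHERE filters individual events, GROUP BY and HAVING work on the aggregate, and LIMIT precedes the time clause as the Important note above requires. The category names assume QRadar's default event taxonomy, the reference set name 'Authorized Scanners' and the threshold of 10 are assumptions for illustration, and the /* */ comments are explanatory; remove them if your QRadar version does not accept comments in the query text field.

```sql
/* Added example: sources that failed authentication more than 10 times in the last hour.
   Category names assume the default QRadar taxonomy; the reference set name is hypothetical. */
SELECT
  sourceip,
  destinationip,
  username,
  COUNT(*) AS 'Failures',
  DATEFORMAT(MIN(startTime), 'yyyy-MM-dd HH:mm:ss') AS 'First Seen',
  DATEFORMAT(MAX(startTime), 'yyyy-MM-dd HH:mm:ss') AS 'Last Seen'
FROM events
/* WHERE filters single events before they are grouped */
WHERE (CATEGORYNAME(category) = 'User Login Failure'
       OR CATEGORYNAME(category) = 'Admin Login Failure')
  AND sourceip <> '127.0.0.1'
  /* Drop sources listed in a reference set of approved scanners (assumed set name) */
  AND NOT REFERENCESETCONTAINS('Authorized Scanners', sourceip)
GROUP BY sourceip, destinationip, username
/* HAVING filters on the aggregate; the alias is referenced with double quotes */
HAVING "Failures" > 10
ORDER BY "Failures" DESC
LIMIT 100
LAST 60 MINUTES
```

Run it first with a small LIMIT and a short LAST window to check that the category names match your environment, then widen the window or switch to START and STOP for a fixed incident timeframe; the LIMIT clause stays before whichever time clause you use.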

Results

If there is a syntax error in your query, Run query is disabled until you resolve the error. Each syntax error is highlighted with a red underline, a tooltip with the error details, and a contextual helper that suggests fixes.

When a query is run, an 'active-query' card is added. Each query expires 14 days after it is created.

Example

Returns all the fields from the events table that were sent in the last 10 minutes.

SELECT * FROM events LAST 10 MINUTES

Returns the sourceip and destinationip from the events table that were sent in the last 24 hours.

SELECT sourceip,destinationip FROM events LAST 24 HOURS

Returns all the fields from the events table for events between 9:00:00 and 10:20:00 on 1 January 2021.

SELECT * FROM events START '2021 01 01 9:00:00' STOP '2021 01 01 10:20:00'

Returns all the fields in the events table sent in the last 24 hours, sorting the output from highest to lowest magnitude.

SELECT * FROM events ORDER BY magnitude DESC LAST 24 HOURS

Returns all the fields from the events table that have the specified text in the output.

SELECT * FROM events WHERE TEXT SEARCH 'firewall'

For more information, see Sample AQL queries.