Viewing grouped events
Using the Log Activity tab, you can view events that are grouped by various options. From the Display list box, you can select the parameter by which you want to group events.
About this task
The Display list box is not displayed in streaming mode because streaming mode does not support grouped events. If you entered streaming mode by using non-grouped search criteria, this option is displayed.
Group option | Description |
---|---|
Low Level Category | Displays a summarized list of events that are grouped by the low-level category of the event. For more information about categories, see the IBM® QRadar Administration Guide. |
Event Name | Displays a summarized list of events that are grouped by the normalized name of the event. |
Destination IP | Displays a summarized list of events that are grouped by the destination IP address of the event. |
Destination Port | Displays a summarized list of events that are grouped by the destination port of the event. |
Source IP | Displays a summarized list of events that are grouped by the source IP address of the event. |
Custom Rule | Displays a summarized list of events that are grouped by the associated custom rule. |
Username | Displays a summarized list of events that are grouped by the user name that is associated with the events. |
Log Source | Displays a summarized list of events that are grouped by the log sources that sent the event to QRadar®. |
High Level Category | Displays a summarized list of events that are grouped by the high-level category of the event. |
Network | Displays a summarized list of events that are grouped by the network that is associated with the event. |
Source Port | Displays a summarized list of events that are grouped by the source port of the event. |
Parameter | Description |
---|---|
Grouping By | Specifies the parameter that the search is grouped on. |
Current Filters | The top of the table displays the details of the filter that is applied to the search results. To clear these filter values, click Clear Filter. |
View | From the list box, select the time range that you want to filter for. |
Current Statistics | When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics for the search are displayed. Note: Click the arrow next to Current Statistics to display or hide the statistics. |
Charts | Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the chart from your display. Each chart provides a legend, which is a visual reference that helps you associate the chart objects with the parameters they represent. |
Source IP (Unique Count) | Specifies the source IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses. |
Destination IP (Unique Count) | Specifies the destination IP address that is associated with this event. If there are multiple IP addresses that are associated with this event, this field specifies the term Multiple and the number of IP addresses. |
Destination Port (Unique Count) | Specifies the destination ports that are associated with this event. If there are multiple ports that are associated with this event, this field specifies the term Multiple and the number of ports. |
Event Name | Specifies the normalized name of the event. |
Log Source (Unique Count) | Specifies the log sources that sent the event to QRadar. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources. |
High Level Category (Unique Count) | Specifies the high-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories. For more information about categories, see the IBM QRadar Log Manager Administration Guide. |
Low Level Category (Unique Count) | Specifies the low-level category of this event. If there are multiple categories that are associated with this event, this field specifies the term Multiple and the number of categories. |
Protocol (Unique Count) | Specifies the protocol ID associated with this event. If there are multiple protocols that are associated with this event, this field specifies the term Multiple and the number of protocol IDs. |
Username (Unique Count) | Specifies the user name that is associated with this event, if available. If there are multiple user names that are associated with this event, this field specifies the term Multiple and the number of user names. |
Magnitude (Maximum) | Specifies the maximum calculated magnitude for grouped events. Variables that are used to calculate magnitude include credibility, relevance, and severity. |
Event Count (Sum) | Specifies the total number of raw events that are bundled into the normalized events of this group. Events are coalesced (bundled) into one normalized event when many events of the same type for the same source and destination IP address are seen within a short time, so this value can be much larger than Count. |
Count | Specifies the total number of normalized events in this event group. |
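The aggregates in the table above are easy to misread, in particular Event Count (Sum) versus Count, and the way a Unique Count column collapses to "Multiple (n)". The following script is an added example, not code from the IBM QRadar documentation or product: it reproduces those grouped-view semantics over a handful of constructed normalized events. The field names, the sample events, the "Multiple (n)" and "N/A" renderings, and the `GROUP_OPTIONS` mapping are assumptions made for the illustration, not QRadar internal identifiers.

```python
"""Grouped-search aggregation over constructed events.

Added example: not code from the IBM QRadar documentation or product. The
field names and the sample events below are assumptions for this illustration.
"""
from collections import defaultdict

# Display list box option -> field name in the constructed event records
# (assumed names, not QRadar internal identifiers).
GROUP_OPTIONS = {
    "Low Level Category": "low_level_category",
    "Event Name": "event_name",
    "Destination IP": "destination_ip",
    "Destination Port": "destination_port",
    "Source IP": "source_ip",
    "Custom Rule": "custom_rule",
    "Username": "username",
    "Log Source": "log_source",
    "High Level Category": "high_level_category",
    "Network": "network",
    "Source Port": "source_port",
}

# Columns that the grouped view reports as "(Unique Count)".
UNIQUE_COUNT_FIELDS = ("source_ip", "destination_ip", "destination_port",
                       "log_source", "high_level_category", "low_level_category",
                       "protocol", "username")


def make_event(**overrides):
    """Build one constructed normalized event; defaults model an SSH login failure."""
    base = {
        "event_name": "Login Failure", "high_level_category": "Authentication",
        "low_level_category": "User Login Failure", "source_ip": "10.0.0.5",
        "source_port": 51000, "destination_ip": "10.0.1.20", "destination_port": 22,
        "protocol": 6, "username": "alice", "log_source": "LinuxServer @ bastion",
        "network": "Net-10-172-192.Net_10_0_0_0", "custom_rule": None,
        "magnitude": 5, "event_count": 1,
    }
    base.update(overrides)
    return base


# Constructed sample: four normalized events, one of them a coalesced bundle.
SAMPLE_EVENTS = [
    make_event(),
    # 50 identical failures coalesced into one record: Event Count 50, magnitude 7.
    make_event(source_ip="10.0.0.7", source_port=51001, magnitude=7, event_count=50),
    make_event(source_ip="10.0.0.9", destination_ip="10.0.1.21", destination_port=3389,
               username="bob", log_source="WindowsAuthServer @ dc1", magnitude=3),
    make_event(event_name="Login Success", low_level_category="User Login Success",
               username="carol", magnitude=2),
]


def render_unique(values):
    """A single distinct value is shown as-is; several become 'Multiple (n)'."""
    distinct = {v for v in values if v is not None}
    if not distinct:
        return "N/A"
    if len(distinct) == 1:
        return next(iter(distinct))
    return f"Multiple ({len(distinct)})"


def group_events(events, display_option):
    """Group events the way the grouped Log Activity view does for a Display option."""
    try:
        field = GROUP_OPTIONS[display_option]
    except KeyError:
        raise ValueError(f"unsupported grouping option: {display_option!r}") from None

    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[field]].append(ev)

    rows = []
    for key, members in buckets.items():
        row = {"grouping_by": display_option, "group": key,
               "event_name": render_unique(m["event_name"] for m in members)}
        for col in UNIQUE_COUNT_FIELDS:
            row[col] = render_unique(m[col] for m in members)
        # Magnitude is the maximum across the group, Event Count (Sum) adds up the
        # coalesced bundles, Count is the number of normalized records in the group.
        row["magnitude_max"] = max(m["magnitude"] for m in members)
        row["event_count_sum"] = sum(m["event_count"] for m in members)
        row["count"] = len(members)
        rows.append(row)
    # Busiest groups first, like sorting the grouped view on Event Count (Sum).
    rows.sort(key=lambda r: r["event_count_sum"], reverse=True)
    return rows


if __name__ == "__main__":
    for option in ("Username", "Event Name"):
        print(f"Grouping By: {option}")
        for r in group_events(SAMPLE_EVENTS, option):
            print(f"  {r['group']!s:16} src={r['source_ip']:14} "
                  f"mag={r['magnitude_max']} sum={r['event_count_sum']} count={r['count']}")
```

Grouping by Username shows the point: alice has Count 2 but Event Count (Sum) 51, because one of her two records is a coalesced bundle of 50 raw events, and her Source IP column reads "Multiple (2)" while Destination IP stays a single address. Any analyst sizing a brute-force attempt from the grouped view should read Event Count (Sum), not Count.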
Procedure
- Click the Log Activity tab.
- From the View list box, select the time frame that you want to display.
- From the Display list box, choose the parameter that you want to group events on. The available grouping options are described in the Group option table above.
  The event groups are listed. For more information about the event group details, see the Parameter table above.
- To view the List of Events page for a group, double-click the event group that you want to investigate.
  The List of Events page does not retain chart configurations that you might have defined on the Log Activity tab. For more information about the List of Events page parameters, see Table 1.
- To view the details of an event, double-click the event that you want to investigate. For more information about event details, see Table 2.