Troubleshooting
Problem
How does a user export custom QIDs from QRadar?
Cause
Multiple administrators in the organization have created custom QIDs. Because the list of which QIDs were created has not always been maintained or properly documented, this procedure is a way to create that list.
Resolving The Problem
A QID is a QRadar Identifier, a numeric representation of a specific event. For example, QID #39750013 is a Login Failed event. Each QID includes a name, description, severity, and low-level category.
To view QIDs from the user interface
- Log in to QRadar.
- Click the Log Activity tab.
- Click the Pause icon.
- Double-click on an event to view the detailed Event Information page.
- Click the Map Event button.
- A searchable user interface of QIDs is displayed.
To export a list of custom QIDs
- Using SSH, log in to the QRadar Console as the root user.
- From the command line, run one of the commands below.
List of Category Types:
/opt/qradar/bin/qidmap_cli.sh -l > /tmp/Category_type_CLI.txt
Export user created QIDs:
TXT: /opt/qradar/bin/qidmap_cli.sh -e -f /tmp/UserCreated_QID_CLI.txt
CSV: /opt/qradar/bin/qidmap_cli.sh -e -f /tmp/UserCreated_QID_CLI.csv
Results: The file with the QID information is written to /tmp.
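The export steps above write to fixed file names in /tmp while logged in as root. The following wrapper is an added example, not part of the IBM technote: it runs the same two qidmap_cli.sh commands but writes into a freshly created directory that only the invoking user can read; the function name, the QIDMAP_CLI variable, the output file names and the /root default are assumptions.

```bash
#!/bin/bash
# Added example, not IBM's code. Wraps the two qidmap_cli.sh calls from the
# steps above. Assumed names: export_custom_qids, QIDMAP_CLI, output file names.
QIDMAP_CLI="${QIDMAP_CLI:-/opt/qradar/bin/qidmap_cli.sh}"

# export_custom_qids [BASE_DIR]   (BASE_DIR defaults to /root, an assumption)
# Prints the path of the directory holding the export on stdout.
export_custom_qids() {
    local base outdir
    base="${1:-/root}"

    [ -x "$QIDMAP_CLI" ] || { echo "not executable: $QIDMAP_CLI" >&2; return 2; }

    # Fresh directory with an unpredictable name and mode 0700, instead of a
    # fixed file name in world-writable /tmp that another local user could
    # pre-create, symlink or read.
    outdir="$(umask 077; mktemp -d "$base/qid_export.XXXXXX")" || return 3

    # Run both commands with a restrictive umask so the files are 0600.
    # Tool chatter goes to stderr; stdout is reserved for the result path.
    (
        umask 077
        "$QIDMAP_CLI" -l > "$outdir/category_types.txt" &&
        "$QIDMAP_CLI" -e -f "$outdir/user_created_qids.csv"
    ) >&2 || { echo "qidmap_cli.sh failed, see $outdir" >&2; return 4; }

    # A missing or empty export file is reported rather than silently accepted.
    [ -s "$outdir/user_created_qids.csv" ] || {
        echo "export file is missing or empty: $outdir" >&2; return 5; }

    printf '%s\n' "$outdir"
}

# Run the export only when called as: script.sh --run [BASE_DIR]
if [ "${1:-}" = "--run" ]; then
    export_custom_qids "${2:-/root}"
fi
```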
An alternate method to view QIDs is to use the idlist utility. This utility allows users to view existing QIDs in QRadar.
- Using SSH, log in to the QRadar Console as the root user.
- To view the full list of QIDs, type: /opt/qradar/bin/idlist.sh -e qid
- A list of QIDs is printed to the screen.
- Press Space to page down through the list of QIDs.
- To search the list, type /search_term and then press Enter. For example, /malware.
- Press q to exit the list at any time.
For more information on custom QID mapping, see the QID map overview on IBM Documentation.
Document Information
Modified date: 25 August 2022
UID: swg21988758