IBM Support

QRadar: How to export the QID list from all log sources

How To


Summary

Administrators who use QIDs for administrative and automated tasks often require an updated list of these IDs. This article contains a step by step of how to export the QID list for all log source types by using the command line.

Steps

  1. Execute the next command to create the path and folder where the file with the QID information is saved: 
    mkdir -p /store/IBM_Support/
  2. Run the next command to copy the QID information to a file: 
    psql -U qradar -c "\COPY (select qid, qname, devicetypedescription from qidmap q join dsmevent d on d.qidmapid = q.id join sensordevicetype sdt on sdt.id = d.devicetypeid) TO '/store/IBM_Support/QID_Export-$(date +%F).csv' WITH DELIMITER ',' CSV HEADER;"
    • The command psql -U qradar -c is used to run Postgres queries from outside of the Data Base by the use of the command line.|
    • \COPY: invokes COPY FROM STDIN or COPY TO STDOUT, and then fetches or stores the data in a file accessible to the user running the command.
    • TO 'store/IBM_Support/QID_Export-$(date +%F).csv': This section sends the output to a file called QID_Export<date>.csv located in the path /store/IBM_Support/
    • WITH DELIMITER ',' CSV HEADER: Establishes that the output file is a CSV file delimiting every column with commas.
  3. Review the <file name> in /store/IBM_Support/. The file must have comma-separated fields, where the first value is the QID, the second one is the event name and the third one the description.
    image-20220516122822-1
Result:
Administrators have a list of QIDs to run the required tasks on the system. The <filename> can be downloaded and parse it with any text editor or spreadsheet program.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
18 May 2022

UID

ibm16578683

Page Feedback