IBM Support

QRadar: How to view exported Log Activity search results

Question & Answer


Question

How do users export event or flow data to an XML File or a CSV file?

The goal of this QRadar Support team FAQ is to provide an overview of exporting events and provide users with answers to common questions for 'Notify when Done' functionality, export email limitations, and locating exported data.

Answer

From the Log Activity Tab, you can run a search for system events, such as events captured over a specific time period or from a specific IP address.
The following sections provide steps on how to run a basic search and export the results.

How to complete a Log Activity search and export the data to an XML or CSV File

Users with access to the Log Activity or Network Activity tabs can export events or flows from the user interface to a file. As export functionality is single threaded, large exports can take a significant amount of time to complete. The procedures outlined in this section inform users how to export data and update the default results limit.
Running a search to export data.
  1. Log in to the QRadar Console.
  2. To search events, click the Log Activity tab.
  3. From the Search list, select New Search.
  4. Enter your search parameters.
  5. In the Results Limit field, verify the maximum number of events to be returned in the search.
    Note: The default Results Limit is 1,000 Events.
  6. Click Search.

Result
When the search is complete, you can export the results.
 
Exporting data to a file
Search results can be exported to a file in CSV or XML format. Users have two options to export data based on the search results.
  1. From the Actions list box, select one of the following options: Export to XML or Export to CSV.
  2. Select one of the following export options:
    • Visible Columns: Exporting visible columns writes the on-screen event or flow data to a file. The visible option allows users to export results from a custom search or query for the results displayed on screen.
    • Full Export (All Columns): Exporting all columns exports a table of all data available in the user interface for your search results, including data not displayed on screen.

  3. Click Notify When Done to send the export to the background to work on other tasks.


Result
When the export completes, a compressed file is created, and downloaded or is emailed to users who run the export task in the background.

What does 'Notify When Done' do

The Notify When Done feature allows users to continue running log exports in the background. Temporary data from exports in progress is written to /store/exports while the task runs in the background. If an administrator restarts Tomcat from the command line of the Console or restarts the web server from the Admin tab, then the background export is stopped and must be run again.


After you click the Notify When Done link, an email is sent when the export completes to the email address configured for the user who requested the export. The email address of the logged-in user account can be found on the Dashboard in your User Preferences.
The email contains an attached compressed file. The attached file can be downloaded from the email.
Note: When the email is sent, the exported results file is automatically deleted from the QRadar Server.
 
Example of email: screenshot of the notification email with the compressed export file attached.

Email file size attachment limits

If the exported file exceeds the email attachment size limit, you receive an email containing the following information, and a link to download the exported results file.
"Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the below link."
"Note that the link is valid for one download only."
Example email: screenshot of the notification email containing the one-time download link.
 
Clicking the link opens your web browser and displays the QRadar Console login page. When you enter your user ID and Password, the exported file is automatically downloaded. After the download, the file is automatically deleted from the QRadar Console server.

How to manually download the exported results file

Confirming the export directory location.
The Log Activity exported files are compiled and stored in a location called Log and Network Activity Data Export Temporary Directory. Confirm the path of this directory in the QRadar Console.
  1. Log in to the QRadar Console.
  2. Click Admin tab > System Settings.
  3. Click Advanced.
  4. Confirm the value in the Log and Network Activity Data Export Temporary Directory field.

Results
The location on the QRadar Server where the exported files are stored is shown. The default location is /store/exports.
     
Manually downloading export results
Manually download the exported file by connecting to the QRadar Console server with an FTP application.
  1. From your FTP application log in to the QRadar Console as the root user.
  2. Change to the directory noted in the Log and Network Activity Data Export Temporary Directory.
  3. Transfer the exported results file to your local computer.
     
Results
You can now decompress the file and view your exported results.

The file name is composed of the following details:
  • The username of person who generated the export.
  • The ten digits that follow the username are the start date and time of the export in Epoch Time Format.
  • A series of randomly generated numbers.
     
Example
/store/exports/admin16669553121214980994393488625087.zip

If there are many exported result files within the /store/exports/ directory, you can locate your export by running the following command, which returns the most recently created files for a specific user.
Example of command

ls -lt /store/exports/admin*.zip | head -5

ls -lt - Lists the files in long format, sorted by modification time from newest to oldest.

/store/exports/admin*.zip - Location of the exported files and the name of the user who performed the export.

head -5 - Displays only the first five lines of the listing, that is, the five most recently modified files.

Output
-rw-r--r-- 1 nobody nobody 18482555 Oct 28 09:54 /store/exports/admin16669553121214980994393488625087.zip
-rw-r--r-- 1 nobody nobody 11762376 Oct 28 09:53 /store/exports/admin166695531212149809943160.zip
-rw-r--r-- 1 nobody nobody 11769932 Oct 28 09:51 /store/exports/admin166695531212149809943150.zip
-rw-r--r-- 1 nobody nobody 11578001 Oct 28 09:48 /store/exports/admin166695531212149809943140.zip
-rw-r--r-- 1 nobody nobody 11764397 Oct 28 09:45 /store/exports/admin166695531212149809943130.zip
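The file-name convention above (username, ten-digit epoch start time, random digits, .zip) and the "find my most recent export" task can also be handled in a short script. The following is an added example, not IBM code; it assumes only the naming convention this document describes, and takes the username as an explicit argument because a username that itself ends in digits (the constructed "analyst2" below) cannot be split from the epoch reliably otherwise.

```python
"""Parse QRadar Log Activity export file names from /store/exports.

Added example, not part of the IBM document. Assumes the convention
<username><10-digit epoch start time><random digits>.zip
"""
import re
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Used only when the username is unknown; non-greedy user prefix.
EXPORT_RE = re.compile(r"^(?P<user>.+?)(?P<epoch>\d{10})(?P<rand>\d+)\.zip$")


class ExportFile(NamedTuple):
    user: str
    started: datetime   # export start time, decoded from the epoch digits
    random_suffix: str
    path: str


def parse_export_name(path: str, username: Optional[str] = None) -> Optional[ExportFile]:
    """Return the decoded name, or None if the file is not an export."""
    name = path.rsplit("/", 1)[-1]
    if username is not None:
        # Known username: strip it exactly so trailing digits in the
        # username are not mistaken for the start of the epoch.
        if not name.startswith(username):
            return None
        m = re.fullmatch(r"(\d{10})(\d+)\.zip", name[len(username):])
        if not m:
            return None
        user, epoch, rand = username, m.group(1), m.group(2)
    else:
        m = EXPORT_RE.match(name)
        if not m:
            return None
        user, epoch, rand = m.group("user"), m.group("epoch"), m.group("rand")
    started = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return ExportFile(user, started, rand, path)


def newest_exports(paths, username: str, limit: int = 5):
    """Same idea as `ls -lt ... | head -5`, but ordered by the start
    time encoded in the name rather than by file modification time."""
    parsed = [e for e in (parse_export_name(p, username) for p in paths) if e]
    return sorted(parsed, key=lambda e: e.started, reverse=True)[:limit]


# Constructed sample listing; the first path is the document's own example.
SAMPLE_PATHS = [
    "/store/exports/admin16669553121214980994393488625087.zip",
    "/store/exports/admin166695531212149809943160.zip",
    "/store/exports/admin1666950000999.zip",
    "/store/exports/analyst2166695500012345.zip",
    "/store/exports/readme.txt",
]
```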
 


Document Information

Modified date:
28 October 2022

UID

ibm16825559