Viewing grouped events

Using the Log Activity tab, you can view events that are grouped by various options. From the Display list box, you can select the parameter by which you want to group events.

About this task

The Display list box is not shown in streaming mode because streaming mode does not support grouped events. The exception is when you entered streaming mode by using non-grouped search criteria; in that case the Display list box is still shown.

The Display list box provides the following options:
Table 1. Grouped events options

Group option: Description

Low Level Category: Displays a summarized list of events that are grouped by the low-level category of the event. For more information about categories, see the IBM® QRadar Administration Guide.
Event Name: Displays a summarized list of events that are grouped by the normalized name of the event.
Destination IP: Displays a summarized list of events that are grouped by the destination IP address of the event.
Destination Port: Displays a summarized list of events that are grouped by the destination port of the event.
Source IP: Displays a summarized list of events that are grouped by the source IP address of the event.
Custom Rule: Displays a summarized list of events that are grouped by the associated custom rule.
Username: Displays a summarized list of events that are grouped by the user name that is associated with the events.
Log Source: Displays a summarized list of events that are grouped by the log source that sent the event to QRadar®.
High Level Category: Displays a summarized list of events that are grouped by the high-level category of the event.
Network: Displays a summarized list of events that are grouped by the network that is associated with the event.
Source Port: Displays a summarized list of events that are grouped by the source port of the event.
After you select an option from the Display list box, the column layout of the data depends on the chosen group option. Each row in the events table represents an event group. The Log Activity tab provides the following information for each event group.
Table 2. Grouped event parameters

Parameter: Description

Grouping By: Specifies the parameter that the search is grouped on.
Current Filters: The top of the table displays the details of the filter that is applied to the search results. To clear these filter values, click Clear Filter.
View: From the list box, select the time range that you want to filter for.
Current Statistics: When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed. Click the arrow next to Current Statistics to display or hide the statistics. The statistics include:
  • Total Results - Specifies the total number of results that matched your search criteria.
  • Data Files Searched - Specifies the total number of data files searched during the specified time span.
  • Compressed Data Files Searched - Specifies the total number of compressed data files searched within the specified time span.
  • Index File Count - Specifies the total number of index files searched during the specified time span.
  • Duration - Specifies the duration of the search.
    Note: Current statistics are useful for troubleshooting. When you contact Customer Support to troubleshoot events, you might be asked to supply current statistic information.
Charts: Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the chart from your display. Each chart provides a legend, which is a visual reference to help you associate the chart objects with the parameters they represent. Using the legend, you can perform the following actions:
  • Move your mouse pointer over a legend item to view more information about the parameters it represents.
  • Right-click the legend item to further investigate the item.
  • Click a legend item to hide the item in the chart. Click the legend item again to show the hidden item. You can also click the corresponding graph item to hide and show the item.
  • Click Legend if you want to remove the legend from your chart display.
    Note: Charts are displayed only after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display.
    Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Source IP (Unique Count): Specifies the source IP address that is associated with this event group. If multiple IP addresses are associated with the group, this field shows the term Multiple and the number of IP addresses.
Destination IP (Unique Count): Specifies the destination IP address that is associated with this event group. If multiple IP addresses are associated with the group, this field shows the term Multiple and the number of IP addresses.
Destination Port (Unique Count): Specifies the destination port that is associated with this event group. If multiple ports are associated with the group, this field shows the term Multiple and the number of ports.
Event Name: Specifies the normalized name of the event.
Log Source (Unique Count): Specifies the log source that sent the events in this group to QRadar. If multiple log sources are associated with the group, this field shows the term Multiple and the number of log sources.
High Level Category (Unique Count): Specifies the high-level category of this event group. If multiple categories are associated with the group, this field shows the term Multiple and the number of categories. For more information about categories, see the IBM QRadar Log Manager Administration Guide.
Low Level Category (Unique Count): Specifies the low-level category of this event group. If multiple categories are associated with the group, this field shows the term Multiple and the number of categories.
Protocol (Unique Count): Specifies the protocol ID that is associated with this event group. If multiple protocols are associated with the group, this field shows the term Multiple and the number of protocol IDs.
Username (Unique Count): Specifies the user name that is associated with this event group, if available. If multiple user names are associated with the group, this field shows the term Multiple and the number of user names.
Magnitude (Maximum): Specifies the maximum calculated magnitude across the events in the group. Variables that are used to calculate magnitude include credibility, relevance, and severity.
Event Count (Sum): Specifies the total number of raw events that are bundled into the normalized events in this group. Events are bundled when many events of the same type for the same source and destination IP address are seen within a short time, so this value can be much larger than Count.
Count: Specifies the total number of normalized events in this event group.
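The way the grouped view collapses a column to a single value or to Multiple (n), and the distinction between Count (normalized events) and Event Count (Sum) (raw events bundled into them), is easy to misread when triaging. The following Python script is an added example, not QRadar code: it reproduces the Table 2 aggregation over a handful of constructed normalized events, grouped by any of the Table 1 options. The field names, the sample events, and the drill_down helper are assumptions made for the example; treating Event Name as a unique-count column is also an assumption, since the page lists it without that suffix.

```python
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample of normalized events (made up for this example, not real
# QRadar output). "event_count" is the number of raw events that were bundled
# into the one normalized record, which is why Event Count (Sum) and Count
# differ in the grouped view.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"source_ip": "10.0.0.5", "destination_ip": "10.0.1.20", "destination_port": 22,
     "event_name": "SSH Login Failed", "log_source": "LinuxServer @ web01",
     "high_level_category": "Authentication", "low_level_category": "SSH Login Failed",
     "protocol": 6, "username": "root", "magnitude": 6, "event_count": 10},
    {"source_ip": "10.0.0.5", "destination_ip": "10.0.1.21", "destination_port": 22,
     "event_name": "SSH Login Failed", "log_source": "LinuxServer @ web02",
     "high_level_category": "Authentication", "low_level_category": "SSH Login Failed",
     "protocol": 6, "username": "admin", "magnitude": 7, "event_count": 4},
    {"source_ip": "10.0.0.5", "destination_ip": "10.0.1.20", "destination_port": 22,
     "event_name": "SSH Login Succeeded", "log_source": "LinuxServer @ web01",
     "high_level_category": "Authentication", "low_level_category": "SSH Login Succeeded",
     "protocol": 6, "username": "root", "magnitude": 8, "event_count": 1},
    {"source_ip": "192.168.3.7", "destination_ip": "10.0.1.20", "destination_port": 443,
     "event_name": "HTTP Request", "log_source": "Apache @ web01",
     "high_level_category": "Access", "low_level_category": "Web Access",
     "protocol": 6, "username": None, "magnitude": 2, "event_count": 1},
    {"source_ip": "192.168.3.7", "destination_ip": "10.0.1.20", "destination_port": 443,
     "event_name": "HTTP Request", "log_source": "Apache @ web01",
     "high_level_category": "Access", "low_level_category": "Web Access",
     "protocol": 6, "username": None, "magnitude": 3, "event_count": 25},
]

# Columns the grouped view renders as "(Unique Count)". Event Name is included
# on the assumption (not stated on the page) that it collapses the same way.
UNIQUE_COUNT_FIELDS = (
    "source_ip", "destination_ip", "destination_port", "event_name", "log_source",
    "high_level_category", "low_level_category", "protocol", "username",
)


def unique_count(values: Iterable[Any]) -> Optional[Any]:
    """Render a column the way the grouped view does: the one value when every
    event in the group agrees, 'Multiple (n)' when n distinct values occur, and
    None when the field was not available on any event (for example Username)."""
    distinct = {v for v in values if v is not None}
    if not distinct:
        return None
    if len(distinct) == 1:
        return next(iter(distinct))
    return f"Multiple ({len(distinct)})"


def group_events(events: Iterable[Dict[str, Any]], group_by: str) -> Dict[Any, Dict[str, Any]]:
    """Build one grouped row per distinct value of `group_by`, mirroring the
    Table 2 parameters: unique-count columns, Magnitude (Maximum),
    Event Count (Sum) and Count. Returns {group value: row}."""
    groups: Dict[Any, List[Dict[str, Any]]] = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append(ev)
    rows: Dict[Any, Dict[str, Any]] = {}
    for key, members in groups.items():
        row: Dict[str, Any] = {"grouping_by": group_by, group_by: key}
        for field in UNIQUE_COUNT_FIELDS:
            if field != group_by:
                row[field] = unique_count(m.get(field) for m in members)
        row["magnitude_max"] = max(m["magnitude"] for m in members)   # Magnitude (Maximum)
        row["event_count_sum"] = sum(m["event_count"] for m in members)  # Event Count (Sum)
        row["count"] = len(members)                                      # Count
        rows[key] = row
    return rows


def drill_down(events: Iterable[Dict[str, Any]], group_by: str, key: Any) -> List[Dict[str, Any]]:
    """What double-clicking a group row shows: the normalized events behind it."""
    return [ev for ev in events if ev[group_by] == key]


if __name__ == "__main__":
    for key, row in group_events(SAMPLE_EVENTS, "source_ip").items():
        print(key, row)
```

Grouped by Source IP, the 10.0.0.5 row shows Destination IP as Multiple (2), Username as Multiple (2), Magnitude (Maximum) 8, Count 3 and Event Count (Sum) 15; the same events grouped by Destination IP put four of the five normalized events under 10.0.1.20. When a row's Count is small but its Event Count (Sum) is large, the volume is hidden inside bundled events, which is the case to drill into before dismissing it.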

Procedure

  1. Click the Log Activity tab.
  2. From the View list box, select the time frame that you want to display.
  3. From the Display list box, choose which parameter you want to group events on. See Table 1.
    The event groups are listed. For more information about the event group details, see Table 2.
  4. To view the List of Events page for a group, double-click the event group that you want to investigate.
    The List of Events page lists the individual normalized events in that group and does not retain chart configurations that you might have defined on the Log Activity tab. For more information about the List of Events page parameters, see the documentation for viewing normalized (non-grouped) events.
  5. To view the details of an event, double-click the event that you want to investigate. For more information, see the event details documentation.