AQL Query structure
Use Ariel Query Language (AQL) to extract, filter, and perform actions on event and flow data that you extract from the Ariel database in IBM® QRadar®. You can use AQL to get data that might not be easily accessible from the user interface.
The following diagram shows the flow of an AQL query.
Structure of an AQL statement
Use the SELECT statement to select fields from events or flows in the Ariel database, which are displayed as columns. For example, the following query returns the results that are shown in the following table:
SELECT sourceip, destinationip, username, protocolid, eventcount FROM events
| sourceip | destinationip | username | protocolid | eventcount |
|---|---|---|---|---|
| 192.0.2.21 | 198.51.100.21 | Joe Ariel | 233 | 1 |
| 192.0.2.22 | 198.51.100.24 | Jim Ariel | 233 | 1 |
AQL queries begin with a SELECT statement to select event or flow data from the Ariel database. You can refine the data output of the SELECT statement by using the WHERE, GROUP BY, HAVING, ORDER BY, LIMIT, and LAST clauses.
- SELECT: Use the SELECT statement to select fields from events or flows. For example, select all fields from events or flows by typing SELECT * FROM events or SELECT * FROM flows.
- WHERE: Use the WHERE clause to insert a condition that filters the output, for example, WHERE logsourceid='65'.
- GROUP BY: Use the GROUP BY clause to group the results by one or more columns that you specify in the query, for example, GROUP BY logsourceid.
- HAVING: Use the HAVING clause to specify a condition after the GROUP BY clause, for example, HAVING MAG > 3.
- ORDER BY: Use the ORDER BY clause to order the results for a column in the AQL query in ascending or descending order, for example, ORDER BY username DESC.
- LIMIT: Use a LIMIT clause to limit the number of results that are returned to a specific number, for example, LIMIT 50 to limit the output to 50 results.
- LAST: Use a LAST clause to specify a time frame for the query, for example, LAST 1 HOURS.
The following example incorporates all of the clauses that are described in the list:
SELECT sourceip, destinationip, username
FROM events
WHERE username = 'test name'
GROUP BY sourceip, destinationip
ORDER BY sourceip DESC
LIMIT 10
LAST 2 DAYS
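As an added example, not taken from the original page, the same clause order applied to a typical monitoring question: list the source IP and user name pairs that produced more than 100 events from one log source during the past hour, busiest first. The log source ID 65 reuses the WHERE example above; the threshold, the LIMIT value and the column aliases are chosen for illustration, and COUNT(*) and SUM(eventcount) are assumed to be available AQL aggregation functions.

```sql
SELECT sourceip, username, COUNT(*) AS events_seen, SUM(eventcount) AS aggregated_events
FROM events
WHERE logsourceid = '65'
GROUP BY sourceip, username
HAVING COUNT(*) > 100
ORDER BY events_seen DESC
LIMIT 20
LAST 1 HOURS
```

The WHERE condition is evaluated per event before grouping, whereas the HAVING condition is evaluated per group after it, so a count threshold must go in HAVING rather than WHERE.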