Part 1: Creating an aggregated data view in the Log Activity tab

Aggregated data views are accumulated buckets of data that are used to generate reports and dashboards. These global views are based on saved searches that accumulate data regularly in the background. Use the following procedure to create a time series graph for the SIM User Authentication category.

Procedure

  1. In IBM® QRadar®, go to the Log Activity tab and switch to the Advanced Search field.
  2. To make the global view reusable for any category, remove the "where" clause from the previous example, enter the following AQL query, and then click Search.
    select categoryname(category) as catname, category, count(category) as catcount, first(starttime) as Time
    from events
    group by category, starttime/60000
    order by Time
    last 1 hours
    Note: By default, QRadar displays two "Top 10" charts above the results list. You work with these charts to create the Global View. Initially, they look something like the following example:
    Figure: Top 10 Results by Time charts in the Log Activity tab
  3. On the pie chart, click Settings to display the configuration settings.
    Figure: Chart configuration settings
  4. To convert the chart into a time series chart that works with Pulse, select Time in the Value to Graph list, and then change the chart type to Time Series.
    Figure: Chart settings for Value to Graph and the Time Series chart type
  5. From the Value to Graph list, select COUNT.
  6. Select the Capture Time Series Data check box, and then click Save. The Save Criteria page opens, where you create a saved search and a Global View.
  7. Enter Pulse Category Count in the search name.
  8. Enter values for the following parameters:
    Assign Search to Group(s)
      Select the check box for the group to which you want to assign this saved search. If you do not select a group, the saved search is assigned to the Other group by default.
    Manage Groups
      Click Manage Groups to manage search groups.
    Timespan options
      Choose one of the following options:
      • Last Interval (auto refresh) - Select this option to filter your search results while in auto-refresh mode. The Log Activity and Network Activity tabs refresh at 1-minute intervals to display the most recent information.
      • Recent - Select this option, and from the list box, select the time range that you want to filter for.
      • Specific Interval - Select this option, and from the calendar, select the date and time range that you want to filter for.
  9. Click OK.
    Note: After the criteria are saved, the Global View is active and ready for you to use in IBM QRadar Pulse.
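To show what the AQL query in step 2 actually accumulates into the Global View (1-minute buckets from starttime/60000, a count per category and bucket, first(starttime) as the bucket's Time, and the "last 1 hours" window), here is an added Python example that reproduces that aggregation over a few constructed events. It is not QRadar code; the event timestamps, category IDs and category names are constructed for illustration.

```python
# Constructed sample events (not real QRadar data): (starttime in epoch ms, category id).
# 3001 and 3002 are placeholder category IDs; the names below are assumptions for the example.
SAMPLE_EVENTS = [
    (1700000000000, 3001),
    (1700000005000, 3001),
    (1700000030000, 3002),
    (1700000065000, 3001),   # next 1-minute bucket
    (1700000070000, 3001),
    (1700000125000, 3002),
    (1699990000000, 3001),   # about 2.8 hours older: dropped by the "last 1 hours" window
]

# Stand-in for AQL's categoryname(category); the mapping is constructed, not QRadar's.
CATEGORY_NAMES = {3001: "User Login Success", 3002: "User Login Failure"}

def categoryname(category):
    return CATEGORY_NAMES.get(category, "Unknown")

def aggregate_category_counts(events, since_ms=None):
    """Python equivalent of the page's AQL: group by category and by starttime/60000
    (1-minute buckets), count events per group, keep first(starttime) as Time and
    order the rows by Time. since_ms plays the role of the "last 1 hours" window.
    Returns a list of dicts with keys catname, category, catcount, Time."""
    groups = {}
    for starttime, category in events:
        if since_ms is not None and starttime < since_ms:
            continue                           # outside the requested timespan
        key = (category, starttime // 60000)   # integer division, as AQL does on longs
        row = groups.get(key)
        if row is None:
            # first(starttime): the first value seen for the group; with events in
            # time order this is the bucket's earliest timestamp
            groups[key] = {"catname": categoryname(category), "category": category,
                           "catcount": 1, "Time": starttime}
        else:
            row["catcount"] += 1
    return sorted(groups.values(), key=lambda r: r["Time"])

def time_series(rows, category):
    """(Time, catcount) points for one category: the series a Pulse time series chart plots."""
    return [(r["Time"], r["catcount"]) for r in rows if r["category"] == category]

if __name__ == "__main__":
    newest = max(t for t, _ in SAMPLE_EVENTS)
    for r in aggregate_category_counts(SAMPLE_EVENTS, since_ms=newest - 3600000):
        print(r)
```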

What to do next

Part 2: Verifying the Global View in the Admin tab