Troubleshooting
Problem
When creating an AQL search for a Threshold Rule, the following error is seen: The saved search "Test Threshold" is not a grouped search. You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again.
Cause
The AQL search has no aggregate column (for example, a COUNT) alongside its GROUP BY clause, so the Threshold Rule wizard does not treat it as a grouped search.
Resolving The Problem
To reproduce the problem: a saved AQL search that has a GROUP BY but no aggregate function is not accepted when you try to use it in a Threshold Rule:
- Log in to the QRadar UI.
- Click the Log Activity tab.
- Use the following AQL query in Advanced Search:
select sourceip, destinationip, logsourceid, starttime, category, qid FROM events GROUP BY starttime last 15 MINUTES
- Click Search and view the results.
- Click Save Criteria.
- Use the name "Test Threshold", a 5-minute interval, Include in my Quick Searches, and Share with Everyone.
- Click OK.
- Click Rules > Add Threshold Rule.
- The following error is displayed: The saved search "Test Threshold" is not a grouped search. You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again.
The issue is caused by the lack of an aggregate field in the search. To fix it, add an aggregate function to the AQL search; the following query is one example that includes a COUNT:
- Repeat step 3 above using this AQL query in Advanced Search:
select sourceip, destinationip, logsourceid, COUNT(starttime) as starttime_count, starttime, category, qid FROM events GROUP BY starttime last 15 MINUTES
- Click Search and view the results.
- Click Save Criteria.
- Use the name "Test Threshold", a 5-minute interval, Include in my Quick Searches, and Share with Everyone.
- Click OK.
- Click Rules > Add Threshold Rule.
- Click Next.
Results: You can now create a Threshold Rule.
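The same principle applies to any grouped search you intend to use in a Threshold Rule: every column that is not in the GROUP BY list should be an aggregate. The query below is an added example (not from the original document) that groups by source and destination address instead of by start time, which gives the rule a per-host event count to threshold on; the alias name event_count is an assumption, not a QRadar built-in.

```sql
SELECT sourceip, destinationip, COUNT(*) AS event_count
FROM events
GROUP BY sourceip, destinationip
LAST 15 MINUTES
```

Save this search with the same Save Criteria steps as above and it is accepted by Rules > Add Threshold Rule, because the select list contains an aggregate (COUNT) over the grouped columns.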
Document Information
Modified date:
16 June 2018
UID
swg22007019