Question & Answer
Question
How to include comments in an AQL query in the Log Activity tab?
Answer
Comments can help document the AQL query with details, for example, the search fields being used, the conditions, and so on. You can add comments to an AQL query by using this syntax:
/* write your comment here */
This snippet is an example of an AQL query with comments embedded in it:
SELECT * FROM events
/* We only need to fetch results where processorid is set to 1 */
WHERE processorid=1
/* We only need to fetch results for the past 5 minutes */
last 5 MINUTES
Note: AQL comments can occur only in the body of the query and not at the beginning or the end. Adding a comment outside of the query's body causes a parsing error. This AQL query fails to parse:
/* This comment is outside the body of the query */
SELECT * FROM events
/* We only need to fetch results where processorid is set to 1 */
WHERE processorid=1
/* We only need to fetch results for the past 5 minutes */
last 5 MINUTES
/* This comment is outside the body of the query */
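A pre-submission check for the rule above, as an added example (not IBM's code): it separates comments that sit before or after the query body from those inside it and returns a body that keeps only the inner comments. The function names are hypothetical, and it assumes AQL string literals use single quotes and quoted identifiers use double quotes, so a `/*` inside quotes is not treated as a comment.

```python
import re

# Tokens: a /* ... */ comment, a quoted literal/identifier, or any one character.
# Assumption: AQL strings use single quotes and identifiers use double quotes.
_TOKEN = re.compile(r"""
    (?P<comment>/\*.*?\*/)
  | (?P<quoted>'(?:[^']|'')*'|"(?:[^"]|"")*")
  | (?P<other>.)
""", re.S | re.X)

def split_tokens(query):
    """Split into ('comment'|'code', text) runs; quoted text is never a comment."""
    tokens = []
    for m in _TOKEN.finditer(query):
        kind = "comment" if m.lastgroup == "comment" else "code"
        if tokens and kind == "code" and tokens[-1][0] == "code":
            tokens[-1] = ("code", tokens[-1][1] + m.group())
        else:
            tokens.append((kind, m.group()))
    return tokens

def _is_outer(token):
    # Comments and whitespace-only runs at either end are outside the body.
    return token[0] == "comment" or not token[1].strip()

def split_outer(query):
    """Return (leading_comments, body, trailing_comments)."""
    toks = split_tokens(query)
    start, end = 0, len(toks)
    while start < end and _is_outer(toks[start]):
        start += 1
    while end > start and _is_outer(toks[end - 1]):
        end -= 1
    lead = [t for k, t in toks[:start] if k == "comment"]
    trail = [t for k, t in toks[end:] if k == "comment"]
    body = "".join(t for _, t in toks[start:end]).strip()
    return lead, body, trail

# The failing query shown above, embedded as sample input.
FAILING_QUERY = """/* This comment is outside the body of the query */
SELECT * FROM events
/* We only need to fetch results where processorid is set to 1 */
WHERE processorid=1
/* We only need to fetch results for the past 5 minutes */
last 5 MINUTES
/* This comment is outside the body of the query */"""

if __name__ == "__main__":
    lead, body, trail = split_outer(FAILING_QUERY)
    print(f"{len(lead)} leading and {len(trail)} trailing comment(s) outside the body")
    print(body)
```
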
AQL queries can be used in the Advanced Search option of the QRadar Log Activity tab. This screen capture shows what an AQL query with comments looks like in the Log Activity tab:
Document Information
Modified date:
17 March 2023
UID
ibm16959337