Troubleshooting
Problem
How do I perform a search in the Log Activity tab by using OR / AND operators?
Resolving The Problem
Use the Advanced search to build an Ariel Query Language (AQL) search query to retrieve specific information about events and flows. For example, to search for values that would fall in the same column together like an event name then administrators should create a search that leverages the OR value. In this example, we are trying to find out how many events contain the QID of 94000001 OR 38750003.
TIP: If you are searching for values with a space in them, such as an event description or a custom property you would need to include single quotes around your value. For example, select * from events where QIDDESCRIPTION(qid) = 'Create or update server administrator ' OR 'VM administrator login';.
TIP: When searching data that falls in the same column of the user interface or appears only once in the event payload use OR operators in your search.
TIP: If you are searching for values with a space in them, such as an event description or a custom property you would need to include single quotes around your value. For example, select * from events where QIDDESCRIPTION(qid) = 'Create or update server administrator ' OR 'VM administrator login';.
- Incorrect: SELECT * from events where QID = 38750003 AND QID = 94000001;
- Correct: SELECT * from events where QID = 38750003 OR QID = 94000001;
TIP: When searching data that falls in the same column of the user interface or appears only once in the event payload use OR operators in your search.
Additional references on searching:
[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Log Activity","Platform":[{"code":"PF016","label":"Linux"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
19 September 2022
UID
swg21902149