Skip to main content
Submits a Qradar AQL query on a Qradar database. Use the “Retrieve Ariel Search Result” action to retrieve the results.
External DocumentationTo learn more, visit the QRadar documentation.

Parameters

ParameterDescription
Query ExpressionQuery in AQL syntax to perform.

Example Output

{
	"cursor_id": "s16",
	"compressed_data_file_count": 0,
	"compressed_data_total_size": 0,
	"data_file_count": 5470,
	"data_total_size": 67183115,
	"index_file_count": 0,
	"index_total_size": 0,
	"processed_record_count": 1256462,
	"error_messages": [
		{
			"code": "String",
			"contexts": [
				"String"
			],
			"message": "String",
			"severity": "String <one of: INFO, WARN, ERROR>"
		}
	],
	"desired_retention_time_msec": 86400000,
	"progress": 46,
	"progress_details": [
		0,
		0,
		0,
		0,
		66957,
		652657,
		76594,
		89809,
		86032,
		107729
	],
	"query_execution_time": 1480,
	"query_string": "SELECT sourceip, starttime, qid, sourceport  from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
	"record_count": 1240923,
	"save_results": false,
	"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
	"snapshot": {
		"events": [
			{
				"sourceip": "10.100.65.20",
				"starttime": 1467049610018,
				"qid": 10034,
				"sourceport": 13675
			},
			{
				"sourceip": "10.100.100.121",
				"starttime": 1467049610019,
				"qid": 20034,
				"sourceport": 80
			}
		]
	},
	"subsearch_ids": [
		"sub_id_1"
	],
	"search_id": "s16"
}

Workflow Library Example

Perform Ariel Search with Qradar and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop