How to Create a Query

You can create custom queries using the Query Design wizard. When you create a query, you must choose whether it runs against the event database or the incident database. A server's event database stores every event that server receives. A server's incident database stores incidents, together with those elements of their component events that the correlation rules which created the incidents specify.

You can also delete custom queries and export query information, or copy a subscription query to create a custom query and then edit the copy using the Query Design wizard. Only users assigned the Administrator or Analyst role can create, delete, or edit queries; users in other roles can run existing queries but cannot change them.

Creating a query using the Query Design wizard involves the following steps:

  1. Opening the query design wizard.
  2. Adding identity and tag details.
  3. Selecting query columns.
  4. (Optional) Setting query conditions and filters.
  5. Setting date range and result conditions.
  6. (Optional) Choosing visualization options for the query display.
  7. (Optional) Adding drill-down values for the query.

More information:

Open Query Design Wizard

Using Advanced Filters

Create a Query Display Visualization

Add a Drill Down Report