

How to Create a Query

You can create custom queries using the Query Design wizard. When you create a query, you must choose whether it applies to the event database, the incident database, or an external ODBC database. The event database stores information on all the events received by that server. The incident database stores information on incidents and elements of their component events as specified by correlation rules.

You can delete custom queries and export query information. You can also copy a subscription query to create a custom query and edit that query using the Query Design wizard. Only users with the Administrator or Analyst roles can create, delete, or edit queries.

Creating a query using the Query Design wizard involves the following steps:

  1. Opening the query design wizard.
  2. Adding identity and tag details, including specifying the target database.
  3. Selecting query columns.
  4. (Optional) Setting query conditions and filters.
  5. Setting date range and result conditions.
  6. (Optional) Choosing visualization options for the query display.
  7. (Optional) Adding drill-down values for the query.

More information:

Open Query Design Wizard

Add Query Details

Add Query Columns

Add ODBC Query Columns

Set Query Filters

Add a Drill Down Report

Create a Query Display Visualization