  • Latest Post - ‏2015-01-26T18:00:24Z by Taylor.Osmun (IBM)
lin-zhao

500 error with payload LIKE '%EventID%' (7.2.4)

‏2015-01-23T23:42:07Z |

This query results in a 500 response on 7.2.4. The same query works on 7.2.3. Please advise.

Query:

SELECT Utf8(payload) as payload from events where  payload like '%EventID=%' LAST 1 DAYS ORDER BY startTime

 

On 7.2.4:

{
  "record_count": 0,
  "query_execution_time": 0,
  "progress": 0,
  "save_results": false,
  "status": "WAIT",
  "search_id": "dad3f875-79ac-4960-8ea8-f60c12ab0a9c",
  "processed_record_count": 0
}

curl --user user:password -k https://host/api/ariel/searches/dad3f875-79ac-4960-8ea8-f60c12ab0a9c

{
  "http_response": {
    "code": 500,
    "message": "Unexpected internal server error"
  },
  "code": 1020,
  "message": "Failed to retrieve the search with id \"dad3f875-79ac-4960-8ea8-f60c12ab0a9c\": Error executing query, 0 records processed, 0 records collected by cursor",
  "description": "An error occurred while attempting to retrieve the search information.",
  "details": {}
}

  • Taylor.Osmun (IBM)
    ACCEPTED ANSWER

    Re: 500 error with payload LIKE '%EventID%' (7.2.4)

    ‏2015-01-26T18:00:24Z  

    Hi lin-zhao,

    The error you have encountered is related to a bug when comparing a payload to a string. It may be possible to get your desired functionality out of a customer property. I would suggest trying that.

    You should also open a support ticket:

    1. Use this link to go to the QRadar SIEM portal:
    http://www.ibm.com/support/entry/portal/product/security_systems/ibm_security_qradar_siem?productContext=387411221
    2. Under Tools and Resources, click Open a new service request - sign in.
    3. Open your ticket and a QRadar support representative will contact you.

    - Taylor
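
The exchange in the question (the search is created with status WAIT, then the status request returns HTTP 500 with code 1020), as an added example that is not part of the original thread: a poller that reports such a search as failed instead of waiting on it. The names `classify`, `poll` and `replay` are hypothetical, and every status name other than WAIT is assumed from the QRadar REST API documentation.

```python
import json
import time

# "WAIT" is the status shown in the thread; the other names are assumed from
# the Ariel search states in the QRadar REST API documentation.
IN_PROGRESS = {"WAIT", "EXECUTE", "SORTING"}

def classify(http_status, body):
    """Map one GET /api/ariel/searches/<id> response to (state, detail)."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return "failed", f"HTTP {http_status}: body is not a JSON object"
    # Error envelope as posted in the thread: http_response + code + message.
    if http_status >= 400 or "http_response" in doc:
        return "failed", f"HTTP {http_status}, code {doc.get('code')}: {doc.get('message')}"
    status = doc.get("status")
    if status == "COMPLETED":
        return "done", f"{doc.get('record_count', 0)} records"
    if status in IN_PROGRESS:
        return "running", f"{status} {doc.get('progress', 0)}%"
    return "failed", f"search ended with status {status}"

def poll(fetch, search_id, max_polls=30, delay=2.0, sleep=time.sleep):
    """fetch(search_id) -> (http_status, body). Returns (state, detail, polls)."""
    for attempt in range(1, max_polls + 1):
        state, detail = classify(*fetch(search_id))
        if state != "running":
            return state, detail, attempt
        sleep(delay)
    return "timeout", f"still running after {max_polls} polls", max_polls

# Constructed replay of the thread's exchange (error message abridged).
SID = "dad3f875-79ac-4960-8ea8-f60c12ab0a9c"
WAIT_BODY = json.dumps({"status": "WAIT", "progress": 0, "record_count": 0, "search_id": SID})
ERROR_BODY = json.dumps({
    "http_response": {"code": 500, "message": "Unexpected internal server error"},
    "code": 1020,
    "message": "Error executing query, 0 records processed",
})

def replay(responses):
    """Stand-in for the HTTP call: hands out canned responses in order."""
    queue = iter(responses)
    return lambda search_id: next(queue)

if __name__ == "__main__":
    print(poll(replay([(200, WAIT_BODY), (500, ERROR_BODY)]), SID, sleep=lambda s: None))
```

Against a live console, `fetch` would wrap the same GET request that the `curl` command in the question sends.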
