IBM Support

IJ05109: USING A FILTER CONTAINING A COMMA OPERATOR IN THE REGEX DOES NOT WORK WITH 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' RUL

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that when using the rule "When the event
    matches this search filter", adding a filter that uses a comma
    operator in the Regular Expression (regex) does not work as
    expected.
    
    Example
    - Rule filter "+  when the event matches this search filter"
    - Click on this search filter
    - Flow source (Custom) -> Matches any of expressions -> \d{2,3}
    or any other IP address regular expression
    - + add -> Submit
    
    An error in the Rule Wizard window is generated due to the
    comma between the 2 and 3 in the above example and appears
    similar to:
    "There are parameters in the test stack which have not been
    specified".
    
    Messages similar to the following might be visible in
    /var/log/qradar.error when this issue s occurring:
    
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]
    com.q1labs.sem.ui.util.RuleConditionUtils: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get test
    parameter option text:
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]
    com.q1labs.core.shared.ariel.validators.ValidationException:
    This is not a valid regular expression:
    
    Unclosed counted closure near index 4
    \d{2%2C3}
        ^
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.core.shared.ariel.validators.RegexValidator.validate(
    RegexValidator.java:21)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.ariel.ui.UIArielServices.formatArielFilter(UIArielSer
    vices.java:6688)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.getOptionText(RuleCond
    itionUtils.java:2376)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.util.RuleConditionUtils$1.apply(RuleConditionU
    tils.java:1842)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.util.RuleConditionUtils$1.apply(RuleConditionU
    tils.java:1837)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.parseCondition(RuleCon
    ditionUtils.java:1921)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.parseCondition(RuleCon
    ditionUtils.java:1835)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.action.SaveCustomizeConditionParameter.execute
    Action(SaveCustomizeConditionParameter.java:355)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    com.q1labs.sem.ui.action.SaveCustomizeConditionParameter.execute
    (SaveCustomizeConditionParameter.java:52)
    [tomcat.tomcat] [admin@127.0.0.1 (4819)
    /console/do/rulewizard/saveCustomizeConditionParameter]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    

Local fix

  • Use other regex options to produce the same filter results.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 5.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 Patch 5.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ05109

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-21

  • Closed date

    2018-07-29

  • Last modified date

    2018-07-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"731","Edition":""}]

Document Information

Modified date:
29 July 2018