IBM Support

IJ08960: ADVANCED SEARCH (LOG ACTIVITY) CAN FAIL WHEN CALCULATING EPS AND SORTING ON EPS

APAR status

  • Closed as suggestion for future release.

Error description

  • Performing an Advanced Search (Log Activity) can fail when
    calculating EPS and sorting on EPS. In previous QRadar versions,
    when an operation or search divided by 0, the result displayed
    was "N/A"; Ariel now reports a divide by zero error.
    
    Example AQL Search:
    select logsourcename(logsourceid) as LogSource,
           sum(eventcount) / ( ( max(endTime) - min(startTime) ) / 1000 ) as EPS
    from events
    where logsourceid=logsourceid
    group by logsourceid
    order by EPS desc
    last 7 days
    
    Expected Result:
    Results of search displayed
    Actual Result:
    Error message displayed in the User Interface, and in
    /var/log/qradar.error:
    
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472] com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: [ERROR] [NOT:0000003000][<ip address>/- -] [-/- -]Error executing query, 0 records processed, 0 records collected by cursor executing query:Id:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472, DB:<events@/store/ariel/events/records, /store/ariel/events/payloads>, Time:<18-08-09,09:42:00 to 18-08-16,09:42:00>, progress details 100, Sort order:<DivideLong(SUM(EventCount), SingleArgScalarFunctionAdapter(SubtractLong(MAX(EndTime), MIN(StartTime)))),desc>, Criteria=<PredicateKeyCreator:pr=[boolean(true)]>, MappingFactory=com.q1labs.core.types.event.mapping.NormalizedEventMappingFactory@4ee, Transformer=GROUP BY DeviceId DISPLAY: DeviceId, SUM(EventCount), MAX(EndTime), MIN(StartTime), retentionTime=86400000, prio=NORMAL
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong(3.0, 0): java.lang.ArithmeticException
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.createException(Metadata.java:121)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:92)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ScalarFunctionKeyCreator.createKey(ScalarFunctionInfo.java:1024)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.frameworks.nio.SortOrder$2.compare(SortOrder.java:174)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.PriorityHeap.less(PriorityHeap.java:178)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.PriorityHeap.up(PriorityHeap.java:146)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.PriorityHeap.insert(PriorityHeap.java:56)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.PriorityHeap.add(PriorityHeap.java:40)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.AggBag.addEntry(AggBag.java:96)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.util.AggBag.addAll(AggBag.java:113)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.searches.out.ThreadedOutputAggregatingAdapter.stopExecutionSession(ThreadedOutputAggregatingAdapter.java:60)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:65)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at java.lang.Thread.run(Thread.java:811)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472] Caused by:
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472] java.lang.ArithmeticException: divide by zero
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong.calculate(ArithmeticFunctions.java:352)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:223)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctionLong.calculate(ArithmeticFunctions.java:205)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculateValue(ArithmeticFunctions.java:32)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:39)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(ArithmeticFunctions.java:19)
    [ariel_proxy.ariel_proxy_server] [aqw_local_2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472]    at com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metadata.java:71)
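
A triage sketch for the log excerpt above, added here as an example and not IBM's code: it groups lines from /var/log/qradar.error by the query ID in the `[aqw_...:<id>]` tag and reports each search whose Divide* call received a zero divisor, together with the sort expression that needs correcting. The sample lines are constructed from the excerpt, and the function and pattern names are hypothetical.

```python
import re

# Tag shared by every line of one search, e.g. [aqw_local_2:<query id>].
TAG = re.compile(r"\[aqw_[^:\]]+:([0-9a-f-]{36})\]")
# Summary line from ArielQueryTaskBase: carries the sort expression.
SORT = re.compile(r"Sort order:<(.*?)>, Criteria=")
# Exception line: failing Divide* function and its two numeric arguments.
DIV = re.compile(r"ArithmeticFunctions\$(Divide\w+)"
                 r"\((-?\d+(?:\.\d+)?), (-?\d+(?:\.\d+)?)\): "
                 r"java\.lang\.ArithmeticException")


def divide_by_zero_searches(lines):
    """Map query id -> details for searches that died on a zero divisor."""
    seen = {}
    for line in lines:
        tag = TAG.search(line)
        if not tag:
            continue
        entry = seen.setdefault(tag.group(1),
                                {"sort_order": None, "failed_call": None})
        sort = SORT.search(line)
        if sort:
            entry["sort_order"] = sort.group(1)
        div = DIV.search(line)
        if div and float(div.group(3)) == 0:
            entry["failed_call"] = div.groups()
    # Keep only searches where the zero-divisor exception was actually logged.
    return {qid: e for qid, e in seen.items() if e["failed_call"]}


PREFIX = "[ariel_proxy.ariel_proxy_server] [aqw_local_%s] "
PAGE_ID = "2:f25989a6-1b0a-4cb2-a6e7-9d7b2bc6d472"   # query id from the excerpt
OTHER_ID = "3:00000000-0000-4000-8000-000000000001"  # constructed, not real
# Constructed sample: lines abridged from the excerpt, plus one unrelated search.
SAMPLE = [
    PREFIX % PAGE_ID + "com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: "
    "[ERROR] Error executing query, Sort order:<DivideLong(SUM(EventCount), "
    "SingleArgScalarFunctionAdapter(SubtractLong(MAX(EndTime), "
    "MIN(StartTime)))),desc>, Criteria=<PredicateKeyCreator:pr=[boolean(true)]>",
    PREFIX % PAGE_ID + "com.q1labs.frameworks.nio.exceptions."
    "ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql."
    "parser.ArithmeticFunctions$DivideLong(3.0, 0): java.lang.ArithmeticException",
    PREFIX % OTHER_ID + "com.q1labs.ariel.searches.tasks.ArielQueryTaskBase: "
    "[ERROR] Error executing query, Sort order:<SUM(EventCount),desc>, "
    "Criteria=<PredicateKeyCreator:pr=[boolean(true)]>",
]

if __name__ == "__main__":
    for qid, hit in divide_by_zero_searches(SAMPLE).items():
        print(qid, hit["failed_call"], hit["sort_order"])
```

The patterns use `search`, so any timestamp or host prefix ahead of the bracketed tags in the real file does not affect matching.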
    

Local fix

  • No workaround available.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • The thrown "ArithmeticException: divide by zero" is expected
    behaviour for this query. This behaviour is consistent with
    industry-standard SQL engines.
    The workaround is to not divide by zero. For example, in AQL,
    change:
    ( max(endTime) - min(startTime) )
    to:
    ( max(endTime) - min(startTime) + 1 )
    

APAR Information

  • APAR number

    IJ08960

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    731

  • Status

    CLOSED SUG

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-09-05

  • Closed date

    2018-12-18

  • Last modified date

    2018-12-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
18 December 2018