IBM Support

IJ09036: AQL QUERY WITH AN AGGREGATE THAT IS RUN AGAINST A CURSOR THAT CONTAINS AN AGGREGATE FAILS WITH 'GENRAL FAILURE'

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that any aggregate clause (eg. Group By)
    used in a SELECT against a cursor that already contains an
    aggregate fails with 'General Failure', generates a
    ClassCastException in QRadar logging.
    
    For example - Query that contains an aggregate:
    select sourceip from events group by sourceip
    
    Then a query which references the above cursor:
    select first(sourceip) from "{cursor id from above}"
    
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    
    [ariel.ariel_proxy_server]
    [aqw_local_1:d25d454e-f5b4-48ee-b6aa-01c4476b2d4b]
    com.q1labs.ariel.searches.tasks.A
    rielQueryTaskBase: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
    -]Error executing query, 0 records processed, 0 records
    collected by cursor exec
    uting query:Id:d25d454e-f5b4-48ee-b6aa-01c4476b2d4b,
    Cursor=8318ec92-829d-4d3e-aa60-fac86cc87a3d, Transformer=
    DISPLAY: SourceIP, processedRecordsLim
    it=2147483647, executionTimeLimit=9223372036854775807,
    collectedRecordsLimit=2147483647, prio=NORMAL
    [ariel.ariel_proxy_server]
    [aqw_local_1:d25d454e-f5b4-48ee-b6aa-01c4476b2d4b]
    java.lang.ClassCastException:
    com.q1labs.cve.aggregation.AggregatedRecord incompatible with
    com.q1labs.core.types.event.NormalizedEvent
        at
    com.q1labs.core.types.event.NormalizedEventProperties$SourceIP.c
    reateKey(NormalizedEventProperties.java:800)
        at
    com.q1labs.cve.aggregation.AggregatedRecordDefinition.createReco
    rdData(AggregatedRecordDefinition.java:332)
        at
    com.q1labs.cve.aggregation.AggregationRecordCollector.processRec
    ord(AggregationRecordCollector.java:91)
        at
    com.q1labs.cve.aggregation.AggregationRecordCollector.transform(
    AggregationRecordCollector.java:76)
        at
    com.q1labs.cve.aggregation.CVEAggregatorBase.transform(CVEAggreg
    atorBase.java:88)
        at
    com.q1labs.ariel.searches.out.ThreadedOutputAggregatingAdapter.c
    onsume(ThreadedOutputAggregatingAdapter.java:27)
        at
    com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.
    java:57)
        at
    com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceT
    askBase.java:89)
        at
    com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.
    java:63)
        at
    com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(Servi
    ceTaskBase.java:32)
        at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1157)
        at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:627)
        at java.lang.Thread.run(Thread.java:798)
    

Local fix

  • No workaround available.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 731 patch 7.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 731 patch 7.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ09036

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    727

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-09-10

  • Closed date

    2018-11-30

  • Last modified date

    2018-11-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"727","Edition":""}]

Document Information

Modified date:
30 November 2018