IBM Support

IJ10924: SEARCH DATA CONFIGURED TO BE ACCUMULATED (TIME SERIES) CAN FAIL TO DISPLAY DUE TO INVALID REGEX

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • It has been identified that invalid regex filters contained
    within searches can sometimes cause the QRadar accumulator
    service to fail with a NullPointerException error generated in
    the logs.  When this occurs, search data (including time series
    Dashboard items) configured for accumulation cannot be
    displayed.
    Messages similar to the following might be visible in
    /var/log/qradar.error when this issue is occurring:
    accumulator.accumulator] [AccumulationService]
    com.q1labs.cve.accumulation.ObjectArrayAccessors: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Can't initialize
    manageable:
    com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate
    @e5ee992c[]
    [accumulator.accumulator] [AccumulationService]
    java.util.regex.PatternSyntaxException: Unexpected internal
    error near index 1
    [accumulator.accumulator] [AccumulationService]    at
    java.util.regex.Pattern.error(Pattern.java:1968)
    [accumulator.accumulator] [AccumulationService]    at
    java.util.regex.Pattern.compile(Pattern.java:1715)
    [accumulator.accumulator] [AccumulationService]    at
    java.util.regex.Pattern.<init>(Pattern.java:1362)
    [accumulator.accumulator] [AccumulationService]    at
    java.util.regex.Pattern.compile(Pattern.java:1065)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.utils.IndexPredicates$IndexPredicateBase.initiali
    ze(IndexPredicates.java:126)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.utils.IndexPredicates$NullableIndexPredicate.init
    ialize(IndexPredicates.java:233)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractWrappedPredicate.in
    itialize(AbstractWrappedPredicate.java:39)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.Utils.initialize(Utils.java:466)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.ariel.IndexPredicate.initialize(IndexPredicate.java:2
    34)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.predicate.AbstractCompositePredicate.
    initialize(AbstractCompositePredicate.java:45)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.Utils.initialize(Utils.java:466)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate
    .initialize(ObjectArrayAccessors.java:86)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.frameworks.util.Utils.initialize(Utils.java:485)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.ObjectArrayAccessors.createPredicate
    (ObjectArrayAccessors.java:588)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.AggregationProcessorData.processDefi
    nition(AggregationProcessorData.java:67)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.ProcessorBase.processDefinition(Proc
    essorBase.java:233)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.ProcessorBase.processUpdate(Processo
    rBase.java:323)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.ProcessorBase.initAggregatorsNoWait(
    ProcessorBase.java:359)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.AggregationService.process(Aggregati
    onService.java:128)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.AccumulationService$1.processInterva
    l(AccumulationService.java:115)
    [accumulator.accumulator] [AccumulationService]    at
    com.q1labs.cve.accumulation.IntervalProcessingThread.run(Interva
    lProcessingThread.java:154)
    [accumulator.accumulator] [AccumulationService]
    com.q1labs.cve.accumulation.AccumulationService: [INFO]
    [NOT:0000006000][127.0.0.1/- -] [-/- -]Fi
    [accumulator.accumulator] [Preprocessor(events)_2]
    com.q1labs.cve.accumulation.ObjectArrayAccessors: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Unexpected error
    while building record
    [accumulator.accumulator] [Preprocessor(events)_2]
    java.lang.NullPointerException
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.utils.IndexPredicates$IndexPredicateBase.evaluate
    (IndexPredicates.java:78)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.utils.IndexPredicates$NullableIndexPredicate.eval
    uate(IndexPredicates.java:166)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.utils.IndexPredicates$NullableIndexPredicate.eval
    uate(IndexPredicates.java:141)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.OrPredicate.evaluate(OrPred
    icate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.OrPredicate.evaluate(OrPred
    icate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.NotPredicate.evaluate(NotPr
    edicate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.ariel.IndexPredicate$DelegatedPredicate.evaluate(Inde
    xPredicate.java:142)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.ariel.IndexPredicate.evaluate(IndexPredicate.java:247
    )
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPr
    edicate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPr
    edicate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPr
    edicate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.frameworks.util.predicate.AndPredicate.evaluate(AndPr
    edicate.java:15)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.accumulation.ObjectArrayAccessors$RecordPredicate
    .evaluate(ObjectArrayAccessors.java:80)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.accumulation.ObjectArrayAccessors.buildRecord(Obj
    ectArrayAccessors.java:237)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    com.q1labs.cve.accumulation.Preprocessor$PreprocessTask.run(Prep
    rocessor.java:26)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    [accumulator.accumulator] [Preprocessor(events)_2]    at
    java.lang.Thread.run(Thread.java:811)
    

Local fix

  • No workaround available.
    

Problem summary

  • We were unable to reproduce this issue. In case it happens
    again, deleting the corrupted GV resolves the issue.
    

Problem conclusion

  • We were unable to reproduce this issue. In case it happens
    again, deleting the corrupted GV resolves the issue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ10924

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    728

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-10-31

  • Closed date

    2019-06-11

  • Last modified date

    2019-06-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"728","Edition":""}]

Document Information

Modified date:
11 June 2019