APAR status
Closed as program error.
Error description
It has been identified that invalid AQL stored in a Saved Search can cause several issues in the QRadar User Interface windows including:
- Loading the saved search from Edit Search screen results in an Application Error.
- The Rule Wizard screen displays an error banner regarding failed parsing
- Loading an ADE rule that uses one of the affected Saved Searches results in an empty Rule screen
- Dashboards and reports that use accumulated data based on affected Saved Searches do not execute correctly
- Reports based on affected saved AQL searches fail to run
- Data deletion framework fails to load when any of the dependencies loaded has a dependency on affected Saved Searches

Loading an ADE rule that uses one of those saved searches results in an empty Rule screen:

[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] com.q1labs.ariel.ui.RuleWizardUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not retrieve aggregated search result fields with UI Ariel Services.
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] java.lang.NullPointerException
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.ariel.ui.UIArielServices.getAggregatedFieldsAsOptions(UIArielServices.java:6265)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(RuleWizardUtils.java:162)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(RuleWizardUtils.java:147)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(RuleWizardUtils.java:116)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.sem.ui.util.RuleConditionUtils.getData(RuleConditionUtils.java:2313)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.sem.ui.util.RuleConditionUtils.getOptionTextForList(RuleConditionUtils.java:2717)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.sem.ui.util.RuleConditionUtils.getOptionText(RuleConditionUtils.java:2573)
[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] at com.q1labs.sem.ui.util.RuleConditionUtils$1.apply(RuleConditionUtils.java:2024)

Rule Wizard screen displays an error banner regarding the failed parsing:

[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] com.q1labs.ariel.ui.bean.ArielSearchForm: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing AQL query
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] java.lang.Exception: Failed to parse AQL query: select username, AVG(UploadRatio) from events where eventdirection IN ( 'L2R') AND destinationip != '127.0.0.1' AND RULENAME(creeventlist)='BB:UBA : Common Event Filters' AND sum(BytesSent)>1 group by username ORDER BY AVG(UploadRatio) DESC
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.AQLColumnDefinition.<init>(AQLColumnDefinition.java:222)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1321)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1290)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.bean.ArielSearchForm.isAggregate(ArielSearchForm.java:162)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.UIArielServices.getAggregateDescriptionHTML(UIArielServices.java:6718)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.ariel.ui.UIArielServices.getAggKeysForSavedSearchId(UIArielServices.java:6186)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.util.RuleConditionUtils.getRuleText(RuleConditionUtils.java:1074)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.semservices.RuleWizardForm.matchesSearchString(RuleWizardForm.java:4023)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.sem.ui.action.MaintainRules.getAllRules(MaintainRules.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)

Loading affected Saved Search from Edit Search screen results in an Application Error similar to:

[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] com.q1labs.ariel.ui.bean.ArielSearchForm: [ERROR] [NOT:0000003000][172.16.195.250/- -] [-/- -]Error parsing AQL query
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] java.lang.Exception: Failed to parse AQL query: select username, AVG(UploadRatio) from events where eventdirection IN ('L2L' , 'R2L') AND RULENAME(creeventlist)='BB:UBA : Common Event Filters' AND sum(BytesSent)>1 group by username ORDER BY AVG(UploadRatio) DESC
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.AQLColumnDefinition.<init>(AQLColumnDefinition.java:222)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1321)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchForm.java:1301)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchForm.java:246)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearch_jsp.java:415)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java:184)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:457)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)

This issue is caused by APAR IJ13437, which is included in QRadar 7.3.2.
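A log triage sketch for the error signatures quoted above, added here as an example; it is not IBM's aqlValidator script or any QRadar code. It groups records by the UI request path that raised them and lists each distinct AQL statement that failed to parse. The names `triage`, `PREFIX`, `BAD_AQL` and `ADE_ERR` are hypothetical, the sample records are constructed from the excerpts in this APAR, and one log record per line is assumed.

```python
import re

# Every console record quoted in this APAR starts: [thread] [user@ip (id) /request/path ...] message
PREFIX = re.compile(
    r"\[[^\]]+\] \[(?P<user>[^@\]\s]+)@\S+ \(\d+\) (?P<path>/[^\s\]]+)[^\]]*\]\s*(?P<msg>.*)")
BAD_AQL = re.compile(r"Failed to parse AQL query:\s*(?P<aql>.+)")
ADE_ERR = "Could not retrieve aggregated search result fields"

def triage(lines):
    """Group the two error signatures by the UI request path that raised them."""
    report = {}
    for line in lines:
        m = PREFIX.search(line)  # search(), so a leading timestamp or host is tolerated
        if not m:
            continue
        entry = report.setdefault(m["path"], {"users": set(), "aql": [], "ade_failures": 0})
        bad = BAD_AQL.search(m["msg"])
        if bad:
            aql = " ".join(bad["aql"].split())  # collapse whitespace before de-duplicating
            if aql not in entry["aql"]:
                entry["aql"].append(aql)
            entry["users"].add(m["user"])
        elif ADE_ERR in m["msg"]:
            entry["ade_failures"] += 1
            entry["users"].add(m["user"])
    # Paths that only contributed stack frames carry no signature; drop them.
    return {p: e for p, e in report.items() if e["aql"] or e["ade_failures"]}

# Constructed sample: records shortened from the excerpts in this APAR, one per line.
P1 = "[tomcat.tomcat] [admin@127.0.0.1 (5224) /console/JSON-RPC/qradar.getRuleText qradar.getRuleText] "
P2 = "[tomcat.tomcat] [admin@127.0.0.1 (4900) /console/do/rulewizard/maintainRules] "
P3 = "[tomcat.tomcat] [admin@127.0.0.1 (3957) /console/do/ariel/arielSearch] "
Q = (" AND RULENAME(creeventlist)='BB:UBA : Common Event Filters' AND sum(BytesSent)>1"
     " group by username ORDER BY AVG(UploadRatio) DESC")
SAMPLE = [
    P1 + "com.q1labs.ariel.ui.RuleWizardUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]"
         "Could not retrieve aggregated search result fields with UI Ariel Services.",
    P1 + "java.lang.NullPointerException",
    P2 + "java.lang.Exception: Failed to parse AQL query: select username, AVG(UploadRatio) "
         "from events where eventdirection IN ( 'L2R') AND destinationip != '127.0.0.1'" + Q,
    P2 + "at com.q1labs.ariel.ui.AQLColumnDefinition.<init>(AQLColumnDefinition.java:222)",
    P2 + "java.lang.Exception: Failed to parse AQL query: select username, AVG(UploadRatio)  "
         "from events where eventdirection IN ( 'L2R') AND destinationip != '127.0.0.1'" + Q,
    P3 + "java.lang.Exception: Failed to parse AQL query: select username, AVG(UploadRatio) "
         "from events where eventdirection IN ('L2L' , 'R2L')" + Q,
]

if __name__ == "__main__":
    for path, entry in triage(SAMPLE).items():
        print(path, "| ADE rule load failures:", entry["ade_failures"])
        for aql in entry["aql"]:
            print("    invalid AQL:", aql)
```

The distinct statements it reports can be matched against Saved Search definitions to see which searches, and therefore which rules, dashboards and reports, are affected.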
Local fix
A script is available for clients to correct the invalid AQL on the system. This script is delivered via daily autoupdates and is located at /opt/qradar/support/apar/aqlValidator.
Problem summary
This issue was fixed in QRadar QRM QVM release of 7.3.2 patch 2.
Problem conclusion
This issue was fixed in QRadar QRM QVM release of 7.3.2 patch 2.
Temporary fix
Comments
APAR Information
APAR number
IJ13446
Reported component name
QRADAR SOFTWARE
Reported component ID
5725QRDSW
Reported release
732
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-02-11
Closed date
2019-05-31
Last modified date
2019-05-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
QRADAR SOFTWARE
Fixed component ID
5725QRDSW
Applicable component levels
Document Information
Modified date:
31 May 2019