IBM Support

IJ13446: INVALID AQL SAVED SEARCHES CAN CAUSE SEVERAL USER INTERFACE SCREENS TO FAIL TO LOAD

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • It has been identified that invalid AQL stored in a Saved
    Search can cause several issues in the QRadar User Interface
    windows including:
    - Loading the saved search from Edit Search screen results in
    an Application Error.
    - The Rule Wizard screen displays an error banner regarding
    failed parsing
    - Loading an ADE rule that uses one of the affected Saved
    Searches results in an empty Rule screen
    - Dashboards and reports that use accumulated data based on
    affected Saved Searches do not execute correctly
    - Reports based on affected saved AQL searches fail to run
    - Data deletion framework fails to load when any of the
    dependencies loaded has a dependency on affected Saved Searches
    Loading an ADE rule that uses one of those saved searches
    results in an empty Rule screen:
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]
    com.q1labs.ariel.ui.RuleWizardUtils: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not retrieve
    aggregated search result fields with UI Ariel Services.
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]
    java.lang.NullPointerException
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.ariel.ui.UIArielServices.getAggregatedFieldsAsOptions
    (UIArielServices.java:6265)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(Ru
    leWizardUtils.java:162)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(Ru
    leWizardUtils.java:147)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields(Ru
    leWizardUtils.java:116)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.getData(RuleConditionU
    tils.java:2313)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.getOptionTextForList(R
    uleConditionUtils.java:2717)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.getOptionText(RuleCond
    itionUtils.java:2573)
    [tomcat.tomcat] [admin@127.0.0.1 (5224)
    /console/JSON-RPC/qradar.getRuleText qradar.getRuleText]    at
    com.q1labs.sem.ui.util.RuleConditionUtils$1.apply(RuleConditionU
    tils.java:2024)
    Rule Wizard screen displays an error banner regarding the
    failed parsing:
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]
    com.q1labs.ariel.ui.bean.ArielSearchForm: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing AQL query
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules] java.lang.Exception:
    Failed to parse AQL query: select username, AVG(UploadRatio)
    from events where eventdirection IN (
    'L2R') AND destinationip != '127.0.0.1' AND
    RULENAME(creeventlist)='BB:UBA : Common Event Filters'  AND
    sum(BytesSent)>1 group by username ORDER BY AVG(UploadRatio)
    DESC
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.AQLColumnDefinition.<init>(AQLColumnDefiniti
    on.java:222)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1321)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1301)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1290)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.isAggregate(ArielSearch
    Form.java:162)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.UIArielServices.getAggregateDescriptionHTML(
    UIArielServices.java:6718)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.ariel.ui.UIArielServices.getAggKeysForSavedSearchId(U
    IArielServices.java:6186)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.sem.ui.util.RuleConditionUtils.getRuleText(RuleCondit
    ionUtils.java:1074)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.sem.ui.semservices.RuleWizardForm.matchesSearchString
    (RuleWizardForm.java:4023)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.sem.ui.action.MaintainRules.getAllRules(MaintainRules
    .java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
    Action.java:280)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    org.apache.struts.actions.DispatchAction.execute(DispatchAction.
    java:216)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
    ction.java:64)
    [tomcat.tomcat] [admin@127.0.0.1 (4900)
    /console/do/rulewizard/maintainRules]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    Loading affected Saved Search from Edit Search screen results
    in an Application Error similar to:
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]
    com.q1labs.ariel.ui.bean.ArielSearchForm: [ERROR]
    [NOT:0000003000][172.16.195.250/- -] [-/- -]Error parsing AQL
    query
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch] java.lang.Exception: Failed to
    parse AQL query: select username, AVG(UploadRatio)  from events
     where eventdirection IN ('L2L'
    , 'R2L')  AND RULENAME(creeventlist)='BB:UBA : Common Event
    Filters'  AND sum(BytesSent)>1  group by username  ORDER BY
    AVG(UploadRatio) DESC
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.AQLColumnDefinition.<init>(AQLColumnDefiniti
    on.java:222)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1321)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getColumns(ArielSearchF
    orm.java:1301)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.getOrderBy(ArielSearchF
    orm.java:246)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.jsp.qradar.jsp.ArielSearch_jsp._jspService(ArielSearc
    h_jsp.java:415)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    com.q1labs.uiframeworks.jsp.HttpJspBase.service(HttpJspBase.java
    :184)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWr
    apper.java:457)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.j
    ava:386)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330
    )
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.ja
    va:52)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1 (3957)
    /console/do/ariel/arielSearch]    at
    org.apache.catalina.core.ApplicationDispatcher.invoke(Applicatio
    nDispatcher.java:728)
    
    This issue is caused by APAR IJ13437, which is included in
    QRadar 7.3.2.
    

Local fix

  • A script is available for clients to correct the invalid AQL on
    the system.  This script is delivered via daily autoupdates and
    is located at /opt/qradar/support/apar/aqlValidator.
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.2 patch 2.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.2 patch 2.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ13446

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-02-11

  • Closed date

    2019-05-31

  • Last modified date

    2019-05-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"732","Edition":""}]

Document Information

Modified date:
31 May 2019