IBM Support

IJ18156: QRADAR ADVANCED SEARCH FAILS WHEN THERE IS MORE THAN ONE OPERATOR IN A CONDITION

APAR status

  • Closed as duplicate of another APAR.

Error description

  • It has been identified that the QRadar Advanced Search (AQL)
    fails with a NullPointerException when there is more than one
    operator in a condition.
    Example of an Advanced Search resulting in NullPointerException:
    SELECT LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    LOGSOURCENAME(logsourceid) AS "LogSourceName",
    SUM(IF "File Hash" IS NULL AND "PANW-file-hash" IS NULL AND
    "PANW-traps-file-hash" IS NULL THEN 1 ELSE 0 END) AS "HashCount"
    FROM events
    GROUP BY logsourceid LAST 1 HOURS
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.NullPointerException:null
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.IndexTree.useTree(IndexTree.java:256)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java:290)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java:285)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.FieldInfoCondition.getKeyCreator(FieldInfoCondition.java:234)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.FieldInfoBase.getObjectType(FieldInfoBase.java:236)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo(ParserBase.java:885)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java:197)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:354)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBase.java:322)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(ParserBase.java:428)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(ParserBase.java:490)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java:1409)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1636)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:156)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:66)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:51760]    at java.lang.Thread.run(Thread.java:812)
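
One way to check /var/log/qradar.log for this failure, as an added example that is not part of the APAR or of any IBM tooling: it groups stack frames per ariel_client, so interleaved errors from different clients stay separate, and reports Parser NullPointerExceptions whose trace contains two frames from the trace above. The function name, the choice of signature frames and the sample log are assumptions made for this example.

```python
import re

# Constructed sample in the layout quoted above. Client :51760 reuses frames
# from the APAR trace; client :51761 and its frame are invented for contrast.
P = "[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:%d] "
HDR = ("com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000]"
       "[127.0.0.1/- -] [-/- -]java.lang.NullPointerException:null")
SAMPLE_LOG = "\n".join([
    P % 51760 + HDR,
    P % 51760 + "java.lang.NullPointerException",
    P % 51761 + HDR,  # a second client's error interleaves with the first
    P % 51760 + "   at com.q1labs.ariel.IndexTree.useTree(IndexTree.java:256)",
    P % 51761 + "   at com.example.Unrelated.method(Unrelated.java:1)",
    P % 51760 + "   at com.q1labs.ariel.ql.parser.ParserBase."
                "createAggregateFunctionInfo(ParserBase.java:885)",
])

# search() rather than match(), so any prefix before the brackets is tolerated.
LINE = re.compile(r"\[ariel_client (?P<client>[^\]]+)\]\s*(?P<rest>.*)$")
FRAME = re.compile(r"^at (?P<method>[\w.$]+)\(")
HEADER = "com.q1labs.ariel.ql.parser.Parser: [ERROR]"
NPE = "java.lang.NullPointerException"
# Assumed signature: method names only, so differing source line numbers
# do not prevent a match.
SIGNATURE = ("com.q1labs.ariel.IndexTree.useTree",
             "com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInfo")

def find_aql_parser_npes(text):
    """Return one dict per Parser NPE whose frames include all of SIGNATURE."""
    events, open_ev = [], {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        client, rest = m["client"], m["rest"]
        if HEADER in rest and NPE in rest:
            open_ev[client] = {"client": client, "frames": []}
            events.append(open_ev[client])
        elif client in open_ev:
            f = FRAME.match(rest)
            if f:
                open_ev[client]["frames"].append(f["method"])
            elif open_ev[client]["frames"]:
                del open_ev[client]  # trace ended; later frames belong elsewhere
    return [e for e in events if all(s in e["frames"] for s in SIGNATURE)]

if __name__ == "__main__":
    for hit in find_aql_parser_npes(SAMPLE_LOG):
        print(hit["client"], len(hit["frames"]), "frames")
```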
    

Local fix

  • No workaround available.
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is marked as duplicate of IJ15627.
    

APAR Information

  • APAR number

    IJ18156

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED DUB

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-08-06

  • Closed date

    2020-02-06

  • Last modified date

    2020-02-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

Document Information

Modified date:
06 February 2020