IBM Support

IJ25350: SAVED SEARCHES CAN GENERATE AN APPLICATION ERROR WHEN A CUSTOM EVENT PROPERTY USES A RESERVED AQL KEY NAME

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • When a custom event property is named using a reserved AQL name
    in QRadar (eg. 'searchName'), Saved Searches, when run, can
    generate an Application Error in the QRadar User Interface.
    For example:
    1. Admin -> Custom Event Properties -> Add :  Property
    Definition  -> New Property : searchName,  (It doesn't matter
    what the values of the other fields are)
    2. Log activity -> Quick Searchs -> pick any saved search ->
    select to run it.
    Expected result: Load saved search successfully
    Actual result: "Application Error" is displayed.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue is occurring:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] java.lang.RuntimeException:
    Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder
    .java:1517)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuil
    der.java:386)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:927)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    ... 81 more
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]
    java.lang.IllegalArgumentException: Operation Event is not
    valid. Should be one of [EQ, LT, LE, GT, GE, NEQ]
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(C
    riteriaBuilder.java:1047)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuil
    der.java:1316)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    at
    com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder
    .java:1424)
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]    ... 83 more
    [tomcat.tomcat] [admin@127.0.0.1(8847)
    /console/do/ariel/arielSearch]
    org.apache.jsp.qradar.jsp.ArielSearch_jsp: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not forward to
    exception page, possibly an included JSP?
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]
    com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while executing the remote method 'getGlobalViewDetails'
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails] java.lang.RuntimeException:
    java.lang.RuntimeException: Error processing criteria searchName
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:1007)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSear
    chForm.java:790)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.UIArielServices.getGlobalViewID(UIArielServi
    ces.java:12530)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    com.q1labs.ariel.ui.UIArielServices.getGlobalViewDetails(UIAriel
    Services.java:12253)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1(8964)
    /console/JSON-RPC/QRadar.getGlobalViewDetails
    QRadar.getGlobalViewDetails]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    

Local fix

  • Delete the Custom Event Property (disabling it does not fix the
    issue).
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    5 and 7.4.1 FixPack 1.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.3.3 FixPack
    5 and 7.4.1 FixPack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ25350

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    730

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-06-03

  • Closed date

    2020-10-08

  • Last modified date

    2020-10-08

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"730"}]

Document Information

Modified date:
09 October 2020