IBM Support

IJ32889: AQL SEARCHES CAN BECOME CORRUPTED AFTER A CONTENT MANAGEMENT TOOL IMPORT


APAR status

  • Closed as program error.

Error description

  • AQL saved searches can become corrupted during a Content
    Management Tool (CMT) import after the
    DataExfiltration-ContentExtension-1.0.4.zip extension is added to
    QRadar, resulting in an invalid AQL query. Affected searches
    cannot be used.
    
    For example, searches containing the following AQL string
    pattern are affected:
    SELECT DOUBLE(sum("BytesSent")) / 1073741824 As "Bytes Sent(GB)"
    FROM events
    When the quoted column alias "Bytes Sent(GB)" is used as a custom
    column name, the AQL search becomes corrupted. This also includes
    name variations whose key part is Bytes Sent followed by
    brackets, for example "Bytes Sent(Megabytes)".
    Components that use the affected search, such as reports and
    accumulation, are also likely to be affected because the
    search(es) do not complete.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.Parser: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Parse error: missing FROM at 'Bytes'
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] com.q1labs.ariel.ql.parser.AQLParserException: Parse error: missing FROM at 'Bytes'
    ) / 1073741824 As ""Bytes Sent"(GB)" From
                       ^
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:564)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.DefaultErrorStrategy.reportMissingToken(DefaultErrorStrategy.java:407)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.DefaultErrorStrategy.singleTokenInsertion(DefaultErrorStrategy.java:510)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.DefaultErrorStrategy.recoverInline(DefaultErrorStrategy.java:474)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at org.antlr.v4.runtime.Parser.match(Parser.java:227)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.antlr.AQLParser.query(AQLParser.java:725)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.antlr.AQLParser.batch(AQLParser.java:404)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.ParserUtils.parse(ParserUtils.java:413)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java:1623)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java:172)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java:67)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java:367)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:308)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java:136)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766]    at java.lang.Thread.run(Thread.java:822)
    

Local fix

  • Manually edit the affected AQL searches. Remove the extra
    quotation marks from every occurrence of the corrupted alias,
    for example:
    ""Bytes Sent"(GB)"
    
    In this example, remove the second and third quotation marks so
    that the alias reads "Bytes Sent(GB)".
    
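    The manual edit above can be automated for a large set of saved searches. The following is an added example, not IBM code or part of this APAR: it assumes the saved-search AQL is available as text (for example, exported from the console) and it generalises the corrupted shape to any alias of the form ""Name"(Suffix)", whereas the APAR itself names only the Bytes Sent variants. The sample searches and the qradar.log excerpt are constructed, modelled on the messages quoted in the error description.

```python
import re

# Corrupted alias shape produced by the bad import: a doubled opening
# quote and a stray quote before the bracketed suffix, e.g.
#   ""Bytes Sent"(GB)"   should read   "Bytes Sent(GB)"
# The pattern generalises to any alias of the form ""Name"(Suffix)";
# the APAR itself only names the Bytes Sent variants (assumption).
CORRUPT_ALIAS = re.compile(r'""([^"()]+)"(\([^"()]*\))"')

# Signature of the parser failure the APAR shows in /var/log/qradar.log.
PARSE_ERROR = re.compile(
    r"com\.q1labs\.ariel\.ql\.parser\.AQLParserException: Parse error: (.+)"
)


def find_corrupt_aliases(aql: str) -> list:
    """Return the corrupted alias strings found in one AQL statement."""
    return [m.group(0) for m in CORRUPT_ALIAS.finditer(aql)]


def repair_aql(aql: str) -> str:
    """Remove the second and third quotation marks from each corrupted
    alias, which is the manual edit the local fix describes. Idempotent:
    an already-repaired statement is returned unchanged."""
    return CORRUPT_ALIAS.sub(r'"\1\2"', aql)


def parse_errors(log_lines) -> list:
    """Extract the AQL parse-error messages from qradar.log lines, so an
    operator can confirm which failures match this APAR's signature."""
    found = []
    for line in log_lines:
        m = PARSE_ERROR.search(line)
        if m:
            found.append(m.group(1).strip())
    return found


def audit(searches: dict) -> dict:
    """Map each search name to its repaired AQL, only for searches that
    were actually corrupted; intact searches are left out of the result."""
    repaired = {}
    for name, aql in searches.items():
        if find_corrupt_aliases(aql):
            repaired[name] = repair_aql(aql)
    return repaired


# Constructed sample: two corrupted saved searches and one intact search.
SAMPLE_SEARCHES = {
    "exfil_bytes_gb": 'SELECT DOUBLE(sum("BytesSent")) / 1073741824 '
                      'As ""Bytes Sent"(GB)" FROM events',
    "exfil_bytes_mb": 'SELECT DOUBLE(sum("BytesSent")) / 1048576 '
                      'As ""Bytes Sent"(Megabytes)" FROM events',
    "logins": 'SELECT username, COUNT(*) As "Logins" FROM events GROUP BY username',
}

# Constructed qradar.log excerpt modelled on the messages quoted in the APAR.
SAMPLE_LOG = [
    "[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] "
    "com.q1labs.ariel.ql.parser.AQLParserException: Parse error: missing FROM at 'Bytes'",
    "[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:34766] "
    "   at com.q1labs.ariel.ql.parser.AQLErrorListener.syntaxError(ParserUtils.java:84)",
]


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SEARCHES).items():
        print(f"{name}: {fixed}")
    print("parse errors in log:", parse_errors(SAMPLE_LOG))
```

    Running the script on the constructed input repairs the two Bytes Sent searches and leaves the "Logins" search untouched; the character class in the alias pattern deliberately excludes quotes and brackets so that a legitimately quoted alias such as "Logins" can never be rewritten.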

Problem summary

  • This issue was fixed in the QRadar QRM QVM 7.4.3 FixPack 4
    release.
    

Problem conclusion

  • This issue was fixed in the QRadar QRM QVM 7.4.3 FixPack 4
    release.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ32889

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    743

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-05-26

  • Closed date

    2021-11-15

  • Last modified date

    2021-11-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels


Document Information

Modified date:
16 November 2021