IBM Support

QRadar: Red exclamation mark next to reports



How to troubleshoot a red exclamation mark appearing next to a failing report?


When a red exclamation mark appears next to a report, this can be due to a specific column missing from an underlying saved search. This can happen if the saved search was modified after the report was defined. If this is confirmed to be the issue, a new report and a new aggregated data view must be used.

Diagnosing The Problem

  1. If you highlight the report with the exclamation mark, the exact time at which the error occurred is displayed.

  2. In most cases, the QRadar error log on your console appliance includes a log entry generated by ReportServices with the exact same timestamp. To view and search the QRadar error log for the specific error, run the following command from an SSH connection to your console:

    grep ReportServices /var/log/qradar.error | less

    If a column in your underlying saved search is indeed missing, the error message has the following form:

    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][ -] [-/- -]Unexpected error [report_runner] [main]java.sql.SQLException: ResultSet object does not contain column
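The log check from step 2, as an added example that is not part of the IBM technote: it prints the timestamp of each ReportServices error whose SQLException reports the missing column, whether the exception text sits on the same line or on the next one. The syslog-style timestamp prefix, the host name `console`, the sample entries and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code). Assumption: every log entry starts with a
# syslog-style timestamp "Mon DD HH:MM:SS"; the technote does not show the prefix.

# Print the timestamp of each ReportServices ERROR entry whose exception text
# (same line or the line directly after it) reports the missing column.
# On a console: missing_column_errors /var/log/qradar.error
missing_column_errors() {
    awk '
        function print_ts(line,   f) { split(line, f, " "); print f[1], f[2], f[3] }
        /ResultSet object does not contain column/ {
            if ($0 ~ /ReportServices/) print_ts($0)        # exception on the same line
            else if (pending != "")    print_ts(pending)   # exception on the next line
            pending = ""; next
        }
        /ReportServices.*\[ERROR\]/ { pending = $0; next } # remember the error header
        { pending = "" }                                   # unrelated line: forget it
    ' "$1"
}

# Constructed sample log: two missing-column errors and one unrelated error.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 16 02:00:04 console [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][ -] [-/- -]Unexpected error
Jun 16 02:00:04 console [report_runner] [main]java.sql.SQLException: ResultSet object does not contain column
Jun 16 03:15:20 console [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][ -] [-/- -]Unexpected error
Jun 16 03:15:20 console [report_runner] [main]java.sql.SQLException: constructed unrelated error
Jun 16 04:30:00 console [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][ -] [-/- -]Unexpected error [report_runner] [main]java.sql.SQLException: ResultSet object does not contain column
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
missing_column_errors "$sample"
rm -f "$sample"
```

Compare the printed timestamps with the error time shown when you highlight the failing report.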

Resolving The Problem

Reports display only data based on the saved search at the time it was generated. After a modification has been made to a saved search, the error shown above is displayed. Therefore, a new report and a new aggregated data view must be used, and the old report and aggregated data must be deleted. For each report that shows a red exclamation mark next to it, do the following:

  1. From the QRadar Web User Interface, click on the Admin tab > Aggregated Data Management.

  2. Search for the report that has an Exclamation Mark next to it.

  3. Highlight the report in the Aggregated Data View.

  4. From the top menu bar, click Delete for the particular view.

  5. In the next steps, you delete the report. Before doing so, save the Report Criteria.
    Example: Report name, Report Type, Layout, Search.

  6. Highlight the report that is failing.

  7. Click on Actions > Delete Report.

  8. Click on Actions > Create > Recreate the report.

The Saved Search needs to run before a Scheduled Report works, but you can still run the report on Raw Data.

Product: IBM Security QRadar SIEM. Component: Reports. Platform: Linux. Version: 7.2; 7.3.

Document Information

Modified date: 16 June 2018