QRadar users might see 'General Failure. Please try again' messages in the search or offense views in the user interface due to a Java divide by zero error.
This issue is logged as APAR IJ04325. NOTE: This APAR is being published and might take up to 24 hours to be visible using the provided link.
QRadar systems with Java 8 installed that use QRadar v7.2.8, v7.3.0, or v7.3.1 software.
Diagnosing The Problem
The error message ‘java.lang.ArithmeticException: divide by zero’ is reported in /var/log/qradar.log file and generate 'General Failure' user interface messages when searching or viewing offenses. The presence of the ‘divide by zero’ message, combined with various QRadar usage errors/behaviors, indicate the QRadar deployment is affected.
- This issue might cause event collection/processing stops occurring on an appliance.
- 'General Failure. Please try again.' message in the User Interface when attempting to view the events associated with an offense.
- 'General Failure. Please try again.' message in the User Interface when attempting to perform Log Activity searches.
- A red message: ‘The server encountered an error reading one or more files’ in the User Interface when a Log Activity search is run.
- No new offenses being created in combination with System Notification messages similar to: “Magistrate: Unable to persist offense updates”.
- Rules stop updating Offense names.
How to diagnose this issue
- Log in to the QRadar Console.
- Click the Log Activity tab.
- Select Advanced Search from the search bar.
- Type the following advanced search query:
select sourceip, UTF8(payload), LOGSOURCENAME(logsourceid) from events where TEXT SEARCH 'java.lang.ArithmeticException: divide by zero' AND LOGSOURCENAME(logsourceid) like 'System Notification%' LAST 168 HOURS
Any results returned by this search indicate that you are experiencing APAR IJ04325 administrators should review the Resolving the problem section below to contact QRadar Support. If the search does not run or you experience a 'General Failure. Please try again' error, then review the Resolving the problem section below to contact QRadar Support.
How to monitor this issue in your deployment
A content pack has been created to help users diagnose this issue and generate a system notification to alert administrators and assist with monitoring their deployment. The content pack APAR_IJ04325.zip contains one rule and one custom event property to help administrators monitor for the divide by zero errors in their deployment.
|Enabled after installing APAR_04325.zip
|Custom Event Property
|Enabled after installing APAR_04325.zip
- Download the attached content pack to your workstation or laptop. Do not extract the downloaded file. It must be uploaded as APAR_IJ04325.zip to QRadar.
- Log in to the QRadar Console as an administrator.
- Click the Admin tab, then click Extensions Management.
- To upload an extension, click Add and select the zip file downloaded from Step 1.
- Select the Install immediately check box and click Add.
- Select Overwrite when prompted to add the new data to your QRadar appliance.
- After the content pack is installed, administrators can monitor for QRadar System Notifications for 'General Information Message' notifications.
Any results returned by this search indicate that you are experiencing APAR IJ04325 administrators should review the Resolving the problem section below to contact QRadar Support.
Resolving The Problem
Administrators who experience the 'divide by zero' error messages should contact QRadar Support for assistance. It is also recommended that administrators subscribe to updates in APAR IJ04325 to receive a notice for changes related to this issue.
What to do
To verify this issue, the QRadar Support representative will request a memory dump to validate the 'divide by zero' error. This will require a meeting with the support representative to ensure that the debug modes are enabled and disabled properly.
- Navigate to https://www.ibm.com/mysupport.
- Sign in using your IBMid.
- Open a ticket with QRadar Support and reference APAR IJ04325 - Divide by Zero in your case description.
- A support representative will contact you to discuss how to collect the memory dump from the impacted QRadar appliance.
- Additional information will be communicated through your QRadar Support case.
Where do you find more information?
Was this topic helpful?
10 May 2019