IBM Support

QRadar: Forensics: Spaces added to Boolean queries in the Recovery window of QRadar Incident Forensics return no search results

Troubleshooting


Problem

When you create queries on the Forensics tab in QRadar Incident Forensics, spaces that are automatically added to Boolean searches might cause no results to be returned.

Symptom

When you run queries in the Recovery window, spaces are sometimes added both before and after brackets in Boolean search strings:


Case:mrsRestricted AND ( Collection:10.10.10.10_Frost OR Collection:10.10.11.10_Frost OR Collection:10.11.10.10_Frost )



If you search on certain columns, such as WebCategory, no results are returned.

Also, for Boolean queries on columns that do display results, you might not see any search results when you click next page.

Resolving The Problem

To work around this issue, remove the spaces in the query that are created by the Recovery window.



Product: IBM Security QRadar Incident Forensics
Version: 7.2.2
Platform: Linux
Edition: All Editions

Document Information

Modified date:
16 June 2018

UID

swg21695480