IBM Support

QRadar: Custom property with ID DEFAULTCUSTOMEVENT doesn't exist but it is referenced in a currently active search

Troubleshooting


Problem

Upgrading to QRadar 7.4.3 FP4 interim fix 02 might produce error "custom property with ID DEFAULTCUSTOMEVENT9 doesn't exist, but it is referenced in a currently active search".

Symptom

An error message similar to the following occurs every hour in /var/log/qradar.error after upgrade to 7.4.3 FP4 interim fix 02:
grep -i "ariel_proxy_server" /var/log/qradar.error | grep -e 'exist but it is referenced' -e 'cannot be created'
[ariel_proxy.ariel_proxy_server] [q1labs_worker_1] com.q1labs.core.shared.ariel.CustomProperty: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Custom property with ID DEFAULTCUSTOMEVENT9 doesn't exist but it is referenced in a currently active search.
[ariel_proxy.ariel_proxy_server] [q1labs_worker_1] com.q1labs.ariel.config.IndexConfig: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]The indexer com.q1labs.core.shared.ariel.CustomKeyCreator cannot be created. It will not be used

Resolving The Problem

  1. On console, search-dependent Ariel indexes for particular custom property:
    psql -U qradar -c "select * from ariel_indexes where param='<Custom Property / Calculated Property ID>';"
    psql -U qradar -c "select * from ariel_indexes where param='DEFAULTCUSTOMEVENT9';"
  2. If ariel_indexes exists, back up the ariel_indexes table:
    pg_dump -U qradar -t ariel_indexes -f  /tmp/ariel_indexes.sql
  3. Update as follows:
    psql -U qradar -c "update ariel_indexes set deleted=true where param='<Custom Property / Calculated Property ID>'';"
    psql -U qradar -c "update ariel_indexes set deleted=true where param='DEFAULTCUSTOMEVENT9';"
  4. Restart Ariel services as follows: :
    systemctl restart ariel_proxy_server
    /opt/qradar/support/all_servers.sh "systemctl restart ariel_query_server"
    NOTE: Any running searches are cancelled. You might be required to notify users based on your business procedures.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt8AAA","label":"Ariel"}],"ARM Case Number":"TS008511029","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.4.3"}]

Document Information

Modified date:
29 December 2022

UID

ibm16851369