[JSA] Processing reports with a red exclamation mark next to it

  [KB33255]


Summary:

When a red exclamation mark appears next to a report, this is most likely due to a specific column missing from an underlying saved search. This can happen if the saved search was modified after the report was defined. If this is confirmed to be the issue, a new report and a new aggregated data view must be used.

Symptoms:

A red exclamation mark appears next to a report. What does that mean?

Diagnosing the problem

  1. Highlight the report with the exclamation mark. The exact time when the error occurred is displayed.

  2. In most cases, the JSA error log on your console appliance includes a log entry that is generated by ReportServices with the exact same timestamp. View and search the JSA error log for the specific error by running the following command from an SSH connection to your console:

    grep ReportServices /var/log/qradar.error | less

    A common reason for the error is that a specific column is missing from an underlying saved search. Look for the error message with the following form:

    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Unexpected error [report_runner] [main]java.sql.SQLException: ResultSet object does not contain column
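
As an added example (not part of the original article or any vendor tooling), the function below narrows the grep above to the missing-column error and, optionally, to the time shown for the failing report. It assumes the exception text may sit on the same log line as the ReportServices entry or on the line after it; the function names and the sample log lines, including their timestamp prefix, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Usage on the console:
#   missing_column_reports /var/log/qradar.error "<time shown for the report>"

# Print ReportServices [ERROR] entries caused by a missing saved-search column.
# $1 = log file, $2 = optional timestamp text copied from the report list.
# Returns 0 if at least one such entry is found, 1 otherwise.
missing_column_reports() {
    awk -v stamp="${2:-}" -v needle="ResultSet object does not contain column" '
        # Previous line was a matching error header; exception text is here.
        carry && index($0, needle) { print held; print; found++; carry = 0; next }
        { carry = 0 }
        /ReportServices/ && /\[ERROR\]/ && (stamp == "" || index($0, stamp)) {
            if (index($0, needle)) { print; found++ }   # all on one line
            else { held = $0; carry = 1 }               # check the next line
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample log (timestamp prefix is an assumption, not from the article).
sample_log() {
    cat <<'EOF'
Jul 20 02:00:04 [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Unexpected error
Jul 20 02:00:04 [report_runner] [main]java.sql.SQLException: ResultSet object does not contain column
Jul 20 03:15:10 [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][NOT:0000003000][127.0.0.1/- -] [-/- -]Unexpected error
Jul 20 03:15:10 [report_runner] [main]java.io.IOException: constructed unrelated failure
EOF
}
```

A non-zero return for a given timestamp means the ReportServices error at that time has a different cause than a missing column.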

Solution:

Resolving the problem

A report displays only data based on the saved search as it was at the time the report was generated. After a saved search has been modified, the error shown above is displayed. Therefore, a new report and a new aggregated data view must be used, and the old aggregated data and report must be deleted.

For each report that shows a red exclamation mark next to it, do the following:

Delete the view:

  1. From the web user interface, click the Admin tab > Aggregated Data Management.
  2. Search for the report that has an Exclamation Mark next to it.
  3. Highlight the report in the Aggregated Data View.
  4. From the top menu bar, click on Delete for the particular view.

Delete the report:

  1. Before deleting the report, note down the report criteria, such as the report name, report type, layout, and search.
  2. Highlight the report that is failing.
  3. Click on Actions > Delete Report.

Recreate the report:

  1. Click on Actions > Create > Recreate the report.

The Saved Search needs to run before a Scheduled Report works, but you can still run the report on Raw Data.

Modification History:

2019-07-20: Minor, non-technical edit.
