Troubleshooting
Problem
When you install a content pack or an application with Custom Event Properties (CEP) from Extension Management, you might see a failure message and the name of the property conflicting. If you try the installation a second time, it fails with error: "An error occurred. See console logs for details."
Symptom
When a content pack or application is installed, a screen appears with preview about the changes it is installing. If there is a conflicting CEP, it shows a "Failed" message.
For example, "Threat Score" is the name of the CEP in conflict (this name might differ on your system). We are using the Threat Score property as an example throughout the article.
Cause
This behavior indicates that a CEP, which is being imported or installed, is in conflict with an existing property. This behavior is expected because QRadar is preserving existing data and does not let existing properties be overwritten.
Environment
grep -i conflict /var/log/qradar.log OR grep -i "Property with id" /var/log/qradar.error
Diagnosing The Problem
Log in to the console CLI where the app, content pack, or extension is being installed.
In the QRadar log, search for a more detailed error message with either of these two commands:
grep -i conflict /var/log/qradar.log
grep -i "Property with id" /var/log/qradar.error
Two types of error messages are observed based on above search:
...Conflict during the import of property [File Size], found an existing property with the same name but different type...
Or:
...Property with id [e7da1cc0-5bf0-48de-86a9-6af817266c7f] already exists but has a different name...
Resolving The Problem
Check for the property, which was mentioned in the error message, in Postgres:
psql -U qradar -c "select id,propertyname from ariel_regex_property where propertyname = 'File Size';"
id | propertyname
-------------------------------------------------+--------------
5b7b76c8-fa9d-4ad2-91bf-6d69000fbaaf | File Size
psql -U qradar -c "select id,propertyname from ariel_regex_property where id ='e7da1cc0-5bf0-48de-86a9-6af817266c7f';"
id | propertyname
--------------------------------------+------------------
e7da1cc0-5bf0-48de-86a9-6af817266c7f | Target User Name
Check whether the property is used, or has a dependency, in any DSMs, rules, or in AQL properties.
If you found no dependencies and the property is not used anywhere, the property can be deleted, or re-created with another name.
If you found no dependencies and the property is not used anywhere, the property can be deleted, or re-created with another name.
Renaming an existing CEP in the GUI
- Navigate to Admin> Custom Event Properties.
- Find the conflicting CEP, and double-click it to edit it.
- Select New Property instead of Existing Property.
- Enter a new name for the same property and click Save at the bottom-right on the page.
If there are dependencies, manually resolve the them either by removing the dependencies or by replacing them with the newly created property. Thereafter you can delete the conflicting CEP and try to install the content pack again.
Note! There might be more than one CEP conflict, you might have to repeat the process for any subsequent CEP conflicts until all naming conflicts are resolved.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"},{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
15 August 2022
UID
ibm16593143