NullPointerException in agent.out.wrapper.log of my flexmulti_db connector

Hello Experts,

I am continuously getting the error below in agent.out.wrapper.log of my flexmulti_db connector:

INFO   | jvm 1    | 2018/03/22 11:47:53 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 11:47:53 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1017)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at java.lang.Double.parseDouble(Double.java:540)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.parsers.operation.safeToDoubleOperation.getResult(safeToDoubleOperation.java:52)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.parsers.k$d_.a(k$d_.java:1395)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.parsers.k.a(k.java:763)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.sdk.d.b.k.a(k.java:596)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.sdk.d.b.k.h(k.java:344)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.sdk.d.b.k.run(k.java:800)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at java.lang.Thread.run(Thread.java:745)

The above error goes on for a while after restarting the connector, and then it boils down to the error below, flowing continuously:

INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException

In addition, there are null pointer errors in the agent.log file as well:

[2018-03-22 12:21:19,797][FATAL][default.com.arcsight.agent.parsers.l][constructAlertFromValues]
java.lang.NullPointerException
[2018-03-22 12:21:19,797][FATAL][default.com.arcsight.agent.parsers.l][constructAlertFromValues]
java.lang.NullPointerException
[2018-03-22 12:21:19,797][FATAL][default.com.arcsight.agent.parsers.l][constructAlertFromValues]
java.lang.NullPointerException
[2018-03-22 12:21:19,797][FATAL][default.com.arcsight.agent.parsers.l][constructAlertFromValues]
java.lang.NullPointerException

I think all these are connected and have something to do with the flexagent parser? I may be wrong.

Please help with a solution and root cause if possible. These errors are flooding my log files and are irritating :(

Regards,

Mayank
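
Added example (not part of the original post and not ArcSight tooling): a Python triage script that groups the FATAL EXCEPTION records in a wrapper log by exception type and the first `com.arcsight` frame, which for the trace quoted above points at `safeToDoubleOperation.getResult`. The sample lines are constructed to match the quoted log layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Wrapper log layout as quoted in the post: LEVEL | jvm N | date time | message
LINE = re.compile(r"^\w+\s*\|\s*jvm \d+\s*\|\s*(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s*\|\s?(.*)$")
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\(")

# Constructed sample shaped like the lines in the post (one full trace, two bare ones)
SAMPLE = """\
INFO   | jvm 1    | 2018/03/22 11:47:53 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 11:47:53 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at java.lang.Double.parseDouble(Double.java:540)
INFO   | jvm 1    | 2018/03/22 11:47:53 |       at com.arcsight.agent.parsers.operation.safeToDoubleOperation.getResult(safeToDoubleOperation.java:52)
INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException
INFO   | jvm 1    | 2018/03/22 12:04:32 | FATAL EXCEPTION:
INFO   | jvm 1    | 2018/03/22 12:04:32 | java.lang.NullPointerException
"""

def parse_exceptions(text):
    # Group log lines into records: timestamp, exception type, stack frames.
    records, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if msg.strip() == "FATAL EXCEPTION:":
            cur = {"ts": ts, "type": None, "frames": []}
            records.append(cur)
        elif cur is not None:
            f = FRAME.match(msg)
            if f:
                cur["frames"].append(f.group(1))
            elif cur["type"] is None and msg.strip():
                cur["type"] = msg.strip()
            else:
                cur = None  # an unrelated line ends the current record
    return records

def signature(rec, prefix="com.arcsight."):
    # Exception type plus the first frame from the connector's own packages.
    own = next((f for f in rec["frames"] if f.startswith(prefix)), None)
    return rec["type"], own or "(no stack trace logged)"

def summarize(text):
    return Counter(signature(r) for r in parse_exceptions(text))

if __name__ == "__main__":
    for (etype, frame), n in summarize(SAMPLE).most_common():
        print(f"{n:5d}  {etype}  {frame}")
```

Records logged without any stack frames are counted separately rather than being attributed to an earlier trace.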

  • Hi Shaun,

    Thank you! I removed the 4 event mappings listed above and the errors were gone.

    Also tried removing only the __safetodouble function and leaving the event mappings as below, but it did not work and the errors persisted.

    event.attackerGeoLatitude=<database field name>
    event.attackerGeoLongitude=<database field name>

    event.targetGeoLatitude=<database field name>
    event.targetGeoLongitude=<database field name>

    Only when I remove all 4 of the above lines do the errors disappear.

    Does this mean there is something wrong with the format of the values I am fetching from the end device and mapping in the above 4 lines? There are other values I am fetching via a SQL statement in my parser and mapping to attacker/target fields.

    Regards,

    Mayank

  • Hello Mayank,

    1) ArcSight Common Event Format (CEF) Guide:
    https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306?attachment-id=65537

    2) Please use the field names noted in the "Full Name" column. Of course, you add "event." in front of them.

    3) By doing this you will avoid using fields that the SmartConnector parser will not be able to process.

    4) For example:
    a) you are using:
    event.attackerGeoLatitude=<database field name>
    event.attackerGeoLongitude=<database field name>
    event.targetGeoLatitude=<database field name>
    event.targetGeoLongitude=<database field name>

    b) in the guide there is:
    - destination is target
    event.destinationGeoLatitude
    event.destinationGeoLongitude
    - source is attacker
    event.sourceGeoLatitude
    event.sourceGeoLongitude

    Regards,

    Marijo