
ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Scenario:

Run a search starting $Today - 7d and ending $Today - 1d: results = 0

Run a search starting $Today - 2d and ending $Today - 1d: results = 11

Shorter search time range is INCLUDED in longer search time range. Therefore, longer search results should INCLUDE AT LEAST AS MANY RESULTS as the shorter search.

Logs and screenshots attached.

This is a CRITICAL issue that needs to be ESCALATED ASAP.

Wed May 06 19:29:03 GMT 2015

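The containment argument in the original post (a wider time window must return at least as many hits as any window it contains) can be turned into an automated consistency probe. The following is an added example, not Logger code or anything from the thread: it runs a search callable over a set of nested windows and reports every pair where the outer window returned fewer hits than the inner one. The event store and the `search_buggy` function that models the reported symptom (windows longer than about 4 days returning nothing) are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample event timestamps (hypothetical, not from the thread):
# two events per day for the six days preceding TODAY.
TODAY = datetime(2015, 5, 6)
EVENTS = [TODAY - timedelta(days=d, hours=h) for d in range(1, 7) for h in (1, 5)]


def search_correct(start, end):
    """Reference search: every event with start <= t < end."""
    return [t for t in EVENTS if start <= t < end]


def search_buggy(start, end):
    """Assumption modelling the symptom in the post: windows longer than
    ~4 days return no hits, shorter windows behave normally."""
    if end - start > timedelta(days=4):
        return []
    return search_correct(start, end)


def windows_from_today(today=TODAY):
    """The two windows from the post (7d->1d and 2d->1d) plus intermediates,
    all sharing the same end so each shorter one is contained in each longer."""
    end = today - timedelta(days=1)
    return [(today - timedelta(days=d), end) for d in (2, 3, 4, 5, 7)]


def check_containment(search, windows):
    """Run `search` over every window; for each pair where `outer` contains
    `inner`, require count(outer) >= count(inner). Returns violations as
    (outer, outer_count, inner, inner_count) tuples; empty means consistent."""
    counts = {w: len(search(*w)) for w in windows}
    violations = []
    for inner in windows:
        for outer in windows:
            if inner == outer:
                continue
            contains = outer[0] <= inner[0] and inner[1] <= outer[1]
            if contains and counts[outer] < counts[inner]:
                violations.append((outer, counts[outer], inner, counts[inner]))
    return violations


if __name__ == "__main__":
    for name, fn in (("correct", search_correct), ("buggy", search_buggy)):
        print(name, check_containment(fn, windows_from_today()))
```

Against a real deployment the same check can be scheduled with a fixed set of nested windows, so a regression of this kind shows up as a failed invariant rather than as a silently empty search.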

Accepted Solutions

Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Hotfix/patch has been developed, see dialog here:


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


As requested I have tested a different search and can confirm similar issues. I will post details for you tomorrow AM.

-Mary

Thu May 07 23:38:05 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


I performed a database defragmentation on all 30 loggers. Unfortunately the issue still exists. Attached are screenshots.

-Mary

Fri May 08 22:51:57 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Is there any update to this ticket?

Tue May 19 18:31:20 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


This is not a REPORT issue but a SEARCH/ANALYZE issue.

Thu May 14 16:00:27 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Mary:

My apologies for the delayed response. I am currently working with a Logger developer to see if this behavior matches a very similar defect that is in our bug system. If this is the same, then it will be addressed in v6.1 of our product. If it does not then further investigation will be necessary.

I will update as soon as I have more information.

Regards,

xxxxx

Tue May 19 21:01:14 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Mary:

I have confirmed with Development that this issue is a known bug. It's been filed internally as LOG-13781. There is a patch 2 scheduled for Logger 6.0 to address this. The patch is scheduled for release within a few weeks.

Regards,

xxxxx


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


One other thing before this is closed: I also have an issue where searches never finish even though it is obvious that the search is "done". For example, I have a query that will run in about 1 min. If I add to that base query (screenshot attached) it will also finish in about a minute. However, if I add on a chart or top to the query, the search will return the events I'm looking for, again in about an hour, but then the search will continue to run for hours without ever stopping or finding new hits.

Is this also related?

Tue May 19 22:48:47 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Mary:

That is a completely separate bug that has been filed as LOG-13574. It wasn't specific to the chart or top operators, but otherwise the behavior you are describing is the same. Thank you for alerting me to it.

It is also fixed in v6.0 P2 as well as v6.1.

I will place this incident in 'pending internal', referencing both bug IDs.

Regards,

xxxxx

Wed May 20 21:05:51 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Hi xxxxx,

I have a copy of the patch 2 release notes and LOG-13781 is not mentioned in it.

I cannot emphasize enough how this issue makes Logger essentially useless.

Please contact me as soon as possible.

-Mary

Mon Jun 29 18:36:00 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Mary:

6.1 is currently in beta and has a tentative release date for this fall. Historically Logger major releases have arrived right around Protect 724 conference.

Regards,

xxxxx

Tue Jun 30 22:22:27 GMT 2015


Re: ArcSight Logger provides incorrect/invalid/incomplete results for queries greater than ~4 days


Mary:

I just wanted to update you today that we are still in the midst of our investigation. I've been working with xxxxx today investigating these logs and screen capture, however I don't have a specific update for you yet.

This issue is of critical importance to us and will be given the highest priority. I will update you by the close of business on Monday.

Regards,

xxxxx

Fri Jul 10 21:33:16 GMT 2015
