Hi All,

I have observed that in version 31 when ever we are using the query_runner to execute searches in qradar and using the results of the query when we try to populate more than one datatable it gives following error :
2019-05-09 13:04:15,896 ERROR [query_action] search_and_update error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_action.py", line 45, in search_and_update
datatable_locks, context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 67, in update_with_results
additional_map_data=additional_map_data)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 457, in _do_datatable_mapping
datatable.update(incident_id, dtrow, cells_rendered, co3_context_token=context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/datatable.py", line 117, in update
row_data = self.res_client.put(table_url, row, co3_context_token=co3_context_token)
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 530, in put
_raise_if_error(ex.get_response())
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 163, in _raise_if_error
raise SimpleHTTPException(response)
SimpleHTTPException: Conflict: {"success":false,"title":null,"message":"Expected version is 1; actual version is 2.","hints":[],"error_code":"generic"}


and does not process any further actions. Has anyone faced similar issue or applied some work around to address similar issue?


------------------------------
Mihir Ashar
------------------------------

Hi Mihir,

Is it possible that you have some other rule is run when a new datatable row created? The error "Expected version is 1; actual version is 2.", could be cause the incident is modified by another rule/script in a short period time after the first row is added. 

In addition, will you consider to use the new Qradar Function for Resilient(https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4) to replace query_runner?

------------------------------
LILY WANG
------------------------------

Original Message:
Sent: Thu May 09, 2019 05:59 AM
From: Mihir Ashar
Subject: Multiple Table update using query_runner

Hi All,

I have observed that in version 31 when ever we are using the query_runner to execute searches in qradar and using the results of the query when we try to populate more than one datatable it gives following error :
2019-05-09 13:04:15,896 ERROR [query_action] search_and_update error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_action.py", line 45, in search_and_update
datatable_locks, context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 67, in update_with_results
additional_map_data=additional_map_data)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 457, in _do_datatable_mapping
datatable.update(incident_id, dtrow, cells_rendered, co3_context_token=context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/datatable.py", line 117, in update
row_data = self.res_client.put(table_url, row, co3_context_token=co3_context_token)
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 530, in put
_raise_if_error(ex.get_response())
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 163, in _raise_if_error
raise SimpleHTTPException(response)
SimpleHTTPException: Conflict: {"success":false,"title":null,"message":"Expected version is 1; actual version is 2.","hints":[],"error_code":"generic"}


and does not process any further actions. Has anyone faced similar issue or applied some work around to address similar issue?


------------------------------
Mihir Ashar
------------------------------

Hi Lily,

I have checked the configuration, there is no rule which triggers based on these tables in observation. I have observed that once I remove one table from update there is no error observed. 
I will look into the Qradar Function for Resilient. As of now we have not tested that. 

Regards,
Mihir Ashar

------------------------------
Mihir Ashar
------------------------------

Original Message:
Sent: Thu May 09, 2019 08:46 PM
From: LILY WANG
Subject: Multiple Table update using query_runner

Hi Mihir,

Is it possible that you have some other rule is run when a new datatable row created? The error "Expected version is 1; actual version is 2.", could be cause the incident is modified by another rule/script in a short period time after the first row is added. 

In addition, will you consider to use the new Qradar Function for Resilient(https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4) to replace query_runner?

------------------------------
LILY WANG

Original Message:
Sent: Thu May 09, 2019 05:59 AM
From: Mihir Ashar
Subject: Multiple Table update using query_runner

Hi All,

I have observed that in version 31 when ever we are using the query_runner to execute searches in qradar and using the results of the query when we try to populate more than one datatable it gives following error :
2019-05-09 13:04:15,896 ERROR [query_action] search_and_update error
Traceback (most recent call last):
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_action.py", line 45, in search_and_update
datatable_locks, context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 67, in update_with_results
additional_map_data=additional_map_data)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/query_update.py", line 457, in _do_datatable_mapping
datatable.update(incident_id, dtrow, cells_rendered, co3_context_token=context_token)
File "/usr/local/lib/python2.7/site-packages/query_runner/lib/datatable.py", line 117, in update
row_data = self.res_client.put(table_url, row, co3_context_token=co3_context_token)
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 530, in put
_raise_if_error(ex.get_response())
File "/usr/local/lib/python2.7/site-packages/resilient/co3.py", line 163, in _raise_if_error
raise SimpleHTTPException(response)
SimpleHTTPException: Conflict: {"success":false,"title":null,"message":"Expected version is 1; actual version is 2.","hints":[],"error_code":"generic"}


and does not process any further actions. Has anyone faced similar issue or applied some work around to address similar issue?


------------------------------
Mihir Ashar
------------------------------