Druid Exception error is displayed when viewing impacted flows for recommendation

Article ID: 429544

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

An exception may be displayed in the UI when clicking "View Impacted flow" for an existing rule that was updated by Recommendation. The UI shows the following error:

Druid Exception: null

 

Environment

SSP 5.1.1

Cause

The root cause is that the Recommendation engine uses an incorrect Druid query filter, which attempts to match a rule path value against a numeric column, to fetch the information of a recommended rule. This returns empty results and causes the subsequent query to fail during JSON deserialization.

 

Execute the following on SSPI:

ssh sysadmin@SSPI-IP

# Show the Druid broker pod:
k -n nsxi-platform get pod | grep druid-broker

# Show the log of the Druid broker pod (same namespace as the pod listing above):
k -n nsxi-platform logs -f druid-broker-xxxxx-xxxx



Look for an error message like the following in the Druid logs:


org.apache.druid.query.QueryException: Cannot deserialize value of type `java.lang.String` from Null value (token `JsonToken.VALUE_NULL`)
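One way to confirm that a broker log carries this specific signature rather than some other Druid query failure is the added example below. It is not part of the original article or the product. The function names and the sample log lines are constructed for illustration, and the log text is expected on stdin, for example piped from the log command above.

```shell
#!/bin/sh
# Signature copied from this article's log excerpt; matched as a fixed string.
SIG='org.apache.druid.query.QueryException: Cannot deserialize value of type `java.lang.String` from Null value'

# Read broker log text on stdin; print the number of lines with the signature.
count_signature() {
    grep -cF -- "$SIG" || true   # grep exits 1 on zero matches; still print 0
}

# Read broker log text on stdin and print one of:
#   match                  - the signature from this article is present
#   other-query-exception  - only different QueryExceptions are present
#   clean                  - no QueryException at all
classify_broker_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -qF -- "$SIG"; then
        echo match
    elif printf '%s\n' "$log" | grep -qF 'org.apache.druid.query.QueryException'; then
        echo other-query-exception
    else
        echo clean
    fi
}

# Constructed sample lines (hypothetical, not captured from a real system).
sample_log() {
cat <<'EOF'
2025-01-01T10:00:00,001 INFO [main] constructed.Sample - broker started
2025-01-01T10:05:12,345 ERROR [qtp-1] constructed.Sample - org.apache.druid.query.QueryException: Cannot deserialize value of type `java.lang.String` from Null value (token `JsonToken.VALUE_NULL`)
2025-01-01T10:06:00,000 ERROR [qtp-2] constructed.Sample - org.apache.druid.query.QueryException: Query timeout
EOF
}

sample_log | classify_broker_log
```

A result of other-query-exception means the broker is failing queries for a reason this article does not cover.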

 

Resolution

NOTE: This issue is fixed in SSP 5.1.1

Workaround:

Navigate to Policy Recommendations Page → Select the Recommendation and go to view recommendation page → update a property of the modified rule (like display name) temporarily and save it → click on "view impacted flow".

 

Steps:

1. Navigate to Policy Recommendations page.

 

2. Go to the View Recommendation page, click the three dots icon of the Recommendation, then select Review & Publish.

 

3. Modify the rule name and save the changes. Clicking the name of the rule makes it editable.

 

4. Click view impacted flow again to see the flows.