NPE on widget: Cannot invoke "org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()" because "reducePhase.aggregations" is null

[damianharouff]

When attempting to build an implausible aggregation (Aggregating message by message? Sure...) for a widget, I'm noting the following in a 5.1.4 on-prem install:

OpenSearch exception [type=null_pointer_exception, reason=Cannot invoke "org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()" because "reducePhase.aggregations" is null].

Per https://github.com/Graylog2/graylog2-server/issues/14386 it was stated that this was fixed so the widget should show an empty graph instead of an NPE response. Additionally, that issue lists https://github.com/opensearch-project/OpenSearch/issues/5785 as the underlying reason, which has tag v2.9.0 and is marked as complete, but I'm on Opensearch v2.9.0, and still seeing this:

$ curl -X GET "http://localhost:9200"
{
  "name" : "opensearch-single",
  "cluster_name" : "graylog",
  "cluster_uuid" : "foI5PNBFTqus17kFWyy1vQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.9.0",
    "build_type" : "deb",
    "build_hash" : "1164221ee2b8ba3560f0ff492309867beea28433",
    "build_date" : "2023-07-18T21:22:32.045158091Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

In Graylog Cloud 5.1.4 (318) I'm seeing this as an NPE with no further information:

Steps to Reproduce (for bugs)

1. Show all messages for an input
2. Leave it as All Time
3. Create an aggregation widget:
4. Group by: Fields: Messages
5. Metrics: Function: any, Field: Messages
6. Visualization: Line Chart
7. Preview or save the widget

Your Environment

• Graylog Version: Graylog 5.1.4+6fa2de3
• Java Version: Eclipse Adoptium 17.0.8
• OpenSearch Version: 2.9.0
• MongoDB Version: 5.0.18
• Operating System: Debian 12
• Browser version: Version 116.0.5845.110 (Official Build) (arm64)

Also noted in Graylog Cloud 5.1.4 (318) and Graylog Cloud 5.1.3 (298).

[ed-graylog]

@damianharouff would it make sense to tie another HS ticket to this for the same error even if the symptoms are different?

[ed-graylog]

This is also tied to HS-1930780021

[damianharouff]

@ed-graylog probably not; this one's more for regression of customer experience regarding widgets. HS-1930780021 looks more like their search is invalid for the range or query they're selecting.

[jpasher-lazor]

I'm actually facing this exact same issue, although I really do want an aggregate on the message field (I'm using it to group the messages by count into a Data Table to get the "Top X error messages"). I'm running Graylog 5.1.11 and OpenSearch 2.12.

Is OpenSearch just not made for this type of query?