opensearch-project / OpenSearch

🔎 Open source distributed and RESTful search engine.
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

[BUG] Searching for a non IP string literal may cause an error #15331

Open KarstenSchnitter opened 3 weeks ago

KarstenSchnitter commented 3 weeks ago

Describe the bug

When searching for a non IP string literal in OpenSearch dashboards, an error message occurs. This is caused by an underlying error in the search that only surfaces under the very particular circumstances of the dashboard query.

Related component

Search

To Reproduce

  1. Go to Discovery in OpenSearch dashboards
  2. Enter search string `not src_ip:"-"` where `src_ip` is a field of type IP.
  3. Start the search
  4. Receive an error message indicating a null pointer exception

Expected behavior

An error message explaining the incorrect use of "-" as value for an IP. Alternatively, OS dashboards could formulate the query for this particular value to be an exists query.

Additional Details

Plugins: Not sure how to determine that. Security and ML are disabled for sure.

Screenshots

[Screenshot: opensearch_error_ip_search]

Host/Environment (please complete the following information):

Additional context: I have extracted the query and analyzed it with the Dev Tools. I can reduce it to the following form:

{
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "string"
      }
    }
  ],
  "size": 2,
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30s",
        "time_zone": "UTC",
        "min_doc_count": 1
      }
    }
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "must_not": {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "src_ip": "-"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1h",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

With this query, I get the same error as below. However, if I remove any of the following, the search will not return an error, but a response indicating the wrong value for the field src_ip:

Only if all these three parts are part of the query, the error response occurs.

Full error response:

{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "failed to create query: '-' is not an IP string literal.",
        "index": "logstash-2024.08.21",
        "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "",
    "phase": "fetch",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 1,
        "index": "logstash-2024.08.21",
        "node": "gnWTbYpcQ_q2lsPMg1L5Aw",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: '-' is not an IP string literal.",
          "index": "logstash-2024.08.21",
          "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "'-' is not an IP string literal."
          }
        }
      }
    ],
    "caused_by": {
      "type": "null_pointer_exception",
      "reason": "Cannot invoke \"org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()\" because \"reducePhase.aggregations\" is null"
    }
  },
  "status": 400
}

Failure response without sort clause:

{
  "took": 14,
  "timed_out": false,
  "_shards": {
    "total": 42,
    "successful": 38,
    "skipped": 0,
    "failed": 4,
    "failures": [
      {
        "shard": 0,
        "index": "logstash-2024.08.21",
        "node": "gnWTbYpcQ_q2lsPMg1L5Aw",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: '-' is not an IP string literal.",
          "index": "logstash-2024.08.21",
          "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "'-' is not an IP string literal."
          }
        }
      }
    ]
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "2": {
      "buckets": []
    }
  }
}

OpenSearch Dashboards Discover error message:

null_pointer_exception
Cannot invoke "org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()" because "reducePhase.aggregations" is null
Error
    at fetch_Fetch.fetchResponse (https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:243178)
    at async interceptResponse (https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:237932)
    at async https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:240899
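
One way to get the behaviour asked for under "Expected behavior", as an added example (not code from OpenSearch or OpenSearch Dashboards): validate the literal client-side before it reaches an `ip` field, and turn the `-` placeholder into an `exists` clause. The function names, the reading of `-` as "no address recorded", and the use of a `term` clause are assumptions of this example.

```python
import ipaddress
import json

PLACEHOLDER = "-"  # assumption: what the log pipeline writes when no address was captured


def is_ip_or_cidr(value: str) -> bool:
    """True for an IPv4/IPv6 address, optionally followed by /prefix-length."""
    addr, slash, prefix = value.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if not slash:
        return True
    return prefix.isascii() and prefix.isdigit() and int(prefix) <= ip.max_prefixlen


def ip_clause(field: str, value: str, negate: bool = False) -> dict:
    """Build a query-DSL clause for an ip-typed field without sending a bad literal.

    negate=True corresponds to a leading `not` in the search bar.
    """
    value = value.strip()
    if value == PLACEHOLDER:
        # An ip field can never contain "-", so `field:"-"` is read as
        # "field missing" and `not field:"-"` as "field present".
        clause = {"exists": {"field": field}}
        negate = not negate
    elif is_ip_or_cidr(value):
        clause = {"term": {field: value}}
    else:
        # Fail before the request is sent, with a message that names the field.
        raise ValueError(
            f"{value!r} is not an IP address or CIDR range, "
            f"but field {field!r} is of type ip"
        )
    return {"bool": {"must_not": clause}} if negate else clause


if __name__ == "__main__":
    # The search from the report: not src_ip:"-"
    print(json.dumps(ip_clause("src_ip", "-", negate=True)))
    # A valid literal passes through unchanged: src_ip:"10.0.0.0/8"
    print(json.dumps(ip_clause("src_ip", "10.0.0.0/8")))
```
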

mch2 commented 3 weeks ago

@KarstenSchnitter Thanks for reporting! Removing untriaged and we will take a look.

lukas-vlcek commented 3 weeks ago

I can have a look. Feel free to assign me. //cc @mch2