[BUG] Searching for a non IP string literal may cause an error

[KarstenSchnitter]

Describe the bug

When searching for a non IP string literal in OpenSearch dashboards, an error message occurs. This is caused by an underlying error in the search, that only surfaces under the very particular circumstances of the dashboard query.

Related component

Search

To Reproduce

1. Go to Discovery in OpenSearch dashboards
2. Enter search string not src_ip:"-" where src_ip is a field of type IP.
3. Start the search
4. Receive an error message indicating a null pointer exception

Expected behavior

An error message explaining the incorrect use of "-" as value for an IP.
Alternatively, OS dashboards could formulate the query for this particular value to be an exists query.

Additional Details

Plugins
Not sure, how to determine that. Security and ML are disabled for sure.

Screenshots

Host/Environment (please complete the following information):

• OS: Linux
• Version: 2.15.0

Additional context
I have extracted the query and analyzed it with the Dev Tools. I can reduced it to the following form:

{
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "string"
      }
    }
  ],
  "size": 2,
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30s",
        "time_zone": "UTC",
        "min_doc_count": 1
      }
    }
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "must_not": {
              "bool": {
                "should": [
                  {
                    "match_phrase": {
                      "src_ip": "-"
                    }
                  }
                ],
                "minimum_should_match": 1
              }
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1h",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

With this query, I get the same error as below. However, if I remove any of the following the search will not return an error, but a response indicating the wrong value for the field src_ip:

• sort clause
• aggs clause
• range filter for `@timestamp``

Only if all these three parts are part of the query, the error response occurs.

Full error response:

{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "failed to create query: '-' is not an IP string literal.",
        "index": "logstash-2024.08.21",
        "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "",
    "phase": "fetch",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 1,
        "index": "logstash-2024.08.21",
        "node": "gnWTbYpcQ_q2lsPMg1L5Aw",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: '-' is not an IP string literal.",
          "index": "logstash-2024.08.21",
          "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "'-' is not an IP string literal."
          }
        }
      }
    ],
    "caused_by": {
      "type": "null_pointer_exception",
      "reason": "Cannot invoke \"org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()\" because \"reducePhase.aggregations\" is null"
    }
  },
  "status": 400
}

Failure response without sort clause:

{
  "took": 14,
  "timed_out": false,
  "_shards": {
    "total": 42,
    "successful": 38,
    "skipped": 0,
    "failed": 4,
    "failures": [
      {
        "shard": 0,
        "index": "logstash-2024.08.21",
        "node": "gnWTbYpcQ_q2lsPMg1L5Aw",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: '-' is not an IP string literal.",
          "index": "logstash-2024.08.21",
          "index_uuid": "wh0lN0yPSvCxZdiLmkQVPQ",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "'-' is not an IP string literal."
          }
        }
      }
    ]
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "2": {
      "buckets": []
    }
  }
}

OpenSearch Dashboards Discover error message:

null_pointer_exception
Cannot invoke "org.opensearch.search.aggregations.InternalAggregations.getSerializedSize()" because "reducePhase.aggregations" is null
Error
    at fetch_Fetch.fetchResponse (https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:243178)
    at async interceptResponse (https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:237932)
    at async https://cflogs.cf.stagingaws.hanavlab.ondemand.com/7749/bundles/core/core.entry.js:15:240899

[mch2]

@KarstenSchnitter Thanks for reporting! removing untriaged and we will take a look.

[lukas-vlcek]

I can have a look. Feel free to assign me. //cc @mch2

[KarstenSchnitter]

Hi, any progress on this issue?