Error with SQL Subquery in OpenSearch: NullPointerException in FieldMappings

NewOne · November 26, 2024, 11:12am

Hello,

I’m encountering an issue that I can’t figure out the source of. According to the SQL subquery documentation, it’s possible to use queries like this:

SELECT a1.firstname, a1.lastname, a1.balance
FROM accounts a1
WHERE a1.account_number IN (
  SELECT a2.account_number
  FROM accounts a2
  WHERE a2.balance > 10000
)

However, when I attempt to apply a similar query in my use case:

POST _plugins/_sql
{
  "query": """
  SELECT a1.winlog.event_data.SubjectLogonId
  FROM winlogbeat-* a1
  WHERE a1.event.code = '4697' AND a1.winlog.event_data.SubjectLogonId IN (
    SELECT a2.winlog.event_data.TargetLogonId
    FROM winlogbeat-* a2
    WHERE a2.event.code = '4624'
  )
  """
}

I receive this error:

{
  "error": {
    "reason": "Invalid SQL query",
    "details": "Cannot invoke \"org.opensearch.sql.legacy.esdomain.mapping.FieldMappings.has(String)\" because \"fieldMappings\" is null",
    "type": "NullPointerException"
  },
  "status": 400
}

Could you help me understand what’s causing this issue?

FYI: i use opensearch v 2.12.0

Topic		Replies	Views
SQL Subquery not working SQL	1	1034	February 7, 2023
A community call: share your mappings SQL discuss , configure	4	601	February 24, 2023
Simple query using date_add SQL	11	1483	July 15, 2021
SQL equivalents OpenSearch	1	169	April 8, 2024
Subdate/date_sub query method not supported SQL troubleshoot	9	1753	February 2, 2024

Error with SQL Subquery in OpenSearch: NullPointerException in FieldMappings

Related topics