Hi OpenSearch Community,
We want to use OpenSearch to query our systems for aggregated system information like CPU and RAM usage.
For that we use the date histogram aggregation. Since we want to have those measures for different hosts / containers / processes, we also need a kind of grouping mechanism, which we tried to realize with the multi_terms feature.
Our initial query looked like this:
{
  "aggs": {
    "xLCAggPerTime": {
      "aggs": {
        "MyGroupingAggregate": {
          "aggs": {
            "CPU": {
              "avg": {
                "field": "system.cpu.total.norm.pct"
              }
            },
            "Memory": {
              "avg": {
                "field": "system.memory.actual.used.bytes"
              }
            }
          },
          "multi_terms": {
            "terms": [
              {"field": "host.name.keyword"},
              {"field": "agent.type.keyword"}
            ]
          }
        },
        "xLCAggBucketSort": {
          "bucket_sort": {
            "from": 0,
            "size": 1000
          }
        }
      },
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "1s"
      }
    }
  },
  "from": 0,
  "query": {
    "range": {
      "ObservedTimestamp": {
        "gte": "2023-02-09T12:15:47Z",
        "lt": "2023-02-09T12:16:47Z"
      }
    }
  },
  "size": 0,
  "sort": [
    {
      "ObservedTimestamp": {
        "unmapped_type": "date",
        "order": "asc"
      }
    }
  ]
}
However, this query results in the following exception:
java.lang.NullPointerException: Cannot invoke "org.opensearch.common.io.stream.NamedWriteable.getWriteableName()" because "namedWriteable" is null
If needed I can also provide the full error response, but to me it does not seem to contain much more meaningful information.
I also tried to minimize the query in order to isolate the issue, and it turned out that the following query still produces the error:
GET _search
{
  "aggs": {
    "xLCAggPerTime": {
      "aggs": {
        "MyGroupingAggregate": {
          "multi_terms": {
            "terms": [
              {"field": "host.name"},
              {"field": "agent.type"}
            ]
          }
        }
      },
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "60s"
      }
    }
  }
}
Can someone help here? Are we doing something wrong?
What would be the best way to aggregate CPU measures and group them by different fields like hostname and process name?
IMPORTANT: Both queries DO work and provide the results perfectly if I just use the terms block and remove the surrounding multi_terms! However, then I am restricted to one single field for grouping, which is not sufficient for my use case.
Thank you already in advance for your help!
Additional information:
OpenSearch Version used: 2.2.0 & 2.6.0
MetricBeat: 2.7.12.1
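As an added example (not part of the original post and not OpenSearch's own code), here is the same grouping expressed without multi_terms: one plain terms sub-aggregation per group-by field, nested inside each other under the date_histogram, with the avg metrics at the innermost level. The poster reports that a single terms block works where multi_terms throws, so this shape sidesteps the exception while still grouping by several fields. The aggregation names (per_time, host_name_keyword, ...), the terms size of 1000 (taken from the post's bucket_sort size) and the use of @timestamp for both the range filter and the histogram are my choices; SAMPLE_RESPONSE is constructed by hand, not captured from a server.

```python
# Added example, not from the original post: build a date_histogram query with
# nested `terms` sub-aggregations (one level per group-by field) instead of
# `multi_terms`, and flatten the resulting bucket tree into flat rows.
# Assumptions: aggregation names, terms size=1000 and the single timestamp
# field are my choices; SAMPLE_RESPONSE is constructed, not a real response.
from typing import Any, Optional

GROUP_BY = ["host.name.keyword", "agent.type.keyword"]
METRICS = {
    "CPU": "system.cpu.total.norm.pct",
    "Memory": "system.memory.actual.used.bytes",
}


def agg_name(field: str) -> str:
    """Derive a readable aggregation name from a field name (dots replaced)."""
    return field.replace(".", "_")


def nested_terms_aggs(group_by: list[str], metrics: dict[str, str],
                      size: int = 1000) -> dict[str, Any]:
    """Build terms(group_by[0]) -> terms(group_by[1]) -> ... -> avg(metrics).

    The tree is built from the inside out: start with the metric aggs, then
    wrap them in one terms aggregation per group-by field, last field first.
    """
    aggs: dict[str, Any] = {name: {"avg": {"field": f}} for name, f in metrics.items()}
    for field in reversed(group_by):
        aggs = {agg_name(field): {"terms": {"field": field, "size": size}, "aggs": aggs}}
    return aggs


def build_query(group_by: list[str], metrics: dict[str, str],
                ts_field: str = "@timestamp", interval: str = "60s",
                gte: Optional[str] = None, lt: Optional[str] = None) -> dict[str, Any]:
    """Full _search body: optional time range filter, histogram, nested groups."""
    body: dict[str, Any] = {
        "size": 0,  # only aggregations are wanted, no hits
        "aggs": {
            "per_time": {
                "date_histogram": {"field": ts_field, "fixed_interval": interval},
                "aggs": nested_terms_aggs(group_by, metrics),
            }
        },
    }
    if gte is not None or lt is not None:
        bounds = {k: v for k, v in (("gte", gte), ("lt", lt)) if v is not None}
        body["query"] = {"range": {ts_field: bounds}}
    return body


def flatten_response(response: dict[str, Any], group_by: list[str],
                     metrics: dict[str, str]) -> list[dict[str, Any]]:
    """Turn the nested bucket tree into one row per (time bucket, group key tuple)."""
    rows: list[dict[str, Any]] = []
    for tb in response["aggregations"]["per_time"]["buckets"]:
        _walk(tb, group_by, metrics, {"timestamp": tb["key_as_string"]}, rows)
    return rows


def _walk(bucket: dict[str, Any], group_by: list[str], metrics: dict[str, str],
          row: dict[str, Any], rows: list[dict[str, Any]]) -> None:
    if not group_by:  # innermost level: read the metric values
        out = dict(row)
        for name in metrics:
            out[name] = bucket[name]["value"]  # None if the bucket had no values
        rows.append(out)
        return
    field, rest = group_by[0], group_by[1:]
    for sub in bucket[agg_name(field)]["buckets"]:
        _walk(sub, rest, metrics, {**row, field: sub["key"]}, rows)


# Constructed sample of what the nested-terms response looks like (not real data).
SAMPLE_RESPONSE: dict[str, Any] = {
    "aggregations": {"per_time": {"buckets": [
        {"key_as_string": "2023-02-09T12:15:00.000Z", "key": 1675944900000, "doc_count": 4,
         "host_name_keyword": {"buckets": [
             {"key": "web-01", "doc_count": 3, "agent_type_keyword": {"buckets": [
                 {"key": "metricbeat", "doc_count": 3,
                  "CPU": {"value": 0.42}, "Memory": {"value": 2.0e9}}]}},
             {"key": "db-01", "doc_count": 1, "agent_type_keyword": {"buckets": [
                 {"key": "metricbeat", "doc_count": 1,
                  "CPU": {"value": 0.07}, "Memory": {"value": 8.5e9}}]}},
         ]}},
    ]}}
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(GROUP_BY, METRICS,
                                 gte="2023-02-09T12:15:47Z",
                                 lt="2023-02-09T12:16:47Z"), indent=2))
    for row in flatten_response(SAMPLE_RESPONSE, GROUP_BY, METRICS):
        print(row)
```

The printed body can be sent as-is to the _search endpoint of the metricbeat index. Two caveats a practitioner should keep in mind: each terms level only returns its top `size` keys per parent bucket, and terms counts are approximate across shards, so with many hosts or agent types check `sum_other_doc_count` in the response; and this only shows an alternative query shape, it does not reproduce or explain the NullPointerException from the post.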