
malcolm ISO install results in one failed opensearch shard (arkime / null_pointer_exception) #754

@hdm

Description


Hello! I've been playing with Malcolm (via a full install from the August 2025 ISO) and, after three installation attempts, I keep running into the following error. The exception makes it look like something on the indexing side is going wrong. I've tried a few VMs of various sizes; the current VM has 32 cores, 128 GiB of RAM and SSD storage. The machine is ingesting data via a SPAN port.


The details are:

{
  "took": 23,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 4,
    "skipped": 0,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "arkime_sessions3-250824",
        "node": "f4_s5fW-Sp21gjLlEhZU-A",
        "reason": {
          "type": "null_pointer_exception",
          "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null",
          "suppressed": [
            {
              "type": "null_pointer_exception",
              "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null"
            },
            {
              "type": "null_pointer_exception",
              "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null"
            },
            {
              "type": "null_pointer_exception",
              "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null"
            }
          ]
        }
      }
    ]
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  }
}

To Reproduce

Steps to reproduce the behavior:

  1. Install Malcolm from the August 2025 ISO
  2. Run through the normal setup
  3. Connect a firehose of data to an interface
  4. Browse the dashboard and observe the error

Expected behavior

No failed shard and no exception as a result.

Malcolm Version:

root@malcolm:~# cat /etc/os-release
BUG_REPORT_URL="https://github.com/cisagov/malcolm/issues"
BUILD_ID="2025-08-06-25.08.0"
DOCUMENTATION_URL="https://idaholab.github.io/Malcolm"
HOME_URL="https://idaholab.github.io/Malcolm"
ID=debian
ID_LIKE="debian"
NAME="Debian GNU/Linux"
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
SUPPORT_URL="https://github.com/idaholab"
VARIANT="Hedgehog Linux (Malcolm) v25.08.0"
VARIANT_ID="hedgehog-malcolm"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
VERSION_ID="12"

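The response quoted in the report is a partial result: OpenSearch answered from the four healthy shards and reported the fifth under `_shards.failures`, so `hits.total: 0` cannot be taken at face value. The following is an added example, not code from the issue or from the Malcolm project, that parses such a response, flattens the failure (including the repeated `suppressed` causes) into one record per distinct cause, and builds the query parameters that make the search API refuse partial results outright via `allow_partial_search_results=false`. The sample document is a trimmed copy of the JSON above, embedded inline so the snippet runs offline.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the _search response from the issue.
# One suppressed duplicate of the same NPE is kept to show the de-duplication.
SAMPLE_RESPONSE = json.loads(r"""
{
  "took": 23,
  "timed_out": false,
  "_shards": {
    "total": 5, "successful": 4, "skipped": 0, "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "arkime_sessions3-250824",
        "node": "f4_s5fW-Sp21gjLlEhZU-A",
        "reason": {
          "type": "null_pointer_exception",
          "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null",
          "suppressed": [
            {"type": "null_pointer_exception",
             "reason": "Cannot invoke \"String.endsWith(String)\" because \"field\" is null"}
          ]
        }
      }
    ]
  },
  "hits": {"total": 0, "max_score": null, "hits": []}
}
""")


def is_partial(resp: Dict) -> bool:
    """True when the hits/aggregations only cover the surviving shards
    (at least one shard failed, or the request timed out)."""
    shards = resp.get("_shards", {})
    return shards.get("failed", 0) > 0 or bool(resp.get("timed_out", False))


def shard_failures(resp: Dict) -> List[Dict]:
    """Flatten _shards.failures into one record per distinct
    (index, shard, exception type, message). The 'suppressed' list of each
    failure is folded into the same set, so repeats of one cause collapse."""
    seen = set()
    records: List[Dict] = []
    for failure in resp.get("_shards", {}).get("failures", []):
        reason = failure.get("reason", {})
        causes = [reason] + list(reason.get("suppressed", []))
        for cause in causes:
            key = (failure.get("index"), failure.get("shard"),
                   cause.get("type"), cause.get("reason"))
            if key in seen:
                continue
            seen.add(key)
            records.append({
                "index": failure.get("index"),
                "shard": failure.get("shard"),
                "node": failure.get("node"),
                "type": cause.get("type"),
                "reason": cause.get("reason"),
            })
    return records


def summarize(resp: Dict) -> str:
    """One-line operator summary: shard counts plus each distinct cause."""
    shards = resp.get("_shards", {})
    head = f"{shards.get('failed', 0)}/{shards.get('total', 0)} shards failed"
    details = [f"{r['index']}[{r['shard']}] on {r['node']}: {r['type']}: {r['reason']}"
               for r in shard_failures(resp)]
    return "; ".join([head] + details)


def strict_search_params(params: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Query-string parameters for a _search request that make OpenSearch
    return an error instead of a partial result when any shard fails."""
    strict = dict(params or {})
    strict["allow_partial_search_results"] = "false"
    return strict


if __name__ == "__main__":
    if is_partial(SAMPLE_RESPONSE):
        print("PARTIAL RESULT: " + summarize(SAMPLE_RESPONSE))
    print(strict_search_params({"q": "*"}))
```

Running this over the quoted response prints the single distinct cause on `arkime_sessions3-250824` shard 0 rather than four copies of it, and a client issuing the same query with the strict parameters gets an HTTP error instead of an empty-looking hit list.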

Labels

bug: Something isn't working
dashboards: Relating to Malcolm's OpenSearch Dashboards interface
opensearch: Relating to Malcolm's use of OpenSearch

Status

Released
