Integration Name
Elasticsearch [elasticsearch]
Dataset Name
elasticsearch
Integration Version
9.2.2
Agent Version
9.2.2
Agent Output Type
elasticsearch
Elasticsearch Version
9.2.2
OS Version and Architecture
redhat 9.x
Software/API Version
No response
Error Message
cannot access method/field [server] from a null def reference
Event Original
{
"type": "server",
"timestamp": "2026-01-01T00:00:00Z",
"level": "WARN",
"component": "o.e.x.i.IndexLifecycleService",
"cluster.name": "REDACTED",
"node.name": "REDACTED",
"message": "async action execution failed during policy trigger for index [REDACTED_INDEX] with policy [REDACTED_POLICY] in step [{\"phase\":\"hot\",\"action\":\"rollover\",\"name\":\"ERROR\"}]",
"cluster.uuid": "REDACTED",
"node.id": "REDACTED",
"stacktrace": [
"java.lang.IllegalStateException: unable to parse steps for policy [REDACTED_POLICY] as it doesn't exist",
"at org.elasticsearch.xpack.ilm.PolicyStepsRegistry.parseStepsFromPhase(PolicyStepsRegistry.java:297)",
"at org.elasticsearch.xpack.ilm.PolicyStepsRegistry.getStep(PolicyStepsRegistry.java:389)",
"at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.onErrorMaybeRetryFailedStep(IndexLifecycleRunner.java:271)",
"at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.runPeriodicStep(IndexLifecycleRunner.java:215)",
"at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:535)",
"at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:475)",
"at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggered(IndexLifecycleService.java:456)",
"at org.elasticsearch.common.scheduler.SchedulerEngine.notifyListeners(SchedulerEngine.java:209) ~[elasticsearch]",
"at org.elasticsearch.common.scheduler.SchedulerEngine$ActiveSchedule.run(SchedulerEngine.java:243) ~[elasticsearch]",
"at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:545)",
"at java.util.concurrent.FutureTask.run(FutureTask.java:328)",
"at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:309)",
"at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1090)",
"at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)",
"at java.lang.Thread.run(Thread.java:1474)"
]
}Worth noting many stacktrace logs may not have the expected field as well
What did you do?
Logging ingestion
What did you see?
The attached error message, as ingest pipeline couldn't get expected server field
What did you expect to see?
The parsed document with all available fields
Anything else?
The ingest pipeline assumes nested fields under elasticsearch.server.gc exist and dereferences them without null-checks, causing runtime script errors that appear in error.message for otherwise-normal logs.
Ingest pipeline for reference
Integration Name
Elasticsearch [elasticsearch]
Dataset Name
elasticsearch
Integration Version
9.2.2
Agent Version
9.2.2
Agent Output Type
elasticsearch
Elasticsearch Version
9.2.2
OS Version and Architecture
redhat 9.x
Software/API Version
No response
Error Message
cannot access method/field [server] from a null def reference
Event Original
{ "type": "server", "timestamp": "2026-01-01T00:00:00Z", "level": "WARN", "component": "o.e.x.i.IndexLifecycleService", "cluster.name": "REDACTED", "node.name": "REDACTED", "message": "async action execution failed during policy trigger for index [REDACTED_INDEX] with policy [REDACTED_POLICY] in step [{\"phase\":\"hot\",\"action\":\"rollover\",\"name\":\"ERROR\"}]", "cluster.uuid": "REDACTED", "node.id": "REDACTED", "stacktrace": [ "java.lang.IllegalStateException: unable to parse steps for policy [REDACTED_POLICY] as it doesn't exist", "at org.elasticsearch.xpack.ilm.PolicyStepsRegistry.parseStepsFromPhase(PolicyStepsRegistry.java:297)", "at org.elasticsearch.xpack.ilm.PolicyStepsRegistry.getStep(PolicyStepsRegistry.java:389)", "at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.onErrorMaybeRetryFailedStep(IndexLifecycleRunner.java:271)", "at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.runPeriodicStep(IndexLifecycleRunner.java:215)", "at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:535)", "at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:475)", "at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggered(IndexLifecycleService.java:456)", "at org.elasticsearch.common.scheduler.SchedulerEngine.notifyListeners(SchedulerEngine.java:209) ~[elasticsearch]", "at org.elasticsearch.common.scheduler.SchedulerEngine$ActiveSchedule.run(SchedulerEngine.java:243) ~[elasticsearch]", "at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:545)", "at java.util.concurrent.FutureTask.run(FutureTask.java:328)", "at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:309)", "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1090)", "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)", "at java.lang.Thread.run(Thread.java:1474)" ] }Worth noting many stacktrace logs may not have the expected field as well
What did you do?
Logging ingestion
What did you see?
The attached error message, as ingest pipeline couldn't get expected
serverfieldWhat did you expect to see?
The parsed document with all available fields
Anything else?
The ingest pipeline assumes nested fields under elasticsearch.server.gc exist and dereferences them without null-checks, causing runtime script errors that appear in error.message for otherwise-normal logs.
Ingest pipeline for reference