[BUG] Script size limit exceeded in PPL queries with temporal functions and aggregations on large schemas

[alexey-temnikov]

Describe the bug

PPL queries combining eval with temporal functions (TIMESTAMP, TIMESTAMPDIFF) and aggregations (stats, top) fail with script size limit error on indices with large schemas (e.g., OCSF 1.1.0 with 618+ fields).

Error:

exceeded max allowed inline script size [65535] with size [202478]

To Reproduce

Query:

source=ocsf-1.1.0-6003 
| eval start_time_ts = TIMESTAMP(start_time_dt), time_ts = TIMESTAMP(time_dt), time_diff = TIMESTAMPDIFF(SECOND, start_time_ts, time_ts) 
| where time_diff > 0 
| stats count() by activity_name 
| sort - count 
| head 5

Schema: OCSF 1.1.0 (618 fields)

Result: Script size 202,478 bytes (exceeds 65,535 limit)

Tentative Root Cause

This is a preliminary analysis and requires further investigation.

Location: RelJsonSerializer.serialize() in opensearch/src/main/java/org/opensearch/sql/opensearch/storage/serde/RelJsonSerializer.java

The serializer includes the entire table schema (rowType) in the script even though the RexNode expression only references 2 fields. For large schemas, this causes massive script bloat.

Code (lines 88-93):

String rexNodeJson = jsonBuilder.toJsonString(relJson.toJson(rexNode));
Object rowTypeJsonObj = relJson.toJson(rowType);  // ← Serializes ALL fields
String rowTypeJson = jsonBuilder.toJsonString(rowTypeJsonObj);

Tentative Proposed Fix

This is a preliminary analysis and requires further investigation.

Design: Only serialize fields actually referenced in the RexNode expression.

Implementation:

1. Extract referenced field indices from RexNode using the visitor pattern
2. Build a minimal RelDataType with only those fields
3. Filter fieldTypes map to referenced fields only
4. Serialize minimal schema instead of full schema

Pseudocode:

Set<Integer> referencedFields = extractReferencedFields(rexNode);
RelDataType minimalRowType = createMinimalRowType(rowType, referencedFields);
Map<String, ExprType> minimalFieldTypes = filterFieldTypes(fieldTypes, referencedFields);
// Serialize minimal versions instead of full ones

Impact

• Severity: High - blocks legitimate queries on large schemas
• Workaround: Increase script.max_size_in_bytes (masks problem, doesn't scale)
• Scope: All PPL queries with eval + temporal functions + aggregations

[alexey-temnikov]

Reproduction Steps

Here are the steps to reproduce locally:

1. Create Test Index with 300 Fields

curl -X PUT "http://localhost:9200/test-script-size-issue" -H 'Content-Type: application/json' -d '{
  "mappings": {
    "properties": {
      "activity_name": {"type": "keyword"},
      "start_time": {"type": "date"},
      "end_time": {"type": "date"},
      "field_001": {"type": "keyword"}, "field_002": {"type": "keyword"}, "field_003": {"type": "long"},
      "field_004": {"type": "keyword"}, "field_005": {"type": "text"}, "field_006": {"type": "long"},
      "field_007": {"type": "keyword"}, "field_008": {"type": "keyword"}, "field_009": {"type": "long"},
      "field_010": {"type": "text"}, "field_011": {"type": "keyword"}, "field_012": {"type": "long"},
      "field_013": {"type": "keyword"}, "field_014": {"type": "keyword"}, "field_015": {"type": "text"},
      "field_016": {"type": "keyword"}, "field_017": {"type": "keyword"}, "field_018": {"type": "long"},
      "field_019": {"type": "keyword"}, "field_020": {"type": "text"}, "field_021": {"type": "long"},
      "field_022": {"type": "keyword"}, "field_023": {"type": "keyword"}, "field_024": {"type": "long"},
      "field_025": {"type": "text"}, "field_026": {"type": "keyword"}, "field_027": {"type": "long"},
      "field_028": {"type": "keyword"}, "field_029": {"type": "keyword"}, "field_030": {"type": "text"},
      "field_031": {"type": "keyword"}, "field_032": {"type": "keyword"}, "field_033": {"type": "long"},
      "field_034": {"type": "keyword"}, "field_035": {"type": "text"}, "field_036": {"type": "long"},
      "field_037": {"type": "keyword"}, "field_038": {"type": "keyword"}, "field_039": {"type": "long"},
      "field_040": {"type": "text"}, "field_041": {"type": "keyword"}, "field_042": {"type": "long"},
      "field_043": {"type": "keyword"}, "field_044": {"type": "keyword"}, "field_045": {"type": "text"},
      "field_046": {"type": "keyword"}, "field_047": {"type": "keyword"}, "field_048": {"type": "long"},
      "field_049": {"type": "keyword"}, "field_050": {"type": "text"}, "field_051": {"type": "long"},
      "field_052": {"type": "keyword"}, "field_053": {"type": "keyword"}, "field_054": {"type": "long"},
      "field_055": {"type": "text"}, "field_056": {"type": "keyword"}, "field_057": {"type": "long"},
      "field_058": {"type": "keyword"}, "field_059": {"type": "keyword"}, "field_060": {"type": "text"},
      "field_061": {"type": "keyword"}, "field_062": {"type": "keyword"}, "field_063": {"type": "long"},
      "field_064": {"type": "keyword"}, "field_065": {"type": "text"}, "field_066": {"type": "long"},
      "field_067": {"type": "keyword"}, "field_068": {"type": "keyword"}, "field_069": {"type": "long"},
      "field_070": {"type": "text"}, "field_071": {"type": "keyword"}, "field_072": {"type": "long"},
      "field_073": {"type": "keyword"}, "field_074": {"type": "keyword"}, "field_075": {"type": "text"},
      "field_076": {"type": "keyword"}, "field_077": {"type": "keyword"}, "field_078": {"type": "long"},
      "field_079": {"type": "keyword"}, "field_080": {"type": "text"}, "field_081": {"type": "long"},
      "field_082": {"type": "keyword"}, "field_083": {"type": "keyword"}, "field_084": {"type": "long"},
      "field_085": {"type": "text"}, "field_086": {"type": "keyword"}, "field_087": {"type": "long"},
      "field_088": {"type": "keyword"}, "field_089": {"type": "keyword"}, "field_090": {"type": "text"},
      "field_091": {"type": "keyword"}, "field_092": {"type": "keyword"}, "field_093": {"type": "long"},
      "field_094": {"type": "keyword"}, "field_095": {"type": "text"}, "field_096": {"type": "long"},
      "field_097": {"type": "keyword"}, "field_098": {"type": "keyword"}, "field_099": {"type": "long"},
      "field_100": {"type": "text"}, "field_101": {"type": "keyword"}, "field_102": {"type": "long"},
      "field_103": {"type": "keyword"}, "field_104": {"type": "keyword"}, "field_105": {"type": "text"},
      "field_106": {"type": "keyword"}, "field_107": {"type": "keyword"}, "field_108": {"type": "long"},
      "field_109": {"type": "keyword"}, "field_110": {"type": "text"}, "field_111": {"type": "long"},
      "field_112": {"type": "keyword"}, "field_113": {"type": "text"}, "field_114": {"type": "long"},
      "field_115": {"type": "text"}, "field_116": {"type": "keyword"}, "field_117": {"type": "long"},
      "field_118": {"type": "keyword"}, "field_119": {"type": "keyword"}, "field_120": {"type": "text"},
      "field_121": {"type": "keyword"}, "field_122": {"type": "keyword"}, "field_123": {"type": "long"},
      "field_124": {"type": "keyword"}, "field_125": {"type": "text"}, "field_126": {"type": "long"},
      "field_127": {"type": "keyword"}, "field_128": {"type": "keyword"}, "field_129": {"type": "long"},
      "field_130": {"type": "text"}, "field_131": {"type": "keyword"}, "field_132": {"type": "long"},
      "field_133": {"type": "keyword"}, "field_134": {"type": "keyword"}, "field_135": {"type": "text"},
      "field_136": {"type": "keyword"}, "field_137": {"type": "keyword"}, "field_138": {"type": "long"},
      "field_139": {"type": "keyword"}, "field_140": {"type": "text"}, "field_141": {"type": "long"},
      "field_142": {"type": "keyword"}, "field_143": {"type": "keyword"}, "field_144": {"type": "long"},
      "field_145": {"type": "text"}, "field_146": {"type": "keyword"}, "field_147": {"type": "long"},
      "field_148": {"type": "keyword"}, "field_149": {"type": "keyword"}, "field_150": {"type": "text"},
      "field_151": {"type": "keyword"}, "field_152": {"type": "keyword"}, "field_153": {"type": "long"},
      "field_154": {"type": "keyword"}, "field_155": {"type": "text"}, "field_156": {"type": "long"},
      "field_157": {"type": "keyword"}, "field_158": {"type": "keyword"}, "field_159": {"type": "long"},
      "field_160": {"type": "text"}, "field_161": {"type": "keyword"}, "field_162": {"type": "long"},
      "field_163": {"type": "keyword"}, "field_164": {"type": "keyword"}, "field_165": {"type": "text"},
      "field_166": {"type": "keyword"}, "field_167": {"type": "keyword"}, "field_168": {"type": "long"},
      "field_169": {"type": "keyword"}, "field_170": {"type": "text"}, "field_171": {"type": "long"},
      "field_172": {"type": "keyword"}, "field_173": {"type": "keyword"}, "field_174": {"type": "long"},
      "field_175": {"type": "text"}, "field_176": {"type": "keyword"}, "field_177": {"type": "long"},
      "field_178": {"type": "keyword"}, "field_179": {"type": "keyword"}, "field_180": {"type": "text"},
      "field_181": {"type": "keyword"}, "field_182": {"type": "keyword"}, "field_183": {"type": "long"},
      "field_184": {"type": "keyword"}, "field_185": {"type": "text"}, "field_186": {"type": "long"},
      "field_187": {"type": "keyword"}, "field_188": {"type": "keyword"}, "field_189": {"type": "long"},
      "field_190": {"type": "text"}, "field_191": {"type": "keyword"}, "field_192": {"type": "long"},
      "field_193": {"type": "keyword"}, "field_194": {"type": "keyword"}, "field_195": {"type": "text"},
      "field_196": {"type": "keyword"}, "field_197": {"type": "keyword"}, "field_198": {"type": "long"},
      "field_199": {"type": "keyword"}, "field_200": {"type": "text"}, "field_201": {"type": "long"},
      "field_202": {"type": "keyword"}, "field_203": {"type": "keyword"}, "field_204": {"type": "long"},
      "field_205": {"type": "text"}, "field_206": {"type": "keyword"}, "field_207": {"type": "long"},
      "field_208": {"type": "keyword"}, "field_209": {"type": "keyword"}, "field_210": {"type": "text"},
      "field_211": {"type": "keyword"}, "field_212": {"type": "keyword"}, "field_213": {"type": "long"},
      "field_214": {"type": "keyword"}, "field_215": {"type": "text"}, "field_216": {"type": "long"},
      "field_217": {"type": "keyword"}, "field_218": {"type": "keyword"}, "field_219": {"type": "long"},
      "field_220": {"type": "text"}, "field_221": {"type": "keyword"}, "field_222": {"type": "long"},
      "field_223": {"type": "keyword"}, "field_224": {"type": "keyword"}, "field_225": {"type": "text"},
      "field_226": {"type": "keyword"}, "field_227": {"type": "keyword"}, "field_228": {"type": "long"},
      "field_229": {"type": "keyword"}, "field_230": {"type": "text"}, "field_231": {"type": "long"},
      "field_232": {"type": "keyword"}, "field_233": {"type": "keyword"}, "field_234": {"type": "long"},
      "field_235": {"type": "text"}, "field_236": {"type": "keyword"}, "field_237": {"type": "long"},
      "field_238": {"type": "keyword"}, "field_239": {"type": "keyword"}, "field_240": {"type": "text"},
      "field_241": {"type": "keyword"}, "field_242": {"type": "keyword"}, "field_243": {"type": "long"},
      "field_244": {"type": "keyword"}, "field_245": {"type": "text"}, "field_246": {"type": "long"},
      "field_247": {"type": "keyword"}, "field_248": {"type": "keyword"}, "field_249": {"type": "long"},
      "field_250": {"type": "text"}, "field_251": {"type": "keyword"}, "field_252": {"type": "long"},
      "field_253": {"type": "keyword"}, "field_254": {"type": "keyword"}, "field_255": {"type": "text"},
      "field_256": {"type": "keyword"}, "field_257": {"type": "keyword"}, "field_258": {"type": "long"},
      "field_259": {"type": "keyword"}, "field_260": {"type": "text"}, "field_261": {"type": "long"},
      "field_262": {"type": "keyword"}, "field_263": {"type": "keyword"}, "field_264": {"type": "long"},
      "field_265": {"type": "text"}, "field_266": {"type": "keyword"}, "field_267": {"type": "long"},
      "field_268": {"type": "keyword"}, "field_269": {"type": "keyword"}, "field_270": {"type": "text"},
      "field_271": {"type": "keyword"}, "field_272": {"type": "keyword"}, "field_273": {"type": "long"},
      "field_274": {"type": "keyword"}, "field_275": {"type": "text"}, "field_276": {"type": "long"},
      "field_277": {"type": "keyword"}, "field_278": {"type": "keyword"}, "field_279": {"type": "long"},
      "field_280": {"type": "text"}, "field_281": {"type": "keyword"}, "field_282": {"type": "long"},
      "field_283": {"type": "keyword"}, "field_284": {"type": "keyword"}, "field_285": {"type": "text"},
      "field_286": {"type": "keyword"}, "field_287": {"type": "keyword"}, "field_288": {"type": "long"},
      "field_289": {"type": "keyword"}, "field_290": {"type": "text"}, "field_291": {"type": "long"},
      "field_292": {"type": "keyword"}, "field_293": {"type": "keyword"}, "field_294": {"type": "long"},
      "field_295": {"type": "text"}, "field_296": {"type": "keyword"}, "field_297": {"type": "long"},
      "field_298": {"type": "keyword"}, "field_299": {"type": "keyword"}, "field_300": {"type": "text"},
      "nested_001": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_002": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_003": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_004": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_005": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_006": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_007": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_008": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_009": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}},
      "nested_010": {"type": "object", "properties": {"sub_001": {"type": "keyword"}, "sub_002": {"type": "keyword"}, "sub_003": {"type": "long"}, "sub_004": {"type": "text"}}}
    }
  }
}'

2. Insert Sample Data

curl -X POST "http://localhost:9200/test-script-size-issue/_bulk" -H 'Content-Type: application/json' -d '
{"index":{}}
{"activity_name":"login","start_time":"2025-01-14T10:00:00Z","end_time":"2025-01-14T10:05:30Z"}
{"index":{}}
{"activity_name":"logout","start_time":"2025-01-14T10:10:00Z","end_time":"2025-01-14T10:10:15Z"}
{"index":{}}
{"activity_name":"file_access","start_time":"2025-01-14T10:15:00Z","end_time":"2025-01-14T10:20:45Z"}
{"index":{}}
{"activity_name":"api_call","start_time":"2025-01-14T10:25:00Z","end_time":"2025-01-14T10:25:02Z"}
{"index":{}}
{"activity_name":"login","start_time":"2025-01-14T11:00:00Z","end_time":"2025-01-14T11:03:20Z"}
{"index":{}}
{"activity_name":"logout","start_time":"2025-01-14T11:05:00Z","end_time":"2025-01-14T11:05:10Z"}
{"index":{}}
{"activity_name":"file_access","start_time":"2025-01-14T11:10:00Z","end_time":"2025-01-14T11:18:30Z"}
{"index":{}}
{"activity_name":"api_call","start_time":"2025-01-14T11:20:00Z","end_time":"2025-01-14T11:20:01Z"}
{"index":{}}
{"activity_name":"login","start_time":"2025-01-14T12:00:00Z","end_time":"2025-01-14T12:04:15Z"}
{"index":{}}
{"activity_name":"logout","start_time":"2025-01-14T12:10:00Z","end_time":"2025-01-14T12:10:12Z"}
'

3. Run PPL Query to Trigger the Bug

curl -X POST "http://localhost:9200/_plugins/_ppl" -H 'Content-Type: application/json' -d '{
  "query": "source=test-script-size-issue | eval start_ts = TIMESTAMP(start_time), end_ts = TIMESTAMP(end_time), duration = TIMESTAMPDIFF(SECOND, start_ts, end_ts) | where duration > 0 | stats count() as cnt by activity_name | sort - cnt | head 5"
}'

Expected Error

exceeded max allowed inline script size in bytes [65535] with size [67630]

Key Observations

• Script size: 67,630 bytes (2,095 bytes over the 65,535 limit)
• Query only references 2 fields: start_time and end_time
• Schema has 300+ fields: All fields are serialized into the Calcite script

[RyanL1997]

Hi @LantaoJin @songkant-aws , could you take a look of this? Thanks!

[qianheng-aws]

#4522 should mitigate the size issue but still exceed the threshold by my local test:

exceeded max allowed inline script size in bytes [65535] with size [67782] for script 

May need further enhancement on the script size.

[songkant-aws]

Most likely, it's caused by field type serialization problem. RelJsonSerializer requires input type's ExprTypes as well.

For now, we serialize scan's rowType field types, which could be a long array. But sometimes script input is a small set of long rowType. We haven't prune unnecessary field types.

[songkant-aws]

The major root cause is exactly the serialization of all field types for current scan rowType during pushdown. Sometimes, if a query doesn't have a project operator to narrow down the schema size, it will still pass a wide schema to RelJsonSerializer to serialize agg or filter script.

We observed that most of RexNode doesn't care about irrelevant fields. i.e. FILTER($z > 1) for scan schema [$a, $b, $c, ... $x, $y, $z]. Considering above situation, we can rewrite the input reference index for the RexNode. For FILTER($z > 1), the original RexInputRef(index=25) can be rewritten to RexInputRef(index=0). Then the required field types to be serialized will be [$z]. The input values are fetched via name. So changing input index doesn't impact the calculation.