API: api/v2/log-streams/
Updating an existing Splunk log stream requires that a value for “splunkPort” be provided even if no port was configured prior to the update.
Scenario:
- Read existing Splunk log stream (http GET). The value for “splunkPort” comes back empty:
{ id: “lst_0000000000001234”, name: “MyCorp Splunk”, type: “splunk”, status: “active”, sink: { splunkDomain: “http-inputs-mycorp.splunkcloud.com”, splunkPort: “”, splunkToken: “ORIGINALTOKEN”, splunkSecure: true, }}
-
Update something like “SplunkToken”
-
Update the log stream (http PATCH). api/v2/log-streams/lst_0000000000001234
{ name: “MyCorp Splunk”, type: “splunk”, status: “active”, sink: { splunkDomain: “http-inputs-mycorp.splunkcloud.com”, splunkPort: “”, splunkToken: “NEWTOKEN”, splunkSecure: true, }}
Expected result: The Splunk log stream’s token is updated. All other settings remain as they were.
Actual result:
{“statusCode”: 400, “error”: “Bad Request”, “message”: “The log stream configuration is invalid.”}
If a value for “splunkPort” is provided (i.e. 443) then the update works as expected.
If “splunkPort” is a required value during a PATCH then it should also be returned during a GET. Or, and this might be preferable, allow an empty value be provided for “splunkPort” and behind the scenes use a default port value (which is what configuring a Splunk log stream in the console seems to do).