I am trying to create index using the Java SDK for Splunk and to reset the "FrozenTimePeriodInSecs" property afterwards.
The code snippet follows:
ServiceArgs loginArgs = new ServiceArgs(); loginArgs.setUsername("admin"); loginArgs.setPassword("admin"); loginArgs.setHost("host"); loginArgs.setPort(8089); String indexName = "testIndex_" + System.currentTimeMillis(); HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2); Service splunkService = Service.connect(login); IndexCollection indexCollection = splunkService.getIndexes(); Index createdIndex = indexCollection.create(indexName); createdIndex.setFrozenTimePeriodInSecs(retentionPeriod); createdIndex.update();
I run into java.lang.NullPointerException because apparently the the IndexCollection.create(String indexName); returns a null value.
Any idea what am I doing wrong?
I have found the root cause.
The problem is with the capital "I" in the testIndex_<timestamp>.
It turns out that despite my attempt to create an index with name testIndex_<timestamp> (capital "I") on the backend an index with name testindex_<timestamp> (lower case "i") is created.
The method IndexCollection.create(String indexName) sends internal GET request attempting to obtain the Index object, having the original name testIndex_<timestamp> with (capital "I") and since on the back end there is no such thing that method returns null value.
In my opinion that is a bug.
Index names are always lower case. Per the Managing Indexers and Clusters of Indexers docs: "User-defined index names must consist of only numbers, lowercase letters, underscores, and hyphens."
Splunk probably should block attempts to create an index with an invalid name or warn that it changed the name, but I see no bug here.