Archive
Highlighted

HEC Posting Data Issue

New Member

Hi All,

I am trying to post some data to splunk via QT's Network Module. Currently, I have the HEC setup to where it can receive cURL's:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" https://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',

but I get no reply for the server when trying this code (even though the traffic is confirmed via Wireshark to be making it to the Splunk server). The server is set up to receive jsonnotimestamp data. Here is the function being called with the same input url as the above cURL command:

void Net::ConnectToSplunk(QString url)
{
QUrl qrl(url);//QUrl has network adress
manager = new QNetworkAccessManager(this);//create manager
connect(manager, SIGNAL(finished(QNetworkReply)),
this, SLOT(replyFinished(QNetworkReply
)));

//Set up request url
QNetworkRequest request;
request.setUrl(url);
QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

//Set up payload
map.insert("event", "auth1234");
map.insert("sourcetype", "mysourcetype");
QByteArray payload=QJsonDocument::fromVariant(map).toJson();
qDebug() << QVariant(payload).toString();
qDebug() << request.rawHeaderList();

QNetworkReply *reply = manager->post(request,payload);
qDebug() << reply->readAll();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();

if ( reply->error() != QNetworkReply::NoError ) {
qWarning() <<"ErrorNo: "<< reply->error() << "for url: " << reply->url().toString();
qDebug() << "Request failed, " << reply->errorString();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();
}
}

I get the following debug output (No response at all from Splunk):
"{\n \"event\": \"auth1234\",\n \"sourcetype\": \"mysourcetype\"\n}\n"
("Authorization:")
""
Headers: () content: ""

I even set up a json server on the same server as the Splunk server and it is receiving the post request just fine. Any ideas?

Thanks.

0 Karma
Highlighted

Re: HEC Posting Data Issue

Motivator

disable ssl in global settings in HTTP Event Collector under data inputs.

try with below request:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" http://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',
0 Karma
Highlighted

Re: HEC Posting Data Issue

New Member

Going to close this. I debugged all day and figured out that it is most likely some network settings on my Host PC. The code works from another PC.

0 Karma
Highlighted

Re: HEC Posting Data Issue

New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma
Highlighted

Re: HEC Posting Data Issue

New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma