Getting Data In

HEC Posting Data Issue

adam1124
New Member

Hi All,

I am trying to post some data to splunk via QT's Network Module. Currently, I have the HEC setup to where it can receive cURL's:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" https://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',

but I get no reply for the server when trying this code (even though the traffic is confirmed via Wireshark to be making it to the Splunk server). The server is set up to receive jsonnotimestamp data. Here is the function being called with the same input url as the above cURL command:

void Net::ConnectToSplunk(QString url)
{
QUrl qrl(url);//QUrl has network adress
manager = new QNetworkAccessManager(this);//create manager
connect(manager, SIGNAL(finished(QNetworkReply*)),
this, SLOT(replyFinished(QNetworkReply*)));

//Set up request url
QNetworkRequest request;
request.setUrl(url);
QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

//Set up payload
map.insert("event", "auth1234");
map.insert("sourcetype", "mysourcetype");
QByteArray payload=QJsonDocument::fromVariant(map).toJson();
qDebug() << QVariant(payload).toString();
qDebug() << request.rawHeaderList();

QNetworkReply *reply = manager->post(request,payload);
qDebug() << reply->readAll();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();

if ( reply->error() != QNetworkReply::NoError ) {
qWarning() <<"ErrorNo: "<< reply->error() << "for url: " << reply->url().toString();
qDebug() << "Request failed, " << reply->errorString();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();
}
}

I get the following debug output (No response at all from Splunk):
"{\n \"event\": \"auth1234\",\n \"sourcetype\": \"mysourcetype\"\n}\n"
("Authorization:")
""
Headers: () content: ""

I even set up a json server on the same server as the Splunk server and it is receiving the post request just fine. Any ideas?

Thanks.

0 Karma

andreas_franke_
New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma

andreas_franke_
New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma

adam1124
New Member

Going to close this. I debugged all day and figured out that it is most likely some network settings on my Host PC. The code works from another PC.

0 Karma

thambisetty
SplunkTrust
SplunkTrust

disable ssl in global settings in HTTP Event Collector under data inputs.

try with below request:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" http://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',
————————————
If this helps, give a like below.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...