Getting Data In

How to send data to HEC using Java SDK?

lyndac
Contributor

I'm looking for sample code that I can use to send json from my java app into the HEC. I'm having trouble connecting to HEC from the java program. I was hoping to be able to use the Splunk Java SDK, but I don't see any classes in there to support the HEC, so I'm using the Apache HttpClient implementation:

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("https://ip:8088/services/collector/event");
httppost.addHeader("Authorization", " Splunk <token id>");
String eventStr = "{sourcetype=accm_json, index=accm, event={ dataType: TEXT, filesize: 103212, processor: abc}}"
httppost.setEntity(new StringEntity(eventStr);
HttpResponse response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
System.out.println("response: " + entity);

When I run the code, the java program throws an SSLHandshakeException "unable to find valid certification path to the requested target" and the splunkd.log on the HEC shows "alert certificate unknown.

I don't understand what I am supposed to provide to be able to connect to the HEC from java. Can someone please help? I am able to insert events into HEC using cURL:

curl -k https://ip:8088/services/collector/event -H 'Authorization Splunk <token>' -d  '{"sourcetype": "accm-json", "index":"accm", "event": {"dataType": "TEXT", "filesize":103212, "processor": "abc"}}'

cartoonbilly
Engager

When you're using curl, you are using the -k flag

   -k, --insecure
          (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

Looks like they've changed the interface a bunch between minor verisons of http client for some reason, but here's a Stack Overflow post that shows a bunch of the methods ignoring certificates

https://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclien...

What you probably should do, though, is to add your certificate to your trust store.

https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc

Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...