Getting Data In

How to send data to HEC using Java SDK?

lyndac
Contributor

I'm looking for sample code that I can use to send json from my java app into the HEC. I'm having trouble connecting to HEC from the java program. I was hoping to be able to use the Splunk Java SDK, but I don't see any classes in there to support the HEC, so I'm using the Apache HttpClient implementation:

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("https://ip:8088/services/collector/event");
httppost.addHeader("Authorization", " Splunk <token id>");
String eventStr = "{sourcetype=accm_json, index=accm, event={ dataType: TEXT, filesize: 103212, processor: abc}}"
httppost.setEntity(new StringEntity(eventStr);
HttpResponse response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
System.out.println("response: " + entity);

When I run the code, the java program throws an SSLHandshakeException "unable to find valid certification path to the requested target" and the splunkd.log on the HEC shows "alert certificate unknown.

I don't understand what I am supposed to provide to be able to connect to the HEC from java. Can someone please help? I am able to insert events into HEC using cURL:

curl -k https://ip:8088/services/collector/event -H 'Authorization Splunk <token>' -d  '{"sourcetype": "accm-json", "index":"accm", "event": {"dataType": "TEXT", "filesize":103212, "processor": "abc"}}'

cartoonbilly
Engager

When you're using curl, you are using the -k flag

   -k, --insecure
          (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

Looks like they've changed the interface a bunch between minor verisons of http client for some reason, but here's a Stack Overflow post that shows a bunch of the methods ignoring certificates

https://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclien...

What you probably should do, though, is to add your certificate to your trust store.

https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc

Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...