Getting Data In

How to send data to HEC using Java SDK?

lyndac
Contributor

I'm looking for sample code that I can use to send json from my java app into the HEC. I'm having trouble connecting to HEC from the java program. I was hoping to be able to use the Splunk Java SDK, but I don't see any classes in there to support the HEC, so I'm using the Apache HttpClient implementation:

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("https://ip:8088/services/collector/event");
httppost.addHeader("Authorization", " Splunk <token id>");
String eventStr = "{sourcetype=accm_json, index=accm, event={ dataType: TEXT, filesize: 103212, processor: abc}}"
httppost.setEntity(new StringEntity(eventStr);
HttpResponse response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
System.out.println("response: " + entity);

When I run the code, the java program throws an SSLHandshakeException "unable to find valid certification path to the requested target" and the splunkd.log on the HEC shows "alert certificate unknown.

I don't understand what I am supposed to provide to be able to connect to the HEC from java. Can someone please help? I am able to insert events into HEC using cURL:

curl -k https://ip:8088/services/collector/event -H 'Authorization Splunk <token>' -d  '{"sourcetype": "accm-json", "index":"accm", "event": {"dataType": "TEXT", "filesize":103212, "processor": "abc"}}'

cartoonbilly
Engager

When you're using curl, you are using the -k flag

   -k, --insecure
          (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

Looks like they've changed the interface a bunch between minor verisons of http client for some reason, but here's a Stack Overflow post that shows a bunch of the methods ignoring certificates

https://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclien...

What you probably should do, though, is to add your certificate to your trust store.

https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...