Getting Data In

How to send data to HEC using Java SDK?

lyndac
Contributor

I'm looking for sample code that I can use to send json from my java app into the HEC. I'm having trouble connecting to HEC from the java program. I was hoping to be able to use the Splunk Java SDK, but I don't see any classes in there to support the HEC, so I'm using the Apache HttpClient implementation:

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost("https://ip:8088/services/collector/event");
httppost.addHeader("Authorization", " Splunk <token id>");
String eventStr = "{sourcetype=accm_json, index=accm, event={ dataType: TEXT, filesize: 103212, processor: abc}}"
httppost.setEntity(new StringEntity(eventStr);
HttpResponse response = httpclient.execute(httppost);
HttpEntity entity = response.getEntity();
System.out.println("response: " + entity);

When I run the code, the java program throws an SSLHandshakeException "unable to find valid certification path to the requested target" and the splunkd.log on the HEC shows "alert certificate unknown.

I don't understand what I am supposed to provide to be able to connect to the HEC from java. Can someone please help? I am able to insert events into HEC using cURL:

curl -k https://ip:8088/services/collector/event -H 'Authorization Splunk <token>' -d  '{"sourcetype": "accm-json", "index":"accm", "event": {"dataType": "TEXT", "filesize":103212, "processor": "abc"}}'

cartoonbilly
Engager

When you're using curl, you are using the -k flag

   -k, --insecure
          (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

Looks like they've changed the interface a bunch between minor verisons of http client for some reason, but here's a Stack Overflow post that shows a bunch of the methods ignoring certificates

https://stackoverflow.com/questions/2703161/how-to-ignore-ssl-certificate-errors-in-apache-httpclien...

What you probably should do, though, is to add your certificate to your trust store.

https://medium.com/@codebyamir/the-java-developers-guide-to-ssl-certificates-b78142b3a0fc

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...