Getting Data In

HEC Posting Data Issue

adam1124
New Member

Hi All,

I am trying to post some data to splunk via QT's Network Module. Currently, I have the HEC setup to where it can receive cURL's:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" https://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',

but I get no reply for the server when trying this code (even though the traffic is confirmed via Wireshark to be making it to the Splunk server). The server is set up to receive jsonnotimestamp data. Here is the function being called with the same input url as the above cURL command:

void Net::ConnectToSplunk(QString url)
{
QUrl qrl(url);//QUrl has network adress
manager = new QNetworkAccessManager(this);//create manager
connect(manager, SIGNAL(finished(QNetworkReply*)),
this, SLOT(replyFinished(QNetworkReply*)));

//Set up request url
QNetworkRequest request;
request.setUrl(url);
QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

//Set up payload
map.insert("event", "auth1234");
map.insert("sourcetype", "mysourcetype");
QByteArray payload=QJsonDocument::fromVariant(map).toJson();
qDebug() << QVariant(payload).toString();
qDebug() << request.rawHeaderList();

QNetworkReply *reply = manager->post(request,payload);
qDebug() << reply->readAll();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();

if ( reply->error() != QNetworkReply::NoError ) {
qWarning() <<"ErrorNo: "<< reply->error() << "for url: " << reply->url().toString();
qDebug() << "Request failed, " << reply->errorString();
qDebug() << "Headers:"<< reply->rawHeaderList()<< "content:" << reply->readAll();
}
}

I get the following debug output (No response at all from Splunk):
"{\n \"event\": \"auth1234\",\n \"sourcetype\": \"mysourcetype\"\n}\n"
("Authorization:")
""
Headers: () content: ""

I even set up a json server on the same server as the Splunk server and it is receiving the post request just fine. Any ideas?

Thanks.

0 Karma

andreas_franke_
New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma

andreas_franke_
New Member

Hello, I had the same problems sending data from a Qt application to Splunk.

First of all you have to replace:

QString headerData = "Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX";
request.setRawHeader("Authorization:", headerData.toLocal8Bit());

with:

request.setRawHeader(QByteArray("Authorization"), QByteArray("Splunk XXXXXXXXXXXXXXXXXXXXXXXXXX"));

(Authorization without colon)

0 Karma

adam1124
New Member

Going to close this. I debugged all day and figured out that it is most likely some network settings on my Host PC. The code works from another PC.

0 Karma

thambisetty
SplunkTrust
SplunkTrust

disable ssl in global settings in HTTP Event Collector under data inputs.

try with below request:

curl -k -H "Authorization: Splunk XXXXXXXXXXXXXXXXXXXXX" http://splunkserver:8088/services/collector/event -d '{"sourcetype": "mysourcetype", "event": "http auth ftw!"}',
————————————
If this helps, give a like below.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...