0

I want to connect my Java program to Splunk Cloud and send logs there.

I tried to connect with Splunk Enterprise (installed on my local machine). In this case it connected successfully and I can see the logs there too.

I don't know why I'm unable to connect my Java program to Splunk Cloud.

My code looks like this:

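    import com.splunk.Args;
    import com.splunk.HttpService;
    import com.splunk.Receiver;
    import com.splunk.SSLSecurityProtocol;
    import com.splunk.Service;
    import java.util.HashMap;
    import java.util.Map;

    public class HelloSplunk {
        public static void main(String[] args) {
            Map<String, Object> connectArgs = new HashMap<String, Object>();
            // Force TLS 1.2 for the SDK's HTTPS connections
            HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
            connectArgs.put("host", "xxx.splunkcloud.com"); // this is the part of the URL that I found in the URL of my Splunk Cloud account
            connectArgs.put("username", "un");
            connectArgs.put("password", "pswd");
            connectArgs.put("scheme", "https"); // I tried http here too
            connectArgs.put("port", 8089); // I tried 8088 too; nothing works

            // Log in to splunkd on the host and port above
            Service splunkService = Service.connect(connectArgs);

            // Send one event to the "main" index with a custom sourcetype
            Args logArgs = new Args();
            logArgs.put("sourcetype", "helloWorldSplunk");

            Receiver receiver = splunkService.getReceiver();
            receiver.log("main", logArgs, "Hello from java SDE program to Splunk");

            System.out.println("END");
        }
    }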

The error I get while executing the above code:

    Exception in thread "main" java.lang.RuntimeException: Connection timed out: connect
    at com.splunk.HttpService.send

Furthermore, I have one more question here:

How do I connect my JavaEE app to Splunk? Do I follow the same procedure as above, or something different?

warren
SE123987

2 Answers

2

If you're trying to send to Splunk's HTTP Event Collector (presumed from the reference to port 8088), then you'll need the right URL. The exact URL depends on whether you're using a free or paid Splunk Cloud account and where that account is hosted (AWS or Google).

The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:

    <protocol>://inputs.<host>:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform is as follows:

    <protocol>://http-inputs-<host>:<port>/<endpoint>

The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:

    <protocol>://http-inputs.<host>:<port>/<endpoint>

Where:

  • <protocol> is either http or https
  • You must add http-inputs- before the <host>
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • <port> is the HEC port number
      • 8088 on Splunk Cloud Platform free trials
      • 443 by default on Splunk Cloud Platform instances

See https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector_on_Splunk_Cloud_Platform for the details.

RichG
  • I'm not using a HEC here. I'm using the Java com.splunk.Service.connect() method for connecting. But it takes host, port, username and password for logging the user in and connecting to Splunk. If I want to use HEC here, then how can I give the token here? – SE123987 Apr 04 '22 at 05:42
  • To get a HEC token, sign in to your search head and go to Settings->Data inputs->HTTP Event Collector. Click the New Token button and complete the forms to generate the token. – RichG Apr 04 '22 at 13:32
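
How the token is supplied when HEC is used instead of Service.connect(), as an added example that is not part of the original answers or of the Splunk SDK: it builds the three URI forms listed above and posts one event with Java 11's built-in HttpClient. The /services/collector/event endpoint and the "Authorization: Splunk <token>" header are HEC's standard ones; the SPLUNK_HEC_TOKEN variable name, the class and enum names, and port 443 for the Google Cloud form are assumptions.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class HecSender {
    // The three deployment types from the answer; each has its own host prefix and port.
    enum Deployment {
        FREE_TRIAL("inputs.", 8088),
        CLOUD("http-inputs-", 443),
        CLOUD_ON_GCP("http-inputs.", 443); // assumption: same default port as other Cloud instances

        final String prefix;
        final int port;
        Deployment(String prefix, int port) { this.prefix = prefix; this.port = port; }
    }

    // Builds <protocol>://<prefix><host>:<port>/<endpoint>, always over https.
    static URI hecUri(Deployment d, String host) {
        return URI.create("https://" + d.prefix + host + ":" + d.port + "/services/collector/event");
    }

    public static void main(String[] args) throws Exception {
        String host = "xxx.splunkcloud.com";              // placeholder, as in the question
        String token = System.getenv("SPLUNK_HEC_TOKEN"); // assumed name; keeps the token out of source
        if (token == null || token.isBlank()) {
            throw new IllegalStateException("Set SPLUNK_HEC_TOKEN to the HEC token value");
        }

        // Same event as the question: index "main", sourcetype "helloWorldSplunk".
        String body = "{\"event\": \"Hello from java SDE program to Splunk\", "
                + "\"sourcetype\": \"helloWorldSplunk\", \"index\": \"main\"}";

        HttpClient client = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(10)) // fail fast if a firewall or proxy blocks the port
                .build();
        HttpRequest request = HttpRequest.newBuilder(hecUri(Deployment.CLOUD, host))
                .timeout(Duration.ofSeconds(30))
                .header("Authorization", "Splunk " + token) // HEC authenticates with the token, not a login
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();

        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.statusCode() + " " + response.body());
    }
}
```

The token must be allowed to write to the index named in the body; switch the Deployment constant to match the account type.
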
0

This could possibly be due to firewall issues in your network or you may be running behind a corporate proxy. Can you ensure that you have validated it?

As far as shipping your logs to Splunk instances, you would need log forwarding tools like the universal forwarder installed in the same environment as your application to forward the application logs to the remote Splunk servers.

Additionally, as a best practice, keep the log forwarding decoupled from your application. Your application should only write logs to the file system. A log processor or forwarder should send them to a remote server for ingestion. The reason: you may change your mind and use Logstash or Datadog later, and in such an event you don't have to touch your application.

warren
  • How to validate the firewall issue? Furthermore, in my local Splunk Enterprise there is no need for forwarding tools, so why do I need them here, since I'm just sending my logs to Splunk Cloud? Can you help me here? – SE123987 Apr 04 '22 at 05:46
  • You may, or may not, need a UF to send logs - HEC is also an option – warren Apr 04 '22 at 13:24
  • @SE123987 you may use libraries like telnet from your shell to check if you are able to access a specific domain and a specific port. As mentioned by RichG, you can use the HTTP Event Collector using logging frameworks. But ensure connectivity to the proper endpoint. – Sai Prasad Sabeson Apr 05 '22 at 07:40