Splunk® Supported Add-ons

Splunk Add-on for Box

Troubleshoot the Splunk Add-on for Box

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Prebuilt panels

The Splunk Add-on for Box provides the following prebuilt panels. You can build your own dashboards using these panels to help you with troubleshooting.

  • Box_Active_Users_in_last_7_days
  • Box_API_Errors_troubleshooting_panel
  • Box_Collaboration_Invitation_happened_in_last_7_days
  • Box_Enterprise_Events
  • Box_File_distribution_by_last_modified_time
  • Box_File_distribution_by_size
  • Box_Login_Failure_geo-stats_in_last_7_days
  • Box_Login_Failure_in_last_7_days
  • Box_Share_events_in_last_7_days
  • Box_Top_10_File_Owners_by_file_count
  • Box_Top_10_storage_capacity_users
  • Box_Top_5_Delete_Users_in_the_last_7_days
  • Box_Top_5_File_Download_Users_in_last_7_days
  • Box_Top_5_Upload_Users_in_the_last_7_days
  • Box_Uncompleted_tasks_by_action

Configuration troubleshooting

If you think there is something wrong with the configuration, search for

eventtype=box_setup_error

403 or Permission denied errors

If you are seeing 403 Forbidden or "permission denied" errors, first verify that you are using a Box account with sufficient permissions. See step 1 in Configure credentials on Box for the Splunk Add-on for Box for details.

Once you have verified the account permissions are correct, try using a different browser than you usually use to get the developer token. Your browser may be caching the credentials of a different Box account, causing your Box Add-on's token to be granted the permissions of that other account.

Logging verbosity

You can configure the logging verbosity on the setup page for the add-on, or in $SPLUNK_HOME/etc/apps/Splunk_TA_box/local/box.conf. Supported log levels are DEBUG, INFO, and ERROR.

Slow data gathering

By default, the Splunk Add-on for Box collects all folder and file data concurrently. If there are millions of files and folders in your organization's Box account, it may take a long time to finish all of the information gathering. The add-on includes checkpoint functionality, which allows it to pick up from where it left off if the Splunk platform restarts during data collection.

Note: The Box API has rate limiting. Concurrent folder scanning may hit the API's rate limit and throw "rate_limit_exceeded" errors. If this occurs, the add-on throttles the data gathering, which slows the scanning speed.

Rate limit errors

If you see 429 Too Many Requests errors, you are hitting the rate limit imposed by the Box API. For more information, see https://box-content.readme.io/reference#rate-limiting.

Increase your polling interval to 120 seconds or more to avoid this error.

Concurrent vs sequential folder scanning

If you want to do sequential folder scanning instead of concurrent scanning, copy $SPLUNK_HOME/etc/apps/Splunk_TA_box/default/box.conf to your $SPLUNK_HOME/etc/apps/Splunk_TA_box/local folder, then change use_thread_pool = 1 to use_thread_pool = 0. This setting is not exposed in Splunk Web. Sequential scanning is much slower than concurrent scanning.

Reset checkpoint for historical event data collection

When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 300 days by default, unless you have configured a different value on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval of 30 seconds until it catches up to the present. The historical event collection occurs only the first time that you enable the input. After that, the add-on uses a checkpoint to collect only new events.

You can reset the checkpoint and index historical data again.

  1. Stop splunkd.
  2. Go to $SPLUNK_HOME/var/lib/splunk/modinputs/box_service.
  3. Remove the "events" checkpoint file.
  4. Modify the created_after in local/box.conf to the new historical collection start date that you prefer.
  5. Start splunkd.
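
The five steps above as one shell function, as an added example that is not part of the add-on or of Splunk's documentation. It assumes the checkpoint file is literally named events and that created_after already has a line in local/box.conf; the backup directory is a hypothetical path, and the checkpoint is moved there rather than deleted so the reset can be undone.

```shell
# Added example: reset the Box "events" checkpoint and set a new created_after.
# Usage: reset_box_events_checkpoint "$SPLUNK_HOME" "<new created_after value>"
# Assumptions: checkpoint file name "events"; backup_dir is a hypothetical path.
reset_box_events_checkpoint() (
    splunk_home=$1; new_start=$2
    backup_dir=${3:-$splunk_home/var/box_checkpoint_backup}
    ckpt=$splunk_home/var/lib/splunk/modinputs/box_service/events
    conf=$splunk_home/etc/apps/Splunk_TA_box/local/box.conf

    # Accept only timestamp-like characters so the value cannot alter the sed
    # expression or add extra lines to box.conf.
    case $new_start in
        ''|*[!0-9A-Za-z:+.-]*) echo "invalid created_after value" >&2; exit 2 ;;
    esac
    grep -Eq '^[[:space:]]*created_after[[:space:]]*=' "$conf" 2>/dev/null ||
        { echo "created_after not found in $conf" >&2; exit 1; }

    ts=$(date +%Y%m%d%H%M%S)
    mkdir -p "$backup_dir" || exit 1

    "$splunk_home/bin/splunk" stop || exit 1            # step 1

    # Steps 2-3: move the checkpoint aside instead of deleting it outright.
    if [ -f "$ckpt" ]; then
        mv "$ckpt" "$backup_dir/events.$ts" || exit 1
    fi

    # Step 4: rewrite only the created_after line, keeping a copy of the file.
    cp -p "$conf" "$backup_dir/box.conf.$ts" || exit 1
    tmp=$(mktemp) || exit 1
    sed -E "s|^([[:space:]]*created_after[[:space:]]*=).*|\1 $new_start|" \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || exit 1

    "$splunk_home/bin/splunk" start                     # step 5
)
```

The function validates its input before stopping Splunk, so a rejected value leaves the running instance and the checkpoint untouched.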

HTTP 400 Bad request: "created_after is invalid since it is in the future"

Because the original timezone is not available in the event metadata, Box events are timestamped using the local timezone of your data collection endpoint. When this local time is not consistent with UTC time, this error may occur. Check that your machine's clock is synced with the world clock.

HTTP 400 Bad request: "created_after is beyond one year in the past"

The Box API currently limits historical event data collection to one year. If you set a date farther in the past than one year ago when you set up the add-on, you encounter this error. The add-on does not collect event data or set a checkpoint, so you can correct the start date to one within one year and restart data collection to recover.

404 errors for file metadata

404 errors are expected because files are frequently created, updated, and deleted in Box, so the resources are not persistent. If you try to access metadata about a file that is no longer there, you receive a 404 error.

OAuth access token and refresh token expiration behavior

The Box OAuth2 access token expires every two hours, so the add-on uses the OAuth2 refresh token to renew the access token automatically when it detects access token expiration. In some cases, the refresh token can itself expire. If this happens, you need to go to the setup page to re-perform the authentication and authorization. This recreates the access token and the refresh token. Search eventtype=box_ta_log_error "Refresh token has expired" to check if the refresh token has expired.

This documentation applies to the following versions of Splunk® Supported Add-ons: released

