Troubleshoot the Splunk Add-on for Box
The Splunk Add-on for Box provides the following prebuilt panels. You can build your own dashboards using these panels to help you with troubleshooting.
If you think there is something wrong with the configuration, search for
403 or Permission denied errors
If you are seeing 403 Forbidden or "permission denied" errors, first verify that you are using a Box account with sufficient permissions. See step 1 in Configure credentials on Box for the Splunk Add-on for Box for details.
Once you have verified the account permissions are correct, try using a different browser than you usually use to get the developer token. Your browser may be caching the credentials of a different Box account, causing your Box Add-on's token to be granted the permissions of that other account.
You can configure the logging verbosity on the setup page for the add-on, or in $SPLUNK_HOME/etc/apps/Splunk_TA_box/local/box.conf. Supported log levels are DEBUG, INFO, and ERROR.
Slow data gathering
By default, the Splunk Add-on for Box collects all folder and file data concurrently. If there are millions of files and folders in your organization's Box account, it may take a long time to finish all of the information gathering. The add-on includes checkpoint functionality, which allows the add-on to pick up from where it left off if the Splunk platform restarts during the data collection.
Note: The Box API has rate limiting. Concurrent folder scanning may hit the API's rate limit and throw "rate_limit_exceeded" errors. If this occurs, the add-on throttles the data gathering, which slows the scanning speed.
Rate limit errors
If you see 429 Too Many Requests errors, you are hitting the rate limit imposed by the Box API. For more information, see https://box-content.readme.io/reference#rate-limiting.
Increase your polling interval to 120 seconds or more to avoid this error.
Concurrent vs sequential folder scanning
If you want to do sequential folder scanning instead of concurrent scanning, copy $SPLUNK_HOME/etc/apps/Splunk_TA_box/default/box.conf to your $SPLUNK_HOME/etc/apps/Splunk_TA_box/local folder, then change use_thread_pool = 1 to use_thread_pool = 0. This setting is not exposed in Splunk Web. Sequential scanning is much slower than concurrent scanning.
Reset checkpoint for historical event data collection
When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 300 days by default, unless you have configured a different value on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval of 30 seconds until it catches up to the present. The historical event collection occurs only the first time that you enable the input. After that, the add-on uses a checkpoint to collect only new events.
You can reset the checkpoint and index historical data again.
- Stop splunkd.
- Go to
- Remove the "events" checkpoint file.
- Modify the local/box.conf to the new historical collection start date that you prefer.
- Start splunkd.
HTTP 400 Bad request: "created_after is invalid since it is in the future"
Because the original timezone is not available in the event metadata, Box events are timestamped using the local timezone of your data collection endpoint. When this local time is not consistent with UTC time, this error may occur. Check that your machine's clock is synced with the world clock.
HTTP 400 Bad request: "created_after is beyond one year in the past"
The Box API currently limits historical event data collection to one year. If you set a date farther in the past than one year ago when you set up the add-on, you encounter this error. The add-on does not collect event data or set a checkpoint, so you can correct the start date to one within one year and restart data collection to recover.
404 errors for file metadata
404 errors are expected because files are frequently created, updated, and deleted in Box, so the resources are not persistent. If you try to access metadata about a file that is no longer there, you receive a 404 error.
OAuth access token and refresh token expiration behavior
The Box OAuth2 access token expires every two hours, so the add-on uses the OAuth2 refresh token to renew the access token automatically when it detects access token expiration. In some cases, the refresh token can itself expire. If this happens, you need to go to the setup page to re-perform the authentication and authorization. This recreates the access token and the refresh token. Search eventtype=box_ta_log_error "Refresh token has expired" to check if the refresh token has expired.
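The error messages covered on this page can be triaged in one pass over the add-on's log output. The following Python script is an added example, not part of the add-on or of this documentation's original text; it groups ERROR lines by the messages quoted above and ranks them so that expected 404 noise sorts below errors that need action. The log line layout, the category names, and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime
# (category, pattern, severity, remedy): message strings and remedies come from this page.
RULES = [
    ("refresh_token_expired", r"Refresh token has expired", "action",
     "re-authenticate and re-authorize on the setup page"),
    ("start_date_in_future", r"created_after is invalid since it is in the future", "action",
     "sync the collection host's clock"),
    ("start_date_too_old", r"created_after is beyond one year in the past", "action",
     "set a start date within one year, then restart collection"),
    ("permission_denied", r"\b403\b|permission denied", "action",
     "verify Box account permissions; get the token from a different browser"),
    ("rate_limited", r"\b429\b|rate_limit_exceeded", "tune",
     "increase the polling interval to 120 seconds or more"),
    ("file_not_found", r"\b404\b", "expected", "none; deleted files return 404"),
]
COMPILED = [(c, re.compile(p, re.I), s, r) for c, p, s, r in RULES]
# Assumed line layout: "YYYY-MM-DD HH:MM:SS LEVEL message" (not the add-on's documented format).
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")
ORDER = {"action": 0, "tune": 1, "expected": 2, "unknown": 3}

def triage(lines):
    """Group ERROR lines by the signatures on this page; return rows sorted by severity."""
    found = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "ERROR":
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)
        hit = next(((c, s, r) for c, p, s, r in COMPILED if p.search(msg)),
                   ("unclassified", "unknown", "raise the log level to DEBUG and re-check"))
        row = found.setdefault(hit[0], {"category": hit[0], "severity": hit[1],
                                        "remedy": hit[2], "count": 0, "first": ts, "last": ts})
        row["count"] += 1
        row["first"], row["last"] = min(row["first"], ts), max(row["last"], ts)
    return sorted(found.values(), key=lambda r: (ORDER[r["severity"]], -r["count"]))

# Constructed sample lines (not real add-on output).
SAMPLE = [
    "2024-05-01 10:00:00 INFO Start collecting folders",
    "2024-05-01 10:00:05 ERROR HTTP 429 Too Many Requests: rate_limit_exceeded",
    "2024-05-01 10:00:35 ERROR HTTP 429 Too Many Requests: rate_limit_exceeded",
    "2024-05-01 10:01:10 ERROR HTTP 404 for file metadata id=<constructed>",
    "2024-05-01 12:00:00 ERROR Refresh token has expired",
    "2024-05-01 12:00:30 ERROR Unexpected failure in collector",
]
if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["severity"]:<9}{r["category"]:<23}x{r["count"]}  {r["remedy"]}')
```

The first and last timestamps per category show whether a condition such as rate limiting is still ongoing or ended after a configuration change.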
This documentation applies to the following versions of Splunk® Supported Add-ons: released