Splunk® Supported Add-ons

Splunk Add-on for Box

Configure inputs for the Splunk Add-on for Box

As part of v3.5.0 of Splunk Add-on for Box, a new input has been introduced named "Live Monitoring Inputs". The existing input has been renamed to "Historical Querying Inputs".

Comparison between Historical Querying Inputs and Live Monitoring Inputs

All the older functionalities from "Historical Querying Inputs" remain the same and would work as expected in "Live Monitoring Inputs". The data collected for events endpoint under Historical Querying Inputs is done through admin_logs API, and under Live Monitoring Inputs is done through admin_logs_streaming API.

Historical Querying Input can collect Events data starting from the past 1 year and continue data collection for the current time based on the user defined interval. The Live Monitoring Input can collect data starting from the past 2 weeks and then continue data collection for the current time based on the user defined interval.

The admin_logs_streaming API, which is supported using Live Monitoring Input, has certain advantages and disadvantages with respect to admin_logs API. Depending on the use case it is recommended to use the most relevant input. The major benefit that the new API brings is consistent and reduced latency which may bring events quite earlier in Splunk.

More details regarding this can be found in the Box Documentation: https://developer.box.com/guides/events/enterprise-events/for-enterprise/.

Configuration

The data collected using any of these inputs for events endpoint would be collected under box:events sourcetype and can be differentiated using source field.

Please refer to Configure Historical Querying Inputs for the Splunk Add-on for Box for steps for configuring historical querying inputs.

Please refer to Configure Live Monitoring Inputs for the Splunk Add-on for Box for steps for configuring live monitoring inputs.

Points to consider when migrating from admin_logs to admin_logs_streaming API:

  • The user needs to disable the existing input of Historical Querying Input and create a new input of Live Monitoring Input type.
  • Since the new API would start bringing inndata from the past 2 weeks, if the data has already been collected using an older API, it would get duplicated.
  • There are chances of getting some duplicated events in "Live Monitoring Input". This is the behavior of the new API which Box has provided.
Last modified on 22 July, 2024
Set up the Splunk Add-on for Box   Configure Historical Querying Inputs for the Splunk Add-on for Box

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters