Splunk® Supported Add-ons

Splunk Add-on for Box

Configure Historical Querying Inputs for the Splunk Add-on for Box

To configure historical querying inputs for the Splunk Add-on for Box, complete these steps:

  1. On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
  2. Click the Inputs tab.
  3. Click Create new input and then choose "Historical Querying Inputs".
  4. Fill in the required fields:
    Field Description
    Name A name for the new input
    Box account The Box account with permissions for the input. Ensure you have set up the add-on to work with this Box account.
    Endpoint The Box API endpoint relevant for collecting data for a given metric. Do not alter this value. The Splunk Add-on for Box provides four Endpoints — events, folders, users, and groups — which correspond to the four endpoints of the Box REST API. The Events endpoint is supported using admin_logs Box REST API.
    Metric Description
    events (admin_logs) Box enterprise events using Box admin_logs API.
    folders Metadata about files and folders, collaboration data for folders, file tasks and comments information. If you unchecked any of the boxes in the Box Data Collection Setup section when you set up the add-on, the corresponding data is excluded from collection.
    users User data
    groups User group data
    Collect since timestamp The date and time, after converting to UTC in YYYY-MM-DDThh:mm:ss format, after which to collect data. Default: last 90 days. Only compatible with the events metric.
    Interval How often, in seconds, the Splunk platform calls the API to collect data for a metric. This value overrides the configuration of the default collection interval in the setup screen. Set to 120 seconds or above to avoid rate limiting errors.
    Delay (Optional) Delay (measured in seconds) to be subtracted while scanning events from Box. The value should be strictly less than Interval. This Delay will be deducted from created_before and created_after Box Event API parameters while fetching events from Box. Default is 0.

    Set the value to non-zero if events are missed from your Box account.
    Only valid for the events metric.

    The delay will be deducted from "Collect since timestamp" due to product vendor behavior. See the ''Troubleshooting'' topic in this manual for more information.

    Index The index in which the Splunk platform stores events from Box. The default is main.

    When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 90 days by default, or starts collection at a different time based on what you configured on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval (defaults is 120 seconds) until it catches up to the present. All event timestamps reflect the local timezone of your data collection node, which may differ from the timezone applied in Box.

  5. Once you are satisfied with the configurations, click Enable next to the metrics you want to enable.

Checkpoint management

If the Splunk Add-on for Box finds an existing checkpoint for a given input name, a Use existing data input dialogue box appears. If you select Yes, then data is collected from that checkpoint. If you select No, then data collection resets. It begins from the query start date you provided, or from the default start date. This option will only appear when editing inputs containing the events metric.

Last modified on 22 December, 2023
Configure inputs for the Splunk Add-on for Box   Configure Live Monitoring Inputs for the Splunk Add-on for Box

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters