Troubleshoot the Splunk Add-on for Box
SSL certificate issues
Perform the following search to check whether SSL certificate validation is failing for the Splunk Add-on for Box:
index="_internal" source=*box* CERTIFICATE_VERIFY_FAILED
- Check whether you see this warning message:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate validation is enabled. You may need to check the certificate and refer to the documentation and add it to the trust list.
- If you see this message, you need to add your Box certificate to your $SPLUNK_HOME/etc/apps/Splunk_TA_box/bin/certifi/cacert.pem files by following these steps:
- Navigate to https://apps.box.com.
- Download the certificate from your browser.
- Copy the downloaded certificate into the beginning of the $SPLUNK_HOME/etc/apps/Splunk_TA_box/bin/certifi/cacert.pem without deleting anything in the files.
- Save the files.
- Restart your Splunk platform.
- Check whether Box data ingestion is now working.
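The copy step above as a script, added here as an example (it is not part of the add-on or of this documentation): it accepts only a file holding exactly one PEM certificate, returns its SHA-256 fingerprint so you can compare it with the one your browser displayed, keeps a backup of cacert.pem, and prepends the certificate without removing existing entries. The function names are hypothetical, and the check covers PEM framing and base64 only, not the X.509 contents.

```python
import base64
import hashlib
import os
import re
import shutil

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # validate=True rejects anything that is not clean base64 (ValueError)
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def prepend_certificate(cert_path, bundle_path):
    """Prepend one PEM certificate to the bundle and return its fingerprint.

    The bundle is left untouched if the certificate is already in it.
    """
    with open(cert_path, encoding="ascii") as fh:
        cert_text = fh.read()
    new = pem_fingerprints(cert_text)
    if len(new) != 1:
        raise ValueError("expected exactly one PEM certificate, found %d" % len(new))
    with open(bundle_path, encoding="utf-8") as fh:
        bundle_text = fh.read()
    if new[0] in pem_fingerprints(bundle_text):
        return new[0]  # already trusted, nothing to change
    shutil.copy2(bundle_path, bundle_path + ".bak")  # copy to roll back to
    tmp = bundle_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(cert_text.strip() + "\n" + bundle_text)  # existing entries kept
    os.replace(tmp, bundle_path)  # swap in one step so the file is never half-written
    return new[0]
```

Call `prepend_certificate()` with the downloaded certificate and the cacert.pem path from the steps above, then continue with the restart step.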
If you think there is something wrong with the configuration, run the following search:
403 or Permission denied errors
If you are seeing 403 Forbidden or "permission denied" errors, first verify that you are using a Box account with sufficient permissions. See step 1 in Configure credentials on Box for the Splunk Add-on for Box for details.
Once you have verified the account permissions are correct, try using a different browser than you usually use to get the developer token. Your browser may be caching the credentials of a different Box account, causing your Box Add-on's token to be granted the permissions of that other account.
You can configure the logging verbosity on the setup page for the add-on, or in
$SPLUNK_HOME/etc/apps/Splunk_TA_box/local/box.conf. Supported log levels are DEBUG, INFO, and ERROR.
Slow data gathering
By default, the Splunk Add-on for Box collects all folder and file data concurrently. If there are millions of files and folders in your organization's Box account, it may take a long time to finish all of the information gathering. The add-on includes checkpoint functionality which allows the add-on to pick up from where it left off in case Splunk platform restarts during the data collection.
The Box API has rate limiting. Concurrent folder scanning may hit the API's rate limit and throw "rate_limit_exceeded" errors. If this occurs, the add-on throttles the data gathering, which slows the scanning speed.
Rate limit errors
If you see 429 Too Many Requests errors, you are hitting the rate limit imposed by the Box API. For more information, see https://box-content.readme.io/reference#rate-limiting.
Increase your polling interval to 120 seconds or more to avoid this error.
Concurrent vs sequential folder scanning
If you want to do sequential folder scanning instead of concurrent scanning, copy $SPLUNK_HOME/etc/apps/Splunk_TA_box/default/box.conf to your $SPLUNK_HOME/etc/apps/Splunk_TA_box/local folder, then change use_thread_pool = 1 to use_thread_pool = 0. This setting is not exposed in Splunk Web. Sequential scanning is much slower than concurrent scanning.
Reset checkpoint for historical event data collection
When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 300 days by default, unless you have configured a different value on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval of 30 seconds until it catches up to the present. The historical event collection occurs only the first time that you enable the input. After that, the add-on uses a checkpoint to collect only new events.
You can reset the checkpoint and index historical data again.
- Stop your Splunk platform instance.
- Go to
- Remove the
- Modify the
local/box.conf to the new historical collection start date that you prefer.
- Start your Splunk platform instance.
HTTP 400 Bad request: "created_after is invalid since it is in the future"
Because the original timezone is not available in the event metadata, Box events are timestamped using the local timezone of your data collection endpoint. When this local time is not consistent with UTC time, this error may occur. Check that your machine's clock is synced with the world clock.
HTTP 400 Bad request: "created_after is beyond one year in the past"
The Box API currently limits historical event data collection to one year. If you set a date farther in the past than one year ago when you set up the add-on, you encounter this error. The add-on does not collect event data or set a checkpoint, so you can correct the start date to one within one year and restart data collection to recover.
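A pre-flight check for the two HTTP 400 cases above, added here as an example (not the add-on's code): it normalises a start date to UTC, reports which of the two errors it would trigger, and clamps it into the accepted window. It assumes the start date is an ISO 8601 string, that a value without a UTC offset is wall-clock time on the collection host, and that "one year" means 365 days; all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

ONE_YEAR = timedelta(days=365)  # assumption: "one year" taken as 365 days


def to_utc(value, host_offset_hours=0):
    """Parse an ISO 8601 start date (assumed format) and normalise it to UTC.

    A value with no UTC offset is read as wall-clock time on the collection
    host, whose offset from UTC is host_offset_hours.
    """
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone(timedelta(hours=host_offset_hours)))
    return ts.astimezone(timezone.utc)


def check_created_after(value, now_utc, host_offset_hours=0):
    """Return "future", "too_old" or "ok", mirroring the two HTTP 400 cases."""
    ts = to_utc(value, host_offset_hours)
    if ts > now_utc:
        return "future"   # "created_after is invalid since it is in the future"
    if ts < now_utc - ONE_YEAR:
        return "too_old"  # "created_after is beyond one year in the past"
    return "ok"


def nearest_valid(value, now_utc, host_offset_hours=0, margin=timedelta(days=1)):
    """Clamp a start date into the accepted window, keeping a safety margin."""
    ts = to_utc(value, host_offset_hours)
    earliest = now_utc - ONE_YEAR + margin
    return min(max(ts, earliest), now_utc).isoformat()
```

The same wall-clock string can be "future" on a host set to UTC and "ok" on a host five hours ahead of UTC, which is the inconsistency the first error describes.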
404 errors for file metadata
404 errors are expected because files are frequently created, updated, and deleted in Box, so the resources are not persistent. If you try to access metadata about a file that is no longer there, you receive a 404 error.
OAuth access token and refresh token expiration behavior
The Box OAuth2 access token expires every two hours, so the add-on uses the OAuth2 refresh token to renew the access token automatically when it detects access token expiration. In some cases, the refresh token can itself expire. If this happens, you need to go to the setup page to re-perform the authentication and authorization. This recreates the access token and the refresh token. Search
eventtype=box_ta_log_error "Refresh token has expired" to check if the refresh token has expired.
Files with extensions including
.zip are not supported for preview mode. Fields such as
expiring_embed_link require preview support, and will result in the following error:
Box API error returned: Previews for <FileExtension> files are not yet supported. File id <FileID> skipped. Consider adjusting your API field parameters.
If you added this field to your
box.conf file, remove it. Otherwise, events for these files are not indexed.
Box account configuration error
If you see the following error in the
splunkd.log file, an enabled data input is missing Box Account configuration details:
ERROR ExecProcessor - message from "python <SPLUNK_HOME>/etc/apps/Splunk_TA_box/bin/box_service.py" ERRORaccount.
To resolve this error and to resume data collection, correct or complete your Box Account configuration details for your enabled data inputs.
This documentation applies to the following versions of Splunk® Supported Add-ons: released