Configure Historical Querying Inputs for the Splunk Add-on for Box¶
To configure historical querying inputs for the Splunk Add-on for Box, complete these steps:
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Inputs tab.
- Click Create new input and then choose “Historical Querying Inputs”.
- Fill in the required fields:
Input Field Descriptions¶
| Field | Description |
|---|---|
| Name | A name for the new input. |
| Box account | The Box account with permissions for the input. Ensure you have set up the add-on to work with this Box account. |
| Endpoint | The Box API endpoint relevant for collecting data for a given metric. Do not alter this value. The Splunk Add-on for Box provides four Endpoints — events, folders, users, and groups — which correspond to the four endpoints of the Box REST API. The Events endpoint is supported using admin_logs Box REST API. See the Metrics and Descriptions section below for details. |
| Collect since timestamp | The date and time, after converting to UTC in YYYY-MM-DDThh:mm:ss format, after which to collect data. Default: last 90 days. Only compatible with the events metric. NOTE: The date should not exceed 1 year in the past, as data older than this is not supported by APIs. |
| Interval | How often, in seconds, the Splunk platform calls the API to collect data for a metric. This value overrides the configuration of the default collection interval in the setup screen. Set to 120 seconds or above to avoid rate limiting errors. |
| Delay | (Optional) Delay (measured in seconds) to be subtracted while scanning events from Box. The value should be strictly less than Interval. This Delay will be deducted from created_before and created_after Box Event API parameters while fetching events from Box. Default is 0. Set the value to non-zero if events are missed from your Box account. Only valid for the events metric. Note: The delay is also deducted from “Collect since timestamp” due to Box vendor behavior. See the Troubleshooting section for details. |
| Index | The index in which the Splunk platform stores events from Box. Default is main. |
Note
When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 90 days by default, or starts collection at a different time based on what you configured on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval (defaults is 120 seconds) until it catches up to the present. All event timestamps reflect the local timezone of your data collection node, which may differ from the timezone applied in Box.
Metrics and Descriptions¶
| Metric | Description |
|---|---|
| events (admin_logs) | Box enterprise events using Box admin_logs API. |
| folders | Metadata about files and folders, collaboration data for folders, file tasks and comments information. If you unchecked any of the boxes in the Box Data Collection Setup section when setting up the add-on, the corresponding data is excluded from collection. |
| users | User data. |
| groups | User group data. |
- Once you are satisfied with the configurations, click Enable next to the metrics you want to enable.
Checkpoint management¶
If the Splunk Add-on for Box finds an existing checkpoint for a given
input name, a Use existing data input dialogue box appears. If you
select Yes, then data is collected from that checkpoint. If you
select No, then data collection resets. It begins from the query
start date you provided, or from the default start date. This option
will only appear when editing inputs containing the events metric.