About the Splunk Add-on for Box
Version | 4.0.0 |
Vendor Products | Box |
Visible in Splunk Web | Yes. This add-on contains views for configuration. |
The Splunk Add-on for Box allows a Splunk software administrator to collect data from Box and monitor Box events in near real time. The add-on can collect the following data via the Box REST APIs:
- Enterprise events
- Metadata about files and folders
- User and user group data
- Collaboration data for folders
- Tasks data for files
- Content of files with supported extensions of json, csv, xml, text, txt, and log
This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
Download the Splunk Add-on for Box from Splunkbase.
For a summary of new features, fixed issues, and known issues, see Release Notes.
For information about installing and configuring the Splunk Add-on for Box, see Installation and configuration overview.
See the Splunk Community page for questions related to the Splunk Add-on for Box.
Source types for the Splunk Add-on for Box
The Splunk Add-on for Box provides the index-time and search-time knowledge for Box events, metadata, user and group information, collaboration data, and tasks in the following formats.
Source type | Description | CIM data models |
---|---|---|
box:events | Box enterprise audit events | Authentication, Change, Alerts, DataAccess, Malware |
box:file | Box file metadata | Inventory |
box:fileComment | Box file comments information | Inventory |
box:fileTask | Task information about Box files | Inventory |
box:folder | Box file and folder metadata | Inventory |
box:folderCollaboration | Box collaboration information on folders | Inventory |
box:groups | Box group information | Inventory |
box:users | Box user information | Inventory |
box:filecontent | Content of TXT, TEXT, and LOG files on Box | none |
box:filecontent:json | Box JSON file content | none |
box:filecontent:xml | Box XML file content | none |
box:filecontent:csv | Box CSV file content | none |
box:addon:log | Splunk Add-on for Box internal log | none |
box:addon:setup:log | Splunk Add-on for Box internal installation log | none |
Release notes for the Splunk Add-on for Box
Version 4.0.0 of the Splunk Add-on for Box was released on July 8, 2025.
Compatibility
Version 4.0.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.1.x, 9.2.x, 9.3.x, 9.4.x |
CIM | 6.0.4 |
Platforms | Linux and Windows |
Vendor Products | Box |
New Features
Version 4.0.0 of the Splunk Add-on for Box contains the following new features:
- Added support for non-interactive OAuth 2.0 (Client Credentials grant type) authentication to enable adding OAuth accounts without external validation. See Configure Oauth 2.0 Client Credential.
- Added support for Box SDK v3.14.0.
- Updated the add-on to allow power users with list_storage_password to view inputs and configurations in the UI.
Bug fixes
Version 4.0.0 of the Splunk Add-on for Box contains the following bug fixes:
- Allow the slash character "/" in the proxy host, username, and password.
- Fixed a data ingestion issue for a delay greater than 0 for the Events endpoint in Historical Querying Inputs.
Fixed issues
Version 4.0.0 of the Splunk Add-on for Box fixes the following issues. If none appear, none have been reported:
Known issues
Version 4.0.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Release history for the Splunk Add-on for Box
The latest version of the Splunk Add-on for Box is version 4.0.0. See Release notes of the latest version.
Version 3.12.1
Version 3.12.1 of the Splunk Add-on for Box was released on January 17, 2025.
Compatibility
Version 3.12.1 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.0.x, 9.1.x, 9.2.x, 9.3.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Fixed issues
Version 3.12.1 of the Splunk Add-on for Box fixes the following issues. If none appear, none have been reported:
Known issues
Version 3.12.1 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.12.0
Version 3.12.0 of the Splunk Add-on for Box was released on December 6, 2024.
Compatibility
Version 3.12.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.0.x, 9.1.x, 9.2.x, 9.3.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
New Features
Version 3.12.0 of the Splunk Add-on for Box contains the following new features:
- Added a new File Ingestion Input that allows users to ingest the contents of JSON, CSV, XML, TEXT, TXT, and LOG files. See Configure File Ingestion Input for more information.
- Added support for Box SDK v3.13.0.
Fixed issues
Version 3.12.0 of the Splunk Add-on for Box fixes the following issues.
Version 3.11.0
Version 3.11.0 of the Splunk Add-on for Box was released on July 22, 2024.
Compatibility
Version 3.11.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.0.x, 9.1.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.11.0 of the Splunk Add-on for Box contains the following new features:
- Verified IPv6 compliance checks for the add-on and enhanced TA functionality.
- Added support for Box SDK v3.9.2.
Fixed issues
Version 3.11.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.11.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.10.1
Version 3.10.1 of the Splunk Add-on for Box was released on December 22, 2023.
Compatibility
Version 3.10.1 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.0.x, 9.1.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.10.1 of the Splunk Add-on for Box contains the following new features:
- Fixed the security vulnerabilities found in the certifi and urllib3 libraries by upgrading certifi from 2022.12.7 to 2023.11.17 and urllib3 from 1.26.6 to 1.26.18.
Fixed issues
Version 3.10.1 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.10.1 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.10.0
Version 3.10.0 of the Splunk Add-on for Box was released on December 22, 2023.
Compatibility
Version 3.10.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.10.0 of the Splunk Add-on for Box contains the following new features:
- Added support for Box SDK v3.7.2.
Fixed issues
Version 3.10.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.10.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.9.0
Version 3.9.0 of the Splunk Add-on for Box was released on October 27, 2022.
Compatibility
Version 3.9.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.9.0 of the Splunk Add-on for Box contains the following new features:
- Added support for Box SDK v3.5.1.
- Modified timestamp field extraction to be extracted from “modified_at”. The following source types are affected by this change:
  - box:users
  - box:folder
  - box:folderCollaboration
  - box:file
  - box:fileComment
- Minor bug fixes and enhancements.
Note
This change regarding timestamp field extraction does not apply to already indexed events.
Fixed issues
Version 3.9.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.9.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.8.0
Version 3.8.0 of the Splunk Add-on for Box was released on October 27, 2022.
Compatibility
Version 3.8.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.8.0 of the Splunk Add-on for Box contains the following new features:
- Uses the KV Store for checkpointing instead of files, for better reliability and performance.
Note
Confirm that you enabled the KV Store service on your Splunk instance. Refer to Troubleshooting to check the status of your KV Store service.
Note
For the Splunk Add-on for Box version 3.6.0 and higher, we no longer support the SOCKS4 proxy. Splunk best practice is to use an HTTP or SOCKS5 proxy instead.
Fixed issues
Version 3.8.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.8.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.7.0
Compatibility
Version 3.7.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.7.0 of the Splunk Add-on for Box contains the following new features:
- Added support for Box SDK v3.3.0.
Note
For the Splunk Add-on for Box version 3.6.0 and higher, we no longer support the SOCKS4 proxy. Splunk best practice is to use an HTTP or SOCKS5 proxy instead.
Fixed issues
Version 3.7.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.7.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a Document file for download: Splunk Add-on for Box third-party software credits.
Version 3.6.0
Version 3.6.0 of the Splunk Add-on for Box was released on April 21, 2022.
Compatibility
Version 3.6.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 5.0.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.6.0 of the Splunk Add-on for Box contains the following new features:
- Compatibility with CIM version 5.0.1.
- Updated to version 3.2.0 of the Box SDK.
- SSL Certificate Management Solution.
- Added support for Box Shield events.
- CIM mapping and enhancements for events associated with the SHIELD_ALERT Box Event_type, which maps to these 4 source types for Threat Detection Alerts:
  - Suspicious locations
  - Suspicious sessions
  - Anomalous downloads
  - Malicious content
- Mapped the following Box Event_types with the box:events source type to the Account_Management data model:
  - EMAIL_ALIAS_REMOVE
  - EMAIL_ALIAS_ADD_UNCONFIRMED
  - EMAIL_ALIAS_CONFIRM
- Mapped the following Box Event_type with the box:events source type to the All_Changes data model:
  - UPDATE_SHARE_EXPIRATION
Note
For the Splunk Add-on for Box version 3.6.0 and higher, we no longer support the SOCKS4 proxy. Splunk best practice is to use an HTTP or SOCKS5 proxy instead.
Data Model Changes
Version 3.6.0 of the Splunk Add-on for Box introduces data model changes for the box:events source type. See the following table for the data model changes:
Source type | Box Event_type | Previous Data Model | New Data Model |
---|---|---|---|
box:events | EMAIL_ALIAS_REMOVE, EMAIL_ALIAS_ADD_UNCONFIRMED, EMAIL_ALIAS_CONFIRM | | Change:Account_Management |
box:events | UPDATE_SHARE_EXPIRATION | | Change:All_Changes |
box:events | SHIELD_ALERT | Alerts:Alerts | Malware:Malware_Attacks |
Note
For the SHIELD_ALERT Box Event_type, Malicious Content events are mapped to the Malware:Malware_Attacks data model and the remaining events are mapped to the Alerts data model.
Field Mapping Changes
Version 3.6.0 of the Splunk Add-on for Box introduces field changes to the box:events source type.
This table includes events whose dataset changed within the same data model; it does not include events whose data model changed.
Field mapping changes for the box:events source type
Source type | Box Event_type | Fields added | Fields removed | Fields modified |
---|---|---|---|---|
box:events | EMAIL_ALIAS_REMOVE | src_user, src_user_name | | object_attrs |
box:events | UPDATE_SHARE_EXPIRATION | | | object_attrs |
box:events | EMAIL_ALIAS_ADD_UNCONFIRMED | action, status, src_user, src_user_name | | object_attrs |
box:events | EMAIL_ALIAS_CONFIRM | src_user, src_user_name | | object_attrs |
box:events | SHIELD_ALERT | file_hash, file_name | | src |
Sample values for modified source types
The following table displays the field changes for the box:events source type.
box:events source type field changes
Box Event_type | Field modified | Sample value for modified field in 3.5.0 | Sample value for modified field in 3.6.0 |
---|---|---|---|
UPDATE_SHARE_EXPIRATION | object_attrs | directory | expiration |
EMAIL_ALIAS_REMOVE, EMAIL_ALIAS_CONFIRM, EMAIL_ALIAS_ADD_UNCONFIRMED | object_attrs | user | email alias |
SHIELD_ALERT | src | Unknown IP | 117.99.61.179 |
Fixed issues
Version 3.6.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.6.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for Box third-party software credits.
Version 3.5.0
Version 3.5.0 of the Splunk Add-on for Box was released on February 2, 2022.
Compatibility
Version 3.5.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 5.0.0 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features
Version 3.5.0 of the Splunk Add-on for Box contains the following new features:
- Updated to the Box SDK version 2.14.0.
- Introduced a new input that supports the Box Enterprise Event Stream API.
- Compatibility with CIM version 5.0.0.
- Fixed the following issues:
  - The “Interval” field was not updated to the default value when the endpoint was changed while configuring an input.
  - Future dates were accepted in the “Collect since timestamp” field while configuring an input.
  - If no value was selected in the “Collect since timestamp” field, the default date of 90 days was not reflected in the UI while editing the input.
- Minor bug fixes and UI enhancements.
Note
This release introduces changes on the Inputs page, where a new input has been added and an existing input has been renamed.
For more information about these changes and the configuration guide, refer to the Configure inputs page.
Fixed issues
Version 3.5.0 of the Splunk Add-on for Box fixes the following issues.
Known issues
Version 3.5.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for Box third-party software credits.
Version 3.4.1
Version 3.4.1 of the Splunk Add-on for Box was released on November 16, 2021.
Compatibility
Version 3.4.1 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.20.2 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Fixed issues
Version 3.4.1 of the Splunk Add-on for Box fixes the following issues:
Known issues
Version 3.4.1 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for Box third-party software credits.
Version 3.4.0
Version 3.4.0 of the Splunk Add-on for Box was released on October 15, 2021.
Compatibility
Version 3.4.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20.2 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The new field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 3.4.0 of the Splunk Add-on for Box contains the following new features:
- Enhanced CIM mappings and added support for the latest CIM version v4.20.2.
- Added support for the newly introduced DataAccess data model.
- Updated data model and CIM mappings for 31 event_types of the box:events sourcetype to the DataAccess data model.
- Updated the action and object_attrs field values for the box:events source type to CIM-compliant values.
- Changed the mappings for the user, src_user, and object (when the object is a user) CIM fields to the unique login IDs.
- Updated the user and description CIM fields for the box:users source type.
- Removed the CIM tags from the ACCESS_GRANTED and ACCESS_REVOKED events for the box:events source type.
Note
For more detailed CIM field mapping changes, see the tables below.
Note
The extractions for the CIM fields user, src_user, and object (when the object is a user) have been updated to unique login IDs instead of the first and last names as part of this release. This could be a breaking change for content that uses these fields in the existing add-on version.
Data Model Changes
Version 3.4.0 of the Splunk Add-on for Box introduces data model changes for the box:events sourcetype. See the following table for information on the data model changes:
Source type | Event_type | Previous Data Model | New Data Model |
---|---|---|---|
box:events | ACCESS_GRANTED, ACCESS_REVOKED | Change:All | No Data Model |
box:events | APPLICATION_CREATED, OAUTH2_ACCESS_TOKEN_REVOKE | Change:All | Change:AccountManagement |
box:events | COPY, DELETE, DOWNLOAD, EDIT, ITEM_OPEN, ITEM_MODIFY, LOCK, UNLOCK, MOVE, PREVIEW, RENAME, UNSHARE, SHARE, STORAGE_EXPIRATION, TASK_ASSIGNMENT_CREATE, TASK_CREATE, TASK_ASSIGNMENT_UPDATE, UNDELETE, UPLOAD, WATERMARK_LABEL_CREATE, WATERMARK_LABEL_DELETE | Change:All | Data Access |
box:events | GROUP_CREATION, GROUP_EDITED, GROUP_DELETION, REMOVE_LOGIN_ACTIVITY_DEVICE | Change:AccountManagement | Change:All |
Field Mapping Changes
Version 3.4.0 of the Splunk Add-on for Box introduces field changes to the box:events, box:file, and box:users sourcetypes.
This table includes events whose dataset changed within the same data model, but not events whose data model changed. For example, events that moved from the Change data model's All_Changes dataset to its Account_Management dataset are included. See https://docs.splunk.com/Documentation/CIM/4.20.0/User/Change for more information.
Sourcetype - box:events field mapping changes
Source type | event_type | Fields added | Fields removed |
---|---|---|---|
box:events | ADD_LOGIN_ACTIVITY_DEVICE | vendor_type, application_id, user_id, user_name | src_user |
box:events | ADMIN_LOGIN | user_name, user_id, signature, application_id, signature_id, user_role, vendor_type | src_user |
box:events | ADVANCED_FOLDER_SETTINGS_UPDATE | parent_object_id, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, owner | src_user |
box:events | ANNOTATIONV2_CREATE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, action, application_id, parent_object, vendor_type, object_size | src_user |
box:events | APPLICATION_CREATED | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | CHANGE_ADMIN_ROLE | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | COLLABORATION_ACCEPT | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type | src_user |
box:events | COLLABORATION_EXPIRATION | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type | src_user |
box:events | COLLABORATION_INVITE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type | src_user |
box:events | COLLABORATION_REMOVE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type | src_user |
box:events | COLLABORATION_ROLE_CHANGE | parent_object_id, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, owner | src_user |
box:events | COMMENT_CREATE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | COMMENT_DELETE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | COMMENT_EDIT | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | CONTENT_ACCESS | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, action, application_id, parent_object, vendor_type, object_size | src_user |
box:events | CONTENT_WORKFLOW_POLICY_ADD | user_name, object_category, user_id, object, object_id, application_id, vendor_type | src_user |
box:events | CONTENT_WORKFLOW_POLICY_RETIRE | status, user_name, object_category, user_id, object, object_id, application_id, action, vendor_type | src_user |
box:events | DELETE_USER | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | EDIT_USER | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | FAILED_LOGIN | user_name, signature, application_id, signature_id, vendor_type | |
box:events | GROUP_ADD_USER | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | GROUP_ADMIN_CREATED | src_user_name, user_name, user_id, application_id, vendor_type, user_type | |
box:events | GROUP_CREATION | vendor_type, application_id, user_id, user_name | src_user |
box:events | GROUP_EDITED, GROUP_DELETION | vendor_type, application_id, user_id, user_name | src_user |
box:events | GROUP_REMOVE_USER | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | LOGIN | user_name, signature, application_id, signature_id, vendor_type | |
box:events | METADATA_INSTANCE_CREATE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | METADATA_INSTANCE_DELETE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | METADATA_INSTANCE_UPDATE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | METADATA_TEMPLATE_CREATE | user_name, object_category, user_id, object, object_id, application_id, vendor_type | src_user |
box:events | METADATA_TEMPLATE_UPDATE | user_name, object_category, user_id, object, object_id, application_id, vendor_type | src_user |
box:events | NEW_USER | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | OAUTH2_ACCESS_TOKEN_REVOKE | src_user_name, user_name, user_id, application_id, vendor_type | |
box:events | REMOVE_LOGIN_ACTIVITY_DEVICE | vendor_type, application_id, user_id, user_name | src_user |
box:events | RETENTION_POLICY_ASSIGNMENT_ADD | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type | src_user |
box:events | SHARED_LINK_REDIRECT_OUT_OF_SHARED_CONTEXT | parent_object_id, owner, owner_email, user_name, id, description, user_id, owner_id, parent_object_category, severity, signature_id, application_id, parent_object, vendor_type, object_size | src_user |
box:events | SHARE_EXPIRATION | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | SHIELD_ALERT | user_name, id, description, user_id, signature, severity_id, severity, signature_id, application_id, vendor_type | src_user |
box:events | TASK_UPDATE | parent_object_id, owner, owner_email, user_name, user_id, owner_id, parent_object_category, application_id, parent_object, vendor_type, object_size | src_user |
box:events | WORKFLOW_AUTOMATION_CREATE | user_name, user_id, application_id, action, vendor_type, status | src_user, object_id |
box:events | WORKFLOW_AUTOMATION_UPDATE | user_name, user_id, application_id, action, vendor_type, status | src_user, object_id |
Sourcetype - box:users field mapping changes
Source type | sourcetype | Fields added | Fields removed |
---|---|---|---|
box:users | box:users | user_role | |
Sourcetype - box:file field mapping changes
Source type | sourcetype | Fields added | Fields removed |
---|---|---|---|
box:file | box:file | vendor_description | |
Fixed issues
Version 3.4.0 of the Splunk Add-on for Box fixes the following issues:
Known issues
Version 3.4.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for Box third-party software credits.
Version 3.3.2¶
Version 3.3.2 of the Splunk Add-on for Box was released on July 23, 2021.
Compatibility¶
Version 3.3.2 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.18.1 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 3.3.2 of the Splunk Add-on for Box contains the following new features:
- Fast and intuitive UI with an improved look and feel.
- Fixed critical security issue by removing jquery2.
- Removed python2 support. Splunk only supports python3 and 8.x or above for future releases.
- Updated to the Box SDK version 2.12.0
- Compatibility with CIM version 4.18.1 and enhanced mappings:
- Mapped box:fileComment, box:fileTask, box:folderCollaboration & box:groups source types to Inventory DM.
- Updated dest field value from cloud to box.com, which is more meaningful.
- Removed user_category field from the box:events source type.
- Removed enabled & serial fields from the box:folder source type.
- Removed serial field from the box:folderCollaboration source type.
- Removed serial & user_category fields from the box:users source type.
- Fixed issue where the data collection for all enabled inputs was triggered hourly instead of according to the provided Collection Interval.
- Fixed issue where data was collected for all the file, tasks, comments and folders instead of selected checkboxes for the Folders endpoint.
- Enhanced UI validations.
- Minor bug fixes.
Fixed issues¶
Version 3.3.2 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 3.3.2 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download: Splunk Add-on for Box third-party software credits
Version 3.2.0¶
Version 3.2.0 of the Splunk Add-on for Box was released on August 10, 2020.
Compatibility¶
Version 3.2.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.2.x, 7.3.x, 8.0.x, 8.1.x, 8.2.x |
CIM | 4.15 |
Platforms | Linux and Windows |
Vendor Products | Box |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 3.2.0 of the Splunk Add-on for Box contains the following new features:
- Enhanced ability to add offsets while scanning events to recover delayed events written by Box.
Fixed issues¶
Version 3.2.0 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 3.2.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 3.2.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
Version 3.1.0¶
Version 3.1.0 of the Splunk Add-on for Box was released on June 15, 2020.
Compatibility¶
Version 3.1.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.14 |
Platforms | Linux and Windows |
Vendor Products | Box |
New features¶
Version 3.1.0 of the Splunk Add-on for Box contains the following new features:
- Enhanced compatibility with version 4.14 of the Common Information Model (CIM).
- Enhanced security features.
Fixed issues¶
Version 3.1.0 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 3.1.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 3.1.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
Version 3.0.1¶
Version 3.0.1 of the Splunk Add-on for Box was released on March 10, 2020.
Compatibility¶
Version 3.0.1 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.0 |
CIM | 4.14 |
Platforms | Linux and Windows |
Vendor Products | Box |
New features¶
Version 3.0.1 of the Splunk Add-on for Box contains the following new features:
- Default support for Python3
Fixed issues¶
Version 3.0.1 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 3.0.1 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 3.0.1 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
- Box Python SDK
- enum34
- Httplib2 Python library
- PySocks
- requests
- requests-toolbelt
- SortedContainers
- UCC components
Version 3.0.0¶
Version 3.0.0 of the Splunk Add-on for Box was released on December 17, 2019.
Compatibility¶
Version 3.0.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.0 |
CIM | 4.14 |
Platforms | Linux and Windows |
Vendor Products | Box |
New features¶
Version 3.0.0 of the Splunk Add-on for Box contains the following new features:
- Support for Python3
Fixed issues¶
Version 3.0.0 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 3.0.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 3.0.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
- Box Python SDK
- enum34
- Httplib2 Python library
- PySocks
- requests
- requests-toolbelt
- SortedContainers
- UCC components
Version 2.1.0¶
Version 2.1.0 of the Splunk Add-on for Box was released on August 19, 2019.
Compatibility¶
Version 2.1.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x |
CIM | 4.13 |
Platforms | Linux and Windows |
Vendor Products | Box |
New features¶
Version 2.1.0 of the Splunk Add-on for Box contains the following new features:
- Support for a configurable disable_ssl_certificate_validation parameter.
- Ability to identify whether Box files are publicly or privately shared.
- Ability to enable viewing of the entire parent structure of an asset.
Fixed issues¶
Version 2.1.0 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 2.1.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 2.1.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
- Box Python SDK
- enum34
- Httplib2 Python library
- PySocks
- requests
- requests-toolbelt
- SortedContainers
- UCC components
Version 2.0.0¶
Version 2.0.0 of the Splunk Add-on for Box was released on October 15, 2018.
The Splunk Add-on for Box version 2.0.0 introduces breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Box, you must follow the steps outlined in Upgrade Addon to prevent data loss.
Compatibility¶
Version 2.0.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x |
CIM | 4.11 |
Platforms | Linux and Windows |
Vendor Products | Box |
New features¶
Version 2.0.0 of the Splunk Add-on for Box contains the following new features:
- Improved alert messaging
- Support for multiple accounts
- To distinguish between data collected from different Box accounts, the source field contains the Box URL next to the data input name.
Fixed issues¶
Version 2.0.0 of the Splunk Add-on for Box fixes the following issues:
Known issues¶
Version 2.0.0 of the Splunk Add-on for Box has the following known issues.
Error: created_after is invalid since it is in the future¶
Version 2.0.0 of the Splunk Add-on for Box has a known issue with the created_after field. It switches this value after initial data ingestion. Complete the following steps to resolve this issue:
- From the UI of the Splunk Add-on for Box, disable your input.
- Delete the checkpoint file from $SPLUNK_HOME/var/lib/splunk/modinputs/box_service/.
- Update line 271 of $SPLUNK_HOME/etc/apps/Splunk_TA_box/bin/box_data_loader.py. It reads `before = datetime.strftime(before, self.time_fmt)`. Replace this line with `before = datetime.strftime(min(before, datetime.utcnow()), self.time_fmt)`.
- (Optional) Update your collect_since value to avoid data duplication.
- Enable your input again.
Third-party software attributions¶
Version 2.0.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries:
Version 1.2.0¶
Version 1.2.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms.
About this release¶
Splunk platform versions | 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x |
CIM | 4.11 |
Platforms | Linux |
Vendor Products | Box |
This version of the add-on drops support for Splunk platform versions older than 6.3.X. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.X before upgrading the add-on.
New features¶
Version 1.2.0 of the Splunk Add-on for Box contains the following new features:
- Support for SSL intercept mode in proxy.
Fixed issues¶
Version 1.2.0 of the Splunk Add-on for Box fixes the following issues.
Known issues¶
Version 1.2.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 1.2.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries.
Version 1.1.1¶
Version 1.1.1 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms.
About this release¶
Splunk platform versions | 6.4.x and later |
CIM | 4.1 and later |
Platforms | Linux |
Vendor Products | Box |
This version of the add-on drops support for Splunk platform versions older than 6.3.X. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.X before upgrading the add-on.
Version 1.1.0¶
Version 1.1.0 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.3.x and later |
CIM | 4.1 and later |
Platforms | Linux |
Vendor Products | Box |
This version of the add-on drops support for Splunk platform versions older than 6.3.X. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.X before upgrading the add-on.
New features¶
Version 1.1.0 of the Splunk Add-on for Box contains the following new features.
Date | Issue number | Description |
---|---|---|
2016-06-13 | ADDON-6817 | After you install the Splunk Add-on for Box on the search head, the Splunk platform no longer prompts you to perform any add-on setup, which is not required on the search head. |
2016-06-09 | ADDON-8414 | New pre-built panel for troubleshooting API errors. |
2016-06-02 | ADDON-6087 | The Splunk Add-on for Box now uses Box SDK for authentication, token refreshing, and auto retry on error. |
2016-06-02 | ADDON-9769 | Adjusted the order of the Box File API calls. |
2016-06-02 | ADDON-8415 | Prevented unnecessary Box API calls when a file does not exist. |
2016-05-25 | ADDON-9464 | Support for Box Verified Enterprise (BVE). |
Fixed issues¶
Version 1.1.0 of the Splunk Add-on for Box fixes the following issues.
Known issues¶
Version 1.1.0 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 1.1.0 of the Splunk Add-on for Box incorporates the following third-party software or libraries.
Version 1.0.2¶
Version 1.0.2 of the Splunk Add-on for Box is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.1.x and above |
CIM | 4.1 and above |
Platforms | Linux |
Vendor Products | Box |
Fixed issues¶
Version 1.0.2 of the Splunk Add-on for Box fixes the following issues.
Known issues¶
Version 1.0.2 of the Splunk Add-on for Box has the following known issues.
Third-party software attributions¶
Version 1.0.2 of the Splunk Add-on for Box incorporates the
Version 1.0.1¶
Version 1.0.1 of the Splunk Add-on for Box has the same compatibility specifications as version 1.0.2.
Migration notes¶
In order to fix an issue with gathering events from the Box API, the 1.0.1 release adjusted the behavior of the event input. No specific migration activity is required as a result of these changes.
The event input now collects only one year’s worth of historical events when you enable the event input for the first time, instead of all events. This does not affect users upgrading from version 1.0.0. However, you can now set the date from which event data should be collected using the configuration file. See the input configuration for details.
Also, in version 1.0.1, the event input collects data in intervals of 30 seconds by default. This is a change from the previous setting of 20 seconds. Any existing event inputs set to the default interval are automatically adjusted to 30 seconds in this release. You can edit the interval at any time.
Fixed issues¶
Version 1.0.1 of the Splunk Add-on for Box fixed the following issue.
Known issues¶
Version 1.0.1 of the Splunk Add-on for Box had the following known issues.
Third-party software attributions¶
Version 1.0.1 of the Splunk Add-on for Box incorporates the
Version 1.0.0¶
Version 1.0.0 of the Splunk Add-on for Box has the same compatibility specifications as Version 1.0.1.
New features¶
Version 1.0.0 of the Splunk Add-on for Box had the following new features.
Date | Issue number | Description |
---|---|---|
03/23/15 | ADDON-1389 | New Splunk-supported add-on with inputs for enterprise events, file and folder metadata, collaboration information, and user and user group data, CIM mapping, and prebuilt panels. |
Known issues¶
Version 1.0.0 of the Splunk Add-on for Box had the following known issues.
Third-party software attributions¶
Version 1.0.0 of the Splunk Add-on for Box incorporates the
Hardware and software requirements for the Splunk Add-on for Box¶
To install and configure the Splunk Add-on for Box, you must be a member of the admin or sc_admin role. This add-on communicates over HTTPS, and uses SSL/TLS security technologies.
Box requirements¶
This add-on communicates with your organization’s Box instance using the Box REST API. You must have a valid Box account assigned to a role with sufficient permissions to collect the data you want to collect. For example, use an account assigned to the Admin role to allow the add-on to collect all metadata for all files, folders, and enterprise events for the entire organization.
OS Platform¶
The Splunk Add-on for Box is platform independent.
Note
The clock on the machine being used for setup must be synced with the world clock. The timezone must be in UTC format.
Splunk platform requirements¶
Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.
- For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
- If you plan to run this add-on entirely in Splunk Cloud, there are no additional Splunk platform requirements.
- If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Installation and configuration overview for the Splunk Add-on for Box¶
Complete the following steps to install and configure this add-on:
- Configure your credentials on Box to get your Box client ID and client secret.
- On the part of your Splunk Enterprise architecture that is performing data collection for the add-on, set up the add-on using the client ID and client secret you just configured for your Box account.
- Configure your inputs to get your Box data into Splunk Enterprise.
Ended: Overview
Installation ↵
Install the Splunk Add-on for Box¶
- Get the Splunk Add-on for Box by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables below.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, Splunk Cloud, or Splunk Light.
Distributed deployments¶
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on¶
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
Splunk Instance Type | Supported | Required | Actions Required / Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install this add-on to all search heads where Box knowledge management is required. |
Indexers | Yes | No | Not required, because the parsing operations occur on the heavy forwarders. |
Heavy Forwarders | Yes | Yes | Install this add-on on heavy forwarders to perform data collection via modular inputs. |
Universal Forwarders | No | No | Install this add-on on a heavy forwarder for data collection. |
Distributed deployment feature compatibility¶
This table describes the compatibility of this add-on with Splunk distributed deployment features.
Distributed Deployment Feature | Supported | Actions Required |
---|---|---|
Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster, make the following changes to the add-on package: Remove the inputs.conf file. |
Indexer Clusters | Yes | Before installing this add-on to a cluster, remove the inputs.conf file from the add-on package. |
Deployment Server | No | Supported for deploying unconfigured add-on only. - Using a deployment server to deploy the configured add-on to multiple forwarders acting as data collectors causes duplication of data. - The add-on uses the credential vault to secure your credentials, and this credential management solution is incompatible with the deployment server. |
Installation walkthroughs¶
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Upgrade the Splunk Add-on for Box¶
Upgrade to the latest version of the Splunk Add-on for Box.
Upgrade from version 3.4.1 or above to version 3.5.0 or above of the Splunk Add-on for Box¶
There are no additional steps required for this version upgrade. See the Install the Splunk Add-on for Box topic in this manual.
Upgrade from version 3.1.0 to version 3.2.0 or later of the Splunk Add-on for Box¶
To upgrade from version 3.1.0 to version 3.2.0 or later, perform the following steps:
Note
If you are upgrading from version 3.0.1 or below to version 3.2.0 or later, perform the steps for upgrading from version 3.0.1 or earlier to version 3.1.0 in addition to these steps.
- Disable all inputs that you have currently configured in your version of the Splunk Add-on for Box.
- Upgrade the add-on using one of the following methods:
- Download the add-on from Splunkbase, and follow the steps in the Install the Splunk Add-on for Box topic in this manual.
- In Splunk Web, navigate to the Apps bar, and click Upgrade.
- Refresh your browser cache.
- In each input for the events Endpoint, edit the input and enter the Delay (seconds) parameter.
- (Optional) Set the Delay to non-zero if events from your Box deployment are missing in your Splunk platform deployment.
Note
The value of the Delay parameter must be strictly less than the value of the Interval parameter.
- Save your changes.
- Enable all the inputs.
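The window arithmetic behind the Delay offset above and behind the version 2.0.0 created_after workaround (clamping the end of the window with min(before, utcnow())), as an added Python example that is not the add-on's own code: the function names, the RFC 3339 layout in TIME_FMT and the exact way the offset is applied (start shifted back by Delay, end advanced by Interval) are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed RFC 3339 layout for the Box events API's created_after and
# created_before query parameters. This is an assumption for the example;
# the add-on's own self.time_fmt is not shown in this manual.
TIME_FMT = "%Y-%m-%dT%H:%M:%S+00:00"


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC datetime from (year, month, day, h, m, s)."""
    return datetime(*parts, tzinfo=timezone.utc)


def delay_is_valid(delay_seconds: int, interval_seconds: int) -> bool:
    """True when Delay is non-negative and strictly less than Interval.

    The upgrade note requires Delay < Interval: an offset at least as large
    as the polling interval would pull every window back over data that the
    previous poll already collected.
    """
    return interval_seconds > 0 and 0 <= delay_seconds < interval_seconds


def event_window(checkpoint: datetime, now: datetime,
                 delay_seconds: int, interval_seconds: int) -> Optional[Tuple[str, str]]:
    """Compute (created_after, created_before) for the next events poll.

    checkpoint: the created_before of the previous poll, i.e. the latest point
                already collected (timezone-aware UTC).
    now:        the current UTC time, passed in so the result is reproducible.
    Returns None when the clamped window is empty (nothing new to request).
    """
    if not delay_is_valid(delay_seconds, interval_seconds):
        raise ValueError("Delay must be >= 0 and strictly less than Interval")
    if checkpoint.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware UTC datetimes")

    # Shift the start of the window back by Delay so that events Box writes
    # late (with a timestamp before the checkpoint) are still requested.
    created_after = checkpoint - timedelta(seconds=delay_seconds)

    # The end of the window advances by one Interval from the checkpoint...
    created_before = checkpoint + timedelta(seconds=interval_seconds)

    # ...but is never allowed to run past the current time. This is the same
    # clamp the version 2.0.0 workaround applies with min(before, utcnow()):
    # Box rejects a created_before that lies in the future.
    created_before = min(created_before, now)

    if created_before <= created_after:
        return None
    return created_after.strftime(TIME_FMT), created_before.strftime(TIME_FMT)


if __name__ == "__main__":
    # Constructed sample values: the last poll ended at 12:00:00 UTC, the
    # clock now reads 20 s later, Delay = 5 s, Interval = 30 s.
    cp = utc(2021, 7, 23, 12, 0, 0)
    print(event_window(cp, utc(2021, 7, 23, 12, 0, 20), 5, 30))
    # A checkpoint that is ahead of the clock (the broken case) yields no window.
    print(event_window(cp, utc(2021, 7, 23, 11, 59, 50), 5, 30))
```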
Upgrade from version 3.0.1 or earlier to version 3.1.0 of the Splunk Add-on for Box¶
To upgrade from version 3.0.1 or earlier to version 3.1.0, perform the following steps:
- Disable all inputs that you have currently configured in your version of the Splunk Add-on for Box.
- Upgrade the add-on using one of the following methods:
- Download the add-on from Splunkbase, and follow the steps in the Install the Splunk Add-on for Box topic in this manual.
- In Splunk Web, navigate to the Apps bar, and click Upgrade.
- Stop the Splunk platform instance.
- On the heavy forwarder (HWF), navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_box/local/, and open your inputs.conf file in a text editor.
- In each input, find every instance of an interval parameter, and replace it with a duration parameter.
- Save your changes.
- On the heavy forwarder (HWF), navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_box/bin/ and remove the following folders and files:
- sockshandler.py
- socks.py
- six.py
- urllib3
- requests_toolbelt
- idna
- enum
- chardet
- certifi
- boxsdk
- bin
- requests
- Splunk_TA_box
- Start the Splunk platform instance.
- Refresh your browser cache.
- Enable your inputs.
Upgrade from versions earlier than 2.0.0¶
Caution
The Splunk Add-on for Box version 2.0.0 introduced breaking changes. If you are upgrading from version 1.2.0 or earlier to version 2.0.0 or above of the Splunk Add-on for Box, you must follow these instructions to prevent data loss.
To upgrade from version 1.2.0 or earlier to version 2.0.0 or above, follow these steps:
- Before upgrading, disable the inputs configured in Box version 1.2.0 or earlier.
- Upgrade the add-on.
- Go to the Box > Configuration > Box Account page and configure your previously configured Box account.
- Go to the Box > Input page. There is a list of inputs that had been configured before the upgrade. The Name field contains the values for the endpoint, including events, folders, users, and groups.
- At first, all configured inputs have a warning symbol next to the Name field.
- At first, the Account Name field shows Missing Box Account configuration, and the Endpoint field shows Missing Endpoint configuration.
- Reconfigure each input:
- Select the correct Box account.
- Select the Endpoint value corresponding to the Input Name to resume data collection.
- (Optional) Edit the Interval field if required. In previous versions of the Splunk Add-on for Box, the default interval was 120 seconds for events and 64,800 seconds for folders, users, and groups. After upgrading, the interval for configured data inputs is 30 seconds. You might need to edit this default interval after upgrading to version 2.0.0.
- Click Save.
- Enable the reconfigured inputs.
Ended: Installation
Configuration ↵
Configure credentials on Box for the Splunk Add-on for Box¶
Oauth 2.0 - Authorization Code Grant Type¶
Box uses OAuth 2.0 for authentication and authorization. For the Splunk Add-on for Box to collect data from the Box APIs, you must obtain an OAuth 2.0 client ID and client secret from Box. Before you attempt to set up the Splunk Add-on for Box, use the following steps to configure a Box client app and obtain these credentials.
Refer to Box documentation for more details and additional reference information.
- Log in to Box using an existing Box account. The role of the Box account that you use for this configuration step affects the scope of the data you can gather with the add-on. The account and the credentials are persistent, explicitly have more than read-only permissions in Box, and are not just used to establish an API key for the nodes to communicate:
- If you use a Box account with the admin role, the add-on has permissions to gather all metadata of all files and folders and all enterprise events for your entire organization through the Box APIs.
- If you use a Box account with a co-admin role, you need to enable the permission to “Run new reports and access existing reports” for that account.
- If you use an account with a user role, you may not be able to collect all data.
Use an account with the appropriate roles and permissions to gather the scope of data that you want to collect with the add-on.
Note
To allow Admins, Co-Admins, and Service Accounts to retrieve any content they do not own or are not collaborators on within their enterprise, you must configure the following setting as described in this Box documentation: Global Content Manager (GCM) Configuration.
- Go to https://app.box.com/master/settings/apps. The Admin role is required to access these settings.
- Select Individual Application Controls.
- Search for Splunk Add-on for Box in the search bar.
- Hover over it and select Configure. Box displays a configuration window with Splunk Add-on settings.
- In the Additional Configuration section, select + Add Integration Credentials.
- (Optional) Change the default name of the integration credentials and select Save.
- Next to OAuth 2.0 Redirect URI, in the Redirect URI field, enter the SSL-secured HTTPS URI of the Splunk platform instance that you want to be responsible for data collection from Box, usually a heavy forwarder. For example, if the URL of your heavy forwarder is https://<host>:8000/en-US/app/Splunk_TA_box/splunk_ta_box_redirect, then the redirect URI is exactly the same as this. The OAuth 2.0 specification only supports HTTPS redirects, which means you need to turn on SSL for Splunk Web on the instance you are using for Box data collection. Refer to Turn on encryption (https) with Splunk Web in the Splunk Enterprise security documentation for details on how to turn on SSL for Splunk Web.
- In Application Scopes, select the following options based on the data you want to pull from your Box account:
Application Scope | Uses |
---|---|
Read all files and folders stored in Box. | Gets data of Folders endpoint (Collect folder metadata, Collect folder collaboration, Collect file metadata). |
Read and write all files and folders in Box. | Gets data of Folders endpoint (Collect tasks and comments). |
Manage users. | Gets data of Users endpoint |
Manage groups. | Gets data of Groups endpoint |
Manage enterprise properties. | Gets data of Events endpoint |
Note
If the application scopes are changed after configuring your account in the Splunk Add-on for Box, the Box account must be reconfigured in the add-on to generate a new token that reflects the upgraded or downgraded access.
- Note down the Client ID and Client Secret in OAuth 2.0 Credentials. You need these when you set up the Splunk Add-on for Box.
- Click Save Changes.
Oauth 2.0 - Client Credentials Grant Type¶
Box supports OAuth 2.0 Client Credentials grant type for server-to-server authentication. The Splunk Add-on for Box can use this method to collect data from Box APIs without requiring user interaction. Use the following steps to configure a Box app for OAuth 2.0 Client Credentials and obtain the necessary credentials for the add-on.
Refer to Box documentation for additional reference information.
Prerequisites¶
Before you configure OAuth 2.0 Client Credentials in Box, ensure the following requirements are met:
- A Box Platform Application using Server Authentication (Client Credentials Grant), created in the Box Developer Console.
- 2FA enabled on your Box account to view and copy the application’s client secret from the configuration tab.
- The application must be authorized in the Box Admin Console.
Steps to configure an OAuth 2.0 Client Credentials App in Box Developer Console¶
- Log in to the Box Developer Console using your Box account.
- Navigate to My Platform Apps and click Create New App.
- In App Type, select Custom App.
- Provide a name and any other required details, then click Next.
- Under App Authentication, select Server Authentication (Client Credentials Grant).
- Click Create App.
- Under the Application Access section, select App Access + Enterprise Access.
- Under Application Scopes, enable the following permissions:
Application Scope | Uses |
---|---|
Read all files and folders stored in Box. | Gets data of Folders endpoint (Collect folder metadata, Collect folder collaboration, Collect file metadata). |
Read and write all files and folders in Box. | Gets data of Folders endpoint (Collect tasks and comments). |
Manage users. | Gets data of Users endpoint |
Manage groups. | Gets data of Groups endpoint |
Manage enterprise properties. | Gets data of Events endpoint |
Note
To allow Admins, Co-Admins, and Service Accounts to retrieve any content they do not own or are not collaborators on within their enterprise, you must configure the following setting as described in this Box documentation: Global Content Manager (GCM) Configuration.
- Under Advanced Features, enable:
- Generate user access tokens
- Click Save Changes.
- Go to the Authorization tab.
- Click Review and Submit to send the app for approval by your Box enterprise admin.
Note
The app must be authorized after any change to scopes or features. Re-submit it for approval each time you make such changes.
Steps to Authorize the App in the Box Admin Console¶
- Log in to the Box Admin Console.
- In the left-hand menu, navigate to Integrations.
- Select Platform Apps Manager.
- Under Server Authentication Apps, locate your app.
- Click More, and then select Authorize App.
Set up the Splunk Add-on for Box¶
Before you follow the instructions on this page to set up the Splunk Add-on for Box, be sure to obtain your client ID and client secret from Box.
Account Configuration¶
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Configuration tab.
- Click the Accounts tab. Click on Add.
- Enter a name for the account in the Account Name field.
- From the Auth Type drop-down menu, select the appropriate authentication flow based on your use case.
Configure OAuth 2.0 - Authorization Code Grant Type¶
This flow requires an interactive login to Box.
- In the Add Box Account dialog box, fill in the required fields:
Field | Description |
---|---|
Account Name | The name of your Box account. |
Auth Type | The type of authentication. |
Client ID | The client ID that you obtained from Box. |
Client Secret | The client secret that you obtained from Box. |
Redirect URL | Copy this Redirect URL and paste it into the OAuth 2.0 Redirect URI field in your Box app configuration. |
- Click Add. The Splunk platform opens a new window to the Box login page.
- Within 30 seconds, enter your Box account credentials.
- Click Grant Access to Box. If you don’t enter credentials in time, the request will time out.
- (Optional) To configure multiple accounts, make sure you’re logged into the correct Box account in the same browser session. If unsure:
- Log out of your Box account in the browser.
- Open Splunk Web in the same browser.
- Navigate to the Splunk Add-on for Box, and go to the Configuration tab.
- Enter the Client ID and Client Secret of the desired Box account.
- Click the Save button. A pop-up will ask you to log in to Box.
- Enter your credentials.
- Click Grant Access to Box.
- Once the configuration is saved, repeat for other accounts as needed.
Configure OAuth 2.0 - Client Credentials Grant Type¶
This flow does not require user interaction.
- In the Add Box Account dialog box, fill in the required fields:

Field | Description |
---|---|
Account Name | The name of your Box account. |
Auth Type | The type of authentication. |
Client ID | The client ID that you obtained from Box. |
Client Secret | The client secret that you obtained from Box. |
Box User ID | The Box User ID of the user. |

- Click Add. Splunk uses the client credentials to obtain a token without requiring a browser login.
- Ensure your Box app has been authorized in the Box Admin Console under Integrations > Platform Apps Manager.
Note
If scopes, advanced settings, or access levels are changed in the Box app, it must be re-authorized in the Admin Console, and the Box account must be reconfigured in Splunk.
- If you’re using a proxy, check Enable Proxy and fill in the required fields under the Configuration tab. For CLI-based configuration, see Configure a proxy using configuration files.
- If authentication succeeds, the add-on securely saves the access token and refreshes it internally. If authentication fails, you may see: “Request time out while authenticating. Please try again.” Double-check the client credentials and Box app configuration, and try again.
Next, configure your inputs.
(Optional) Change logging level¶
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Configuration tab.
- Click the Logging tab.
- Select a new logging level from the drop-down menu.
- Click Save to save your configurations.
(Optional) Proxy setup¶
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Configuration tab.
- Click the Proxy tab.
- Check Enable and fill in the required fields.
Configure a proxy using configuration files¶
You can also configure your proxy using the configuration files. This gives you access to a few advanced options.
- Create or edit $SPLUNK_HOME/etc/apps/Splunk_TA_box/local/splunk_ta_box_settings.conf.
- Fill in values for your proxy using the following structure:

```ini
[box_proxy]
proxy_enabled = 0
proxy_url =
proxy_port =
proxy_username =
proxy_password =
proxy_rdns = 1
proxy_type = http
```

- Set proxy_rdns to 0 if you want the local machine to do the DNS lookup. Leaving it at 1 means that the DNS lookup occurs through the proxy.
- Set proxy_type to http_no_tunnel if that is your preference.
- Enable the proxy by setting proxy_enabled to 1.
Add SSL certificate to trust lists¶
If you encounter an SSLHandshakeError, one of the following is likely:
- The SSL certificate entry is missing from your certificate store.
- The Box server is configured with a self-signed certificate that isn’t present in the library’s certificate store.
Follow these steps to resolve the issue:
- Download the root CA certificate used in your Box deployment.
- Copy the contents of the new certificate.
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_box.
- Create a new .pem file and add the content of the new certificate. If the file already exists, append the new certificate content to it.
- Open the local/splunk_ta_box_settings.conf file in a text editor. Create it if it does not exist.
- Add the ca_certs_path parameter as below:

```ini
[additional_parameters]
ca_certs_path=/opt/splunk/etc/apps/Splunk_TA_box/custom_ca_certs.pem # <absolute path to the <certs_file>.pem file>
```

- Save your changes.
- Restart your Splunk instance.
Note
If you use the ca_certs_path parameter as described in the steps above, the certificates of all the Box servers configured in the add-on must be present in the .pem file.
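As an added example (not part of the Splunk Add-on for Box or its documentation), the following Python script checks the two stanzas described in the proxy and certificate sections above before you restart Splunk: it validates the keys of [box_proxy], checks that ca_certs_path is an absolute path to a .pem file, and appends a new certificate to an existing bundle only when it is not already present, which is the documented "append if the file is already present" step without duplicate entries. The allowed values, the 1-65535 port range and the PEM de-duplication logic are this example's own assumptions; the sample stanza and the PEM blocks are constructed placeholders, not real credentials or certificates.

```python
"""Sanity-check [box_proxy] and [additional_parameters] in
splunk_ta_box_settings.conf and the .pem bundle ca_certs_path points at.

Added example; not part of the Splunk Add-on for Box. Stanza and key names
are the documented ones; allowed values, port range and PEM handling are
this example's assumptions.
"""
import configparser
import os
import re
from typing import List

# proxy_type values mentioned in the documentation, treated here as the allowed set.
ALLOWED_PROXY_TYPES = {"http", "http_no_tunnel"}

# Constructed sample of the two stanzas (not from a real deployment).
SAMPLE_SETTINGS = """
[box_proxy]
proxy_enabled = 1
proxy_url = proxy.example.internal
proxy_port = 3128
proxy_username = svc-splunk
proxy_password = not-a-real-password
proxy_rdns = 1
proxy_type = http

[additional_parameters]
ca_certs_path = /opt/splunk/etc/apps/Splunk_TA_box/custom_ca_certs.pem  # <absolute path>
"""

# Constructed PEM blocks with placeholder bodies (not real certificates).
CERT_A = "-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"
CERT_B = "-----BEGIN CERTIFICATE-----\nMIIBBBBB\n-----END CERTIFICATE-----\n"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _load(conf_text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; '#' after whitespace starts a trailing comment.
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    return cp


def check_proxy_stanza(conf_text: str) -> List[str]:
    """Return the problems found in [box_proxy]; an empty list means it looks sane."""
    cp = _load(conf_text)
    if not cp.has_section("box_proxy"):
        return ["missing [box_proxy] stanza"]
    p = cp["box_proxy"]
    problems = []
    if p.get("proxy_enabled", "0") not in ("0", "1"):
        problems.append("proxy_enabled must be 0 or 1")
    if p.get("proxy_rdns", "1") not in ("0", "1"):
        problems.append("proxy_rdns must be 0 or 1")
    if p.get("proxy_type", "http") not in ALLOWED_PROXY_TYPES:
        problems.append("proxy_type must be one of %s" % sorted(ALLOWED_PROXY_TYPES))
    if p.get("proxy_enabled") == "1":
        # Connection details only matter once the proxy is actually switched on.
        if not p.get("proxy_url", "").strip():
            problems.append("proxy_url is empty but proxy_enabled = 1")
        port = p.get("proxy_port", "").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("proxy_port must be an integer between 1 and 65535")
        if p.get("proxy_username") and not p.get("proxy_password"):
            problems.append("proxy_username is set but proxy_password is empty")
    return problems


def check_ca_certs_path(conf_text: str) -> List[str]:
    """ca_certs_path must be an absolute path to a .pem file (existence not checked here)."""
    path = _load(conf_text).get("additional_parameters", "ca_certs_path", fallback="").strip()
    if not path:
        return ["ca_certs_path is not set"]
    problems = []
    if not os.path.isabs(path):
        problems.append("ca_certs_path must be an absolute path")
    if not path.endswith(".pem"):
        problems.append("ca_certs_path should point at a .pem bundle")
    return problems


def count_certs(pem_text: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return len(_PEM_BLOCK.findall(pem_text))


def append_cert_if_missing(bundle: str, new_cert: str) -> str:
    """Append the certificate(s) in new_cert to bundle, skipping any already present."""
    new_bodies = _PEM_BLOCK.findall(new_cert)
    if not new_bodies:
        raise ValueError("no PEM CERTIFICATE block found in the new certificate")
    present = {b.replace("\n", "") for b in _PEM_BLOCK.findall(bundle)}
    out = bundle
    for body in new_bodies:
        if body.replace("\n", "") in present:
            continue
        if out and not out.endswith("\n"):
            out += "\n"
        out += "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
        present.add(body.replace("\n", ""))
    return out
```

Run `check_proxy_stanza` and `check_ca_certs_path` on the text of your local settings file and fix anything they report before restarting; `append_cert_if_missing` is what you would use when several Box servers each need their CA added to the same bundle.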
Comparison between Historical Querying Inputs and Live Monitoring Inputs¶
As part of version 3.5.0 of the Splunk Add-on for Box, a new input has been introduced named “Live Monitoring Inputs”. The existing input has been renamed to “Historical Querying Inputs”.
All the older functionality of “Historical Querying Inputs” remains the same and works as expected in “Live Monitoring Inputs”. Under Historical Querying Inputs, data for the events endpoint is collected through the admin_logs API; under Live Monitoring Inputs, it is collected through the admin_logs_streaming API.
The Historical Querying Input can collect events data starting from up to 1 year in the past and then continue collecting current data at the user-defined interval. The Live Monitoring Input can collect data starting from the past 2 weeks and then continue collecting current data at the user-defined interval.
The admin_logs_streaming API, used by the Live Monitoring Input, has certain advantages and disadvantages compared with the admin_logs API; choose the input that best fits your use case. The major benefit of the new API is consistent and reduced latency, which can deliver events to Splunk noticeably sooner.
More details regarding this can be found in the Box Documentation: https://developer.box.com/guides/events/enterprise-events/for-enterprise/.
Configuration¶
The data collected by either of these inputs for the events endpoint is stored under the box:events sourcetype and can be differentiated using the source field.
Please refer to Configure Historical Querying Inputs for the Splunk Add-on for Box for steps for configuring historical querying inputs.
Please refer to Configure Live Monitoring Inputs for the Splunk Add-on for Box for steps for configuring live monitoring inputs.
Points to consider when migrating from admin_logs to admin_logs_streaming API:
- Disable the existing input of type Historical Querying Input and create a new input of type Live Monitoring Input.
- Because the new API starts bringing in data from the past 2 weeks, any data already collected through the older API for that period is duplicated.
- Some duplicated events may appear in “Live Monitoring Input”. This is the behavior of the new API that Box provides.
Configure Historical Querying Inputs for the Splunk Add-on for Box¶
To configure historical querying inputs for the Splunk Add-on for Box, complete these steps:
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Inputs tab.
- Click Create new input and then choose “Historical Querying Inputs”.
- Fill in the required fields:
Input Field Descriptions¶
Field | Description |
---|---|
Name | A name for the new input. |
Box account | The Box account with permissions for the input. Ensure you have set up the add-on to work with this Box account. |
Endpoint | The Box API endpoint relevant for collecting data for a given metric. Do not alter this value. The Splunk Add-on for Box provides four Endpoints — events, folders, users, and groups — which correspond to the four endpoints of the Box REST API. The Events endpoint is supported using admin_logs Box REST API. See the Metrics and Descriptions section below for details. |
Collect since timestamp | The date and time, after converting to UTC in YYYY-MM-DDThh:mm:ss format, after which to collect data. Default: last 90 days. Only compatible with the events metric. NOTE: The date should not exceed 1 year in the past, as data older than this is not supported by APIs. |
Interval | How often, in seconds, the Splunk platform calls the API to collect data for a metric. This value overrides the configuration of the default collection interval in the setup screen. Set to 120 seconds or above to avoid rate limiting errors. |
Delay | (Optional) Delay (measured in seconds) to be subtracted while scanning events from Box. The value should be strictly less than Interval. This Delay will be deducted from created_before and created_after Box Event API parameters while fetching events from Box. Default is 0. Set the value to non-zero if events are missed from your Box account. Only valid for the events metric. Note: The delay is also deducted from “Collect since timestamp” due to Box vendor behavior. See the Troubleshooting section for details. |
Index | The index in which the Splunk platform stores events from Box. Default is main. |
Note
When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 90 days by default, or starts collection at a different time based on what you configured on the setup page. The add-on collects this data at a maximum rate of 500 records at a time, using the collection interval (default is 120 seconds), until it catches up to the present. All event timestamps reflect the local timezone of your data collection node, which may differ from the timezone applied in Box.
Metrics and Descriptions¶
Metric | Description |
---|---|
events (admin_logs) | Box enterprise events using Box admin_logs API. |
folders | Metadata about files and folders, collaboration data for folders, file tasks and comments information. If you unchecked any of the boxes in the Box Data Collection Setup section when setting up the add-on, the corresponding data is excluded from collection. |
users | User data. |
groups | User group data. |
- Once you are satisfied with the configurations, click Enable next to the metrics you want to enable.
Checkpoint management¶
If the Splunk Add-on for Box finds an existing checkpoint for a given
input name, a Use existing data input dialogue box appears. If you
select Yes, then data is collected from that checkpoint. If you
select No, then data collection resets. It begins from the query
start date you provided, or from the default start date. This option
will only appear when editing inputs containing the events
metric.
Configure Live Monitoring Inputs for the Splunk Add-on for Box¶
To configure live monitoring inputs for the Splunk Add-on for Box, complete these steps:
- On Splunk Web, go to the Splunk Add-on for Box, either by clicking the name of this add-on on the left navigation banner, or by going to Manage Apps then by clicking Launch App in the row for the Splunk Add-on for Box.
- Click the Inputs tab.
- Click Create new input and then choose “Live Monitoring Inputs”.
- Fill in the required fields:
Field | Description |
---|---|
Name | A name for the new input. |
Box account | The Box account with permissions for the input. Ensure you have set up the add-on to work with this Box account. |
Endpoint | The Box API endpoint relevant to collecting data for a given metric. This field is disabled and its value is selected by default. The Splunk Add-on for Box provides one Endpoint — events, which uses the admin_logs_streaming Box REST API. Metric: events (admin_logs_streaming). Description: Box enterprise events using the Box admin_logs_streaming API. |
Interval | How often, in seconds, the Splunk platform calls the API to collect data for a metric. This value overrides the configuration of the default collection interval in the setup screen. Set to 120 seconds or above to avoid rate limiting errors. |
Index | The index in which the Splunk platform stores events from Box. The default is main. |
Note
When you enable the Events input for the first time, the add-on collects enterprise event data using the admin_logs_streaming API with stream position 0, which returns data starting from the past 2 weeks (the limit the Box API supports). The add-on collects this data at a maximum rate of 500 records at a time until no records are returned; subsequent calls are made at the user-defined interval (default every 120 seconds).
- Once you are satisfied with the configurations, click Enable next to the metrics you want to enable.
Checkpoint management¶
If the Splunk Add-on for Box finds an existing checkpoint for a given
input name, a Use existing data input dialogue box appears. If you
select Yes, then data is collected from that checkpoint. If you
select No, then data collection resets. It begins from the stream
position 0, which starts bringing data from the past 2 weeks. This
option will only appear when editing inputs containing the events
metric.
Configure File Ingestion Input for the Splunk Add-on for Box¶
To configure File Ingestion inputs for the Splunk Add-on for Box, complete these steps:
- On Splunk Web, go to the Splunk Add-on for Box, either by selecting the name of the add-on on the navigation banner, or by going to Manage Apps then selecting Launch App in the Splunk Add-on for Box section.
- Select Inputs.
- Select Create new input and then select File Ingestion Input.
- Fill in the required fields:

Field | Description |
---|---|
Name | A name for the new input. |
Box account | The Box account with permissions for the input. Ensure you have set up the add-on to work with this Box account. |
File/Folder ID | Enter the File/Folder ID found in the Box portal URL (e.g., https://app.box.com/folder/123456789), where the numbers at the end represent the ID. |
Interval | How often, in seconds, the Splunk platform calls the API to collect data for a metric. This value overrides the configuration of the default collection interval in the setup screen. The default interval value is set to 86400 seconds. |
Index | The index in which the Splunk platform stores events from Box. The default is main. |
Note
The following file extensions are supported for file ingestion input: .json, .xml, .csv, .txt, .text, and .log. Files with other extensions will not be ingested.
- JSON Files: Each JSON object will be ingested as a separate event in Splunk.
- XML Files: Only valid XML content will be ingested as a single event in Splunk. If the XML content is invalid, the file will not be ingested.
- CSV Files: Each row in the CSV file will be ingested as a separate event in Splunk.
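The following Python module is an added example (not the add-on's own ingestion code) that applies the rules listed above to a file's content: unsupported extensions are rejected, each JSON object becomes one event, an XML file becomes one event only if it is well-formed, and each CSV row becomes one event. It also covers the invalid-JSON case from the troubleshooting section. Assumptions of this example: a JSON file may be an array, a single object, or one object per line; CSV rows are emitted as JSON objects keyed by the header row; and txt, text and log files are split one event per line. The sample inputs are constructed.

```python
"""Split the content of a Box file into events using the documented rules.

Added example; not the Splunk Add-on for Box's own code. Supported extensions
and per-format rules follow the documentation; JSON splitting, CSV row
encoding and line splitting of txt/text/log files are this example's choices.
"""
import csv
import io
import json
import os
import xml.etree.ElementTree as ET
from typing import List

SUPPORTED_EXTENSIONS = {".json", ".xml", ".csv", ".txt", ".text", ".log"}


class UnsupportedExtension(ValueError):
    """The file would not be ingested at all."""


def _json_events(content: str) -> List[str]:
    """One event per JSON object; raises ValueError when the content is not valid JSON."""
    try:
        doc = json.loads(content)
    except ValueError:
        # Fall back to one object per line; any malformed line makes the whole file invalid.
        lines = [ln for ln in content.splitlines() if ln.strip()]
        if not lines:
            raise
        doc = [json.loads(ln) for ln in lines]
    items = doc if isinstance(doc, list) else [doc]
    return [json.dumps(item, separators=(",", ":")) for item in items]


def _xml_events(content: str) -> List[str]:
    """The whole document is one event, but only if it is well-formed XML."""
    try:
        ET.fromstring(content)  # well-formedness check only; the parsed tree is not used
    except ET.ParseError as exc:
        raise ValueError("invalid XML, file not ingested: %s" % exc) from exc
    return [content.strip()]


def _csv_events(content: str) -> List[str]:
    """One event per data row, with fields named by the header row."""
    reader = csv.DictReader(io.StringIO(content))
    return [json.dumps(row, separators=(",", ":")) for row in reader]


def split_events(filename: str, content: str) -> List[str]:
    """Return the events the file yields, or raise when it would not be ingested."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SUPPORTED_EXTENSIONS:
        raise UnsupportedExtension("%s: extension %r is not supported" % (filename, ext))
    if ext == ".json":
        return _json_events(content)
    if ext == ".xml":
        return _xml_events(content)
    if ext == ".csv":
        return _csv_events(content)
    # .txt, .text, .log: one event per non-empty line (this example's assumption)
    return [ln for ln in content.splitlines() if ln.strip()]


# Constructed sample inputs (not real Box files).
SAMPLE_JSON = '[{"user": "alice", "action": "LOGIN"}, {"user": "bob", "action": "DOWNLOAD"}]'
SAMPLE_NDJSON = '{"user": "alice"}\n{"user": "bob"}\n'
SAMPLE_CSV = "user,action\nalice,LOGIN\nbob,DOWNLOAD\n"
SAMPLE_XML_OK = "<events><event user='alice'/></events>"
SAMPLE_XML_BAD = "<events><event user='alice'></events>"

if __name__ == "__main__":
    for name, body in [("audit.json", SAMPLE_JSON), ("stream.json", SAMPLE_NDJSON),
                       ("audit.csv", SAMPLE_CSV), ("audit.xml", SAMPLE_XML_OK)]:
        print(name, split_events(name, body))
    try:
        split_events("audit.xml", SAMPLE_XML_BAD)
    except ValueError as err:
        print("skipped:", err)
```

Running the module against a file before uploading it to the monitored folder tells you whether it will be ingested and how many events to expect, which is a quick way to explain a count mismatch between Box and the index.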
Troubleshooting ↵
Troubleshoot the Splunk Add-on for Box¶
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Extract the precise location (dest) for the files, folders, and events of the box:events sourcetype¶
Some logs do not provide the location of the files and folders, for example a file path or a shared URL. Specifically, the vendor does not include this information in the logs of the box:events sourcetype, so the add-on assigns the generic value box.com to the CIM field “dest” for this sourcetype. If you need the actual, more precise location (the “dest” CIM field value) for files and folders, you can run an additional search against the box:file or box:folder sourcetypes, where the precise location of the files and folders can be retrieved, since the vendor provides it there.
Perform the following search to find the exact location (“dest” field) of a particular file or folder. If you don’t want to override the existing “dest” field, provide another field name in the last eval command of the search query.

```spl
sourcetype="box:events" (source_item_id=* OR source_folder_id=*)
| eval unique_id = coalesce(source_item_id,source_folder_id)
| join unique_id
    [ search (sourcetype="box:fi*" OR sourcetype="box:fo*") | rename id AS unique_id]
| eval dest = coalesce(shared_link_url, location)
| table unique_id, dest
```
Configuration troubleshooting¶
If you think there is something wrong with the configuration, run the following search:
eventtype=box_setup_error
403 or Permission denied errors¶
If you are seeing 403 Forbidden or “permission denied” errors, first verify that you are using a Box account with sufficient permissions. See step 1 in Configure credentials on Box for the Splunk Add-on for Box for details.
Once you have verified the account permissions are correct, try using a different browser than you usually use to get the developer token. Your browser may be caching the credentials of a different Box account, causing your Box Add-on’s token to be granted the permissions of that other account.
Logging verbosity¶
You can configure the logging verbosity on the setup page for the add-on, or in $SPLUNK_HOME/etc/apps/Splunk_TA_box/local/box.conf.
Supported log levels are DEBUG, INFO, and ERROR.
Slow data gathering¶
By default, the Splunk Add-on for Box collects all folder and file data concurrently. If there are millions of files and folders in your organization’s Box account, it may take a long time to finish all of the information gathering. The add-on includes checkpoint functionality which allows the add-on to pick up from where it left off in case Splunk platform restarts during the data collection.
The Box API has rate limiting. Concurrent folder scanning may hit the API’s rate limit and throw “rate_limit_exceeded” errors. If this occurs, the add-on throttles the data gathering, which slows the scanning speed.
Rate limit errors¶
If you see 429 Too Many Requests errors, you are hitting the rate limit imposed by the Box API. For more information, see https://box-content.readme.io/reference#rate-limiting.
Increase your polling interval to 120 seconds or more to avoid this error.
Concurrent vs sequential folder scanning¶
If you want to do sequential folder scanning instead of concurrent scanning, copy $SPLUNK_HOME/etc/apps/Splunk_TA_box/default/box.conf to your $SPLUNK_HOME/etc/apps/Splunk_TA_box/local folder, then change use_thread_pool = 1 to use_thread_pool = 0. This setting is not exposed in Splunk Web. Sequential scanning is much slower than concurrent scanning.
Reset checkpoint for historical event data collection¶
When you enable the Events input for the first time, the add-on collects historical enterprise event data for the past 90 days by default, unless you have configured a different value on the setup page. The add-on collects this data at a maximum rate of 500 records at a time using a collection interval of 120 seconds until it catches up to the present. The historical event collection occurs only the first time that you enable the input. After that, the add-on uses a checkpoint to collect only new events.
You can reset the checkpoint and index historical data again.
- Stop your Splunk platform instance.
- Navigate to $SPLUNK_HOME/var/lib/splunk/modinputs/box_service.
- Remove the events checkpoint file.
- Modify created_after in local/inputs.conf to the new historical collection start date that you prefer.
- Start your Splunk platform instance.
HTTP 400 Bad request: “created_after is invalid since it is in the future”¶
Because the original timezone is not available in the event metadata, Box events are timestamped using the local timezone of your data collection endpoint. When this local time is not consistent with UTC time, this error may occur. Check that your machine’s clock is synced with the world clock.
HTTP 400 Bad request: “created_after is beyond one year in the past”¶
The Box API currently limits historical event data collection to one year. If you set a date farther in the past than one year ago when you set up the add-on, you encounter this error. The add-on does not collect event data or set a checkpoint, so you can correct the start date to one within one year and restart data collection to recover.
404 errors for file metadata¶
404 errors are expected because files are frequently created, updated, and deleted in Box, so the resources are not persistent. If you try to access metadata about a file that is no longer there, you receive a 404 error.
OAuth access token and refresh token expiration behavior¶
The Box OAuth2 access token expires every two hours, so the add-on uses the OAuth2 refresh token to renew the access token automatically when it detects access token expiration. In some cases, the refresh token can itself expire. If this happens, you need to go to the setup page and perform the authentication and authorization again, which recreates both the access token and the refresh token. Search eventtype=box_ta_log_error "Refresh token has expired" to check whether the refresh token has expired.
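The two flows configured under Account Configuration and the expiry behaviour described here can be seen together in the following Python example. It is an added illustration, not the add-on's implementation: it builds the form bodies for the Client Credentials Grant (acting as the configured Box User ID, which is why the app needs the Generate user access tokens feature) and for a refresh-token exchange, and keeps a cached access token that is renewed shortly before the two-hour expiry, surfacing an expired refresh token as a condition that needs the account re-authorized in Splunk Web. The box_subject_type and box_subject_id parameter names follow Box's Client Credentials Grant documentation, which this page does not reproduce; the refresh request follows RFC 6749 section 6; TOKEN_URL and the five-minute refresh margin are assumptions. The HTTP POST is injected as a callable so the example runs offline.

```python
"""Token request bodies and proactive refresh for a Box OAuth 2.0 client.

Added example; not the Splunk Add-on for Box's implementation. Parameter
names for the client credentials grant are from Box's own documentation
(not this page); TOKEN_URL and REFRESH_MARGIN are assumptions.
"""
import time
from typing import Callable, Dict, Optional

TOKEN_URL = "https://api.box.com/oauth2/token"  # assumption: Box's token endpoint
ACCESS_TOKEN_LIFETIME = 2 * 60 * 60             # two hours, as described above
REFRESH_MARGIN = 5 * 60                         # renew this long before expiry


def client_credentials_body(client_id: str, client_secret: str, box_user_id: str) -> Dict[str, str]:
    """Form body for the Client Credentials Grant, acting as the given Box user."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "box_subject_type": "user",
        "box_subject_id": box_user_id,
    }


def refresh_body(client_id: str, client_secret: str, refresh_token: str) -> Dict[str, str]:
    """Form body that trades a refresh token for a new access token (RFC 6749 section 6)."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }


class ReauthorizationRequired(Exception):
    """No usable token and no way to get one without a user re-authorizing the account."""


class TokenCache:
    """Hands out a valid access token, renewing it before the two-hour expiry.

    `post(url, body)` performs the HTTP request and returns the decoded JSON
    response; `clock()` returns the current Unix time (injectable for tests).
    """

    def __init__(self, post: Callable[[str, Dict[str, str]], Dict], client_id: str,
                 client_secret: str, refresh_token: Optional[str] = None,
                 box_user_id: Optional[str] = None, clock: Callable[[], float] = time.time):
        self._post, self._clock = post, clock
        self._client_id, self._client_secret = client_id, client_secret
        self._refresh_token, self._box_user_id = refresh_token, box_user_id
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self) -> str:
        if self._token and self._expires_at - self._clock() > REFRESH_MARGIN:
            return self._token
        return self._renew()

    def _renew(self) -> str:
        if self._refresh_token:                 # authorization code flow
            body = refresh_body(self._client_id, self._client_secret, self._refresh_token)
        elif self._box_user_id:                 # client credentials flow
            body = client_credentials_body(self._client_id, self._client_secret, self._box_user_id)
        else:
            raise ReauthorizationRequired("no refresh token or Box user id configured")
        resp = self._post(TOKEN_URL, body)      # never log `body`: it carries the client secret
        if "access_token" not in resp:
            # An error response instead of a token (for example an expired refresh token)
            # means the account must be authorized again in Splunk Web.
            raise ReauthorizationRequired(resp.get("error_description", "token request failed"))
        self._token = resp["access_token"]
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + int(resp.get("expires_in", ACCESS_TOKEN_LIFETIME))
        return self._token
```

Renewing ahead of expiry rather than on the first 401 avoids a failed poll at every two-hour boundary, and keeping the refresh token only in the cache object (never in log output) is the same discipline the add-on's "securely saves the access token" wording implies.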
Files with extensions including .boxnote and .zip are not supported for preview mode. Fields such as expiring_embed_link require preview support and result in the following error:

```text
Box API error returned: Previews for <FileExtension> files are not yet supported. File id <FileID> skipped. Consider adjusting your API field parameters.
```

If you added this field to your box.conf file, remove it. Otherwise, events for these files are not indexed.
Box account configuration error¶
If you see the following error in the splunkd.log file, an enabled data input is missing Box Account configuration details:

```text
ERROR ExecProcessor - message from "python <SPLUNK_HOME>/etc/apps/Splunk_TA_box/bin/box_service.py" ERRORaccount
```
To resolve this error and to resume data collection, correct or complete your Box Account configuration details for your enabled data inputs.
Box events are missed during data collection¶
If you encounter data gaps while collecting events from your Box account, perform the following troubleshooting steps:
- Upgrade to the latest version of the Splunk Add-on for Box (3.7.0) using the Upgrade the Splunk Add-on for Box topic in this manual.
- In Splunk Web, navigate to the Inputs tab in the Splunk Add-on for Box.
- Disable the input with the “events” endpoint that you want to edit.
- Edit your input with the “events” endpoint.
- Increase the “Interval” and enter or increase the “Delay”, keeping the Delay in the range of 75%-90% of the Interval you set.
- Save the changes.
- Enable the input.
Delay is getting deducted from “Collect Since Timestamp”¶
The seconds entered in the Delay field are deducted from Collect Since Timestamp for the Events endpoint input. This is expected behavior. To compensate, add the delay you want to Collect Since Timestamp, and then configure your input.
For example, the date you want to enter for Collect Since Timestamp is 2020-08-01T00:00:00 and the Delay you want to enter is 300 seconds. In this case, add the Delay to Collect Since Timestamp: enter the date as 2020-08-01T00:05:00 with 300 seconds as Delay. Enter any other values you want, and save the input. This collects data from your expected Collect Since Timestamp.
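The arithmetic behind the Delay field of the Historical Querying (events) input, the compensation just described, the 75%-90% Delay guidance from "Box events are missed during data collection", and the two created_after conditions that Box rejects with HTTP 400 are reproduced in this added Python example (not the add-on's code). The deduction of Delay from Collect Since Timestamp and from created_after/created_before is as documented above; the shape of the poll window (the last Interval seconds, moved back by Delay) and the evaluation of "one year" as 365 days are this example's assumptions.

```python
"""Timestamp arithmetic for the Historical Querying (events) input.

Added example; not the Splunk Add-on for Box's code. Reproduces the documented
Delay deduction and the two created_after HTTP 400 conditions; the poll window
shape and the 365-day reading of "one year" are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"  # the UTC format the Collect since timestamp field expects
ONE_YEAR = timedelta(days=365)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def fmt_ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(TS_FMT)


def effective_collect_since(configured: str, delay_seconds: int) -> str:
    """What collection actually starts from: the configured value minus Delay."""
    return fmt_ts(parse_ts(configured) - timedelta(seconds=delay_seconds))


def compensated_collect_since(desired: str, delay_seconds: int) -> str:
    """The value to enter so that, after the deduction, collection starts at `desired`."""
    return fmt_ts(parse_ts(desired) + timedelta(seconds=delay_seconds))


def poll_window(now: datetime, interval: int, delay: int) -> Tuple[str, str]:
    """created_after/created_before for one poll. Both bounds move back by Delay so
    events that Box makes visible late still fall inside a window that is queried."""
    if not 0 <= delay < interval:
        raise ValueError("Delay must be >= 0 and strictly less than Interval")
    before = now - timedelta(seconds=delay)
    after = before - timedelta(seconds=interval)
    return fmt_ts(after), fmt_ts(before)


def recommended_delay_range(interval: int) -> Tuple[int, int]:
    """75%-90% of Interval, the range suggested when events are being missed."""
    return interval * 75 // 100, interval * 90 // 100


def validate_created_after(created_after: str, now: datetime) -> str:
    """Mirror the two HTTP 400 messages described in the troubleshooting sections."""
    ts = parse_ts(created_after)
    if ts > now:
        return "created_after is invalid since it is in the future"
    if ts < now - ONE_YEAR:
        return "created_after is beyond one year in the past"
    return "ok"


if __name__ == "__main__":
    # The page's own example: 2020-08-01T00:00:00 wanted, 300 seconds of Delay.
    print(compensated_collect_since("2020-08-01T00:00:00", 300))
    print(effective_collect_since("2020-08-01T00:05:00", 300))
    print(recommended_delay_range(120))
```

Checking a planned Collect since timestamp with `validate_created_after` against the current UTC time before saving the input catches both 400 errors up front, including the clock-skew case where a node whose local clock runs ahead produces a "future" created_after.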
KV Store error when collecting data¶
If you see the following error in your ta_box.log file:

```text
Error occurred while updating the start_timestamp for the input: xyz:HTTP 503 Service Unavailable -- KV Store is disabled.
```

you must enable the KV Store service to resume data collection.
UI is not loading¶
The UI pages of the add-on do not load, and the following error appears in the splunkd.log file:

```text
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_box/bin/Splunk_TA_box_rh_box_service.py", line 7, in <module>
    import import_declare_test
  File "/opt/splunk/etc/apps/Splunk_TA_box/bin/import_declare_test.py", line 13, in <module>
    import queue
  File "/opt/splunk/lib/python3.7/queue.py", line 3, in <module>
    import threading
  File "/opt/splunk/lib/python3.7/threading.py", line 8, in <module>
    from traceback import format_exc as _format_exc
  File "/opt/splunk/lib/python3.7/traceback.py", line 5, in <module>
    import linecache
  File "/opt/splunk/lib/python3.7/linecache.py", line 11, in <module>
    import tokenize
  File "/opt/splunk/lib/python3.7/tokenize.py", line 33, in <module>
    import re
  File "/opt/splunk/lib/python3.7/re.py", line 145, in <module>
    class RegexFlag(enum.IntFlag):
AttributeError: module 'enum' has no attribute 'IntFlag'
```

This issue is caused by an incorrect library structure resulting from Python 2/Python 3 compatibility handling. To resolve it, perform the following steps:
- Remove the local folder from the add-on directory and place it somewhere accessible.
- Uninstall the existing add-on and install the latest version of the add-on.
- Add the local folder back to the add-on directory.
- Restart the Splunk platform.
File Ingestion for Invalid JSON content¶
In the case of JSON files, the JSON content must be properly formed. If the JSON is invalid or improperly structured, there is a possibility that some data may not be ingested into Splunk.
Connection Issues with Custom Certificates¶
- Verify the path of the installed certificates. The certificate must be configured as specified in the TA documentation: Add SSL Certificate to Trust Lists.
- If the configuration is correct but issues persist, check the OS-level firewall settings to ensure they are not blocking the connection.
Data duplication observed while checkpoint logs are present¶
In this TA, for the folder input, the checkpointing mechanism operates in a state-based manner.
- The checkpoint is used during a single invocation to track the files and folders to be fetched during that session.
- After the invocation completes, the checkpoint becomes null.
- During the next invocation, the data is fetched again from the root, leading to duplication.
This behavior is expected and occurs because the data being collected is state-based.
Unable to reach the Box server when a proxy is enabled¶
- If the proxy is enabled, try disabling it and reattempt the connection.
- If the connection works without the proxy, there might be an issue with the proxy configuration. Review and correct the proxy settings as described in the Proxy setup section of the TA docs.
UI not loading properly and displaying a 500 error code¶
- Check the server.conf file at both the system and app levels.
- Ensure there are no misconfigurations in this file, as incorrect settings can lead to this error.