Got this TA running without too much issue on a search head that sends to a remote indexer using an index called "newbox". I can see data with the following source types:
box:users
box:folderCollaboration
box:folder
box:file
box:fileComment
box:fileTask
box:groups
Shouldn't there also be a box:events sourcetype? Essentially I want to set up the same dashboards that I have for Box App for Splunk, i.e. searches for delete events like:
index=box event_type="*delete*" OR event_type="*remove*" | dedup event_id | spath source | table created_at, created_by.name, created_by.login, event_type, source.item_type, source.item_name, source.parent.name | rename created_at as time, created_by.name as user, created_by.login as login, source.item_type as item_type, source.item_name as item_name, source.parent.name as parent_folder
The Add-on seems to have uncovered an API problem; Box may disable events polling in some cases. You might be able to avoid the threshold by slowing collection with this option: http://docs.splunk.com/Documentation/AddOns/latest/Box/Troubleshooting#Concurrent_vs_sequential_fold...
Or just disable event collection until this gets fixed. We're not sure yet where those fixes will be done or when.
We just posted version 1.0.1, which reduces the aggression level on queries a bit; there's still some more work to do on the Box side before event gathering is fully operational.
Yes, there is a box:events sourcetype.
The inputs.conf has:
[box_service://events]
rest_endpoint = events
duration = 20
The props.conf has:
[box:events]
FIELDALIAS-action = event_type AS action
FIELDALIAS-src = ip_address AS src
FIELDALIAS-src_user = created_by_name AS src_user
FIELDALIAS-src_user_category = created_by_type AS src_user_category
EVAL-object = case(isnotnull(source_item_name),source_item_name)
EVAL-object_category = case(isnotnull(source_item_type),source_item_type)
EVAL-object_id = case(isnotnull(source_item_id),source_item_id)
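To see what those props.conf rules and the delete/remove search from the question actually do to a box:events record, here is an added Python example (not code from the Add-on or from anyone in this thread). It assumes the TA extracts nested JSON into underscore-joined field names such as created_by_name and source_item_name (the names the props.conf references), that spath produces dotted names such as created_by.name, and it uses constructed sample events rather than real Box data.

```python
import json

# Field aliases and evals copied from the props.conf stanza quoted above.
FIELD_ALIASES = {
    "action": "event_type",
    "src": "ip_address",
    "src_user": "created_by_name",
    "src_user_category": "created_by_type",
}
EVAL_FIELDS = {
    "object": "source_item_name",
    "object_category": "source_item_type",
    "object_id": "source_item_id",
}
# The question's search: event_type="*delete*" OR event_type="*remove*"
# (Splunk matches field values case-insensitively).
DELETE_PATTERNS = ("delete", "remove")

# Constructed sample box:events records (illustrative, not captured Box data).
_EVT1 = {
    "event_id": "evt-1", "event_type": "DELETE",
    "created_at": "2016-03-01T10:00:00-08:00", "ip_address": "198.51.100.7",
    "created_by": {"type": "user", "name": "Alice Example", "login": "alice@example.com"},
    "source": {"item_type": "file", "item_id": "101", "item_name": "q3-report.xlsx",
               "parent": {"name": "Finance"}},
}
SAMPLE_EVENTS = [
    _EVT1,
    dict(_EVT1),  # same event returned by a later poll: dedup event_id must drop it
    {
        "event_id": "evt-2", "event_type": "COLLABORATION_REMOVE",
        "created_at": "2016-03-01T10:05:00-08:00", "ip_address": "198.51.100.9",
        "created_by": {"type": "user", "name": "Bob Example", "login": "bob@example.com"},
        "source": {"item_type": "folder", "item_id": "202", "item_name": "Shared"},
    },
    {
        "event_id": "evt-3", "event_type": "UPLOAD",
        "created_at": "2016-03-01T10:06:00-08:00", "ip_address": "198.51.100.9",
        "created_by": {"type": "user", "name": "Bob Example", "login": "bob@example.com"},
        "source": {"item_type": "file", "item_name": "notes.txt"},  # no item_id on purpose
    },
]


def flatten(obj, sep, prefix=""):
    """Flatten nested JSON into single-level keys joined by sep ("_" or ".")."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, sep, name))
        else:
            out[name] = value
    return out


def apply_props(raw):
    """Apply the FIELDALIAS-* and EVAL-* rules to one event (assumed underscore extraction)."""
    fields = flatten(raw, "_")
    normalized = dict(fields)
    for alias, src in FIELD_ALIASES.items():
        if src in fields:
            normalized[alias] = fields[src]
    # case(isnotnull(f), f) with no default: the target is only set when f exists
    for target, src in EVAL_FIELDS.items():
        if fields.get(src) is not None:
            normalized[target] = fields[src]
    return normalized


def delete_events(events):
    """Equivalent of the question's search: wildcard filter, dedup event_id, table + rename."""
    seen = set()
    rows = []
    for raw in events:
        event_type = str(raw.get("event_type", ""))
        if not any(p in event_type.lower() for p in DELETE_PATTERNS):
            continue
        if raw.get("event_id") in seen:  # dedup keeps the first occurrence
            continue
        seen.add(raw.get("event_id"))
        f = flatten(raw, ".")  # like spath: nested JSON becomes dotted field names
        rows.append({
            "time": f.get("created_at"),
            "user": f.get("created_by.name"),
            "login": f.get("created_by.login"),
            "event_type": event_type,
            "item_type": f.get("source.item_type"),
            "item_name": f.get("source.item_name"),
            "parent_folder": f.get("source.parent.name"),  # null when the source has no parent
        })
    return rows


if __name__ == "__main__":
    for row in delete_events(SAMPLE_EVENTS):
        print(json.dumps(row))
    print(json.dumps({k: v for k, v in apply_props(_EVT1).items() if k in FIELD_ALIASES or k in EVAL_FIELDS}))
```

Running it shows two rows (the duplicate poll of evt-1 is dropped, UPLOAD is filtered out) and the CIM-style fields the props.conf would add to the first event. The parent_folder column comes back empty for the folder event, which is the same behaviour the table command would give when source.parent is absent.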