Hello,
I am trying to get some box-logs into Splunk with the mentioned add-on above. I was able to do the steps listed in the Documentation and got from the box-support a confirmation that the access-logs of me on their side is fine.
So I set up the dashboard in Splunk, but in every panel I get "No results found"
Thanks and regards
What do you get when you run:
index = _internal source=box error
still struggeling, any help would be very appreciated
that log looks like your OAUTH token expired -- that can happen if some time passes without it being used. Try setting the add-on up again.
Another gotcha is that you might have a token of your own that isn't the one you want to use; we recommend using a different browser than you usually use with Box to make sure that you're getting a token for the service account instead of your personal one.
Hey thx for your reply.
Kinda embarassing but i realized i don't get ANY logs with the app. The mentioned inputs i got are from manually uploaded logs only.
So i get zero results, running your search.
I'am guessing there is connection problem. Do i have to forward something? Splunk itself is on a VM.
got some logs now: sometimes authentication succeeded, sometimes not:
splunkd.log:
12-23-2015 10:48:06.747 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error_description': u'The authorization code has expired', u'error': u'invalid_grant'}
12-23-2015 10:48:06.747 +0100 ERROR SetupAdminHandler - Error while posting to url=/servicesNS/nobody/Splunk_TA_box/box_setup/box_account/box_account
12-23-2015 10:56:38.580 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error': u'invalid_grant', u'error_description': u'The authorization code has expired'}
12-23-2015 10:56:38.580 +0100 ERROR SetupAdminHandler - Error while posting to url=/servicesNS/nobody/Splunk_TA_box/box_setup/box_account/box_account
12-23-2015 10:59:08.413 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error': u'invalid_grant', u'error_description': u'The authorization code has expired'}
splunk_ui_access.log:
127.0.0.1 - admin [23/Dec/2015:14:14:03.242 +0100] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/search/jobs/1450875152.37/control HTTP/1.1" 200 59 "https://localhost:8000/en-US/app/search/search?q=search%20index%3D_internal%20box%20error%20source%3D%22C%3A%5C%5CProgram%20Files%5C%5CSplunk%5C%5Cvar%5C%5Clog%5C%5Csplunk%5C%5Csplunkd.log%22&display.page.search.mode=smart&earliest=&latest=&sid=1450875152.37" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" - 2876a338ea88cef186a7a6d077300f11 4ms
aswell as this: ta_box.log:
2015-12-23 14:15:05,966 INFO 4692 - Box account is not fully configured, exiting...
I would first confirm that you are getting the data by running a search before you add panels:
index=main sourcetype=box*
If you are getting no data. I would following the troubleshooting steps per:
http://docs.splunk.com/Documentation/AddOns/latest/Box/Troubleshooting
Thx for your reply.
I got some inputs but by far not all of them and they aren't displayed in my panels.
I already did the stepts listed in the Doc.