All Apps and Add-ons

How to refresh access tokens of Splunk Addon for Box?

AdrianSBaX
Path Finder

I got some problems with refreshing the access token of the Splunk addon for box. I don't know if this should be normally done by the addon?
So every hour my connection to box fails and i have to restart splunk manually to get it working again. My goal is to monitoring box 24/7.
Currently as a workaround i'am trying to search for errors in logs and restart splunk with a script, but even this is not working. As i see the addon is stopping to write into the logs and thats why my alert for searching terms like "error, refresh token" is not triggered.
I got no response of this serverlogs since 4 hours. Sometimes its working overnight. Sometime snot
Any help is appreciated!

Regards

index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" error

2016-01-22 10:37:26,760 ERROR 140673298708224 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=1453446926495;7f7aac36-5e11-488f-b343-9b24eda9e381&created_after=2016-01-22T07:58:05-00:00&created_before=2016-01-22T09:37:26-00:00, reason=Unauthorized, 

2016-01-22 10:37:22,299 ERROR 140673307100928 - Failed to connect https://api.box.com/2.0/folders/0/items?limit=500&offset=0&fields=type,id,name,size,sequence_id,etag,item_status,permissions,created_at,modified_at,has_collaborations,can_non_owners_invite,tags,created_by,modified_by,parent, reason=Unauthorized, 

2016-01-22 10:36:57,317 ERROR 140673315493632 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=1453446926495;7f7aac36-5e11-488f-b343-9b24eda9e381&created_after=2016-01-22T07:58:05-00:00&created_before=2016-01-22T09:36:56-00:00, reason=Unauthorized, 

2016-01-22 10:36:50,362 ERROR 140673323886336 - Failed to connect https://api.box.com/2.0/groups?limit=500&offset=0, reason=Unauthorized, 

index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token

2016-01-22 10:37:27,119 INFO 140673298708224 - End of refreshing access token.
2016-01-22 10:37:26,760 INFO 140673298708224 - Access token has been expired, refreshing
2016-01-22 10:37:22,300 INFO 140673307100928 - Access token has been expired, refreshing
2016-01-22 10:36:57,318 INFO 140673315493632 - Access token has been expired, refreshing
2016-01-22 10:36:50,362 INFO 140673323886336 - Access token has been expired, refreshing
2016-01-22 10:36:49,102 INFO 140673332279040 - End of refreshing access token.
2016-01-22 10:36:48,361 INFO 140673332279040 - Access token has been expired, refreshing
2016-01-22 08:57:37,868 INFO 140442830190336 - Access token has been expired, refreshing

my alerts are working...sometimes

source = /opt/splunk/var/log/splunk/python.log

2016-01-22 10:37:27,376 +0100 INFO  runshellscript:188 - runshellscript: ['/bin/bash', '/opt/splunk/bin/scripts/restarttest', '1', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'error access token refresh', 'Saved Search [error access token refresh] always(1)', 'https://newbox:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now', '', '/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0/per_result_alert/tmp_0.csv.gz']

2016-01-22 10:37:27,375 +0100 INFO  runshellscript:129 - ['/opt/splunk/bin/scripts/restarttest', '1', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'error access token refresh', 'Saved Search [error access token refresh] always(1)', 'https://newbox:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now', '', '/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0/per_result_alert/tmp_0.csv.gz']

jcoates_splunk
Splunk Employee
Splunk Employee

Looking at those logs, it looks like you don't have permission to reauthorize. DEBUG level logging would probably clarify that. A fairly common issue is picking up your personal account from a browser cookie or something instead of the service account that you meant to use, maybe try a different browser than you usually use when setting it up?

0 Karma

AdrianSBaX
Path Finder

tried with a new browser and set up new- debug log lvl:

host = newbox source = /opt/splunk/var/log/splunk/ta_box.log sourcetype = ta_box.log.save

2016-01-25 17:51:15,135 ERROR 139793822406400 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=0&created_after=2015-05-31T13:04:20-00:00&created_before=2015-06-01T13:04:20-00:00, reason=Unauthorized, 
1/25/16
5:51:13.199 PM  
2016-01-25 17:51:13,199 ERROR 139793830799104 - Failed to connect https://api.box.com/2.0/folders/0/items?limit=500&offset=0&fields=type,id,name,size,sequence_id,etag,item_status,permissions,created_at,modified_at,has_collaborations,can_non_owners_invite,tags,created_by,modified_by,parent, reason=Unauthorized, 
1/25/16
5:50:45.220 PM  
2016-01-25 17:50:45,220 ERROR 139793839191808 - Failed to connect https://api.box.com/2.0/users?limit=500&offset=0&fields=type,id,name,login,created_at,modified_at,role,timezone,space_amount,space_used,max_upload_size,can_see_managed_users,is_external_collab_restricted,status,job_title,phone,address,avatar_url,is_exempt_from_device_limits,is_exempt_from_login_verification,enterprise,my_tags, reason=Unauthorized, 
1/25/16
5:50:31.161 PM  
2016-01-25 17:50:31,161 ERROR 139793847584512 - Failed to connect https://api.box.com/2.0/groups?limit=500&offset=0, reason=Unauthorized, 

index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token

1/25/16
5:51:15.135 PM  
2016-01-25 17:51:15,135 INFO 139793822406400 - Access token has been expired, refreshing
1/25/16
5:51:13.199 PM  
2016-01-25 17:51:13,199 INFO 139793830799104 - Access token has been expired, refreshing
1/25/16
5:50:45.221 PM  
2016-01-25 17:50:45,221 INFO 139793839191808 - Access token has been expired, refreshing
1/25/16
5:50:31.715 PM  
2016-01-25 17:50:31,715 INFO 139793847584512 - End of refreshing access token.
1/25/16
5:50:31.675 PM  
2016-01-25 17:50:31,675 DEBUG 139793847584512 - end https://api.box.com/oauth2/token
1/25/16
5:50:31.161 PM  
2016-01-25 17:50:31,161 DEBUG 139793847584512 - start https://api.box.com/oauth2/token
1/25/16
5:50:31.161 PM  
2016-01-25 17:50:31,161 INFO 139793847584512 - Access token has been expired, refreshing
0 Karma

snort80
Explorer

Hey Adrian, running into similar issue - can you please share how you got around this problem?

Thanks!

0 Karma

AdrianSBaX
Path Finder

hey thx for your reply - i'am testing it. Is this Addon used to handle the refresk tokens automatically or not?

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...