TLDR- Is the application indexing items other than the events stream?
I'm trying to search some of the "tracking_codes" for users in my Box instance to report on usage by groups, for example "Sales", and this is not being returned in the splunk events. (Tracking codes can be enabled by the Box customer success teams for enterprise customers).
I first edited the box.conf file to add the appropriate user fields:
user_fields = type,id,name,login,created_at,modified_at,role,timezone,space_amount,space_used,max_upload_size,can_see_managed_users,is_external_collab_restricted,status,job_title,phone,address,avatar_url,is_exempt_from_device_limits,is_exempt_from_login_verification,tracking_codes,enterprise,my_tags
I created a new user in Box with tracking codes set:
{
"type": "user",
"id": "240685827",
"name": "Danno Tracking Code Test",
"login": "doleary+XXXX@x.com",
"created_at": "2015-06-23T11:00:33-07:00",
"modified_at": "2015-06-23T11:10:44-07:00",
"language": "en",
"timezone": "America\/Los_Angeles",
"space_amount": 1000000000000000,
"space_used": 1255288,
"max_upload_size": 16106127360,
"status": "active",
"job_title": "",
"phone": "",
"address": "",
"avatar_url": "https:\/\/FOOOO.app.box.com\/api\/avatar\/large\/240685827"
}
When I add the "fields" parameter with "tracking_codes", it returns:
{
"type": "user",
"id": "24068NNNN",
"tracking_codes": [
{
"type": "tracking_code",
"name": "Sales",
"value": "Field Team"
},
{
"type": "tracking_code",
"name": "Finance",
"value": "2300"
},
{
"type": "tracking_code",
"name": "APAC",
"value": "Bravo"
}
]
}
In Splunk however, I think that these optional fields aren't being indexed: You can see that the sourcetype is box:events
Per the Box documentation, at https://developers.box.com/docs/#fields
Fields Support: The fields parameter
is not yet supported for GET /events,
POST /files/content, and POST
/files/{id}/content.
Question- since some of these optional fields are set and appear to be in use, how do we get them indexed?
... View more