Splunk Add-On for Box only receiving my file/folder data

kprior201_lilly
Path Finder

We have the Box integration set up on a HFW, and we have proper permissions set up on the Box side. The integration user has the following co-admin rights:
- Manage users
- Manage groups
- View users content
- Edit users content (for testing)
- Log in to users accounts (for testing)
- View settings / apps for your company
- Edit settings and apps for your company
- Run new reports and access existing reports
- View policies set up for your company
- Create, edit, and delete policies for your company (for testing)
- View automations set up for your company
- Create, edit, and delete automations for your company (for testing)
- Create and edit metadata templates for your company (for testing)

However, the file/folder sourcetypes are only pulling data for the integration user. All other sourcetypes pull through with everyone's data just fine. Anyone have any ideas as to why that might be? Thanks.

0 Karma

carlkennedy
Path Finder

Did you get this figured out? I am having the same issue.

0 Karma

kprior201_lilly
Path Finder

Negative; I have a support case still open about it. I'll update as I get useful information.

0 Karma

samejgink
Explorer

Did you ever get a resolution to this?

0 Karma

KaraD
Community Manager

Hi @samejgink! Since this question was from a few years ago, we recommend posting your question in a new thread to gain more visibility. Thanks!

- Kara D, Community Manager

0 Karma

carlkennedy
Path Finder

I worked with a Box technical engineer on this and he indicated it is because we have an "open file structure" at Box instead of "closed". Anybody can post to the Open Files folder. We are getting everything important with the sourcetype box:events so we can see who logs in, uploads, downloads, deletes, etc. The box:files sourcetype sounds like it is functioning as designed with our file structure.

0 Karma

kprior201_lilly
Path Finder

Only the file/folder sourcetypes allow for the 'location' field to be populated, though, and that's what we're trying to get. Thank you for the information you've gotten thus far!

0 Karma