Splunk Add-on for Box: How to troubleshoot why I'm...

AdrianSBaX · ‎12-21-2015

Hello,

I am trying to get some box-logs into Splunk with the mentioned add-on above. I was able to do the steps listed in the Documentation and got from the box-support a confirmation that the access-logs of me on their side is fine.

So I set up the dashboard in Splunk, but in every panel I get "No results found"

Thanks and regards

ehaddad_splunk · ‎12-22-2015

What do you get when you run:
index = _internal source=box error

AdrianSBaX · ‎01-03-2016

still struggeling, any help would be very appreciated

jcoates_splunk · ‎01-16-2016

that log looks like your OAUTH token expired -- that can happen if some time passes without it being used. Try setting the add-on up again.

Another gotcha is that you might have a token of your own that isn't the one you want to use; we recommend using a different browser than you usually use with Box to make sure that you're getting a token for the service account instead of your personal one.

AdrianSBaX · ‎12-22-2015

Hey thx for your reply.

Kinda embarassing but i realized i don't get ANY logs with the app. The mentioned inputs i got are from manually uploaded logs only.

So i get zero results, running your search.

I'am guessing there is connection problem. Do i have to forward something? Splunk itself is on a VM.

AdrianSBaX · ‎12-23-2015

got some logs now: sometimes authentication succeeded, sometimes not:

splunkd.log:

12-23-2015 10:48:06.747 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error_description': u'The authorization code has expired', u'error': u'invalid_grant'}
12-23-2015 10:48:06.747 +0100 ERROR SetupAdminHandler - Error while posting to url=/servicesNS/nobody/Splunk_TA_box/box_setup/box_account/box_account
12-23-2015 10:56:38.580 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error': u'invalid_grant', u'error_description': u'The authorization code has expired'}
12-23-2015 10:56:38.580 +0100 ERROR SetupAdminHandler - Error while posting to url=/servicesNS/nobody/Splunk_TA_box/box_setup/box_account/box_account
12-23-2015 10:59:08.413 +0100 ERROR AdminManagerExternal - Failed to do authentication, reason=Bad Request, {u'error': u'invalid_grant', u'error_description': u'The authorization code has expired'}

splunk_ui_access.log:

127.0.0.1 - admin [23/Dec/2015:14:14:03.242 +0100] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/search/jobs/1450875152.37/control HTTP/1.1" 200 59 "https://localhost:8000/en-US/app/search/search?q=search%20index%3D_internal%20box%20error%20source%3D%22C%3A%5C%5CProgram%20Files%5C%5CSplunk%5C%5Cvar%5C%5Clog%5C%5Csplunk%5C%5Csplunkd.log%22&display.page.search.mode=smart&earliest=&latest=&sid=1450875152.37" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" - 2876a338ea88cef186a7a6d077300f11 4ms

aswell as this: ta_box.log:

2015-12-23 14:15:05,966 INFO 4692 - Box account is not fully configured, exiting...

ehaddad_splunk · ‎12-21-2015

I would first confirm that you are getting the data by running a search before you add panels:
index=main sourcetype=box*

If you are getting no data. I would following the troubleshooting steps per:
http://docs.splunk.com/Documentation/AddOns/latest/Box/Troubleshooting

AdrianSBaX · ‎12-22-2015

Thx for your reply.

I got some inputs but by far not all of them and they aren't displayed in my panels.

I already did the stepts listed in the Doc.

Splunk Add-on for Box: How to troubleshoot why I'm getting "No results found" for every panel?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor