Why am I getting "HTTP Request error: 400 Client Error: Bad Request" trying to set up the Box App for Splunk on a heavy forwarder?


So, I go into the Box App for Splunk on my Heavy Forwarder to do initial configuration. I successfully configure the app and validate the oauth information with my Box admin account. However, I notice I'm not getting any data. Looking in the splunkd log I'm seeing the following error.

ERROR ExecProcessor - message from "python /apps/splunk/etc/apps/BoxAppForSplunk/bin/" HTTP Request error: 400 Client Error: Bad Request

The only thing I can think of is the account I have doesn't have access to the API, but wondering if anyone else has run into this error.


Well, I finally succeeded with the "Splunk addon for box". Not that I know what really went wrong, but I made it work. I just created a new Box account and only used the term https://localhost:8000/ as redirect_uri.

However, I guess that wasn't the problem, but I did some search tests and figured out I had some overlap in my dashboards with both Box add-ons. So I realized my SplunkAddon dashboard was using some prebuilt boxapp panels, which didn't work. Furthermore, my recently used search didn't work, because index=box sourcetype=box-rest-api doesn't show me any results. So with index=* source= I got some results!

SplunkAddon is using $decideonstartup as host/index, so maybe that's why I didn't find those logs earlier.

As for the permission-denied errors on my GET requests, they still happen with boxappforsplunk. Dunno what's wrong, but I am fine now 🙂 Thanks for your help.


I converted your comment to an answer. Please mark it as the answer and upvote to help others find it.

0 Karma


If you go to

do you get the same error?

Looks like the uri is wrong. Do you specify your boxURI anywhere? Host & Port anywhere? Looks like there is a variable here.... like $SPLUNKINSTANCE$/2.0/events.... and it's blank/missing so you just end up with /2.0/events...

Can you post your inputs.conf?

The endpoint in inputs.conf should be:
endpoint =

I meant the inputs.conf in the box app for splunk:

0 Karma


Hello, and thanks for your reply.

If I click your link, I just get a white page.
My local inputs.conf is empty. Do I have to edit my local one with endpoint = ?

My redirect URI in Box is https://newbox:8000/en-US/manager/Splunk_TA_box/apps/local/Splunk_TA_box/setup?action=edit
The Splunk add-on tells me the credentials were successful, but when searching index=box sourcetype=box-rest-api I get no results.

Splunk server name is newbox, HTTPS is activated, web port 8000. APPPORT 8065. I already tried this port, no change.

Mentioning these logs...

2016-01-05 11:00:01,650 INFO 139915727435520 - Get

2016-01-05 11:00:02,058 ERROR 139915727435520 - Failed to connect, reason=Forbidden, {"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"43199700568bf692091f3"}

This is my inputs.conf default.

index         = default
_rcvbuf        = 1572864
host = $decideOnStartup


index = _internal

index = _internal

move_policy = sinkhole
crcSalt = 

queue       = stashparsing
sourcetype  = stash_new
move_policy = sinkhole
crcSalt     = 

#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
filesPerDelay = 10
delayInMills = 100




interval = 60.0
start_by_shell = true

# default cipher suites that splunk allows. Change this if you wish to increase the security 
# of SSL connections, or to lower it if you having trouble connecting to splunk.
allowSslRenegotiation = true
sslQuietShutdown = false

#Allow only sslv3 and above connections
sslVersions = *,-ssl2
0 Karma


You're getting a 403, access is denied error. You need to check your authentication settings related to the box app. I've edited my original answer to show you the inputs.conf you should have in the box app's default directory.

Please do not post your "secret keys"

However, these keys need to be populated with your box api oauth stuffs. Below are the specific keys you need to edit, from the inputs.conf of the latest copy of the app itself (I just downloaded the app and opened it to view the file, no setup/install). So these are defaults. You need to add your own.

oauth2_client_id = tdmcuubsa2zix32pc4ucxzvzfylanc0z
oauth2_client_secret = GV42Oh5I6z6Hb6JskCFc0ihPzfe4Dj6J
oauth2_access_token =
oauth2_refresh_token =
0 Karma


The settings in your previous post look exactly like mine. The client ID + secret are written there.

Is it normal that my BoxAppForSplunk directory in apps cannot be opened (permission denied)?

Another question... does this app even work with Splunk Enterprise TRIAL?

0 Karma


Eww... I don't know if it works with the trial, as many of them do not.

dbconnect doesn't, for example.

I feel like you need an access token there, or different client id and secret.

Did you do step 4?

0 Karma


I would like to add that I have seen this on 6.3.1 with Box app 1.4 on a Linux OS and a Microsoft 2012 R2 OS. I also see the same result on 6.2.5 with the 1.2 and 1.4 versions of Box. If you set the ExecProcessor to debug you can see a more detailed message:
‘DEBUG ExecProcessor - message from "python /opt/splunk/etc/apps/BoxAppForSplunk/bin/" "GET /2.0/events?created_after=2014-11-21T00%3A00%3A00-00%3A00&stream_position=0&created_before=2014-11-22T00%3A00%3A00-00%3A00&stream_type=admin_logs&limit=500 HTTP/1.1" 400 276’

I have spent about 30 hours trying to figure this one out.

0 Karma
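
A triage helper for the two log formats quoted in this thread, added here as an example (it is not part of any post or of the Box app): it decodes the request that received the 400 and pulls Box's error code out of the 403 line. The function names and hint texts are assumptions for illustration; the sample lines are copied from the posts above.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Sample lines copied from the log excerpts posted in this thread.
SAMPLE_LINES = [
    r'DEBUG ExecProcessor - message from "python /opt/splunk/etc/apps/BoxAppForSplunk/bin/" "GET /2.0/events?created_after=2014-11-21T00%3A00%3A00-00%3A00&stream_position=0&created_before=2014-11-22T00%3A00%3A00-00%3A00&stream_type=admin_logs&limit=500 HTTP/1.1" 400 276',
    r'2016-01-05 11:00:02,058 ERROR 139915727435520 - Failed to connect, reason=Forbidden, {"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"43199700568bf692091f3"}',
]
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/1\.[01]" (\d{3})\b')  # access-log style
JSON_RE = re.compile(r'(\{.*\})\s*$')                                # trailing JSON body

# Hint texts are assumptions based on general HTTP status semantics.
HINTS = {
    400: "request rejected as malformed: review the decoded parameters",
    401: "token missing, invalid or expired: redo the OAuth authorization",
    403: "authenticated but not authorized: check the Box account's permissions",
}

def parse_line(line):
    """Return a dict describing the Box API failure in one log line, or None."""
    m = REQUEST_RE.search(line)
    if m:
        url = urlsplit(m.group(2))
        # URL-decode the query so the date window and stream type are readable.
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        return {"status": int(m.group(3)), "path": url.path, "params": params, "code": None}
    m = JSON_RE.search(line)
    if not m:
        return None
    try:
        body = json.loads(m.group(1))
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("type") != "error":
        return None
    return {"status": body.get("status"), "path": None, "params": {}, "code": body.get("code")}

def triage(lines):
    """Parse every line and attach a hint to each HTTP error found."""
    findings = []
    for line in lines:
        finding = parse_line(line)
        if finding and isinstance(finding["status"], int) and finding["status"] >= 400:
            finding["hint"] = HINTS.get(finding["status"], "see the raw log line")
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```
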