Getting Data In

Can I install the Splunk Add-on for Box on just my search head, and not use a Forwarder?

darlas
Communicator

Hi.

I'm trying to re-install the Box Add-on, which has somehow stopped working. I do not have a universal forwarder, that has a GUI to set up the Box API information, so I just installed on my Search Head. I am able to successfully grant Splunk access to my Box account and pull events.

But I cannot add the Data Inputs, as specified in the configuration instructions. In fact, when I try to "Add Data" the web page just spins at "loading" and I never even get a chance to add the inputs.

Splunk support says this is because I don't have the Add-on installed on a forwarder so they will no longer assist me.

Hopefully someone out there can help me.

-Darla

0 Karma
1 Solution

rpille_splunk
Splunk Employee
Splunk Employee

Hi Darla,

This add-on is supported in a single-instance deployment of the Splunk platform, so you can install it on your single instance and configure input collection there, and that should be supported.

If you have a distributed deployment, per the documentation, you should set up a heavy forwarder (a full Splunk Enterprise instance) to handle your data inputs. (This add-on does not support universal forwarders for data collection.) Install the add-on on BOTH your search head and your heavy forwarder, but configure the add-on on your heavy forwarder only. Make sure you are using an account that has the admin role when you perform the configuration.

Here is the installation documentation: http://docs.splunk.com/Documentation/AddOns/released/Box/Install

View solution in original post

omuelle1
Communicator

How can you collect box data if you are in a on-prem (HFs and UFs) cloud windows Splunk environment ?

0 Karma

mpreddy
Communicator

@ kmorris [Splunk] , @rpille [Splunk]

Hi Morris/rpille,

Is there a way to index box files. example: I had a csv file which is saved in box. I want to index that csv data in to splunk. Is it possible?

Regards,
Reddy

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Not through this add-on. This add-on doesn't index the contents of files in Box.

You can download those files to a location that the Splunk platform can monitor and then set up a monitor input.

0 Karma

mpreddy
Communicator

@rpille

Thanks rpille.

0 Karma

darlas
Communicator

Thanks!! I'm running splunk on linux. and I've gotten events before. just had some issues and needed to reinstall.

0 Karma

darlas
Communicator

Thanks to kmorris and rpille. So it sounds like I can install on ONLY a search head if I want and that is a supported configuration. Since I do not have a heavy forwarder right now it is best for me to just do it on a search head.

I appreciate the speedy responses.

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

It is not recommended to ingest data through the Search Head. For Add-ons with a GUI configuration, you would want to install a Heavy Forwarder. Take a look at this table from the docs for the Box Add-on.

alt text

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Hi Darla,

This add-on is supported in a single-instance deployment of the Splunk platform, so you can install it on your single instance and configure input collection there, and that should be supported.

If you have a distributed deployment, per the documentation, you should set up a heavy forwarder (a full Splunk Enterprise instance) to handle your data inputs. (This add-on does not support universal forwarders for data collection.) Install the add-on on BOTH your search head and your heavy forwarder, but configure the add-on on your heavy forwarder only. Make sure you are using an account that has the admin role when you perform the configuration.

Here is the installation documentation: http://docs.splunk.com/Documentation/AddOns/released/Box/Install

rpille_splunk
Splunk Employee
Splunk Employee

I forgot to add, your data collection instance has to be running Linux.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...