Can I install the Splunk Add-on for Box on just my search head, and not use a Forwarder?

darlas
Communicator

Hi.

I'm trying to re-install the Box Add-on, which has somehow stopped working. I do not have a universal forwarder, that has a GUI to set up the Box API information, so I just installed on my Search Head. I am able to successfully grant Splunk access to my Box account and pull events.

But I cannot add the Data Inputs, as specified in the configuration instructions. In fact, when I try to "Add Data" the web page just spins at "loading" and I never even get a chance to add the inputs.

Splunk support says this is because I don't have the Add-on installed on a forwarder so they will no longer assist me.

Hopefully someone out there can help me.

-Darla

0 Karma
1 Solution

rpille_splunk
Splunk Employee

Hi Darla,

This add-on is supported in a single-instance deployment of the Splunk platform, so you can install it on your single instance and configure input collection there, and that should be supported.

If you have a distributed deployment, per the documentation, you should set up a heavy forwarder (a full Splunk Enterprise instance) to handle your data inputs. (This add-on does not support universal forwarders for data collection.) Install the add-on on BOTH your search head and your heavy forwarder, but configure the add-on on your heavy forwarder only. Make sure you are using an account that has the admin role when you perform the configuration.

Here is the installation documentation: http://docs.splunk.com/Documentation/AddOns/released/Box/Install

omuelle1
Communicator

How can you collect Box data if you are in an on-prem (HFs and UFs) cloud Windows Splunk environment?

0 Karma

mpreddy
Communicator

@kmorris [Splunk], @rpille [Splunk]

Hi Morris/rpille,

Is there a way to index Box files? Example: I had a CSV file which is saved in Box. I want to index that CSV data into Splunk. Is it possible?

Regards,
Reddy

0 Karma

rpille_splunk
Splunk Employee

Not through this add-on. This add-on doesn't index the contents of files in Box.

You can download those files to a location that the Splunk platform can monitor and then set up a monitor input.

0 Karma

mpreddy
Communicator

@rpille

Thanks rpille.

0 Karma

darlas
Communicator

Thanks!! I'm running Splunk on Linux, and I've gotten events before. Just had some issues and needed to reinstall.

0 Karma

darlas
Communicator

Thanks to kmorris and rpille. So it sounds like I can install on ONLY a search head if I want and that is a supported configuration. Since I do not have a heavy forwarder right now it is best for me to just do it on a search head.

I appreciate the speedy responses.

0 Karma

kmorris_splunk
Splunk Employee

It is not recommended to ingest data through the Search Head. For Add-ons with a GUI configuration, you would want to install a Heavy Forwarder. Take a look at this table from the docs for the Box Add-on.

0 Karma

rpille_splunk
Splunk Employee

I forgot to add, your data collection instance has to be running Linux.

0 Karma