Can I install the Splunk Add-on for Box on just my search head, and not use a Forwarder?

darlas
Communicator

Hi.

I'm trying to re-install the Box Add-on, which has somehow stopped working. I do not have a universal forwarder that has a GUI to set up the Box API information, so I just installed it on my Search Head. I am able to successfully grant Splunk access to my Box account and pull events.

But I cannot add the Data Inputs, as specified in the configuration instructions. In fact, when I try to "Add Data" the web page just spins at "loading" and I never even get a chance to add the inputs.

Splunk support says this is because I don't have the Add-on installed on a forwarder so they will no longer assist me.

Hopefully someone out there can help me.

-Darla

0 Karma
1 Solution

rpille_splunk
Splunk Employee

Hi Darla,

This add-on is supported in a single-instance deployment of the Splunk platform, so you can install it on your single instance and configure input collection there, and that should be supported.

If you have a distributed deployment, per the documentation, you should set up a heavy forwarder (a full Splunk Enterprise instance) to handle your data inputs. (This add-on does not support universal forwarders for data collection.) Install the add-on on BOTH your search head and your heavy forwarder, but configure the add-on on your heavy forwarder only. Make sure you are using an account that has the admin role when you perform the configuration.

Here is the installation documentation: http://docs.splunk.com/Documentation/AddOns/released/Box/Install

omuelle1
Communicator

How can you collect Box data if you are in an on-prem (HFs and UFs) cloud Windows Splunk environment?

0 Karma

mpreddy
Communicator

@kmorris [Splunk], @rpille [Splunk]

Hi Morris/rpille,

Is there a way to index Box files? For example: I have a CSV file which is saved in Box. I want to index that CSV data into Splunk. Is it possible?

Regards,
Reddy

0 Karma

rpille_splunk
Splunk Employee

Not through this add-on. This add-on doesn't index the contents of files in Box.

You can download those files to a location that the Splunk platform can monitor and then set up a monitor input.

0 Karma

mpreddy
Communicator

@rpille

Thanks rpille.

0 Karma

darlas
Communicator

Thanks!! I'm running Splunk on Linux, and I've gotten events before. I just had some issues and needed to reinstall.

0 Karma

darlas
Communicator

Thanks to kmorris and rpille. So it sounds like I can install on ONLY a search head if I want and that is a supported configuration. Since I do not have a heavy forwarder right now it is best for me to just do it on a search head.

I appreciate the speedy responses.

0 Karma

kmorris_splunk
Splunk Employee

It is not recommended to ingest data through the Search Head. For Add-ons with a GUI configuration, you would want to install a Heavy Forwarder. Take a look at this table from the docs for the Box Add-on.

0 Karma

rpille_splunk
Splunk Employee

I forgot to add, your data collection instance has to be running Linux.

0 Karma