In my last post about Splunking Box data, we focused on user authentications including percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc. In this post, I want to focus on some of the events surrounding Box content once a user is authenticated.
Content Events
In the context of this post, we will call a content event anything that happens to your Box content. For example, a content event may be a file preview, upload, download, sharing, delete, etc. There is a handy event type defined in the Splunk Add-on for Box called box_events_change. Using this event type, we can get an idea of the type of activity going on within the Box environment. Here is an example search showing all the different things going on with Box content:
eventtype=box_events_change | stats count by event_type | sort -count
Visualizing this search with a bar chart would make sense here:
So this is a good start, but we can get a little more granular. By using an in-page drill down on the above bar chart, we can see who is performing these actions and when. To add the drill down to the chart, add the following Simple XML right before your closing </chart> tag:
<drilldown>
<set token="event_type">$click.value$</set>
</drilldown>
</chart>
This markup sets a token named event_type to whatever the user clicks. We can use this token in a dependent search for a table. The search looks like this (notice the use of the token):
eventtype=box* event_type=$event_type$ | table _time source_item_name created_by_name created_by_login
Putting it all Together
To make life easier and so that you can follow along at home, I have created a public GitHub repo that has these use cases pre-built. I will be adding to this repo as this blog series progresses.