Splunk® Supported Add-ons

Splunk Add-on for Google Workspace

Release history for the Splunk Add-on for Google Workspace

The latest version of the Splunk Add-on for Google Workspace is version 2.8.1. See Release notes for the Splunk Add-on for Google Workspace for release notes of this latest version.

Version 2.8.0

Version 2.8.0 of the Splunk Add-on for Google Workspace was released on July 26, 2024.

About this release

Version 2.8.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 9.3, 9.2, 9.1
CIM 5.x
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.8.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Added 3 new source types:
    • gws:reports:chat
    • gws:reports:mobile
    • gws:reports:chrome

Fixed issues

Version 2.8.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

Known issues

Version 2.8.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

Third-party software attributions

Version 2.8.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.7.0

Version 2.7.0 of the Splunk Add-on for Google Workspace was released on April 7, 2024.

About this release

Version 2.7.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.7.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Added feature to change view type in User Identity List input
  • Added feature to use custom tables in Gmail Logs Migrated input

Fixed issues

Version 2.7.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.


Known issues

Version 2.7.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.


Third-party software attributions

Version 2.7.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.6.3

Version 2.6.3 of the Splunk Add-on for Google Workspace was released on February 7, 2024.

About this release

Version 2.6.3 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.6.3 of the Splunk Add-on for Google Workspace has the following new features.

  • Fixed Big Query used in Gmail Logs input that results to excessive data scanning

Fixed issues

Version 2.6.3 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

Date resolved Issue number Description
2024-02-05 ADDON-64975 Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning

Known issues

Version 2.6.3 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.


Third-party software attributions

Version 2.6.3 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.6.2

Version 2.6.2 of the Splunk Add-on for Google Workspace was released on January 22, 2024.

About this release

Version 2.6.2 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.6.2 of the Splunk Add-on for Google Workspace has the following new features.

  • Fixed a security vulnerability found in the urllib3 by upgrading its version from 1.26.14 to 1.26.18.

Fixed issues

Version 2.6.2 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.


Known issues

Version 2.6.2 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

Date filed Issue number Description
2023-09-12 ADDON-64975 Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning

Third-party software attributions

Version 2.6.2 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.6.0

Version 2.6.0 of the Splunk Add-on for Google Workspace was released on TBD.

About this release

Version 2.6.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.6.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Checkpoints for "Activity report" modular inputs are being migrated to KVStore. This is an automatic update during the modular input run after you update to the v2.6.0 of the add-on. If you were experiencing issues with "Activity report" modular input in Splunk Cloud, please remove all your inputs, update the add-on and recreate the inputs.
  • "Activity report" modular input was redesigned to support more data ingestion.
  • New "Advanced Settings" configuration tab to provide control over speed of data collection. Current functionality has parameter for "Activity report interval size". By default, the add-on creates 5 threads to collect the data. This is sufficient for most of use cases as it can bring around 120,000 events per minute through one configured modular input.

Do not configure more modular inputs with the same "Application Name" and the same "Service Account to use" as it will result in duplicated data.

  • To see how many events (per 20 seconds) the particular modular input is bringing in you can run this search:

``` index=_internal source=*<modular-input-name>* "Total split events ingested" ```

  • To see the average amount of events (per 20 seconds) the particular modular input is bringing in you can run this search:

``` index=_internal source=*<modular-input-name>* "Total split events ingested" | rex field=_raw "Total split events ingested: (?<n_events>.*)$" | stats avg(n_events) ```

  • If the number is less than 40000, you can use the default advanced configuration.
  • If you notice a delay in your data collection, you can change "Activity report interval size" to 2, save the changes and in your next run of the modular input, there will be 10 threads to collect the data, increasing the speed of the data collection even further. Note: changing the interval size to a smaller number requires more resources.

Fixed issues

Version 2.6.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

Date resolved Issue number Description
2023-07-31 ADDON-61198 GWS Activity report: not currently supporting clustering environment

Known issues

Version 2.6.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

Date filed Issue number Description
2023-09-12 ADDON-64975 Gmail Logs Input - Inefficient Big Query used that results to excessive data scanning

Third-party software attributions

Version 2.6.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.5.1

Version 2.5.1 of the Splunk Add-on for Google Workspace was released on April 28, 2023.

About this release

Version 2.5.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.5.1 of the Splunk Add-on for Google Workspace has the following new features.

  • Introduces support for application name "rules" for "Activity report" modular input
  • Fixes issues found for "Alert Center" modular input.
  • Optimizes some parts of the data collection for "Activity report" modular input.

Fixed issues

Version 2.5.1 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.

Date resolved Issue number Description
2023-05-04 ADDON-61892 GWS Alert Center: 'Gmail Phishing' source inputs not working as expected

Known issues

Version 2.5.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

Date filed Issue number Description
2023-03-06 ADDON-61198 GWS Activity report: not currently supporting clustering environment

Third-party software attributions

Version 2.5.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace


Version 2.5.0

Version 2.5.0 of the Splunk Add-on for Google Workspace was released on April 3, 2023.

About this release

Version 2.5.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.5.0 of the Splunk Add-on for Google Workspace has the following new features.

  • Introduced Alert Center, a modular input for collecting data from Google Workspace. It is recommended to use a different service account to use with this modular input as it needs a different scope.
  • Both Gmail Logs and Gmail Logs Migrated got an update regarding the checkpointing strategy and should fix an issue where the data ingestion was delayed because of the frequent checkpoint saving.

Fixed issues

Version 2.5.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.


Known issues

Version 2.5.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.

Date filed Issue number Description
2023-04-19 ADDON-61892 GWS Alert Center: 'Gmail Phishing' source inputs not working as expected
2023-03-06 ADDON-61198 GWS Activity report: not currently supporting clustering environment

Third-party software attributions

Version 2.5.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.4.1

Version 2.4.1 of the Splunk Add-on for Google Workspace was released on December 9, 2022.

About this release

Version 2.4.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.

  • Added multiple domain support for Google Workspace data ingestion.
  • Added support for the Asset and Identity framework in Splunk Enterprise Security.
  • Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input
  • UI label and help text feature enhancements.
  • The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
  • Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
  • The query for Gmail Logs input was improved to reduce the cost for running each query.

Fixed issues

Version 2.4.1 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.4.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Date filed Issue number Description
2023-03-06 ADDON-61198 GWS Activity report: not currently supporting clustering environment

Third-party software attributions

Version 2.4.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.4.0

Version 2.4.0 of the Splunk Add-on for Google Workspace was released on October 27, 2022.

About this release

Version 2.4.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, and 9.0.x
CIM 4.20, 5.0
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

  • Added multiple domain support for Google Workspace data ingestion.
  • Added support for the Asset and Identity framework in Splunk Enterprise Security.
  • Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input
  • UI label and help text feature enhancements.
  • The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
  • Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
  • The query for Gmail Logs input was improved to reduce the cost for running each query.

Fixed issues

Version 2.4.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.4.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 2.4.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.3.0

Version 2.3.0 of the Splunk Add-on for Google Workspace was released on August 23, 2022.

About this release

Version 2.3.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, and 9.0x
CIM 4.20
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

"Activity" input changes

  • Improved the way non-UTF-8 characters are ingested into Splunk. Before this update, if your event had a non-UTF-8 character (for example, "こんにちは世界", which is "Hello World" in Japanese), it would show as a unicode string ("\u3053\u3093\u306b\u3061\u306f\u4e16\u754c") in the raw event. This can make it difficult to search for the same exact word using an SPL search. With version 2.3.0, the raw event contains string "こんにちは世界", which lets you now perform SPL searches.
  • Interval for "Activity" input now has low and high boundaries, which are 20 seconds and 3600 seconds respectively. This limitation is only for the new inputs. Inputs created before the 2.3.0 version will continue to work as before.
  • The "Activity report" input is now enhanced to improve reliability of the input, especially for big environments. This release completely redesigns how the data is gathered, including better error handling and ingestion, and will solve past issues that occur in bigger environments.
  • The add-on now collects data for 20 second chunks, ingests that data to Splunk, and then moves the checkpoint. This approach allows us to be more reliable if network issues occur during data collection.

"Gmail Logs" input changes

  • Proxy handling for "Gmail Logs" input is improved and additional environment variables are set before making requests to Google BigQuery API (HTTP_PROXY, https_proxy and http_proxy).
  • "Dataset name" option was added to "Gmail Logs" input. This allows you to specify a custom BigQuery dataset name when you export Gmail logs to BigQuery. The default setting is gmail_logs_dataset. All "Gmail Logs" inputs created in previous releases will still work, but you should update the input's "dataset_name" field to the default one ("gmail_logs_dataset").

General changes

Proxy handling for both "Activity" and "Gmail Logs" was changed. Previously, when you enabled and configured a proxy in the "Configuration" tab, the Python code for the modular inputs would make HTTPS requests using https://<your-configured-proxy (specify username:password@ip:port>. With version 2.3.0, HTTP and HTTPS requests will go through http://<your-configured-proxy>. This change creates a similar proxy configuration to other Splunk-supported add-ons

Fixed issues

Version 2.3.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Date resolved Issue number Description
2023-03-21 ADDON-50955 Splunk Add-on for Google Workspace - 401 Client error

Known issues

Version 2.3.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:


Third-party software attributions

Version 2.3.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

Third-party software attributions for the Splunk Add-on for Google Workspace

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Google Workspace was released on June 1, 2022.

About this release

Version 2.2.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0x
CIM 4.20
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • Added the following new sourcetypes and CIM mapping support to event names:

sourcetype: gws:reports:calendar

  • event names:
    • change_calendar_acls
    • create_calendar
    • delete_calendar
    • create_event
    • delete_event
    • add_event_guest
    • change_event
    • restore_event


sourcetype: gws:reports:context_aware_access

  • event names:
    • ACCESS_DENY_EVENT


  • Updated existing sourcetypes and added CIM mapping support to event names:

sourcetype: gws:reports:groups_enterprise

  • event names:
    • invite_member


sourcetype: gws:reports:admin

  • event names:
    • CREATE_CALENDAR_RESOURCE
    • UPDATE_CALENDAR_RESOURCE
    • CHANGE_FIRST_NAME
    • CHANGE_LAST_NAME
    • CHANGE_USER_LOCATION
    • RESET_SIGNIN_COOKIES
    • DELETE_GMAIL_SETTING
    • DELETE_ROLE
    • REMOVE_PRIVILEGE
    • RENAME_ROLE
    • UNASSIGN_ROLE
    • DISALLOW_SERVICE_FOR_OAUTH2_ACCESS
    • ORG_LICENSE_REVOKE
    • USER_LICENSE_ASSIGNMENT


Token expiration Fix
When an activity report is running for more than 1 hour, the add-on reported a 401 status code while trying to make another request to the Google Workspace API. One of the potential scenarios that could lead to this issue - an input that was enabled, then stopped for a while and then reenabled. This caused the activity report input to gather all the data for that period of time (from when the input stopped until reenabling). The amount of data the add-on was trying to pull was too large for the 1 hour (API token expiration time) given to collect all that data.

Proxy improvements
This release brings in an improvement regarding the proxy support.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Date filed Issue number Description
2022-05-16 ADDON-50955 The issue occurs on Splunk Add-On for Google Workspace. The logs are missing intermittent and the Customer could see "HTTPError: 401 Client Error: Unauthorized for url "


Known issues

Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

File:Splunk Add-on for Google Workspace third-party software credits.pdf


Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Google Workspace was released on March 14, 2022.

About this release

Version 2.1.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.20
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • Added the following new sourcetypes:
    • gws:reports:groups_enterprise

      The gws:reports:groups_enterprise sourcetype is designated for Enterprise Groups Audit activity events. For more information, see the Enterprise Groups Audit Activity Events topic in the Google Workspace Admin SDK manual.

    • gws:reports:gcp

      The gws:reports:gcp sourcetype is designated for Google Cloud Platform activity events. For more information, see the Google Cloud Platform Activity Events topic in the Google Workspace Admin SDK manual.

  • Added CIM mapping support for the gws:reports:groups_enterprise sourcetype for the following event names:
    • add_member
    • add_member_role
    • add_security_setting
    • add_service_account_permission
    • change_security_setting
    • create_group
    • delete_group
    • join
    • unban_member
  • Added CIM mapping support for the gws:reports:gcp sourcetype for the following event names:
    • GET_LOGIN_PROFILE
    • GET_SSH_PUBLIC_KEY
    • IMPORT_SSH_PUBLIC_KEY
    • UPDATE_SSH_PUBLIC_KEY
  • Added CIM mapping support for the gws:reports:login sourcetype for the following event names:
    • account_disabled_generic
    • account_disabled_hijacked
    • account_disabled_spamming
    • account_disabled_spamming_through_relay
    • email_forwarding_out_of_domain
    • gov_attack_warning
    • titanium_enroll
    • titanium_unenroll
  • Added CIM mapping support for the gws:reports:drive sourcetype for the following event names:
    • CHANGE_DOCS_SETTING
    • DRIVE_DATA_RESTORE
    • MOVE_SHARED_DRIVE_TO_ORG_UNIT
    • TRANSFER_DOCUMENT_OWNERSHIP
  • Added CIM mapping support for the gws:reports:admin sourcetype for the following event names:
    • ADD_PRIVILEGE
    • ADD_TO_BLOCKED_OAUTH2_APPS
    • ALLOW_SERVICE_FOR_OAUTH2_ACCESS
    • ASSIGN_ROLE
    • BLOCK_ALL_THIRD_PARTY_API_ACCESS
    • BLOCK_ON_DEVICE_ACCESS
    • CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS
    • CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID
    • CHANGE_CAA_APP_ASSIGNMENTS
    • CHANGE_EMAIL_SETTING
    • CHANGE_GMAIL_SETTING
    • CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION
    • CHANGE_TWO_STEP_VERIFICATION_FREQUENCY
    • CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION
    • CHANGE_TWO_STEP_VERIFICATION_START_DATE
    • CREATE_GMAIL_SETTING
    • CREATE_ROLE
    • DROP_FROM_QUARANTINE
    • EMAIL_UNDELETE
    • ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY
    • ENFORCE_STRONG_AUTHENTICATION
    • REJECT_FROM_QUARANTINE
    • RELEASE_FROM_QUARANTINE
    • REMOVE_FROM_BLOCKED_OAUTH2_APPS
    • REMOVE_FROM_TRUSTED_OAUTH2_APPS
    • SESSION_CONTROL_SETTINGS_CHANGE
    • TRUST_DOMAIN_OWNED_OAUTH2_APPS
    • UNBLOCK_ALL_THIRD_PARTY_API_ACCESS
    • UNBLOCK_ON_DEVICE_ACCESS
    • UNTRUST_DOMAIN_OWNED_OAUTH2_APPS
    • UPDATE_ROLE
    • WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
  • The lookbackOffset parameter for activity-related events minimal and default values were also revisited. The minimum value is 5 minutes, and the default value is 30 minutes.
  • The bug with gws:reports:token sourcetype events was fixed, so now respected events have proper CIM-mapping support.

Fixed issues

This is the first release of the Splunk Add-on for Google Workspace.

Version 2.1.0 of the Splunk Add-on for Google Workspace fixes the following issues:



Known issues

Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Date filed Issue number Description
2022-04-22 ADDON-50955 Splunk Add-on for Google Workspace - 401 Client error

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

File:Third-party software attributions for the Splunk Add-on for Google Workspace2.1.0.pdf


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Google Workspace was released on February 2, 2022.

About this release

Version 2.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.20
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

New features

Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.

  • HTTPS proxy support for collecting activity report and Gmail headers information
    This version of the Splunk Add-on for Google Workspace introduces a new configuration tab containing HTTPS proxy configurations that, when enabled, are used to proxy all requests to Google APIs.
  • Split some events into multiple events
    Some Google Workspace Reports API events contain multiple subevents. For example, moving a file to a folder in Google Drive generates one event, which has four subevents (create, change_user_access, change_acl_editors and add_to_folder). This causes potential issues with CIM mapping support for these events.
    This version of the Splunk Add-on for Google Workspace introduces a change to split four subevents to four separate events ingested into your Splunk platform deployment. Each of the four new related events have the same etag field.
    For example, if a system revokes Google Workspace licenses for two users, the event in previous versions of the Splunk Add-on for Google Workspace will look like the following:
    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "events":[
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user1@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        },
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user2@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        }
      ]
    }
    

    This release of the Splunk Add-on for Google Workspace splits this single event into two separate events and ingests them in the following format into your Splunk platform deployment:

    Event 1:

    
    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "event": {
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user1@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        }
      }
    }
    


    Event #2:

    {
      "kind":"admin#reports#activity",
      "id":{
        "time":"2021-06-28T18:25:42.247Z",
        "uniqueQualifier":"123",
        "applicationName":"admin",
        "customerId":"some-customerId"
      },
      "etag":"some-etag",
      "actor":{
        "callerType":"KEY",
        "key":"SYSTEM"
      },
      "event": {
        {
          "type":"LICENSES_SETTINGS",
          "name":"USER_LICENSE_REVOKE",
          "parameters":[
            {
              "name":"USER_EMAIL",
              "value":"user2@example.com"
            },
            {
              "name":"PRODUCT_NAME",
              "value":"Google Workspace"
            },
            {
              "name":"OLD_VALUE",
              "value":"Google Workspace Enterprise Plus"
            }
          ]
        }
      }
    }
    


    If you want to identify a specific event, and other events occur at the same time, you can search for the etag field, which can show you all the related events.

  • Support for collecting Gmail headers information
    This release includes support for Gmail headers ingestion into your Splunk platform deployment. This feature is supported for the following types of Google Workspace editions: Enterprise, Education Standard, and Plus.
    For more information, see the Prepare to use Gmail logs in BigQuery topic in the Google Workspace Admin documentation.
  • Extend CIM mapping support for all sourcetypes
    This release includes CIM mapping support for the following event names:
    1. gws:reports:saml sourcetype. For more information, see the SAML Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. login_failure
      2. login_success
    2. gws:reports:login sourcetype. For more information, see the Login Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. 2sv_disable
      2. 2sv_enroll
      3. account_disabled_password_leak
      4. login_failure
      5. login_success
      6. logout
      7. password_edit
      8. recovery_email_edit
      9. recovery_phone_edit
      10. recovery_secret_qa_edit
      11. suspicious_login
      12. suspicious_login_less_secure_app
      13. suspicious_programmatic_login
    3. gws:reports:oauthtoken sourcetype. For more information, see the OAuth Token Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. authorize
      2. revoke
    4. gws:reports:drive sourcetype. For more information, see the Drive Audit Activity Events topic in the Workspace Admin SDK documentation.
      1. add_to_folder
      2. change_document_access_scope
      3. change_document_access_scope_hierarchy_reconciled
      4. change_document_visibility
      5. change_document_visibility_hierarchy_reconciled
      6. change_user_access
      7. change_user_access_hierarchy_reconciled
      8. copy
      9. create
      10. delete
      11. download
      12. edit
      13. email_as_attachment
      14. move
      15. print
      16. publish_change
      17. remove_from_folder
      18. rename
      19. shared_drive_membership_change
      20. sheets_import_range
      21. trash
      22. untrash
      23. upload
      24. view
    5. gws:reports:admin sourcetype. For more information, see the Reports API: Admin Activity Report Event Names topic in the Workspace Admin SDK documentation.
      1. ADD_RECOVERY_EMAIL
      2. ADD_RECOVERY_PHONE
      3. ARCHIVE_USER
      4. AUTHORIZE_API_CLIENT_ACCESS
      5. CHANGE_PASSWORD
      6. CHANGE_PASSWORD_ON_NEXT_LOGIN
      7. CHANGE_RECOVERY_EMAIL
      8. CHANGE_RECOVERY_PHONE
      9. CREATE_EMAIL_MONITOR
      10. CREATE_USER
      11. DELETE_EMAIL_MONITOR
      12. DELETE_USER
      13. ENABLE_USER_IP_WHITELIST
      14. GENERATE_2SV_SCRATCH_CODES
      15. GMAIL_RESET_USER
      16. GRANT_ADMIN_PRIVILEGE
      17. GRANT_DELEGATED_ADMIN_PRIVILEGES
      18. MAIL_ROUTING_DESTINATION_ADDED
      19. MAIL_ROUTING_DESTINATION_REMOVED
      20. MOVE_USER_TO_ORG_UNIT
      21. REMOVE_RECOVERY_EMAIL
      22. REMOVE_RECOVERY_PHONE
      23. RENAME_USER
      24. REVOKE_ADMIN_PRIVILEGE
      25. SECURITY_KEY_REGISTERED_FOR_USER
      26. SUSPEND_USER
      27. TURN_OFF_2_STEP_VERIFICATION
      28. UNARCHIVE_USER
      29. UNBLOCK_USER_SESSION
      30. UNDELETE_USER
      31. UNENROLL_USER_FROM_STRONG_AUTH
      32. UNENROLL_USER_FROM_TITANIUM
      33. UNSUSPEND_USER
      34. USER_LICENSE_REVOKE
      35. USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD

Common Information Model mapping changes

The following table displays the changes to the Common Information Model (CIM) mapping for this add-on:

Sourcetype Event name Changes
gws:reports:login login_success Field authentication_method is now taken from login_type first and if there is nothing there, it is taken from login_challenge_method

Added dest_name field equal to Google Workspace
Added vendor_product field equal to Google Workspace

gws:reports:login login_failure Field authentication_method is now taken from login_type first and if there is nothing there, it is taken from login_challenge_method

Added dest_name field equal to Google Workspace
Added vendor_product field equal to Google Workspace

gws:reports:login logout Added dest_name field equal to Google Workspace

Removed src_ip field mapping
Added src_user_id field mapping
Added src_user_name field mapping

gws:reports:oauthtoken token_authorize Added dest_url field equal to dest field
gws:reports:oauthtoken token_revoke Field action was changed to modified from logoff

Added app field mapping
Added dest_url field equal to dest field
Field object is now taken from cliend_id field
Field object_id is now taken from cliend_id field
Field result is equal to revoke
Field result_id is equal to revoke
Added src_user_id field
Field user is now taken from client_id field
Field user_id is now taken from client_id field
Field user_name is now taken from client_id field

gws:reports:admin USER_LICENSE_REVOKE Field object_attrs is now equal to USER_LICENSE
gws:reports:admin AUTHORIZE_API_CLIENT_ACCESS Added dest_url field equal to dest field

Field object_attrs is now equal to API_CLIENT
Added src_user_id field

gws:reports:admin DELETE_USER Field object_attrs is now equal to USER_SETTINGS

Added src_user_id field

gws:reports:admin SUSPEND_USER Added dest_name field equal to dest

Added src_user_id field

gws:reports:admin CHANGE_MOBILE_SETTING Field dest is now taken from ORG_UNIT_NAME field

Added dest_name field equal to dest
Field object_attrs is now equal to NEW_VALUE field

gws:reports:admin CREATE_USER Added dest_name field equal to dest

Field object_attrs is now equal to USER_SETTINGS
Added src_user_id field

gws:reports:admin ADD_TO_TRUSTED_OAUTH2_APPS Field action was changed from modified to created

Field object_attrs is now equal to SECURITY_SETTINGS

Fixed issues

This is the first release of the Splunk Add-on for Google Workspace.

Version 2.0.0 of the Splunk Add-on for Google Workspace fixes the following issues:


Known issues

Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

File:Third-party software attributions for the Splunk Add-on for Google Workspace2.0.0.pdf

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Google Workspace was released on September 1, 2021.

About this release

Version 1.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.18
Platforms Platform independent
Vendor Products Google Workspace Enterprise Plus

Fixed issues

This is the first release of the Splunk Add-on for Google Workspace.

Known issues

Version 1.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:

File:Third-party software attributions for the Splunk Add-on for Google Workspace.pdf

Last modified on 31 July, 2024
Installation overview for the Splunk Add-on for Google Workspace   Install the Splunk Add-on for Google Workspace

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters