Splunk® Supported Add-ons

Splunk Add-on for Google Cloud Platform


Configure the Google Cloud Platform service permissions

Configure billing export to Google Cloud Platform

To get your daily usage and cost estimates data in the Splunk Add-on for Google Cloud Platform, you must enable billing data export in your Google Cloud Platform instance using your Google login credentials. For more details, see the Export Billing Data to a File topic in the Google Cloud documentation.

Configure log export to Google Cloud Pub/Sub

To gather data from activity logs via the Pub/Sub API, use your Google credentials to configure log export to Cloud Pub/Sub in your Google Developers Console. To create, delete, or modify a sink, you must also have the Owner or the Logging/Logs Configuration Writer IAM role in the project. The following table lists the details of these IAM roles:

| Role Name | Role Title | Logging Permissions | Resource Type |
|---|---|---|---|
| roles/owner | Owner | roles/editor logging permissions; logging.privateLogEntries.list; logging.sinks.{create, delete, update} | project |
| roles/logging.configWriter | Logs Configuration Writer | logging.exclusions.{list, create, get, update, delete}; logging.logMetrics.{list, create, get, update, delete}; logging.logs.list; logging.logServiceIndexes.list; logging.logServices.list; logging.sinks.{list, create, get, update, delete}; resourcemanager.projects.get | project, organization, folder, billing account |

For more information, see the following topic in the Google Cloud documentation: https://cloud.google.com/logging/docs/export/configure_export.
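
The role requirement above can be checked against a project's IAM policy before you create the sink. The following is an added example, not part of the Splunk documentation or the add-on: it reads a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which members can manage sinks and whether they do so through Owner or through the narrower Logs Configuration Writer role. The sample policy, member names, and function names are constructed for illustration.

```python
import json

# Roles the table above lists as able to create, delete, or modify a sink.
SINK_ADMIN_ROLES = {"roles/owner", "roles/logging.configWriter"}

# Constructed sample policy (not real data), in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:splunk-export@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.configWriter",
     "members": ["user:logging-admin@example.com", "user:admin@example.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]}
  ]
}
""")

def sink_admins(policy):
    """Map each member that can manage sinks to the sorted roles granting it."""
    found = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in SINK_ADMIN_ROLES:
            for member in binding.get("members", []):
                found.setdefault(member, set()).add(role)
    return {member: sorted(roles) for member, roles in found.items()}

def review(policy):
    """Return (member, finding) pairs for a least-privilege review."""
    findings = []
    for member, roles in sorted(sink_admins(policy).items()):
        if roles == ["roles/owner"]:
            note = "owner-only: roles/logging.configWriter is enough to manage sinks"
        elif "roles/owner" in roles:
            note = "owner plus configWriter: Owner is not needed for sink changes"
        else:
            note = "scoped: roles/logging.configWriter"
        findings.append((member, note))
    return findings

if __name__ == "__main__":
    for member, finding in review(SAMPLE_POLICY):
        print(f"{member}: {finding}")
```

Bindings inherited from a folder or organization do not appear in the project-level policy, so run the same check on the policy at those levels as well.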


This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

An additional permission that was discovered by our cloud team, for Stackdriver metrics (not pub/sub messages), they needed to set the permissions to owner level in GCP.

Jon doll
April 18, 2019

For this document, it would be great not to have to consider all these details when starting to test this app out, and get some basic instructions on getting something up and running that we can tweak and expand later on.

On first setup, most admins will likely just want the equivalent of what they already get from typical Windows or Linux clients, that is, some basic logging and optional performance metrics. That is, they'll simply want a couple of basic streams of events parsed out into CEF if possible. Yes, some will want other things, like elaborate billing data, and so on. But most of us just want a basic recipe that will let us dip our first toe in the water. We don't know what all the cost ramifications are of everything we might do or what things will use too much storage - or which sink is best for what purpose on the Stackdriver end.

As I read through these instructions I'm thinking I really need to be both a Splunk and GCP expert, and I'm neither.

Rgoerwit
April 5, 2018

Hello Kordless, You make a valid point. I've updated the doc to offer this useful detail.

Jrevell splunk, Splunker
December 12, 2017

Docs tend to be worth less when there is no clear action for the user to take. Saying to configure it without providing information on what to configure it WITH (in this case the credentials from Google) is pretty worthless.

Kordless
December 5, 2017
