Related Answers
Download topic as PDF
Source types for the Splunk Add-on for Google Cloud Platform
The Splunk Add-on for Google Cloud Platform (GCP) provides the index-time and search-time knowledge for Google Cloud Platform logs and billing data in the following formats:
To better align with the Google Cloud Platform, and to provide a better understanding of the data coming from the cloud, the 4.0.0 release of the Splunk Add-on for Google Cloud Platform contains improvements to sourcetyping that affect the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, and google:gcp:pubsub:message source types.
These improvements provide more granular sourcetyping on incoming data from your GCP deployment, enhancing your ability to investigate and simplifying the development of dashboards in Splunk that use GCP data. Upgrading to version 4.0.0 or higher will cause any inline searches, pivots, or reports that use these source types to not work for the GCP data that is being ingested after upgrading to version 4.0.0 of this add-on.
To ensure continuity of searches and reports on GCP data coming in after the upgrade to version 4.0.0 or later, review and
perform the steps contained in the Upgrade the Splunk Add-on for Google Cloud Platform topic in this manual.
| Source type | Description | CIM data models |
|---|---|---|
google:gcp:pubsub:audit:data_access
|
Data from Pub/Sub (GCP Authentication Audit Logs) | Authentication |
google:gcp:pubsub:audit:admin_activity
|
Data from Pub/Sub | Change |
google:gcp:pubsub:audit:system_event
|
Data from Pub/Sub | Change |
google:gcp:pubsub:audit:policy_denied
|
Data from Pub/Sub | |
google:gcp:pubsub:access_transparency
|
Data from Pub/Sub | |
google:gcp:pubsub:audit:auth
|
Data from Pub/Sub (GCP Authentication Audit Logs) | Authentication |
google:gcp:pubsub:message
|
Data from Pub/Sub | Authentication |
google:gcp:pubsub:platform
|
Data from Pub/Sub | None |
google:gcp:pubsublite:message
|
Data from Pub/Sub Lite | None |
google:gcp:monitoring
|
Data from Cloud Monitor service | None |
google:gcp:billing:standard_usage_cost
|
Data from Standard Usage Cost reports | None |
google:gcp:billing:detailed_usage_cost
|
Data from Detailed Usage Cost reports | None |
google:gcp:billing:pricing
|
Data from Pricing Table reports | None |
google:gcp:buckets:accesslogs
|
Cloud Storage Bucket server access logs for a storage account | Change |
google:gcp:buckets:csvdata
|
CSV contents of objects present in the Cloud Storage Bucket | None |
google:gcp:buckets:data
|
Generic source type for the contents of other file extensions. For example, txt, avro, and parquet | None |
google:gcp:buckets:jsondata
|
JSON contents of objects present in the Cloud Storage Bucket | None |
google:gcp:buckets:metadata
|
Cloud Storage Bucket metadata | None |
google:gcp:resource:metadata
|
Resource Metadata of Compute Engine, Cloud Storage, Kubernetes and VPC Access | None |
google:gcp:buckets:xmldata
|
XML contents of objects present in the Cloud Storage Bucket | None |
| User defined | Modular input. See the REST API reference page for more information. | None |
google:billing:json
|
Data from billing that is in JSON value. | None |
google:billing:csv
|
Data from billing that is in CSV value. | None |
google:gcp:billing:report
|
Data from billing reports. | None |
google:gcp:gsuite:admin:directory:users
|
Data from G Suite users. | None |
google:gcp:compute:instance
|
Data from Compute Engine virtual machine instances. | None |
google:gcp:compute:vpc_flows
|
Data from Compute Engine VPC flow logs. | None |
google:gcp:security:alerts
|
Data from security alerts. | None |
|
PREVIOUS Splunk Add-on for Google Cloud Platform |
NEXT Release notes for the Splunk Add-on for Google Cloud Platform |
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released
Feedback submitted, thanks!