Splunk® Supported Add-ons

Splunk Add-on for Google Cloud Platform


Troubleshoot the Splunk Add-on for Google Cloud Platform

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Data not showing up

If you are upgrading from a version of the Splunk Add-on for Google Cloud Platform earlier than 1.2.0, you must run the following upgrade script so that your data is sent correctly:
# python {path_of_google_cloudplatform_addon}/bin/tools/migrate_pubsub_input.py

Accessing logs

You can access internal log data for help with troubleshooting. Data collected with these source types does not appear in any dashboards.

| Data source | Source type |
|---|---|
| Logs from splunk_ta_google_pubsub_main.log. Logs from splunk_ta_google_pubsub_util.log. | google:gcp:pubsub:log |
| Logs from splunk_ta_google_cloudplatform_cloud_monitor_main.log. Logs from splunk_ta_google-cloudplatform_cloud_monitor_util.log. | google:gcp:monitor:log |
| Logs from splunk_ta_google_billing.log | google:gcp:billing:log |
| Logs from splunk_ta_google-cloudplatform_custom_rest.log | google:gcp:custom_rest:log |

Configure log levels

  1. Click Splunk Add-on for Google Cloud Platform in your left navigation bar on Splunk Web's home page.
  2. Click Configuration in the app navigation bar.
  3. Click the Logging tab.
  4. Adjust the log levels for each of the Google Cloud Platform services as needed by changing the default of INFO to one of the other available options, DEBUG or ERROR.
  5. (Optional) If you are using pub/sub, restart your Splunk instance to apply changes.

These log level configurations apply only to runtime logs. Some REST endpoint logs from configuration activity log at DEBUG, and some validation logs log at ERROR. These levels cannot be configured.

Large pub/sub subscriptions

For large pub/sub subscriptions, we recommend cloning existing inputs that are ingesting the same subscriptions to increase data throughput and performance. These identical inputs can be in the same instance or in different instances.

To manage a large number of subscriptions to one Splunk instance, aggregate subscriptions belonging to the same Google Cloud Service account into one input to save resources.

Exceed Request Limit

If you see an "insufficient tokens for quota group" error such as the following, you have exceeded the Google Cloud Monitoring request limit, which is 50000 per day. Limit your requests or apply for a higher quota in Google:

<"Insufficient tokens for quota group and limit DefaultGroupCLIENT_PROJECT-1d using the limit by ID 342432.">

Python version issues

If you are upgrading from versions 1.2.0 or lower, upgrade your Splunk Enterprise deployment to work with Python 3:

  1. Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  2. Clean up all pycache files from your add-on's directory location. For example, $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform
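
One way to carry out step 2, as an added example that is not part of the Splunk documentation. The helper name clean_pycache and its dry-run argument are hypothetical; the directory is the one named in the step.

```shell
#!/bin/sh
# Added example: clean_pycache is a hypothetical helper, not shipped with the add-on.
# Usage: clean_pycache <addon_dir> [dry-run]
clean_pycache() {
    addon_dir=$1
    mode=${2:-delete}

    # Refuse to walk anything that is not an existing directory.
    [ -d "$addon_dir" ] || { echo "not a directory: $addon_dir" >&2; return 2; }

    if [ "$mode" = "dry-run" ]; then
        # List what would be removed: Python 3 cache directories, plus
        # .pyc/.pyo files that Python 2 wrote next to the .py sources.
        find "$addon_dir" \
            \( -type d -name '__pycache__' -prune -print \) -o \
            \( -type f \( -name '*.pyc' -o -name '*.pyo' \) -print \)
        return 0
    fi

    # Remove cache directories first, then any stray bytecode files.
    find "$addon_dir" -type d -name '__pycache__' -prune -exec rm -rf {} +
    find "$addon_dir" -type f \( -name '*.pyc' -o -name '*.pyo' \) -exec rm -f {} +
}

# Example invocation, using the directory named in step 2:
# clean_pycache "$SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform" dry-run
```

Run it with dry-run first and review the listed paths before deleting.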

Billing data not ingesting

If you encounter the following message in your internal logs:

Billing ingestion error. You must use the Cloud BigQuery Billing input in order to ingest billing data.

You must delete your existing billing inputs, upgrade to version 3.2.0 or later of this add-on, and recreate your billing inputs using the Cloud BigQuery Billing input in order to ingest billing data.

Google has deprecated regular file export of your Cloud Billing data to CSV and JSON. To export your Cloud Billing data for analysis, use Cloud Billing export to BigQuery.

See the Configure Cloud BigQuery Billing inputs for the Splunk Add-on for Google Cloud Service topic in this manual.

Missing fields in Events/Larger events not structured in Pub/Sub input

If you receive large events and find that some fields are missing from the events, or that events are not structured correctly, perform the following steps:

  1. Click Settings.
  2. Click Source types under the DATA section.
  3. Clear the Show only popular checkbox if it is selected.
  4. Search for the google:gcp:pubsub:message source type.
  5. Click Edit. The Edit Source Type: google:gcp:pubsub:message dialog box opens.
  6. Click Advanced.
  7. Increase the TRUNCATE value based on the event size and click Save.
  8. Repeat steps 4 to 7 for the google:gcp:pubsub:audit:change source type.
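
A way to choose the TRUNCATE value in step 7 from observed event sizes, as an added example that is not part of the Splunk documentation. The helper suggest_truncate is hypothetical: it reads a sample file with one raw event per line and prints props.conf stanzas, the file form of the Advanced tab setting, for both source types. The 20% headroom and the rounding to a multiple of 1000 are assumptions.

```shell
#!/bin/sh
# Added example: suggest_truncate is a hypothetical helper, not part of the add-on.
# Usage: suggest_truncate <sample_file> [headroom_percent]
suggest_truncate() {
    sample=$1
    headroom_pct=${2:-20}   # assumption: 20% headroom over the largest event

    [ -r "$sample" ] || { echo "cannot read: $sample" >&2; return 2; }

    # LC_ALL=C makes awk's length() count bytes; TRUNCATE is a byte limit.
    max=$(LC_ALL=C awk '{ n = length($0); if (n > m) m = n } END { print m + 0 }' "$sample")
    [ "$max" -gt 0 ] || { echo "no events in: $sample" >&2; return 1; }

    # Add the headroom, then round up to the next multiple of 1000.
    limit=$(( (max * (100 + headroom_pct) / 100 + 999) / 1000 * 1000 ))

    # Emit one stanza per source type named in the steps above.
    for st in google:gcp:pubsub:message google:gcp:pubsub:audit:change; do
        printf '[%s]\nTRUNCATE = %s\n\n' "$st" "$limit"
    done
}

# Example invocation on a constructed sample file of raw events:
# suggest_truncate /tmp/pubsub_sample_events.txt
```

Events cut off at the limit lose trailing fields, so size the sample from the largest messages you expect, audit events included.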
Last modified on 22 September, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

