Splunk Add-on for Google Cloud Platform


Upgrade the Splunk Add-on for Google Cloud Platform

After upgrading the Splunk Add-on for Google Cloud Platform from 4.3.0 to version 4.4.0 or higher, your Splunk platform deployment might receive duplicate events for the BigQuery Billing input(s) in the first invocation after the upgrade.

Upgrade to the latest version of the Splunk Add-on for Google Cloud Platform (GCP).

To better align with the Google Cloud Platform, and to provide a better understanding of the data coming from the cloud, the 4.0.0 release of the Splunk Add-on for Google Cloud Platform contains improvements to sourcetyping that affect the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, and google:gcp:pubsub:message source types.

These improvements provide more granular sourcetyping of incoming data from your GCP deployment, making investigations easier and simplifying the development of Splunk dashboards that use GCP data. After you upgrade to version 4.0.0 or higher, any inline searches, pivots, or reports that reference only the old source types will no longer match the GCP data ingested after the upgrade.

To ensure continuity of searches and reports on GCP data coming in after the upgrade to version 4.0.0 or later, review and perform steps in the Upgrade steps section of this topic.

Mapping table for version 4.0.0 source type enhancements

See the following table for information on which source type should be used when updating your search queries after upgrading to versions 4.0.0 and later.

Source type on versions 3.2.0 and earlier    Source type on versions 4.0.0 and later
-------------------------------------------  -------------------------------------------
google:gcp:pubsub:audit:change               google:gcp:pubsub:audit:admin_activity
google:gcp:pubsub:audit:auth                 google:gcp:pubsub:audit:data_access
google:gcp:pubsub:audit:change               google:gcp:pubsub:audit:system_event
google:gcp:pubsub:message                    google:gcp:pubsub:platform
google:gcp:pubsub:message                    google:gcp:pubsub:audit:policy_denied
google:gcp:pubsub:message                    google:gcp:pubsub:access_transparency
google:gcp:pubsub:message                    google:gcp:pubsub:message


Upgrade steps

To upgrade this add-on from versions 3.2.0 and earlier to versions 4.0.0 and later, perform the following steps.

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. Disable all running inputs.
  3. Upgrade to the latest version directly from Splunk web UI or upgrade using the downloaded add-on package.
    1. Upgrade to latest version directly from Splunk web UI
      • From the Splunk web home screen, click the gear icon (Manage Apps) next to Apps.
      • Check for Splunk Add-on for Google Cloud Platform in the list of Apps/Add-ons and click "Update to <latest version>".
      • Accept the license agreement, enter Splunkbase credentials and download/install the add-on.
    2. Upgrade the add-on using the downloaded add-on package
  4. Restart your Splunk platform.
  5. Enable all inputs.
  6. If you have constructed searches or reports that reference the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, or google:gcp:pubsub:message source types, update those queries so that, in addition to those source types, they also include the following new source types:
    • google:gcp:pubsub:audit:admin_activity
    • google:gcp:pubsub:audit:data_access
    • google:gcp:pubsub:audit:system_event
    • google:gcp:pubsub:audit:policy_denied
    • google:gcp:pubsub:access_transparency
    • google:gcp:pubsub:platform

    To search GCP data that was ingested into your Splunk platform deployment through this add-on before the upgrade to version 4.0.0 or later, your query needs the old source types. To search new GCP data that arrives after the upgrade, your query needs the new source types. Adding source types to your existing search queries and reports, instead of replacing them, lets you search both your old data and your new data and return results for both in the same query.

    For example, the following queries show a search before and after the upgrade. The second query returns both the old and the new source types:

    Query with old source types before upgrade to 4.0.0 or later:

    index="main" sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:message"

    Updated query with both old and new source types after upgrade to 4.0.0 or later:

    index="main" (sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:data_access") OR (sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:audit:admin_activity" OR sourcetype="google:gcp:pubsub:audit:system_event") OR (sourcetype="google:gcp:pubsub:message" OR sourcetype="google:gcp:pubsub:audit:policy_denied" OR sourcetype="google:gcp:pubsub:access_transparency" OR sourcetype="google:gcp:pubsub:platform")


    For more information, see the Mapping table for version 4.0.0 source type enhancements section of this topic.

    Event types have not been affected by the version 4.0.0 feature improvements. Searching on event types will stay the same as in previous versions. So if your search queries are based on event types and not source types, skip this step.


  7. Save your changes.
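Step 6 is easy to get wrong by hand when a deployment has many saved searches, and a missed or misspelled source type silently drops post-upgrade audit events from detections. The following script is an added example, not part of the Splunk documentation or the add-on: it encodes the mapping table above and rewrites an SPL search so that every legacy source type is expanded into an OR group that also matches its 4.0.0+ replacements. The regular expression for `sourcetype=` clauses, the function names, and the sample query are this example's own assumptions; it handles quoted and unquoted values, leaves wildcard source types untouched, and skips clauses whose replacements are already present so it can be run safely more than once.

```python
import re

# Mapping from the pre-4.0.0 source types to the source types that replaced
# them in 4.0.0 and later, taken from this topic's mapping table.
SOURCETYPE_MAP = {
    "google:gcp:pubsub:audit:auth": [
        "google:gcp:pubsub:audit:data_access",
    ],
    "google:gcp:pubsub:audit:change": [
        "google:gcp:pubsub:audit:admin_activity",
        "google:gcp:pubsub:audit:system_event",
    ],
    "google:gcp:pubsub:message": [
        "google:gcp:pubsub:platform",
        "google:gcp:pubsub:audit:policy_denied",
        "google:gcp:pubsub:access_transparency",
    ],
}

# Assumed pattern for a sourcetype clause in SPL: sourcetype="value" or
# sourcetype=value. '*' is part of the value class so wildcard clauses such as
# sourcetype="google:gcp:pubsub:*" are captured whole and left alone.
_SOURCETYPE_RE = re.compile(r'\bsourcetype\s*=\s*"?([A-Za-z0-9_:.*\-]+)"?')

# Constructed sample: the pre-upgrade query from this topic.
OLD_QUERY = (
    'index="main" sourcetype="google:gcp:pubsub:audit:auth" '
    'OR sourcetype="google:gcp:pubsub:audit:change" '
    'OR sourcetype="google:gcp:pubsub:message"'
)


def expand_sourcetype(old):
    """Return an OR group that matches the legacy source type and its replacements."""
    new = SOURCETYPE_MAP.get(old)
    if not new:
        return f'sourcetype="{old}"'
    terms = [f'sourcetype="{st}"' for st in [old] + new]
    return "(" + " OR ".join(terms) + ")"


def legacy_sourcetypes_in(query):
    """Return the set of legacy source types a query still references (for triage)."""
    return {st for st in _SOURCETYPE_RE.findall(query) if st in SOURCETYPE_MAP}


def upgrade_spl(query):
    """Rewrite a query so each legacy source type also matches its 4.0.0+ replacements.

    Clauses whose replacement source types are already present in the query are
    left unchanged, which makes the rewrite idempotent.
    """
    present = set(_SOURCETYPE_RE.findall(query))

    def repl(match):
        old = match.group(1)
        new = SOURCETYPE_MAP.get(old)
        if not new or set(new) <= present:
            return match.group(0)  # not a legacy type, or already upgraded
        return expand_sourcetype(old)

    return _SOURCETYPE_RE.sub(repl, query)


if __name__ == "__main__":
    print("Legacy source types found:", sorted(legacy_sourcetypes_in(OLD_QUERY)))
    print("Upgraded query:")
    print(upgrade_spl(OLD_QUERY))
```

Run it over the SPL of each saved search exported from your deployment and diff the result against the original before applying it; `legacy_sourcetypes_in` alone is enough to build a list of searches that still need attention after the upgrade.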

Google has deprecated regular file export of your Cloud Billing data to CSV and JSON. To export your Cloud Billing data for analysis, use Cloud Billing export to BigQuery.

To ingest Cloud BigQuery Billing data, you must delete your existing billing inputs before you upgrade to versions 3.2.0 and later of this add-on. After upgrading, you can then recreate your billing inputs.
See the Configure Cloud BigQuery Billing inputs for the Splunk Add-on for Google Cloud Service topic in this manual.

Last modified on 29 January, 2024