Splunk® Supported Add-ons

Splunk Add-on for Google Cloud Platform


Upgrade the Splunk Add-on for Google Cloud Platform

Upgrade to the latest version of the Splunk Add-on for Google Cloud Platform (GCP).

To better align with the Google Cloud Platform, and to provide a better understanding of the data coming from the cloud, the 4.0.0 release of the Splunk Add-on for Google Cloud Platform contains improvements to sourcetyping that affect the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, and google:gcp:pubsub:message source types.

These improvements provide more granular sourcetyping of incoming data from your GCP deployment, which makes investigations easier and simplifies the development of Splunk dashboards that use GCP data. After you upgrade to version 4.0.0 or higher, any inline searches, pivots, or reports that use the old source types will no longer match GCP data ingested after the upgrade.

To ensure continuity of searches and reports on GCP data coming in after the upgrade to version 4.0.0 or later, review and perform the steps in the Upgrade steps section of this topic.

Mapping table for version 4.0.0 source type enhancements

See the following table for information on which source type should be used when updating your search queries after upgrading to versions 4.0.0 and later.

Source type on versions 3.2.0 and earlier     Source type on versions 4.0.0 and later
-------------------------------------------   ------------------------------------------
google:gcp:pubsub:audit:change                google:gcp:pubsub:audit:admin_activity
google:gcp:pubsub:audit:auth                  google:gcp:pubsub:audit:data_access
google:gcp:pubsub:audit:change                google:gcp:pubsub:audit:system_event
google:gsuite:pubsub:message                  google:gcp:pubsub:platform
google:gsuite:pubsub:message                  google:gcp:pubsub:audit:policy_denied
google:gsuite:pubsub:message                  google:gcp:pubsub:access_transparency
google:gcp:pubsub:message                     google:gcp:pubsub:message

Upgrade steps

To upgrade this add-on from versions 3.2.0 and earlier to versions 4.0.0 and later, perform the following steps.

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. In Splunk Web, navigate to Settings > Data Inputs and click Splunk Add-on for Google Cloud Platform.
  3. Upgrade the add-on to version 4.0.0 either by clicking the Upgrade button, or by following the installation steps in the Install topic of this manual.
  4. For Splunk Enterprise users, run the _bump endpoint to reload JavaScript (.js) files from the Splunk server:
    1. Using a web browser, navigate to http://<host_ip>:<web_port>/<locale_string>/_bump.
    2. Click the Bump Version button to apply the upgraded .js file changes.
  5. If you have constructed searches or reports that reference the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, or google:gcp:pubsub:message source types, you must update those queries so that they include, in addition to the aforementioned source types, the following new source types:
    • google:gcp:pubsub:audit:admin_activity
    • google:gcp:pubsub:audit:data_access
    • google:gcp:pubsub:audit:system_event
    • google:gcp:pubsub:access_transparency
    • google:gcp:pubsub:audit:policy_denied
    • google:gcp:pubsub:platform
    • google:gcp:pubsub:message

    To search GCP data that was ingested into your Splunk platform deployment through this add-on before your upgrade to version 4.0.0 or later, you still need the old source types in your query. To search GCP data that arrives after the upgrade, you need to add the new source types. Adding source types to your existing searches and reports, instead of replacing them, lets a single query return results from both your old data and your new data.

    For example, the following queries show a search before the upgrade and the same search updated to cover both the old and new source types:

    Query with old source types before upgrade to 4.0.0 or later:

    index="main" sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:message"

    Updated query with both old and new source types after upgrade to 4.0.0 or later:

    index="main" sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:audit:data_access" OR sourcetype="google:gcp:pubsub:audit:admin_activity" OR sourcetype="google:gcp:pubsub:audit:system_event" OR sourcetype="google:gcp:pubsub:platform" OR sourcetype="google:gcp:pubsub:audit:policy_denied" OR sourcetype="google:gcp:pubsub:access_transparency" OR sourcetype="google:gcp:pubsub:message"

    For more information, see the Mapping table for version 4.0.0 source type enhancements section of this topic.

    Event types are not affected by the version 4.0.0 improvements, and searches based on event types work the same as in previous versions. If your search queries use event types rather than source types, skip this step.

  6. Save your changes.
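As an added example that is not part of this manual or the add-on itself, the following Python script applies the mapping table above to a set of saved searches: it reports which searches still reference only the old source types (and would silently stop matching new GCP data after the upgrade) and rewrites each old sourcetype term into an OR group that keeps the old name and adds the new ones, as step 5 describes. The sample saved searches and the event type name gcp_pubsub_audit are constructed for illustration; the source type names come from the mapping table in this topic.

```python
import re

# Old (3.2.0 and earlier) -> new (4.0.0 and later) source types, taken from the
# mapping table in this topic. google:gcp:pubsub:message keeps its name.
SOURCETYPE_MAP = {
    "google:gcp:pubsub:audit:change": [
        "google:gcp:pubsub:audit:admin_activity",
        "google:gcp:pubsub:audit:system_event",
    ],
    "google:gcp:pubsub:audit:auth": [
        "google:gcp:pubsub:audit:data_access",
    ],
    "google:gsuite:pubsub:message": [
        "google:gcp:pubsub:platform",
        "google:gcp:pubsub:audit:policy_denied",
        "google:gcp:pubsub:access_transparency",
    ],
    "google:gcp:pubsub:message": [
        "google:gcp:pubsub:message",
    ],
}

# Matches a quoted sourcetype="value" or an unquoted sourcetype=value term in SPL.
SOURCETYPE_TERM = re.compile(r'sourcetype\s*=\s*(?:"([^"]*)"|([^\s()]+))')


def _value(match):
    """Return the source type named by a regex match, quoted or not."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def referenced_sourcetypes(search):
    """Every source type a search string names explicitly."""
    return {_value(m) for m in SOURCETYPE_TERM.finditer(search)}


def missing_sourcetypes(search):
    """New source types the search needs after the upgrade but does not yet name.

    A search built on event types names no source type here, so it needs no
    change, matching the note in step 5.
    """
    present = referenced_sourcetypes(search)
    needed = set()
    for old, new_types in SOURCETYPE_MAP.items():
        if old in present:
            needed.update(new_types)
    return sorted(needed - present)


def expand_search(search):
    """Rewrite each old sourcetype term into (old OR new ...).

    The old source type is kept so data ingested before the upgrade still
    matches; the new ones are added so data ingested afterwards matches too.
    Unknown or unchanged source types are left untouched.
    """
    def replace(match):
        old = _value(match)
        additions = [s for s in SOURCETYPE_MAP.get(old, []) if s != old]
        if not additions:
            return match.group(0)
        terms = [match.group(0)] + [f'sourcetype="{s}"' for s in additions]
        return "(" + " OR ".join(terms) + ")"
    return SOURCETYPE_TERM.sub(replace, search)


def audit_saved_searches(searches):
    """Map each saved-search name to the new source types it still lacks.

    Searches that need no change are omitted, so an empty result means the
    whole set is ready for the upgrade.
    """
    report = {}
    for name, spl in searches.items():
        missing = missing_sourcetypes(spl)
        if missing:
            report[name] = missing
    return report


# Constructed sample of saved searches; not taken from any real deployment.
SAMPLE_SEARCHES = {
    "gcp_admin_changes": 'index="main" sourcetype="google:gcp:pubsub:audit:change" | stats count by sourcetype',
    "gcp_data_access": 'index="main" sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:message"',
    # Hypothetical event type name: event types are unaffected by the upgrade.
    "gcp_by_eventtype": 'eventtype="gcp_pubsub_audit" | timechart count',
}

if __name__ == "__main__":
    for name, missing in audit_saved_searches(SAMPLE_SEARCHES).items():
        print(f"{name}: add {', '.join(missing)}")
        print("  ->", expand_search(SAMPLE_SEARCHES[name]))
```

Run the audit before the upgrade and again after rewriting: when audit_saved_searches returns an empty dictionary, every saved search that referenced an old source type now also names its replacements, and detections built on those searches keep matching data ingested on either side of the upgrade.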

Google has deprecated regular file export of your Cloud Billing data to CSV and JSON. To export your Cloud Billing data for analysis, use Cloud Billing export to BigQuery.

To ingest Cloud BigQuery Billing data, you must delete your existing billing inputs before you upgrade to versions 3.2.0 and later of this add-on. After upgrading, you can then recreate your billing inputs. See the Configure Cloud BigQuery Billing inputs for the Splunk Add-on for Google Cloud Service topic in this manual.

Last modified on 22 September, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released
