Splunk Add-on for Google Workspace

Configure the Splunk Add-on for Google Workspace

Perform the following steps to configure the Splunk Add-on for Google Workspace to collect data from your Google Workspace deployment.

Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.

Add your Google Workspace account information

Add your Google Workspace account information to the Splunk Add-on for Google Workspace using Splunk Web

  1. On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
  2. Click on the Configuration tab.
  3. On the Accounts tab, click the Add button.
  4. In the Add Accounts window, enter the following information:
    1. In the Name field, create a name for your account.
    2. If you are adding a service account to collect activity reports, in the Username field, enter the email address that has the role of Organization Administrator for the same project where you created your service account.
      If you are adding a service account to collect Gmail logs, you can leave this field blank.
    3. In the Certificate field, paste the contents of the JSON key file that you created in the Keys section of your Google Cloud Platform deployment.
    4. Click the Add button.

Configure activity report data collection using Splunk Web

  1. On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
  2. Click on the Inputs tab.
  3. On the Inputs tab, click the Create New Input button.
  4. In the Add Activity window, fill in the required fields:
     Name: A unique name for the new data input.
     Application Name: The API that the Splunk software uses to collect your data. Available values are Admin, Login, Drive, SAML, OAuth Token, Context-Aware Access, Google Calendar, Google Cloud Platform, Enterprise Groups, or Rules.
     Interval: Time interval of the data input, in seconds.
     Lookback Offset: The lag time, in seconds, to wait before collecting events. Different inputs have different data lag times, so the value depends on the application selected. For recommended values, see the Data retention and lag times topic in the Google Workspace Admin Help manual.
     Service Account to use: The connected GWS service account.
     Index: Name of the destination index.
  5. Click the Add button.

Configure Gmail headers data collection

Configure Gmail headers data collection for the Splunk Add-on for Google Workspace using Splunk Web

  1. On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
  2. Click on the Inputs tab.
  3. On the Inputs tab, click the Create New Input button.
  4. Click Gmail Logs. If you are a customer who has already migrated to Google Workspace logs and reports in BigQuery, you must choose the Gmail Logs Migrated input.
  5. In the Add Gmail Logs window, fill in the required fields:
     Name: A unique name for the new data input.
     Interval: Time interval of the data input, in seconds.
     Service account to use: The Google Cloud Platform service account created for Gmail logs.
     Dataset name: The BigQuery dataset name.
     Dataset location: The BigQuery dataset location name (US or EU).
     GCP Project ID: The Google Cloud Platform project ID where the Gmail logs BigQuery export was enabled.
     Index: Name of the destination index.
  6. Click the Add button.

Configure Gmail User Identity data collection

Configure Gmail User Identity collection for the Splunk Add-on for Google Workspace using Splunk Web

  1. On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
  2. Click on the Inputs tab.
  3. On the Inputs tab, click the Create New Input button.
  4. Click GWS Users Identity.
  5. In the Add GWS User Identity List window, fill in the required fields:
     Name: A unique name for the new data input.
     Interval: Time interval of the data input, in seconds.
     GWS Service Account: The Google Cloud Platform service account created for Gmail logs.
     GWS Customer ID: The GWS customer ID that will be used for the identity list. To find the customer ID, see Find your customer ID in the Google Workspace Admin Help.
     Index: Name of the destination index.
  6. Click the Add button.

Configure Alert Center data collection using Splunk Web

  1. On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
  2. Click on the Inputs tab.
  3. On the Inputs tab, click the Create New Input button.
  4. In the Add Alert Center window, fill in the required fields:
     Name: A unique name for the new data input.
     Interval: Time interval of the data input, in seconds.
     GWS Service Account: The Google Cloud Platform service account created for Gmail logs.
     Alert source: The alert source to collect data from. There are two options: Gmail phishing and Everything except Gmail phishing. The Gmail phishing option has a 4 hour delay and the Everything except Gmail phishing option has a 10 minute delay. See View alert details in the Google Workspace Admin Help.
     Index: Name of the destination index.
  5. Click the Add button.

Create an identity lookup in Splunk Enterprise Security

Integration can be done through the Custom event type. The following event type is configured in the Splunk Add-on for Google Workspace: gws_users_identity

For information on using cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis in Splunk Enterprise Security, see the Create an identity lookup from your cloud service provider data in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.

Configure the Splunk Add-on for Google Workspace through inputs.conf

You can create an inputs.conf file and configure the Splunk Add-on for Google Workspace in this file, instead of using Splunk Web.

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_Google_Workspace/, and create a local folder, if one does not exist.
  2. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_Google_Workspace/local folder.
  3. Using a text editor, open the inputs.conf file.
  4. Add the following stanza and lines, replacing the values with your deployment's configuration:

    # One activity_report stanza per input; <input name> becomes the input's name in Splunk Web
    [activity_report://<input name>]
    # Name of the account you added on the Configuration > Accounts tab
    account = test1
    # API to collect from (the Application Name field in Splunk Web)
    application = admin
    # Destination index
    index = activities_token
    # Polling interval, in seconds
    interval = 3600
    # Lookback offset, in seconds, to allow for Google's data lag
    lookbackOffset = 10800

  5. Save the file.
  6. Restart your Splunk instance for the new input to take effect.
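The following is an added example, not part of the Splunk documentation or the add-on, that lints the activity_report stanzas described above before you restart Splunk: it parses the INI-style inputs.conf, reports required keys that are missing or still hold the `<...>` placeholders from the template, and rejects interval and lookbackOffset values that are not whole seconds. It assumes the five keys shown in the stanza above are the required set and does not check the other input types.

```python
# Added example, not from the Splunk docs: lint activity_report stanzas in a
# Splunk_TA_Google_Workspace inputs.conf before restarting Splunk.
import configparser
import io

REQUIRED_KEYS = ("account", "application", "index", "interval", "lookbackOffset")
PREFIX = "activity_report://"

def parse_inputs_conf(text):
    """Parse inputs.conf text (INI-style) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so lookbackOffset is not lowercased
    cp.read_file(io.StringIO(text))
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}

def check_activity_report(stanza, keys):
    """Return the problems found in one activity_report stanza (empty = OK)."""
    name = stanza[len(PREFIX):] if stanza.startswith(PREFIX) else ""
    if not name or "<" in name:  # no name, or the doc's '<input name>' left in
        return [f"[{stanza}]: header must be {PREFIX}<input name> with a real name"]
    problems = []
    for key in REQUIRED_KEYS:
        value = keys.get(key, "").strip()
        if not value:
            problems.append(f"[{stanza}]: missing required key '{key}'")
        elif "<" in value:
            problems.append(f"[{stanza}]: '{key}' still holds a placeholder: {value}")
    for key in ("interval", "lookbackOffset"):  # both are whole seconds
        if keys.get(key, "").strip() and not keys[key].strip().isdigit():
            problems.append(f"[{stanza}]: '{key}' must be an integer of seconds, got '{keys[key]}'")
    return problems

def lint_inputs_conf(text):
    """Lint every activity_report stanza; other input types are not checked here."""
    return [p for stanza, keys in parse_inputs_conf(text).items()
            if stanza.startswith(PREFIX) for p in check_activity_report(stanza, keys)]

# Constructed sample: the first stanza is valid; the second has a placeholder
# left in 'account', a non-numeric interval, and three required keys missing.
SAMPLE = """[activity_report://gws_admin]
account = test1
application = admin
index = activities_token
interval = 3600
lookbackOffset = 10800
[activity_report://gws_admin_broken]
account = <service account name>
interval = 1h
"""
```

Run `lint_inputs_conf(open(path).read())` against your local inputs.conf; an empty list means every activity_report stanza passed the checks.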
Last modified on 12 April, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released