Troubleshoot the Splunk Add-on for Google Workspace
General troubleshooting
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Sample sourcetype searches
Perform the following searches, based on sourcetype, in your Splunk platform deployment in order to verify data ingestion.
Sourcetype | Sample search |
---|---|
gws:reports:admin | |
gws:reports:drive | |
gws:gmail | |
gws:reports:login | |
gws:reports:oauthtoken | |
gws:reports:saml | |
No events appearing in the Splunk platform
If no events are showing up in your Splunk platform, and you have checked the internal Splunk software logs and your Splunk Add-on for Google Workspace, perform the following troubleshooting steps to confirm that you have enabled domain-wide delegation for the service account that you are using.
- Log in to your Google Cloud service account.
- Copy the Client ID of this service account.
- Navigate to https://admin.google.com/ac/owl/domainwidedelegation.
- Check if the Client ID for your service account contains the https://www.googleapis.com/auth/admin.reports.audit.readonly scope. If it is not there, add your Client ID, and specify the https://www.googleapis.com/auth/admin.reports.audit.readonly scope.
- Navigate to https://console.cloud.google.com/iam-admin/iam.
- Check if the account you are using for the Username field contains the Organization Administrator role.
- Navigate to the Certificate field.
- Verify that you added the entire JSON file that you downloaded as a key for your service account.
- Save your changes.
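The Certificate check in the steps above can be done offline before you paste the key. The following is an added example, not code from Splunk or from the add-on: it checks that the text is a complete service account JSON key and returns the Client ID to compare against the domain-wide delegation page. The required-field list is an assumption based on the standard Google Cloud JSON key layout, and the sample key is constructed.

```python
import json

# Fields of a Google Cloud service account JSON key that this check requires.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")
# Scope named in the troubleshooting steps above.
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Constructed sample for illustration only: not a real key or account.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "client_email": "splunk-gws@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}, indent=2)


def check_service_account_key(text):
    """Return (problems, client_id) for text pasted into the Certificate field."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        # A partial paste usually fails here, for example a missing closing brace.
        return [f"not valid JSON (truncated paste?): {exc.msg}"], None
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"], None
    problems = [f"missing or empty field: {name}"
                for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "", "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = str(key.get("private_key") or "").strip()
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    # Only the Client ID is returned; the key material is never echoed.
    return problems, key.get("client_id") or None


if __name__ == "__main__":
    problems, client_id = check_service_account_key(SAMPLE_KEY)
    for problem in problems:
        print("PROBLEM:", problem)
    if client_id:
        print(f"Compare Client ID {client_id} with the domain-wide delegation "
              f"entry that should list {REPORTS_SCOPE}")
```

An empty problem list means only that the key file is structurally complete; the delegation scope and the Organization Administrator role still have to be confirmed in the Google consoles as described in the steps.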
Unable to ingest Gmail logs
In the third quarter of 2022, Google announced a change to logs routing in BigQuery. As a result, all new Google Workspace customers, as well as all existing Workspace customers that fully migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery, will not be able to collect Gmail logs using versions 2.4.0 and earlier of the Splunk Add-on for Google Workspace.
Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called "Gmail Logs Migrated" and has all of the same parameters as the "Gmail Logs" modular input. The format of the log has not changed after the migration, and no changes are needed to the Common Information Model (CIM) field mappings for the migrated data.
To collect Gmail logs using the Splunk Add-on for Google Workspace, upgrade your deployment to version 2.4.1 or later. See the Google announcement titled Unified experience for Gmail logs in BigQuery, and configure your existing Gmail logs to route to Workspace logs.
For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.
401 Error: Access denied
If you receive a 401 error, check that the correct credentials are used to configure the Splunk Add-on for Google Workspace. You can check your service account for all the permissions needed for the inputs configured. See Configure your Google Cloud Service account for more information.
This documentation applies to the following versions of Splunk® Supported Add-ons: released