Splunk® Supported Add-ons

Splunk Add-on for Google Workspace

Troubleshoot the Splunk Add-on for Google Workspace

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Sample sourcetype searches

Perform the following searches, based on sourcetype, in your Splunk platform deployment in order to verify data ingestion.

Sourcetype Sample search
gws:reports:admin

sourcetype="gws:reports:admin"

gws:reports:drive

sourcetype="gws:reports:drive"

gws:gmail

sourcetype="gws:gmail"

gws:reports:login

sourcetype="gws:reports:login"

gws:reports:oauthtoken

sourcetype="gws:reports:oauthtoken"

gws:reports:saml

sourcetype="gws:reports:saml"

No events appearing in the Splunk platform

If no events are showing up in your Splunk platform, and you have checked the internal Splunk software logs and your Splunk Add-on for Google Workspace, perform the following troubleshooting steps to confirm that you have enabled domain-wide delegation for the service account that you are using.

  1. Log into your Google Cloud service account.
  2. Copy Client ID of this service account
  3. Navigate to https://admin.google.com/ac/owl/domainwidedelegation.
  4. Check if the Client ID for your service account contains the https://www.googleapis.com/auth/admin.reports.audit.readonly scope. If it is not there, add your Client ID, and specify the https://www.googleapis.com/auth/admin.reports.audit.readonly scope.
  5. Navigate to https://console.cloud.google.com/iam-admin/iam.
  6. Check if the account you are using for the Username field contains the Organization Administrator role.
  7. Navigate to the Certificate field.
  8. Verify that you added the entire JSON file that you downloaded as a key for your service account.
  9. Save your changes.

Unable to ingest Gmail logs

In the third quarter of 2022, Google announced a change to logs routing in BigQuery. As a result, all new Google Workspace customers, as well as all existing Workspace customers that fully migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery, will not be able to collect Gmail logs using versions 2.4.0 and earlier of the Splunk Add-on for Google Workspace.

Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called "Gmail Logs Migrated" and has all of the same parameters as the "Gmail Logs" modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data.

To collect Gmail logs using the Splunk Add-on for Google Workspace, upgrade your deployment to version 2.4.1 or later. See the Google announcement titled Unified experience for Gmail logs in BigQuery, configure your existing Gmail logs to route to Workspace logs.

For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.

401 Error: Access denied

If you receive a 401 error, please check if the correct credentials are used to configure the Splunk Add-on for Google Workspace. You can check your service account for all the permissions needed for the inputs configured. See Configure your Google Cloud Service account for more information.

Last modified on 26 July, 2024
Configure the Splunk Add-on for Google Workspace   REST API reference

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters