icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading G Suite For Splunk
SHA256 checksum (g-suite-for-splunk_131.tgz) b163749f721148b77d96aed4f9110e25456abd7077d09cc0835a70fa85a4f20a
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

G Suite For Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
The G Suite app for Splunk allows a G Suite Administrator to consume various data from Google APIs.

Welcome to G Suite for Splunk Apps documentation!


About G Suite For Splunk

Author Kyle Smith
App Version 1.3.1
App Build 261
Vendor Products G Suite utilizing OAuth2
Has index-time operations true, the included TA add-on must be placed on the indexers
Creates an index false
Implements summarization Currently, the app does not generate summaries

About G Suite For Splunk

G Suite For Splunk allows a Splunk Enterprise administrator to interface with G Suite, consuming the usage and administrative logs provided by Google. The limitations on collection times are specified: https://support.google.com/a/answer/7061566 .

Scripts and binaries

This App provides the following scripts:

ga.py This python file controls the ability to interface with the Google APIs.
ga_authorize.py This Python custom endpoint allows the authorization of the App to G Suite For Splunk from the web UI.
Diag.py Allows diag-targeted collection of information.
ModularInput.py Inheritable Class to create Modular Inputs
Utilities.py Allows utility interactions with Splunk Endpoints


Release notes

Version 1.3.1

  • Bug

    • [GSUITE-13] - Compiled Library caused AppInspect Exception

Version 1.3.0

  • Bug

    • [GSUITE-8] - IA Builder Multi MI
    • [GSUITE-10] - Remove Sheets after Successful Creation of Input
    • [GSUITE-11] - Error Messages on Data Not Found - Usage reports
  • New Feature

    • [GSUITE-6] - Google Drive Import Export for Sheets and Lookups
    • [EXPERIMENTAL] - BigQuery Integration for GMAIL Logs
  • Improvement

    • [GSUITE-5] - Update Auth to be Front End Only
    • [GSUITE-7] - Refactor GA for Scale
    • [GSUITE-9] - Waiting Indicator for Sheet Names

Version 1.2.3

  • Improvement

    • Remove a logging line.

Version 1.2.2

  • Bug

    • [ASA-245] - Chrome OS API doesnt work
    • [ASA-248] - Timezone Python Error
  • New Feature

    • [ASA-233] - Enrich Google Drive reporting with Drive information
  • Improvement

    • [ASA-164] - Create CIM Fields for Google Apps for Splunk
    • [ASA-228] - G Suite - new dashboard - Token Usage
    • [ASA-231] - Fix Security Concern (file handlers)

Version 1.2.1


  • Bug

    • [ASA-218] - Fix the Extra Config not validating on empty object
  • New Feature

    • [ASA-216] - Update GSuite to store json credentials in encrypted store.
  • Improvement

    • [ASA-211] - Fix Timezone Translation
    • [ASA-217] - Add additional data feed

Version 1.2.0

  • Adds the analytics:report, and analytics:metadata reports (advanced)

  • Adds the report:mobile and report:groups reports (included in report:all)

  • Adds the usage:customer, usage:user, and usage:chrome reports.

  • Support

    • [ASA-11] - Setup page malfunction
    • [ASA-57] - Proxy Support for GApps
  • Bug

    • [ASA-2] - Docs/Drive/Calendar events not timestamping correctly
    • [ASA-3] - Missed Audit Events
    • [ASA-4] - Failure for Usage Events (customer/user)
    • [ASA-5] - Historical Days Configuration Option
    • [ASA-6] - Transforms are old and deprecated
    • [ASA-12] - Setup.xml
    • [ASA-13] - Authorize_Splunk dashboard reset
    • [ASA-20] - Failure to load checkpoint
    • [ASA-41] - Authorization Failure on HF
    • [ASA-120] - Header breaks with 6.5 compat
    • [ASA-198] - Controller Endpoints not supported.
  • New Feature

    • [ASA-19] - Error Dashboard
    • [ASA-103] - Add Access to Google Analytics API
    • [ASA-126] - MC Checklist and Health Path
    • [ASA-206] - Chrome OS Devices
  • Improvement

    • [ASA-9] - Google API - 1 hour buffer.
    • [ASA-10] - debug/refresh endpoint causes modular input to fire
    • [ASA-37] - Support Proxy for calls
    • [ASA-115] - Update MI for backfill

About this release

Version 1.3.1 of G Suite For Splunk is compatible with:

Splunk Enterprise versions 6.6, 7.0
Platforms Splunk Enterprise


Known Issues

Version 1.3.1 of G Suite For Splunk has the following known issues:

Support and resources

Questions and answers

Access questions and answers specific to G Suite For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.


Support is available via email at splunkapps@kyleasmith.info. You can also find the author on IRC (#splunk on efnet.org) or Slack. Feel free to email or ping, most responses will be within 1-2 business days.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.


Download G Suite For Splunk at https://splunkbase.splunk.com.

Installation steps

NOTE: Where referenced, the IA-GSuiteForSplunk and TA-GSuiteForSplunk versions of this App are located on Splunkbase.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Deploy as you would any App, and restart Splunk.
  2. Install IA-GSuiteForSplunk.
  3. Configure.

Deploy to Splunk Cloud

1. Have your Splunk Cloud Support handle this installation. Do NOT install the IA on the same system as the App. 1. You may consider using an on-premise Heavy Forwarder to install IA-GSuiteForSplunk, and send the logs to Splunk Cloud.

Deploy to a Distributed Environment

1. For each Search Head in the environment, deploy a non-configured copy of the App. DO NOT SEND TA or IA to a Search Head Cluster (SHC). 1. For each indexer in the environment, deploy a copy of the TA-GSuiteForSplunk Add-On that is located as mentioned above. 1. For a single Data Collection Node OR Heavy Forwarder (a full instance of Splunk is required), install IA-GSuiteForSplunk and configure through the GUI.

User Guide

Key concepts for G Suite For Splunk

Configure G Suite For Splunk for use with G Suite Admin Reporting.

Requires: Admin SDK API, and Google Drive API Optional: Google Analytics Reporting API Each API endpoint has individual APIs that need to be enabled within https://console.developers.google.com.

    • report:[all, groups, mobile, admin, calendar, drive, login, token, rules, saml, gplus, chat]

      1. These input service names require the Admin SDK API enabled.
      2. Additionally, the drive report requires the Google Drive API enabled.
      3. These inputs generally do not require Extra Configuration options in the Modular Input. An empty {} is still needed where advanced features are not.
      4. These inputs should be adjusted per Google guidelines for the different activities.
      5. By default, the Modular Input will only pull the previous 24 hours of data to prevent memory overflows.
    • analytics:[metadata, report]

      1. These input service names require the Analytics Reporting API v4 and Analytics API APIs enabled.
      2. These inputs do require Extra Configuration. These inputs should not be enabled lightly, and require a little bit of prior research and planning.
    • usage:[customer, user, chrome]

      1. These input service names require the same as the report services.

        • These inputs can have extra configuration, namely historical_days to do the initial data ingestion.

          1. When configuring the modular input, use the Extra Configuration option of {historical_days: 180}
      2. IMPORTANT: BE CAREFUL WITH USER REPORTING. If you ingest 365 days of data (back fill the information), you will end up with 365 * # of users events to pull and could cause a Splunk/System failure.

      3. If you see a 404 Error in the logs relating to the usage reports, THESE ARE NORMAL.

Configure G Suite For Splunk for use with Google Spreadsheets

Requires: Google Sheets API

  1. When setting up the modular input, make sure you grab the Spreadsheet ID from the URL of the spreadsheet you need. Auto-discovery of available spreadsheets is not available (but an ER is in for it).

Spreadsheet Destinations

    • Index

      1. Takes the information from the sheet and indexes it to the specified index. This is useful to get lookups from a Heavy Forwarder to a Search head.
      2. Use the provided Dashboard to re-assemble via saved scheduled search.
    • KVStore

      1. Takes the information from the sheet and places it into a KVStore collection.
      2. It will create the needed collections and transforms if needed.
      3. Order of the COLUMNS is NOT kept, and the KVStore will be sorted via ASCII sort based on the column name.
    • Ordered KVStore

      1. Takes the information from the sheet and places it into a KVStore collection.
      2. It will create the needed collections and transforms if needed.
      3. Order of the COLUMNS IS kept, the column names are stored in ROW 0
    • CSV Lookup

      1. Takes the information from the sheet and places it into a CSV based lookup.
      2. It will create the needed transforms if needed.
      3. Order of the COLUMNS is NOT kept, and the CSV lookup will be sorted via ASCII sort based on the column name.
    • Ordered CSV Lookup

      1. Takes the information from the sheet and places it into a CSV based lookup.
      2. It will create the needed transforms if needed.
      3. Order of the COLUMNS IS kept, the column names are stored in ROW 0.

Configure G Suite For Splunk for use with Google BigQuery

Requires: `BigQuery API

NOTE: This is EXPERIMENTAL. Enjoy breaking the input. This section to be updated when working correctly.


IMPORTANT: You must Authorize the APIS with the SAME USER that allowed access to the APIs in the developer console (for GSuite customers - GCP see below).

Overview of authorization procedures are found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#overview.

GCP Users: It has been tested to use an Credential generated in the GCP console (same credential type as outlined on the OAuth App Config page). You can use an authorized admin to Approve the OAuth Scopes. It is unknown what happens when the approving Admin user account is disabled.

Modular Input

NOTE: You will need to configure a new modular input for each domain

  1. Follow the steps on the Application Configuration dashboard to configure the modular input.

NOTE: After testing in a much bigger environment, weve been able to set these recommendations for intervals. You will need 4 modular input definitions.

  1. calendar, token, mobile, groups, login, saml, Chrome OS Devices #. These are done at an cron interval of 15 */4 * * *
  2. drive #. Drive is done at a seconds interval of 600 - 1200 depending on organization size, and traffic flow of drive operations.
  3. Usage - User, Customer #. These are done at a seconds interval of 86400
  4. admin, rules, chat, gplus #. These are done at a seconds interval of 600


By default all events will be written to the main index. You should change the index in the configuration files to match your specific index.

Configure Proxy Support

This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard, and then choose it during the modular input configuration. The proxy name MUST BE gapps_proxy for the authorization to work correctly.

Troubleshoot G Suite For Splunk

  1. Check the Monitoring Console (>=v6.5) for errors
  2. Visit the Application Health dashboard
  3. Search for eventtype=googleapps_error


As of v1.2.2 of this app, we should support version 4.10 of the CIM.


There are portions of this app that are experimental, or you might see odd code. This is for some up coming features, might work, might not.


G Suite For Splunk contains no lookup files.

Event Generator

G Suite For Splunk does not make use of an event generator. This allows the product to display data, when there are no inputs configured.


  1. Summary Indexing: No
  2. Data Model Acceleration: No
  3. Report Acceleration: No

Binary File Declaration

  1. bin/google/protobuf/internal/_api_implementation.so is apparently a binary file. Required for Google Things.
  2. bin/google/protobuf/internal/_message.so is apparently a binary file. Required for Google Things.

Third Party Notices

Version 1.3.1 of G Suite For Splunk incorporates the following Third-party software or third-party services.

Google Apps APIs

Please visit https://developers.google.com/google-apps/ for full terms and conditions.

2019, alacercogitatus. | Powered by Sphinx 1.6.4 & Alabaster 0.7.10

Release Notes

Version 1.3.1
March 11, 2019



Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.