| Property | Value |
|---|---|
| Vendor Products | G Suite utilizing OAuth2 |
| Has index-time operations | true, the included TA add-on must be placed on the indexers |
| Creates an index | false |
| Implements summarization | Currently, the app does not generate summaries |
About G Suite For Splunk
G Suite For Splunk allows a Splunk Enterprise administrator to interface with G Suite, consuming the usage and administrative logs provided by Google. The limitations on collection times are specified at https://support.google.com/a/answer/7061566 .
This App provides the following scripts:
| Script | Description |
|---|---|
| ga.py | This Python file controls the ability to interface with the Google APIs. |
| ga_authorize.py | This Python custom endpoint allows the authorization of the App to G Suite For Splunk from the web UI. |
| Diag.py | Allows diag-targeted collection of information. |
| ModularInput.py | Inheritable class to create Modular Inputs. |
| Utilities.py | Allows utility interactions with Splunk endpoints. |
NOTE: THIS IS A BREAKING VERSION. YOU MUST REAUTHORIZE THE CLIENT BEFORE THE APP WILL POPULATE DATA.
- Adds the analytics:report and analytics:metadata reports (advanced)
- Adds the report:mobile and report:groups reports (included in report:all)
- Adds the usage:customer, usage:user, and usage:chrome reports
Version 1.3.1 of G Suite For Splunk is compatible with:
| Component | Versions |
|---|---|
| Splunk Enterprise versions | 6.6, 7.0 |
Version 1.3.1 of G Suite For Splunk has the following known issues:
According to Stack Overflow, there are indications that the Google Apps Admin API has an unspecified delay introduced into the events that are collected. This is most likely due to how Google collects the events and the global nature of the events. To mitigate this issue, the G Suite For Splunk Modular Input has a built-in delay in the consumption of events equal to the run interval: if you run the modular input every 30 minutes, events will be delayed by 30 minutes; if you run it every hour, events will be delayed by 1 hour.
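As an added illustration (not code from the app's own ga.py), the following Python models why that built-in delay matters: the end of each request window is held back by the run interval, so an event that Google surfaces late is still swept up by a later run instead of being skipped forever. The polling loop, the event records and the timestamps are constructed for the example; only the RFC 3339 startTime/endTime convention is the Reports API's.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
T = datetime(2018, 3, 1, 9, 0, tzinfo=UTC)  # constructed base time

# Constructed sample events: "time" is when the event happened, "visible_at"
# is when Google's API first returned it. login-1 surfaces 15 minutes late.
SAMPLE_EVENTS = [
    {"id": "login-1", "time": T + timedelta(minutes=55),
     "visible_at": T + timedelta(minutes=70)},
    {"id": "drive-2", "time": T + timedelta(minutes=40),
     "visible_at": T + timedelta(minutes=42)},
]
# Constructed run schedule: the input fires every 30 minutes.
POLL_TIMES = [T + timedelta(minutes=m) for m in (60, 90, 120)]


def rfc3339(ts):
    """Format a UTC datetime the way the Reports API startTime/endTime expect."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def report_window(now, checkpoint, lag_minutes):
    """Window [checkpoint, now - lag) to request on this run, or None.

    Holding 'end' back by the run interval means an event that happened inside
    the window but has not yet been surfaced by Google is asked for again on
    the next run rather than falling behind a checkpoint that already passed it.
    """
    end = now - timedelta(minutes=lag_minutes)
    if end <= checkpoint:
        return None
    return checkpoint, end


def simulate(events, first_checkpoint, poll_times, lag_minutes):
    """Run a fake Reports API poll loop; returns the ids actually collected.

    The fake API only returns an event if its event time is inside the
    requested window AND the event has already become visible.
    """
    checkpoint, collected = first_checkpoint, []
    for now in poll_times:
        window = report_window(now, checkpoint, lag_minutes)
        if window is None:
            continue
        start, end = window
        for ev in events:
            if start <= ev["time"] < end and ev["visible_at"] <= now:
                collected.append(ev["id"])
        checkpoint = end  # advance only to the end we actually requested
    return collected
```

With no lag the 10:00 run advances the checkpoint past login-1 before Google returns it, so only drive-2 is collected; with a 30-minute lag both events are collected by the 10:30 run.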
These are the currently requested scopes:
Access questions and answers specific to G Suite For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.
Support is available via email at email@example.com. You can also find the author on IRC (#splunk on efnet.org) or Slack. Feel free to email or ping, most responses will be within 1-2 business days.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download G Suite For Splunk at https://splunkbase.splunk.com.
NOTE: Where referenced, the IA-GSuiteForSplunk and TA-GSuiteForSplunk versions of this App are located on Splunkbase.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
For Splunk Cloud:
1. Have your Splunk Cloud Support handle this installation. Do NOT install the IA on the same system as the App.
2. You may consider using an on-premise Heavy Forwarder to install IA-GSuiteForSplunk, and send the logs to Splunk Cloud.

For a distributed environment:
1. For each Search Head in the environment, deploy a non-configured copy of the App. DO NOT SEND TA or IA to a Search Head Cluster (SHC).
2. For each indexer in the environment, deploy a copy of the TA-GSuiteForSplunk Add-On that is located as mentioned above.
3. For a single Data Collection Node OR Heavy Forwarder (a full instance of Splunk is required), install IA-GSuiteForSplunk and configure through the GUI.
Required:
- Admin SDK API, and
- Google Drive API

Optional:
- Google Analytics Reporting API

Each API endpoint has individual APIs that need to be enabled within https://console.developers.google.com.
report:[all, groups, mobile, admin, calendar, drive, login, token, rules, saml, gplus, chat]
usage:[customer, user, chrome]
These input service names require the same as the report services.
These inputs can have extra configuration, namely historical_days to do the initial data ingestion.
IMPORTANT: BE CAREFUL WITH USER REPORTING. If you ingest 365 days of data (back-filling the information), you will end up with 365 × (number of users) events to pull, which could cause a Splunk/system failure.
If you see a 404 error in the logs relating to the usage reports, THESE ARE NORMAL.
Google Sheets API
- KVStore: order is NOT kept, and the KVStore will be sorted via ASCII sort based on the column name.
- Ordered KVStore: order IS kept; the column names are stored in
- CSV Lookup: order is NOT kept, and the CSV lookup will be sorted via ASCII sort based on the column name.
- Ordered CSV Lookup: order IS kept; the column names are stored in
NOTE: This is EXPERIMENTAL. Enjoy breaking the input. This section to be updated when working correctly.
IMPORTANT: You must authorize the APIs with the SAME USER that allowed access to the APIs in the developer console (for G Suite customers; GCP users see below).
An overview of the authorization procedures is found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#overview.
GCP Users: It has been tested to use a credential generated in the GCP console (same credential type as outlined on the OAuth App Config page). You can use an authorized admin to approve the OAuth scopes. It is unknown what happens when the approving admin user account is disabled.
NOTE: You will need to configure a new modular input for each domain.
NOTE: After testing in a much bigger environment, we've been able to set these recommendations for intervals. You will need 4 modular input definitions.
By default all events will be written to the main index. You should change the index in the configuration files to match your specific index.
This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard, and then choose it during the modular input configuration. The proxy name MUST BE gapps_proxy for the authorization to work correctly.
As of v1.2.2 of this app, we should support version 4.10 of the CIM.
There are portions of this app that are experimental, or you might see odd code. This is for some upcoming features; they might work, they might not.
G Suite For Splunk contains no lookup files.
G Suite For Splunk does not make use of an event generator. This allows the product to display data when there are no inputs configured.
- bin/google/protobuf/internal/_api_implementation.so is apparently a binary file. Required for Google things.
- bin/google/protobuf/internal/_message.so is apparently a binary file. Required for Google things.
Version 1.3.1 of G Suite For Splunk incorporates the following Third-party software or third-party services.
Please visit https://developers.google.com/google-apps/ for full terms and conditions.
- MEMORY ENHANCEMENTS!!!!! YAY!!!
- FRONT END AUTH SHOULD BE CLOUD HAPPY
- SPREADSHEET SYNCING TO KVSTORE, CSV, OR INDEX!!!!!