G Suite For Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
The G Suite app for Splunk allows a G Suite Administrator to consume various data from Google APIs.

Welcome to G Suite for Splunk Apps documentation!

Overview

About G Suite For Splunk

Author: Kyle Smith
App Version: 1.4.2
App Build: 310
Vendor Products: G Suite, utilizing OAuth2
Has index-time operations: true; the included TA add-on must be placed on the indexers
Creates an index: false
Implements summarization: Currently, the app does not generate summaries

About G Suite For Splunk

G Suite For Splunk allows a Splunk Enterprise administrator to interface with G Suite, consuming the usage and administrative logs provided by Google. The limitations on collection times are specified at https://support.google.com/a/answer/7061566 .

Scripts and binaries

This App provides the following scripts:

ga.py: This Python file controls the ability to interface with the Google APIs.
ga_authorize.py: This Python custom endpoint allows the authorization of the App to G Suite For Splunk from the web UI.
Diag.py: Allows diag-targeted collection of information.
ModularInput.py: Inheritable class used to create Modular Inputs.
Utilities.py: Allows utility interactions with Splunk endpoints.

Scripts

Release notes

Version 1.4.2

  • Improvement

    • [GSUITE-25] - Cloud App Vetting

    • [GSUITE-26] - Fix and Update Proxy settings

Version 1.4.1

  • Test and QA

    • [GSUITE-23] - App inspect Failures

  • Bug

    • [GSUITE-19] - Interval check doesn't adjust for default.

    • [GSUITE-20] - BigQuery not caching last row

  • Improvement

    • [GSUITE-21] - Fix Proxy Code

    • [GSUITE-24] - Create New Dashboards

Version 1.4.0

  • New Feature

    • [GSUITE-4][EXPERIMENTAL] - GMAIL LOGS and BigQuery

    • [GSUITE-15] - Splunk 8 Compatibility

    • [GSUITE-16] - Directory API Ingestion

  • Improvement

    • [GSUITE-12] - Auto Discover Available Spreadsheets

    • [GSUITE-14][Experimental] - Alert Center API

    • Added chat, gcp, meet, jamboard to allowed Reports input.

About this release

Version 1.4.2 of G Suite For Splunk is compatible with:

Splunk Enterprise versions: 8.0
Platforms: Splunk Enterprise

Compatibility

Known Issues

Version 1.4.2 of G Suite For Splunk has the following known issues:

Support and resources

Questions and answers

Access questions and answers specific to G Suite For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.

Support

Support is available via email at splunkapps@kyleasmith.info. You can also find the author on IRC (#splunk on efnet.org) or Slack. Feel free to email or ping; most responses will be within 1-2 business days.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download G Suite For Splunk at https://splunkbase.splunk.com.

Installation steps

NOTE: Where referenced, the IA-GSuiteForSplunk and TA-GSuiteForSplunk versions of this App are located on Splunkbase.

Deploy to single server instance

  1. Deploy as you would any App, and restart Splunk.

  2. NOTE: Only the App (or the IA, if no dashboards are wanted) is required. Install only 1 of the G Suite add-ons or app.

  3. Configure.

Deploy to Splunk Cloud

  1. Have your Splunk Cloud Support handle this installation. Do NOT install the IA on the same system as the App.

  2. You may consider using an on-premise Heavy Forwarder to install IA-GSuiteForSplunk, and send the logs to Splunk Cloud.

Deploy to a Distributed Environment

  1. For each Search Head in the environment, deploy a non-configured copy of the App. DO NOT SEND the TA or IA to a Search Head Cluster (SHC).

  2. For each indexer in the environment, deploy a copy of the TA-GSuiteForSplunk Add-On that is located as mentioned above.

  3. For a single Data Collection Node OR Heavy Forwarder (a full instance of Splunk is required), install IA-GSuiteForSplunk and configure it through the GUI.

User Guide

Key concepts for G Suite For Splunk

Configure G Suite For Splunk for use with G Suite Admin Reporting.

Requires: Admin SDK API and Google Drive API
Optional: Google Analytics Reporting API

Each API endpoint has individual APIs that need to be enabled within https://console.developers.google.com.

    • report:[all, gcp, chat, meet, jamboard, access_transparency, groups_enterprise, user_accounts, groups, mobile, admin, calendar, drive, login, token, rules]

      1. These input service names require the Admin SDK API enabled.

      2. Additionally, the drive report requires the Google Drive API enabled.

      3. These inputs generally do not require Extra Configuration options in the Modular Input. An empty {} is still needed even where no advanced features are used.

      4. These inputs should be adjusted per Google guidelines for the different activities.

      5. By default, the Modular Input will only pull the previous 24 hours of data to prevent memory overflows.

    • analytics:[metadata, report]

      1. These input service names require the Analytics Reporting API v4 and Analytics API APIs enabled.

      2. These inputs do require Extra Configuration. These inputs should not be enabled lightly, and require a little bit of prior research and planning.

      3. IF YOU DON'T KNOW WHAT THIS IS, DO NOT ENABLE IT.

      4. THIS IS A DARK FEATURE.

    • usage:[customer, user, chrome]

      1. These input service names require the same as the report services.

        • These inputs can have extra configuration, namely historical_days, to do the initial data ingestion.

          1. When configuring the modular input, use the Extra Configuration option of {historical_days: 180}

      2. IMPORTANT: BE CAREFUL WITH USER REPORTING. If you ingest 365 days of data (back-filling the information), you will end up with 365 × (number of users) events to pull, which could cause a Splunk/System failure.

      3. If you see a 404 Error in the logs relating to the usage reports, THESE ARE NORMAL.

      4. The Customer Usage should include classrooms usage by default.

Configure G Suite For Splunk for use with Google Spreadsheets

Requires: Google Sheets API

  1. When setting up the modular input, make sure you grab the Spreadsheet ID from the URL of the spreadsheet you need. Auto-discovery of available spreadsheets is not available (but an enhancement request (ER) has been filed for it).

Spreadsheet Destinations

    • Index

      1. Takes the information from the sheet and indexes it to the specified index. This is useful to get lookups from a Heavy Forwarder to a Search head.

      2. Use the provided Dashboard to re-assemble via saved scheduled search.

    • KVStore

      1. Takes the information from the sheet and places it into a KVStore collection.

      2. It will create the needed collections and transforms if needed.

      3. Order of the COLUMNS is NOT kept, and the KVStore will be sorted via ASCII sort based on the column name.

    • Ordered KVStore

      1. Takes the information from the sheet and places it into a KVStore collection.

      2. It will create the needed collections and transforms if needed.

      3. Order of the COLUMNS IS kept; the column names are stored in ROW 0.

    • CSV Lookup

      1. Takes the information from the sheet and places it into a CSV based lookup.

      2. It will create the needed transforms if needed.

      3. Order of the COLUMNS is NOT kept, and the CSV lookup will be sorted via ASCII sort based on the column name.

    • Ordered CSV Lookup

      1. Takes the information from the sheet and places it into a CSV based lookup.

      2. It will create the needed transforms if needed.

      3. Order of the COLUMNS IS kept, the column names are stored in ROW 0.

Configure G Suite For Splunk for use with Google BigQuery

Requires: BigQuery API

NOTE: This is EXPERIMENTAL. Enjoy breaking the input. This section will be updated when the input works correctly.
NOTE: DOES NOT CURRENTLY WORK WITH PROXIES.
NOTE: To consume all tables in a dataset, use the table name all.

Requirements

  1. Service Account JSON File from GCP. (https://console.developers.google.com/iam-admin/serviceaccounts)

  2. Create a new Splunk credential with Realm: gsuite_bigquery and username: <your_domain> (your domain as configured in the input).

  3. The password for that credential is the ENTIRE JSON file from GCP for the service account, ON ONE LINE.
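As an added example (not part of the app's own code), a Python helper that checks a downloaded service-account key file and collapses it to the single line the credential's password field expects. The field names are the ones GCP writes into service-account key files; the sample file and the domain are constructed, and its private key is a placeholder.

```python
import hashlib
import json

# Constructed sample with the shape of a GCP service-account key file.
# The private key is a placeholder, not real key material.
SAMPLE_SERVICE_ACCOUNT_JSON = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "splunk-bigquery@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

# Keys a service-account key file must carry for OAuth2 service-account auth.
REQUIRED_KEYS = ("type", "project_id", "private_key_id", "private_key",
                 "client_email", "token_uri")


def prepare_bigquery_credential(raw_json, domain):
    """Validate a service-account key file and build the Splunk credential.

    Returns the realm/username/password triple described above, with the
    password collapsed to one line, plus a key-id fingerprint that is safe
    to log. Raises ValueError for anything that cannot work as a credential.
    """
    data = json.loads(raw_json)  # fails loudly on a truncated or hand-edited file
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError("service account JSON is missing: " + ", ".join(missing))
    if data["type"] != "service_account":
        raise ValueError("expected type 'service_account', got %r" % data["type"])
    if not data["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key does not look like a PEM private key")
    # Compact serialisation removes indentation and raw newlines. The newlines
    # inside private_key stay as the two-character escape \n, which a JSON
    # parser turns back into real newlines when the password is read.
    one_line = json.dumps(data, separators=(",", ":"))
    if "\n" in one_line or json.loads(one_line) != data:
        raise ValueError("could not produce a lossless single-line credential")
    # Fingerprint of the key id only: enough to match a key in the GCP console
    # without writing the key itself into Splunk's own logs.
    fingerprint = hashlib.sha256(data["private_key_id"].encode()).hexdigest()[:16]
    return {
        "realm": "gsuite_bigquery",
        "username": domain,
        "password": one_line,
        "key_fingerprint": fingerprint,
    }
```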

Configure G Suite For Splunk for use with G Suite Admin Reporting

Requires: G Suite Alert Center API
Note: EXPERIMENTAL (scope not valid)

    • alerts:[all, takeout, gmail, identity, operations, state, mobile]

      1. These inputs generally do not require Extra Configuration options in the Modular Input. An empty {} is still needed where advanced features are not used.

      2. By default, the Modular Input will only pull the previous 24 hours of data to prevent memory overflows.

      3. Uses the https://www.googleapis.com/auth/apps.alerts scope.

      4. View more information at https://developers.google.com/admin-sdk/alertcenter/reference/alert-types .

Notes

IMPORTANT: You must authorize the APIs with the SAME USER that allowed access to the APIs in the developer console (this applies to G Suite customers; for GCP, see below).

Overview of authorization procedures are found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#overview.

GCP Users: It has been tested using a credential generated in the GCP console (the same credential type as outlined on the OAuth App Config page). You can use an authorized admin to approve the OAuth scopes. It is unknown what happens when the approving Admin user account is disabled.

Modular Input

NOTE: You will need to configure a new modular input for each domain

  1. Follow the steps on the Application Configuration dashboard to configure the modular input.

NOTE: After testing in a much bigger environment, we've been able to set these recommendations for intervals. You will need 4 modular input definitions.

  1. calendar, token, mobile, groups, login, saml, Chrome OS Devices

     • These are done at a cron interval of 15 */4 * * *

  2. drive

     • Drive is done at a seconds interval of 600 - 1200, depending on organization size and the traffic flow of drive operations.

  3. Usage - User, Customer

     • These are done at a seconds interval of 86400

  4. admin, rules, chat, gplus

     • These are done at a seconds interval of 600

Indexes

By default all events will be written to the main index. You should change the index in the configuration files to match your specific index.

Configure Proxy Support

This App Supports proxy configuration. Configure the proxy first in the Application Configuration dashboard, and then choose it during the modular input configuration. The proxy name MUST BE gapps_proxy for the authorization to work correctly.

Troubleshoot G Suite For Splunk

  1. Check the Monitoring Console (>=v6.5) for errors

  2. Visit the Application Health dashboard

  3. Search for eventtype=googleapps_error

CIM

As of v1.4.0 of this app, we should support version 4.15 of the CIM.

EXPERIMENTAL

There are portions of this app that are experimental, or you might see odd code. This is for some upcoming features; they might work, they might not.

Lookups

G Suite For Splunk contains the following lookup files:

  1. gsuite_labels.csv : This allows pretty labels on select dashboards.

Event Generator

G Suite For Splunk does not make use of an event generator. This allows the product to display data when there are no inputs configured.

Acceleration

  1. Summary Indexing: No

  2. Data Model Acceleration: No

  3. Report Acceleration: No

Binary File Declaration

  1. bin/google/protobuf/internal/_api_implementation.so is apparently a binary file. Required for Google Things.

  2. bin/google/protobuf/internal/_message.so is apparently a binary file. Required for Google Things.

For these two, please see https://github.com/protocolbuffers/protobuf/tree/3.6.x/python/google/protobuf/internal for source and attribution.

Third Party Notices

Version 1.4.2 of G Suite For Splunk incorporates the following Third-party software or third-party services.

Google Apps APIs

Please visit https://developers.google.com/google-apps/ for full terms and conditions.

Release Notes

Version 1.4.2
June 15, 2020

1. App Inspect / Cloud vetting
2. Better proxy support.

Version 1.4.1
June 10, 2020

- Test and QA
  - [GSUITE-23] - App inspect Failures
- Bug
  - [GSUITE-19] - Interval check doesn't adjust for default.
  - [GSUITE-20] - BigQuery not caching last row
- Improvement
  - [GSUITE-21] - Fix Proxy Code
  - [GSUITE-24] - Create New Dashboards

Version 1.3.1
March 11, 2019

- MEMORY ENHANCEMENTS!!!!! YAY!!!
- FRONT END AUTH SHOULD BE CLOUD HAPPY
- SPREADSHEET SYNCING TO KVSTORE, CSV, OR INDEX!!!!!

© 2005-2020 Splunk Inc. All rights reserved.