Set up the Splunk Add-on for Google Cloud Platform

You can configure the add-on either through Splunk Web or by making changes directly in the configuration files. Due to the complexity of the setup, configure the add-on in Splunk Web.

Configure the Splunk Add-on for Google Cloud Platform using Splunk Web

To configure the Splunk Add-on for Google Cloud Platform using Splunk Web, complete the following steps:

  1. Go to the Splunk Add-on for Google Cloud Platform configuration page, either by clicking the name of the add-on on the left navigation banner on the home page, or by going to Manage Apps, and then clicking Launch App in the row of Splunk Add-on for Google Cloud Platform.
  2. Click the Configuration tab to set up Google credentials, proxy, and logging level.
  3. On the Google Credentials tab, click Add.
  4. Then enter a name, select Account Type and paste the GoogleAccount JSON object you created in Create account in the Google Account Credentials field. Then click Add.
  5. If you are using a proxy, click on the Proxy tab, check the Enable Proxy checkbox and fill in the fields to specify the Host, Port, Username, and Password and then click Save.
    • (Optional) If you checked Enable Proxy, check the DNS resolution box if you want to perform DNS resolution through your proxy.
    • (Optional) If you checked Enable Proxy, select the type of proxy to use in the Proxy Type field. Supported proxy types are http and socks5.
  6. (Optional) If you want to change the Logging level, click on the Logging tab, select a new level from the drop down menu, and click Save.

Set up the add-on using configuration files

Configure credentials of the Splunk Add-on for Google Cloud Platform by completing the following steps:

  1. Create a file named google_cloud_credentials.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/local.
  2. Create a stanza in google_cloud_credentials.conf using the following template:

    [<name>]
    # Google account key in JSON format, which can be downloaded from the Google admin console.
    google_credentials = <value>
    # Google credential type
    account_type = <value>
    
    • You can add multiple Google credentials in google_cloud_credentials.conf. Remove all the line breaks in the JSON file so that it fits on one line, and then paste it into google_cloud_credentials.conf.

    For example, remove the line breaks in the following JSON file:

    {
      "type": "service_account",
      "project_id": "my-project",
      "private_key_id": "32a3be8f2f0dcfe967ea558e486deaereacfas0c2497e"
    }
    

    Then, paste the following into the google_cloud_credentials.conf file:

      google_credentials={"type": "service_account","project_id": "my-project","private_key_id": "32a3be8f2f0dcfe967ea558e486deaereacfas0c2497e"}
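The flattening step can be scripted so that the key is parsed instead of edited by hand: malformed JSON is rejected, and the file that holds the private key is written readable by its owner only. This is an added example, not code from the add-on or its documentation; the function names, the sample key, the required-field list and the account_type value "service_account" are assumptions.

```python
import json
import os

# Constructed sample key; a real key file has more fields and a real private key.
SAMPLE_KEY = """{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "constructed-key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\\n(constructed)\\n-----END PRIVATE KEY-----\\n"
}"""

# Fields this example insists on (an assumption, taken from the page's sample).
REQUIRED = ("type", "project_id", "private_key_id")


def build_stanza(name, key_text, account_type):
    """Return a google_cloud_credentials.conf stanza with the key on one line."""
    if not name or any(c in name for c in "[]\r\n"):
        raise ValueError("stanza name is empty or contains brackets/line breaks")
    if not account_type or any(c in account_type for c in "\r\n"):
        raise ValueError("account_type is empty or contains line breaks")
    key = json.loads(key_text)  # ValueError on invalid JSON, e.g. a trailing comma
    if not isinstance(key, dict):
        raise ValueError("key file must contain a JSON object")
    missing = [f for f in REQUIRED if f not in key]
    if missing:
        raise ValueError("key is missing fields: " + ", ".join(missing))
    # json.dumps escapes line breaks inside strings (the PEM key), so the
    # value stays on one line and still parses back to the same object.
    one_line = json.dumps(key, separators=(",", ":"))
    return "[{}]\ngoogle_credentials = {}\naccount_type = {}\n".format(
        name, one_line, account_type)


def write_conf(path, stanza):
    """Append the stanza to path; keep the file readable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(stanza)
    os.chmod(path, 0o600)  # also tightens a file that already existed


if __name__ == "__main__":
    # "service_account" as account_type is an assumed value for illustration.
    print(build_stanza("my_gcp_account", SAMPLE_KEY, "service_account"))
```

Point `write_conf` at google_cloud_credentials.conf in the add-on's local directory, and call `build_stanza` once per credential to add several stanzas.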
    

Configure proxy and logging levels of the Splunk Add-on for Google Cloud Platform

Configure proxy and logging levels of the Splunk Add-on for Google Cloud Platform by completing the following steps:

  1. Copy the google_global_settings.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/default to $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/local.
  2. Open the local version of the file in a text editor.
  3. Provide the necessary values and change default values as you see fit (for reference, see google_cloud_global_settings.conf.spec in the $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/README directory).
    • Enable the proxy by setting proxy_enabled to 1.
    • Change proxy_type to http or socks5 if necessary.
    • Change the proxy_rdns to 1 if you want the DNS lookup to go through the proxy. Leave it at 0 if you want to use the local machine to do a DNS lookup.
    • Change loglevel to DEBUG or ERROR if desired.
    • If you want the Splunk platform to index only the events when the scan is completed successfully, skipping those that were aborted or are still running, change index_events_for_unsuccessful_scans to 0. This parameter is not exposed in Splunk Web.

After updating google_global_settings.conf, restart the Splunk platform to apply the changes and encrypt the proxy username and password.