Source types for the Splunk Add-on for Google Cloud Platform¶
The Splunk Add-on for Google Cloud Platform (GCP) provides the index-time and search-time knowledge for Google Cloud Platform logs and billing data in the following formats:
To better align with the Google Cloud Platform, and to provide a better understanding of the data coming from the cloud, the 4.0.0 release of the Splunk Add-on for Google Cloud Platform contains improvements to sourcetyping that affect the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, and google:gcp:pubsub:message source types. These improvements provide more granular sourcetyping of incoming data from your GCP deployment, enhancing your ability to investigate and simplifying the development of Splunk dashboards that use GCP data.
After upgrading to version 4.0.0 or later, any inline searches, pivots, or reports that use these source types no longer match GCP data ingested after the upgrade. To ensure continuity of searches and reports on GCP data after the upgrade to version 4.0.0 or later, review and perform the steps in the Upgrade the Splunk Add-on for Google Cloud Platform topic in this manual.
| Source type | Description | CIM data models |
|---|---|---|
| google:gcp:pubsub:audit:data_access | Data from Pub/Sub (GCP Authentication Audit Logs) | Authentication |
| google:gcp:pubsub:audit:admin_activity | Data from Pub/Sub | Change |
| google:gcp:pubsub:audit:system_event | Data from Pub/Sub | Change |
| google:gcp:pubsub:audit:policy_denied | Data from Pub/Sub | |
| google:gcp:pubsub:access_transparency | Data from Pub/Sub | |
| google:gcp:pubsub:audit:auth | Data from Pub/Sub (GCP Authentication Audit Logs) | Authentication |
| google:gcp:pubsub:message | Data from Pub/Sub | Authentication |
| google:gcp:pubsub:platform | Data from Pub/Sub | None |
| google:gcp:pubsublite:message | Data from Pub/Sub Lite | None |
| google:gcp:monitoring | Data from the Cloud Monitor service | None |
| google:gcp:billing:standard_usage_cost | Data from Standard Usage Cost reports | None |
| google:gcp:billing:detailed_usage_cost | Data from Detailed Usage Cost reports | None |
| google:gcp:billing:pricing | Data from Pricing Table reports | None |
| google:gcp:buckets:accesslogs | Cloud Storage Bucket server access logs for a storage account | Change |
| google:gcp:buckets:csvdata | CSV contents of objects present in the Cloud Storage Bucket | None |
| google:gcp:buckets:data | Generic source type for the contents of objects with other file extensions. Objects with a .csv, .xml, or .json extension are assigned the google:gcp:buckets:csvdata, google:gcp:buckets:xmldata, or google:gcp:buckets:jsondata source type, respectively. | None |
| google:gcp:buckets:jsondata | JSON contents of objects present in the Cloud Storage Bucket | None |
| google:gcp:buckets:metadata | Cloud Storage Bucket metadata | None |
| google:gcp:resource:metadata | Resource metadata of Compute Engine, Cloud Storage, Kubernetes, and VPC Access | None |
| google:gcp:buckets:xmldata | XML contents of objects present in the Cloud Storage Bucket | None |
| User defined | Modular input. See the REST API reference page for more information. | None |
| google:billing:json | Billing data in JSON format. | None |
| google:billing:csv | Billing data in CSV format. | None |
| google:gcp:billing:report | Data from billing reports. | None |
| google:gcp:gsuite:admin:directory:users | Data from G Suite users. | None |
| google:gcp:compute:instance | Data from Compute Engine virtual machine instances. | None |
| google:gcp:compute:vpc_flows | Data from Compute Engine VPC flow logs. | None |
| google:gcp:security:alerts | Data from security alerts. | None |