
Upgrade the Splunk Add-on for Google Cloud Platform

After upgrading the Splunk Add-on for Google Cloud Platform from 4.3.0 to version 4.4.0 or higher, your Splunk platform deployment might receive duplicate events for the BigQuery Billing input(s) in the first invocation after the upgrade.

Standard Upgrade Guide

  1. Disable all your inputs before you upgrade the add-on. Otherwise, you might see errors in the log files, resulting in data loss against your already configured inputs.
  2. Upgrade the Splunk Add-on for Google Cloud Platform to the required version and follow the version-specific upgrade guide.
  3. Enable each desired input to start data collection. Enable Storage Blob inputs in small batches.

Upgrade to versions 4.x or later

To upgrade this add-on from versions 3.2.0 and earlier to versions 4.0.0 and later, perform the following steps.

  1. Verify that you are running version 8.0.0 or later of the Splunk platform.
  2. Disable all running inputs.
  3. Upgrade to the latest version directly from Splunk web UI or upgrade using the downloaded add-on package.
    1. Upgrade to latest version directly from Splunk web UI
      • From the Splunk web home screen, click the gear icon (Manage Apps) next to Apps.
      • Check for Splunk Add-on for Google Cloud Platform in the list of Apps/Add-ons and click “Update to “.
      • Accept the license agreement, enter Splunkbase credentials and download/install the add-on.
    2. Upgrade the add-on using the downloaded add-on package
  4. Restart your Splunk platform, if you are using a Splunk Enterprise deployment.
  5. Enable all inputs.
  6. If you have constructed searches or reports that reference the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, or google:gcp:pubsub:message source types, you must update those queries so that they include, alongside the source types just named, the following new source types:

    • google:gcp:pubsub:audit:admin_activity
    • google:gcp:pubsub:audit:data_access
    • google:gcp:pubsub:audit:system_event
    • google:gcp:pubsub:audit:policy_denied
    • google:gcp:pubsub:access_transparency
    • google:gcp:pubsub:platform

    In order to search on GCP data that was ingested into your Splunk platform deployment through this add-on before your upgrade to version 4.0.0 and later, you need the old source types in your query.

    To search on new GCP data that comes in after the upgrade, you need to add the new source types to your queries. Adding source types to your existing search queries and reports, instead of replacing source types, lets you search both your old data and your new data, and materialize results for both of them in the same query.

    For example, the following shows how to update a query so that it searches on both the old and new source types:

    Query with old source types before upgrade to 4.0.0 or later:

    index="main" sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:message"

    Updated query with both old and new source types after upgrade to 4.0.0 or later:

    index="main" (sourcetype="google:gcp:pubsub:audit:auth" OR sourcetype="google:gcp:pubsub:audit:data_access") OR (sourcetype="google:gcp:pubsub:audit:change" OR sourcetype="google:gcp:pubsub:audit:admin_activity" OR sourcetype="google:gcp:pubsub:audit:system_event") OR (sourcetype="google:gcp:pubsub:message" OR sourcetype="google:gcp:pubsub:audit:policy_denied" OR sourcetype="google:gcp:pubsub:access_transparency" OR sourcetype="google:gcp:pubsub:platform")

    For more information, see the Mapping table for version 4.0.0 source type enhancements section of this topic.

    Event types have not been affected by the version 4.0.0 feature improvements. Searching on event types will stay the same as in previous versions. So if your search queries are based on event types and not source types, skip this step.

  7. Save your changes.

Google has deprecated regular file export of your Cloud Billing data to CSV and JSON. To export your Cloud Billing data for analysis, use Cloud Billing export to BigQuery.

To ingest Cloud BigQuery Billing data, you must delete your existing billing inputs before you upgrade to versions 3.2.0 and later of this add-on. After upgrading, you can then recreate your billing inputs. See the Configure Cloud BigQuery Billing inputs for the Splunk Add-on for Google Cloud Service topic in this manual.

Mapping table for version 4.0.0 source type enhancements

To better align with the Google Cloud Platform, and to provide a better understanding of the data coming from the cloud, the 4.0.0 release of the Splunk Add-on for Google Cloud Platform contains improvements to sourcetyping that affect the google:gcp:pubsub:audit:auth, google:gcp:pubsub:audit:change, and google:gcp:pubsub:message source types.

These improvements provide more granular sourcetyping on incoming data from your GCP deployment, enhancing your ability to investigate and simplifying the development of dashboards in Splunk that use GCP data. Upgrading to version 4.0.0 or higher will cause any inline searches, pivots, or reports that use these source types to not work for the GCP data that is being ingested after upgrading to version 4.0.0 of this add-on.

To ensure continuity of searches and reports on GCP data coming in after the upgrade to version 4.0.0 or later, review and perform the steps in the Upgrade to versions 4.x or later section of this topic.

See the following table for information on which source type should be used when updating your search queries after upgrading to versions 4.0.0 and later.

Source type on versions 3.2.0 and earlier    Source type on versions 4.0.0 and later
google:gcp:pubsub:audit:change               google:gcp:pubsub:audit:admin_activity
google:gcp:pubsub:audit:auth                 google:gcp:pubsub:audit:data_access
google:gcp:pubsub:audit:change               google:gcp:pubsub:audit:system_event
google:gcp:pubsub:message                    google:gcp:pubsub:platform
google:gcp:pubsub:message                    google:gcp:pubsub:audit:policy_denied
google:gcp:pubsub:message                    google:gcp:pubsub:access_transparency
google:gcp:pubsub:message                    google:gcp:pubsub:message
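The query rewrite that step 6 of the upgrade procedure and the mapping table above describe, as an added Python example that is not part of the add-on or its documentation: it expands each legacy sourcetype clause in an SPL query (or in the search lines of a savedsearches.conf-style text) into an old-OR-new group, keeping the old name so data ingested before the upgrade still matches. The mapping is taken from the table; the function names and the conf handling are my own assumptions.

```python
import re

# Legacy (3.2.0 and earlier) source type -> 4.0.0+ successors, from the
# mapping table above (google:gcp:pubsub:message also maps to itself).
SOURCETYPE_MAP = {
    "google:gcp:pubsub:audit:change": [
        "google:gcp:pubsub:audit:admin_activity",
        "google:gcp:pubsub:audit:system_event",
    ],
    "google:gcp:pubsub:audit:auth": ["google:gcp:pubsub:audit:data_access"],
    "google:gcp:pubsub:message": [
        "google:gcp:pubsub:platform",
        "google:gcp:pubsub:audit:policy_denied",
        "google:gcp:pubsub:access_transparency",
    ],
}

_CLAUSE = re.compile(r'sourcetype\s*=\s*"([^"]+)"')

def expand_sourcetypes(spl: str) -> str:
    """Rewrite each sourcetype="<legacy>" clause into a parenthesised OR of
    the legacy name plus its successors; other clauses pass through.
    Heuristic idempotence: if all successors already appear in the query,
    the clause is assumed to be expanded already and is left alone."""
    def repl(m):
        old = m.group(1)
        new = SOURCETYPE_MAP.get(old)
        if not new or all(n in spl for n in new):
            return m.group(0)
        return "(" + " OR ".join(f'sourcetype="{n}"' for n in [old] + new) + ")"
    return _CLAUSE.sub(repl, spl)

def legacy_sourcetypes(spl: str) -> set:
    """Legacy source types a query references, for finding the saved
    searches and reports that step 6 says must be updated."""
    return {st for st in _CLAUSE.findall(spl) if st in SOURCETYPE_MAP}

def rewrite_savedsearches(conf_text: str) -> str:
    """Apply expand_sourcetypes to each 'search = ...' line of a
    savedsearches.conf-style text; stanza headers and other keys pass
    through (backslash line continuations are not handled here)."""
    out = []
    for line in conf_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == "search":
            line = key + "=" + expand_sourcetypes(val)
        out.append(line)
    return "\n".join(out)
```

Run legacy_sourcetypes over your saved searches first to get the list of affected objects, then review each rewritten search before saving it, since the idempotence check is a substring heuristic.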