Release history for the Splunk Add-on for Google Workspace¶
The latest version of the Splunk Add-on for Google Workspace is version 3.0.1. See Release notes for the Splunk Add-on for Google Workspace for release notes of this latest version.
Version 3.0.0¶
Version 3.0.0 of the Splunk Add-on for Google Workspace was released on October 30, 2024.
About this release¶
Version 3.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.3, 9.2, 9.1 |
CIM | 5.x |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 3.0.0 of the Splunk Add-on for Google Workspace has the following new features.
- Monitoring dashboard
- New modinput: Usage reports
- Two new sourcetypes for Activity Reports: Data Studio, Access Transparency
Fixed issues¶
Version 3.0.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
- Added timeout to activity_report input
Known issues¶
Version 3.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 3.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.8.1¶
Version 2.8.1 of the Splunk Add-on for Google Workspace was released on July 31, 2024.
About this release¶
Version 2.8.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.3, 9.2, 9.1 |
CIM | 5.x |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
Fixed issues¶
Version 2.8.1 of the Splunk Add-on for Google Workspace fixes the following issues:
- Fixed issues with the gmail_logs_migrated input
Known issues¶
Version 2.8.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.8.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.8.0¶
Version 2.8.0 of the Splunk Add-on for Google Workspace was released on July 26, 2024.
About this release¶
Version 2.8.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 9.3, 9.2, 9.1 |
CIM | 5.x |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.8.0 of the Splunk Add-on for Google Workspace has the following new features.
- Added 3 new source types: gws:reports:chat, gws:reports:mobile, gws:reports:chrome
Known issues¶
Version 2.8.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.8.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.7.0¶
Version 2.7.0 of the Splunk Add-on for Google Workspace was released on April 7, 2024.
About this release¶
Version 2.7.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.7.0 of the Splunk Add-on for Google Workspace has the following new features.
- Added feature to change view type in the User Identity List input
- Added feature to use custom tables in the Gmail Logs Migrated input
Known issues¶
Version 2.7.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.7.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.3¶
Version 2.6.3 of the Splunk Add-on for Google Workspace was released on February 7, 2024.
About this release¶
Version 2.6.3 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
Fixed issues¶
Version 2.6.3 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues¶
Version 2.6.3 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.6.3 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.2¶
Version 2.6.2 of the Splunk Add-on for Google Workspace was released on January 22, 2024.
About this release¶
Version 2.6.2 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.6.2 of the Splunk Add-on for Google Workspace has the following new features.
- Fixed a security vulnerability in urllib3 by upgrading it from version 1.26.14 to 1.26.18.
Known issues¶
Version 2.6.2 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.6.2 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.6.0¶
Version 2.6.0 of the Splunk Add-on for Google Workspace was released on August 2, 2023.
About this release¶
Version 2.6.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.6.0 of the Splunk Add-on for Google Workspace has the following new features.
- Checkpoints for “Activity report” modular inputs are being migrated to KVStore. This is an automatic update during the modular input run after you update to the v2.6.0 of the add-on. If you were experiencing issues with “Activity report” modular input in Splunk Cloud, please remove all your inputs, update the add-on and recreate the inputs.
- “Activity report” modular input was redesigned to support more data ingestion.
- New “Advanced Settings” configuration tab to provide control over the speed of data collection. Currently this tab has one parameter, “Activity report interval size”. By default, the add-on creates 5 threads to collect the data. This is sufficient for most use cases, as it can bring in around 120,000 events per minute through one configured modular input.
Do not configure more modular inputs with the same “Application Name” and the same “Service Account to use”, as this will result in duplicated data.
- To see how many events (per 20 seconds) a particular modular input is bringing in, you can run this search:
index=_internal source=*<modular-input-name>* "Total split events ingested"
- To see the average number of events (per 20 seconds) a particular modular input is bringing in, you can run this search:
index=_internal source=*<modular-input-name>* "Total split events ingested" | rex field=_raw "Total split events ingested: (?<n_events>\d+)" | stats avg(n_events)
- If the number is less than 40000, you can use the default advanced configuration.
- If you notice a delay in your data collection, you can change “Activity report interval size” to 2 and save the changes; in the next run of the modular input there will be 10 threads to collect the data, increasing the speed of data collection even further. Note: changing the interval size to a smaller number requires more resources.
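The two searches above read the add-on's own "Total split events ingested: N" log message and apply the 40000-per-20-seconds rule by hand. The following is an added example (not code from the add-on) that does the same offline over constructed log lines, so the sizing decision can be scripted: the timestamp/level prefix of the lines and the substring match on the input name are assumptions, only the message text comes from the release note.

```python
import re
from statistics import mean

# Constructed sample of _internal log lines. The message text
# "Total split events ingested: <n>" is quoted in the release note; the
# prefix (timestamp, level, input name) is assumed for illustration only.
SAMPLE_LOG = """\
2023-08-02 10:00:20,001 INFO activity_report_gws_prod: Total split events ingested: 38120
2023-08-02 10:00:40,002 INFO activity_report_gws_prod: Total split events ingested: 41990
2023-08-02 10:01:00,003 INFO activity_report_gws_prod: Total split events ingested: 45300
2023-08-02 10:01:20,004 INFO activity_report_gws_dev: Total split events ingested: 1200
2023-08-02 10:01:40,005 INFO activity_report_gws_prod: checkpoint saved
"""

# Same capture the SPL rex performs: one integer per 20-second chunk.
INGESTED_RE = re.compile(r"Total split events ingested: (?P<n_events>\d+)")

# Threshold from the release note: below this, the default 5 threads suffice.
DEFAULT_THRESHOLD = 40000


def events_per_chunk(log_text, input_name):
    """Return the per-chunk counts logged by one modular input.

    Mirrors `source=*<modular-input-name>* "Total split events ingested"`:
    the input name is matched as a substring of the line (an assumption).
    """
    counts = []
    for line in log_text.splitlines():
        if input_name not in line:
            continue
        match = INGESTED_RE.search(line)
        if match:
            counts.append(int(match.group("n_events")))
    return counts


def recommend_interval_size(counts, threshold=DEFAULT_THRESHOLD):
    """Apply the release note's sizing rule to a list of per-chunk counts.

    Average below the threshold -> keep the default interval size (1, 5 threads).
    Otherwise -> suggest interval size 2 (10 threads), which costs more resources.
    """
    if not counts:
        return {"avg": 0.0, "per_minute_estimate": 0.0, "interval_size": 1,
                "reason": "no ingestion lines found for this input"}
    avg = mean(counts)
    result = {"avg": avg, "per_minute_estimate": avg * 3}  # three 20 s chunks per minute
    if avg < threshold:
        result.update(interval_size=1, reason="average below threshold; keep default")
    else:
        result.update(interval_size=2,
                      reason="average at or above threshold; consider a smaller interval")
    return result


if __name__ == "__main__":
    for name in ("activity_report_gws_prod", "activity_report_gws_dev"):
        print(name, recommend_interval_size(events_per_chunk(SAMPLE_LOG, name)))
```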
Fixed issues¶
Version 2.6.0 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues¶
Version 2.6.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.6.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.5.1¶
Version 2.5.1 of the Splunk Add-on for Google Workspace was released on April 28, 2023.
About this release¶
Version 2.5.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.5.1 of the Splunk Add-on for Google Workspace has the following new features.
- Introduces support for application name “rules” for “Activity report” modular input
- Fixes issues found for “Alert Center” modular input.
- Optimizes some parts of the data collection for “Activity report”
Fixed issues¶
Version 2.5.1 of the Splunk Add-on for Google Workspace fixes the following issues. If no issues appear below, no issues have yet been fixed.
Known issues¶
Version 2.5.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.5.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.5.0¶
Version 2.5.0 of the Splunk Add-on for Google Workspace was released on April 3, 2023.
About this release¶
Version 2.5.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.5.0 of the Splunk Add-on for Google Workspace has the following new features.
- Introduced Alert Center, a modular input for collecting data from Google Workspace. It is recommended to use a separate service account for this modular input, as it needs a different scope.
- Both the Gmail Logs and Gmail Logs Migrated inputs received an update to their checkpointing strategy, which should fix an issue where data ingestion was delayed because of frequent checkpoint saving.
Known issues¶
Version 2.5.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported.
Third-party software attributions¶
Version 2.5.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.4.1¶
Version 2.4.1 of the Splunk Add-on for Google Workspace was released on December 9, 2022.
About this release¶
Version 2.4.1 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.
- Added multiple domain support for Google Workspace data ingestion.
- Added support for the Asset and Identity framework in Splunk Enterprise Security.
- Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
- UI label and help text feature enhancements.
- The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
- Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
- The query for Gmail Logs input was improved to reduce the cost for running each query.
Known issues¶
Version 2.4.1 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.4.1 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.4.0¶
Version 2.4.0 of the Splunk Add-on for Google Workspace was released on October 27, 2022.
About this release¶
Version 2.4.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20, 5.0 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
- Added multiple domain support for Google Workspace data ingestion.
- Added support for the Asset and Identity framework in Splunk Enterprise Security.
- Implemented gzip compression for the Activity report modular input. Gzip compression should improve the network latency for requests, but will increase the CPU consumption for your input.
- UI label and help text feature enhancements.
- The checkpoint (file-based for Activity report or KVStore-based for Gmail Logs) will be deleted if a corresponding input is deleted.
- Custom dataset location for Gmail Logs input is supported (US or EU options are available). If you update from the previous version of the add-on, the US location will be used as the default setting (this setting can be changed in the input).
- The query for Gmail Logs input was improved to reduce the cost for running each query.
Known issues¶
Version 2.4.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.4.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.3.0¶
Version 2.3.0 of the Splunk Add-on for Google Workspace was released on August 23, 2022.
About this release¶
Version 2.3.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
- “Activity” input changes
  - Improved the way non-UTF-8 characters are ingested into Splunk. Before this update, if your event contained such characters (for example, “こんにちは世界”, which is “Hello World” in Japanese), they would show as an escaped Unicode string (“\u3053\u3093\u306b\u3061\u306f\u4e16\u754c”) in the raw event. This made it difficult to search for the exact word with an SPL search. With version 2.3.0, the raw event contains the string “こんにちは世界”, so SPL searches on it now work.
  - The interval for the “Activity” input now has low and high boundaries, 20 seconds and 3600 seconds respectively. This limitation applies only to new inputs. Inputs created before version 2.3.0 continue to work as before.
  - The “Activity report” input is enhanced to improve its reliability, especially in big environments. This release completely redesigns how the data is gathered, including better error handling and ingestion, and solves past issues that occurred in bigger environments.
  - The add-on now collects data in 20-second chunks, ingests that data into Splunk, and then moves the checkpoint. This approach makes collection more resilient if network issues occur during data collection.
- “Gmail Logs” input changes
  - Proxy handling for the “Gmail Logs” input is improved, and additional environment variables are set before making requests to the Google BigQuery API (HTTP_PROXY, https_proxy and http_proxy).
  - A “Dataset name” option was added to the “Gmail Logs” input. This allows you to specify the custom BigQuery dataset name used when you export Gmail logs to BigQuery. The default setting is gmail_logs_dataset. All “Gmail Logs” inputs created in previous releases still work, but you should update the input’s “dataset_name” field to the default one (“gmail_logs_dataset”).
- General changes
  - Proxy handling for both “Activity” and “Gmail Logs” was changed. Previously, when you enabled and configured a proxy in the “Configuration” tab, the Python code for the modular inputs made HTTPS requests through https://<username:password@ip:port> (your configured proxy). With version 2.3.0, HTTP and HTTPS requests go through http://<your-configured-proxy>. This brings the proxy configuration in line with other Splunk-supported add-ons.
Fixed issues¶
Version 2.3.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues¶
Version 2.3.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.3.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.2.0¶
Version 2.2.0 of the Splunk Add-on for Google Workspace was released on June 1, 2022.
About this release¶
Version 2.2.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following new features.
- Added the following new sourcetypes and CIM mapping:
Source type | Event Names |
---|---|
gws:reports:calendar | change_calendar_acls, create_calendar, delete_calendar, create_event, delete_event, add_event_guest, change_event, restore_event |
gws:reports:context_aware_access | ACCESS_DENY_EVENT |
gws:reports:admin | CREATE_CALENDAR_RESOURCE, UPDATE_CALENDAR_RESOURCE, CHANGE_FIRST_NAME, CHANGE_LAST_NAME, CHANGE_USER_LOCATION, RESET_SIGNIN_COOKIES, DELETE_GMAIL_SETTING, DELETE_ROLE, REMOVE_PRIVILEGE, RENAME_ROLE, UNASSIGN_ROLE, DISALLOW_SERVICE_FOR_OAUTH2_ACCESS, ORG_LICENSE_REVOKE, USER_LICENSE_ASSIGNMENT |
- Updated the existing gws:reports:groups_enterprise sourcetype and added CIM mapping support for the event name invite_member
- Token expiration fix: when an activity report ran for more than 1 hour, the add-on reported a 401 status code when making another request to the Google Workspace API. One potential scenario that could lead to this issue is an input that was enabled, then stopped for a while, and then re-enabled. This caused the activity report input to gather all the data for that period (from when the input stopped until it was re-enabled). The amount of data the add-on tried to pull was too large for the 1 hour (the API token expiration time) available to collect it.
- Proxy improvements: this release brings an improvement regarding proxy support.
Fixed issues¶
Version 2.2.0 of the Splunk Add-on for Google Workspace fixes the following issues:
Known issues¶
Version 2.2.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.2.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.1.0¶
Version 2.1.0 of the Splunk Add-on for Google Workspace was released on March 14, 2022.
About this release¶
Version 2.1.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following new features.
- Added the following new sourcetypes:
  - gws:reports:groups_enterprise: designated for Enterprise Groups Audit activity events. For more information, see the Enterprise Groups Audit Activity Events topic in the Google Workspace Admin SDK manual.
  - gws:reports:gcp: designated for Google Cloud Platform activity events. For more information, see the Google Cloud Platform Activity Events topic in the Google Workspace Admin SDK manual.
- Added CIM mapping support for the gws:reports:groups_enterprise sourcetype for the following event names: add_member, add_member_role, add_security_setting, add_service_account_permission, change_security_setting, create_group, delete_group, join, unban_member
- Added CIM mapping support for the gws:reports:gcp sourcetype for the following event names: GET_LOGIN_PROFILE, GET_SSH_PUBLIC_KEY, IMPORT_SSH_PUBLIC_KEY, UPDATE_SSH_PUBLIC_KEY
- Added CIM mapping support for the gws:reports:login sourcetype for the following event names: account_disabled_generic, account_disabled_hijacked, account_disabled_spamming, account_disabled_spamming_through_relay, email_forwarding_out_of_domain, gov_attack_warning, titanium_enroll, titanium_unenroll
- Added CIM mapping support for the gws:reports:drive sourcetype for the following event names: CHANGE_DOCS_SETTING, DRIVE_DATA_RESTORE, MOVE_SHARED_DRIVE_TO_ORG_UNIT, TRANSFER_DOCUMENT_OWNERSHIP
- Added CIM mapping support for the gws:reports:admin sourcetype for the following event names: ADD_PRIVILEGE, ADD_TO_BLOCKED_OAUTH2_APPS, ALLOW_SERVICE_FOR_OAUTH2_ACCESS, ASSIGN_ROLE, BLOCK_ALL_THIRD_PARTY_API_ACCESS, BLOCK_ON_DEVICE_ACCESS, CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS, CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID, CHANGE_CAA_APP_ASSIGNMENTS, CHANGE_EMAIL_SETTING, CHANGE_GMAIL_SETTING, CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION, CHANGE_TWO_STEP_VERIFICATION_FREQUENCY, CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION, CHANGE_TWO_STEP_VERIFICATION_START_DATE, CREATE_GMAIL_SETTING, CREATE_ROLE, DROP_FROM_QUARANTINE, EMAIL_UNDELETE, ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY, ENFORCE_STRONG_AUTHENTICATION, REJECT_FROM_QUARANTINE, RELEASE_FROM_QUARANTINE, REMOVE_FROM_BLOCKED_OAUTH2_APPS, REMOVE_FROM_TRUSTED_OAUTH2_APPS, SESSION_CONTROL_SETTINGS_CHANGE, TRUST_DOMAIN_OWNED_OAUTH2_APPS, UNBLOCK_ALL_THIRD_PARTY_API_ACCESS, UNBLOCK_ON_DEVICE_ACCESS, UNTRUST_DOMAIN_OWNED_OAUTH2_APPS, UPDATE_ROLE, WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED
- The minimum and default values of the lookbackOffset parameter for activity-related events were also revisited. The minimum value is 5 minutes, and the default value is 30 minutes.
- The bug with gws:reports:token sourcetype events was fixed, so the respective events now have proper CIM mapping support.
Known issues¶
Version 2.1.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.1.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 2.0.0¶
Version 2.0.0 of the Splunk Add-on for Google Workspace was released on February 2, 2022.
About this release¶
Version 2.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
New features¶
Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following new features.
- HTTPS proxy support for collecting activity report and Gmail headers information
This version of the Splunk Add-on for Google Workspace introduces a new configuration tab containing HTTPS proxy configurations that, when enabled, are used to proxy all requests to Google APIs.
- Split some events into multiple events
Some Google Workspace Reports API events contain multiple subevents. For example, moving a file to a folder in Google Drive generates one event, which has four subevents (create, change_user_access, change_acl_editors and add_to_folder). This causes potential issues with CIM mapping support for these events.
This version of the Splunk Add-on for Google Workspace introduces a change to split the four subevents into four separate events ingested into your Splunk platform deployment. Each of the four new related events has the same etag field.
For example, if a system revokes Google Workspace licenses for two users, the event in previous versions of the Splunk Add-on for Google Workspace looks like the following:
Previous version Event
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "events": [
    {
      "type": "LICENSES_SETTINGS",
      "name": "USER_LICENSE_REVOKE",
      "parameters": [
        { "name": "USER_EMAIL", "value": "user1@example.com" },
        { "name": "PRODUCT_NAME", "value": "Google Workspace" },
        { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
      ]
    },
    {
      "type": "LICENSES_SETTINGS",
      "name": "USER_LICENSE_REVOKE",
      "parameters": [
        { "name": "USER_EMAIL", "value": "user2@example.com" },
        { "name": "PRODUCT_NAME", "value": "Google Workspace" },
        { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
      ]
    }
  ]
}
This release of the Splunk Add-on for Google Workspace splits this single event into two separate events and ingests them in the following format into your Splunk platform deployment:
Event 1
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "event": {
    "type": "LICENSES_SETTINGS",
    "name": "USER_LICENSE_REVOKE",
    "parameters": [
      { "name": "USER_EMAIL", "value": "user1@example.com" },
      { "name": "PRODUCT_NAME", "value": "Google Workspace" },
      { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
    ]
  }
}
Event 2
{
  "kind": "admin#reports#activity",
  "id": { "time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123", "applicationName": "admin", "customerId": "some-customerId" },
  "etag": "some-etag",
  "actor": { "callerType": "KEY", "key": "SYSTEM" },
  "event": {
    "type": "LICENSES_SETTINGS",
    "name": "USER_LICENSE_REVOKE",
    "parameters": [
      { "name": "USER_EMAIL", "value": "user2@example.com" },
      { "name": "PRODUCT_NAME", "value": "Google Workspace" },
      { "name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus" }
    ]
  }
}
If you want to identify a specific event, and other events occur at the same time, you can search for the etag field, which shows you all the related events.
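The split described above, as an added illustration that is not the add-on's own code: one Reports API activity record with an `events` list becomes one record per subevent, each carrying a single `event` object and the shared `etag`, and the `etag` is then enough to regroup the related records. The input record is constructed here to mirror the USER_LICENSE_REVOKE example; the helper names are assumptions.

```python
import copy
import json
from collections import defaultdict

# Constructed Reports API activity record with two subevents, mirroring the
# license-revocation example in the release note (all values are placeholders).
RAW_ACTIVITY = {
    "kind": "admin#reports#activity",
    "id": {"time": "2021-06-28T18:25:42.247Z", "uniqueQualifier": "123",
           "applicationName": "admin", "customerId": "some-customerId"},
    "etag": "some-etag",
    "actor": {"callerType": "KEY", "key": "SYSTEM"},
    "events": [
        {"type": "LICENSES_SETTINGS", "name": "USER_LICENSE_REVOKE",
         "parameters": [{"name": "USER_EMAIL", "value": "user1@example.com"},
                        {"name": "PRODUCT_NAME", "value": "Google Workspace"},
                        {"name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus"}]},
        {"type": "LICENSES_SETTINGS", "name": "USER_LICENSE_REVOKE",
         "parameters": [{"name": "USER_EMAIL", "value": "user2@example.com"},
                        {"name": "PRODUCT_NAME", "value": "Google Workspace"},
                        {"name": "OLD_VALUE", "value": "Google Workspace Enterprise Plus"}]},
    ],
}


def split_activity(activity):
    """Turn one record with an `events` list into one record per subevent.

    Every output record keeps kind/id/etag/actor unchanged and carries a single
    `event` object instead of the `events` list. The input is not mutated.
    A record with no subevents yields nothing.
    """
    subevents = activity.get("events") or []
    common = {key: value for key, value in activity.items() if key != "events"}
    records = []
    for sub in subevents:
        record = copy.deepcopy(common)
        record["event"] = copy.deepcopy(sub)
        records.append(record)
    return records


def to_json_lines(records):
    """Serialise split records one per line, the shape a raw event would take."""
    return [json.dumps(record, separators=(",", ":")) for record in records]


def group_by_etag(records):
    """Recover the related events from a stream of split records via their etag."""
    groups = defaultdict(list)
    for record in records:
        groups[record["etag"]].append(record)
    return dict(groups)


def param(record, name):
    """Read one named parameter from a split record's single `event`."""
    for parameter in record["event"].get("parameters", []):
        if parameter.get("name") == name:
            return parameter.get("value")
    return None


if __name__ == "__main__":
    for line in to_json_lines(split_activity(RAW_ACTIVITY)):
        print(line)
```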
- Support for collecting Gmail headers information
This release includes support for Gmail headers ingestion into your Splunk platform deployment. This feature is supported for the following Google Workspace editions: Enterprise, Education Standard, and Plus. For more information, see the Prepare to use Gmail logs in BigQuery topic in the Google Workspace Admin documentation.
- Extend CIM mapping support for all sourcetypes
This release includes CIM mapping support for the following event names:
  - gws:reports:saml sourcetype (for more information, see the SAML Audit Activity Events topic in the Workspace Admin SDK documentation): login_failure, login_success
  - gws:reports:login sourcetype (for more information, see the Login Audit Activity Events topic in the Workspace Admin SDK documentation): 2sv_disable, 2sv_enroll, account_disabled_password_leak, login_failure, login_success, logout, password_edit, recovery_email_edit, recovery_phone_edit, recovery_secret_qa_edit, suspicious_login, suspicious_login_less_secure_app, suspicious_programmatic_login
  - gws:reports:oauthtoken sourcetype (for more information, see the OAuth Token Audit Activity Events topic in the Workspace Admin SDK documentation): authorize, revoke
  - gws:reports:drive sourcetype (for more information, see the Drive Audit Activity Events topic in the Workspace Admin SDK documentation): add_to_folder, change_document_access_scope, change_document_access_scope_hierarchy_reconciled, change_document_visibility, change_document_visibility_hierarchy_reconciled, change_user_access, change_user_access_hierarchy_reconciled, copy, create, delete, download, edit, email_as_attachment, move, print, publish_change, remove_from_folder, rename, shared_drive_membership_change, sheets_import_range, trash, untrash, upload, view
  - gws:reports:admin sourcetype (for more information, see the Reports API: Admin Activity Report Event Names topic in the Workspace Admin SDK documentation): ADD_RECOVERY_EMAIL, ADD_RECOVERY_PHONE, ARCHIVE_USER, AUTHORIZE_API_CLIENT_ACCESS, CHANGE_PASSWORD, CHANGE_PASSWORD_ON_NEXT_LOGIN, CHANGE_RECOVERY_EMAIL, CHANGE_RECOVERY_PHONE, CREATE_EMAIL_MONITOR, CREATE_USER, DELETE_EMAIL_MONITOR, DELETE_USER, ENABLE_USER_IP_WHITELIST, GENERATE_2SV_SCRATCH_CODES, GMAIL_RESET_USER, GRANT_ADMIN_PRIVILEGE, GRANT_DELEGATED_ADMIN_PRIVILEGES, MAIL_ROUTING_DESTINATION_ADDED, MAIL_ROUTING_DESTINATION_REMOVED, MOVE_USER_TO_ORG_UNIT, REMOVE_RECOVERY_EMAIL, REMOVE_RECOVERY_PHONE, RENAME_USER, REVOKE_ADMIN_PRIVILEGE, SECURITY_KEY_REGISTERED_FOR_USER, SUSPEND_USER, TURN_OFF_2_STEP_VERIFICATION, UNARCHIVE_USER, UNBLOCK_USER_SESSION, UNDELETE_USER, UNENROLL_USER_FROM_STRONG_AUTH, UNENROLL_USER_FROM_TITANIUM, UNSUSPEND_USER, USER_LICENSE_REVOKE, USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD
- Common Information Model mapping changes
Common Information Model mapping changes
The following table displays the changes to the Common Information Model (CIM) mapping for this add-on:
Source type | Event name | Change |
---|---|---|
gws:reports:login | login_success | Field authentication_method is now taken from login_type first and, if that is empty, from login_challenge_method; added dest_name field equal to Google Workspace; added vendor_product field equal to Google Workspace |
gws:reports:login | login_failure | Field authentication_method is now taken from login_type first and, if that is empty, from login_challenge_method; added dest_name field equal to Google Workspace; added vendor_product field equal to Google Workspace |
gws:reports:login | logout | Added dest_name field equal to Google Workspace; removed src_ip field mapping; added src_user_id field mapping; added src_user_name field mapping |
gws:reports:oauthtoken | token_authorize | Added dest_url field equal to dest field |
gws:reports:oauthtoken | token_revoke | Field action was changed from logoff to modified; added app field mapping; added dest_url field equal to dest field; field object is now taken from client_id field; field object_id is now taken from client_id field; field result is equal to revoke; field result_id is equal to revoke; added src_user_id field; field user is now taken from client_id field; field user_id is now taken from client_id field; field user_name is now taken from client_id field |
gws:reports:admin | USER_LICENSE_REVOKE | Field object_attrs is now equal to USER_LICENSE |
gws:reports:admin | AUTHORIZE_API_CLIENT_ACCESS | Added dest_url field equal to dest field; field object_attrs is now equal to API_CLIENT; added src_user_id field |
gws:reports:admin | DELETE_USER | Field object_attrs is now equal to USER_SETTINGS; added src_user_id field |
gws:reports:admin | SUSPEND_USER | Added dest_name field equal to dest; added src_user_id field |
gws:reports:admin | CHANGE_MOBILE_SETTING | Field dest is now taken from ORG_UNIT_NAME field; added dest_name field equal to dest; field object_attrs is now equal to NEW_VALUE field |
gws:reports:admin | CREATE_USER | Added dest_name field equal to dest; field object_attrs is now equal to USER_SETTINGS; added src_user_id field |
gws:reports:admin | ADD_TO_TRUSTED_OAUTH2_APPS | Field action was changed from modified to created; field object_attrs is now equal to SECURITY_SETTINGS |
Known issues¶
Version 2.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 2.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace
Version 1.0.0¶
Version 1.0.0 of the Splunk Add-on for Google Workspace was released on September 1, 2021.
About this release¶
Version 1.0.0 of the Splunk Add-on for Google Workspace is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.18 |
Platforms | Platform independent |
Vendor Products | Google Workspace Enterprise Plus |
Known issues¶
Version 1.0.0 of the Splunk Add-on for Google Workspace contains the following known issues. If no issues appear below, no issues have yet been reported:
Third-party software attributions¶
Version 1.0.0 of the Splunk Add-on for Google Workspace incorporates the following third-party software or libraries:
Third-party software attributions for the Splunk Add-on for Google Workspace