
Troubleshoot the Splunk Add-on for Google Workspace

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Sample sourcetype searches

Perform the following searches, based on sourcetype, in your Splunk platform deployment in order to verify data ingestion.

Sourcetype                 Sample search
gws:reports:admin          sourcetype="gws:reports:admin"
gws:reports:drive          sourcetype="gws:reports:drive"
gws:gmail                  sourcetype="gws:gmail"
gws:reports:login          sourcetype="gws:reports:login"
gws:reports:oauthtoken     sourcetype="gws:reports:oauthtoken"
gws:reports:saml           sourcetype="gws:reports:saml"

No events appearing in the Splunk platform

If no events are appearing in your Splunk platform, and you have already checked the internal Splunk software logs and the logs of the Splunk Add-on for Google Workspace, perform the following steps to confirm that domain-wide delegation is enabled for the service account that you are using.

  1. Log into the Google Cloud console and open the service account that the add-on uses.
  2. Copy the Client ID of this service account.
  3. Navigate to https://admin.google.com/ac/owl/domainwidedelegation.
  4. Check whether the Client ID of your service account is listed with the https://www.googleapis.com/auth/admin.reports.audit.readonly scope. If it is not, add your Client ID and specify the https://www.googleapis.com/auth/admin.reports.audit.readonly scope.
  5. Navigate to https://console.cloud.google.com/iam-admin/iam.
  6. Check that the account you entered in the Username field of the add-on has the Organization Administrator role.
  7. In the add-on's account configuration, navigate to the Certificate field.
  8. Verify that you pasted the entire JSON key file that you downloaded for your service account, not only part of it.
  9. Save your changes.
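As an added example that is not part of the Splunk documentation or of the add-on's own code, the following Python script models the checks in steps 2 through 8 offline: it verifies that what was pasted into the Certificate field is a complete service-account key file (a partial paste is a common reason the add-on never authenticates), checks a copy of the domain-wide delegation list for the service account's client ID and the required scope, and builds the JWT claim set that a domain-wide-delegated token request carries, which is where the Username field ends up as the sub claim. The key file, client IDs, delegation rows and admin address are constructed sample values, and the RS256 signing of the claim set with the private key is left out.

```python
import json
import time

# Scope the add-on's Reports inputs need, as listed in the troubleshooting steps above.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Fields every Google service-account JSON key carries; a partial paste into the
# add-on's Certificate field typically lacks some of these.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email",
                       "client_id", "token_uri")

# Constructed sample key for this example. The client_id, e-mail and project are
# made up and the private_key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "splunk-gws@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def validate_key_file(text):
    """Parse what was pasted into the Certificate field.

    Returns (key_dict_or_None, list_of_problems). An empty problem list means
    the paste is a complete service-account key file.
    """
    problems = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, ["not valid JSON (%s); paste the entire downloaded key file" % exc]
    if not isinstance(key, dict):
        return None, ["key file must be a JSON object"]
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    return key, problems


def parse_delegation_page(rows):
    """Model the admin.google.com domain-wide delegation list.

    rows: list of (client_id, scopes_string), where scopes_string is the
    comma-separated list as entered in the admin console.
    Returns dict client_id -> set of scopes.
    """
    granted = {}
    for client_id, scopes in rows:
        granted.setdefault(client_id.strip(), set()).update(
            s.strip() for s in scopes.split(",") if s.strip())
    return granted


def check_delegation(granted, client_id, scope=REQUIRED_SCOPE):
    """Return None if client_id is delegated with scope, else a diagnosis string."""
    scopes = granted.get(client_id)
    if scopes is None:
        return "client ID %s is not listed under domain-wide delegation" % client_id
    if scope not in scopes:
        return "client ID %s is listed but lacks scope %s" % (client_id, scope)
    return None


def delegation_claims(key, admin_user, scopes=(REQUIRED_SCOPE,), now=None):
    """JWT claim set a domain-wide-delegated token request carries.

    iss is the service account, sub is the Workspace admin from the add-on's
    Username field that the service account impersonates, aud is the token
    endpoint from the key file. The signing step (RS256 with private_key)
    is left out of this example.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": admin_user,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


if __name__ == "__main__":
    key, problems = validate_key_file(SAMPLE_KEY_JSON)
    print("key file problems:", problems or "none")
    # Only the private key pasted: the check reports the partial paste.
    print("partial paste:", validate_key_file(key["private_key"])[1])
    page = parse_delegation_page([
        (key["client_id"], REQUIRED_SCOPE),
        ("999999999999999999999", "https://www.googleapis.com/auth/gmail.readonly"),
    ])
    print("delegation:", check_delegation(page, key["client_id"]) or "ok")
    print("delegation:", check_delegation(page, "999999999999999999999"))
    print(json.dumps(delegation_claims(key, "admin@example.com", now=1700000000), indent=1))
```

The same checks apply when the add-on reports a 401: a rejected token request almost always traces back to a wrong or incomplete key file, a client ID that is not delegated with the scope the input needs, or a sub user who is not an administrator.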

Unable to ingest Gmail logs

In the third quarter of 2022, Google announced a change to log routing in BigQuery. As a result, all new Google Workspace customers, as well as existing Workspace customers that have fully migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery, cannot collect Gmail logs using version 2.4.0 or earlier of the Splunk Add-on for Google Workspace.

Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called "Gmail Logs Migrated" and has the same parameters as the "Gmail Logs" modular input. The log format did not change with the migration, so no changes to the Common Information Model (CIM) field mappings are needed for the migrated data.

To collect Gmail logs using the Splunk Add-on for Google Workspace, upgrade your deployment to version 2.4.1 or later, and configure your existing Gmail logs to route to Workspace logs as described in the Google announcement titled Unified experience for Gmail logs in BigQuery.

For more information, see the Gmail logs in BigQuery and Google Workspace logs and reports in BigQuery topics in the Google Workspace Admin Help portal.

401 Error: Access denied

If you receive a 401 error, check that the credentials used to configure the Splunk Add-on for Google Workspace are correct, and that the service account has all the permissions the configured inputs need. See Configure your Google Cloud Service account for more information.