
Give me advice for setting up the GSuite app.

Explorer

I installed the GSuite App on Splunk 8.0.4.1 and configured the inputs etc.
* Before, I installed old versions of the GSuite App on Splunk 8.0, but it didn't work,
   then I deleted the old version and settings and installed from scratch after support both versions.

But I cannot get user information / Gmail information on the current version.
I could get the information below.

Do you have any advice for getting user and other information?
(Or if you know of any documentation or website for setup, including the GSuite side, please let me know.)
I could get the information when I used the old version of the GSuite App.

- Source information which I can get now.
gapps:report:drive
gapps:report:calendar
gapps:report:mobile
gapps:report:groups:modular_input_result
gapps:report:mobile:modular_input_result
GSuiteForSplunk:error
gapps:report:admin:modular_input_result
gapps:report:calendar:modular_input_result
gapps:report:[all:modular_input_result

- Service Settings.
report:all,report:access_transparency,report:admin,report:calendar,report:drive,report:token,report:gcp,report:meet,report:mobile,report:groups,report:groups_enterprise,report:login,report:user_accounts,report:gplus,report:saml,admin:users,usage:chrome,usage:user

- Error
In "GSuiteForSplunk:error", it logged "HttpError 503 when requesting https://www.googleapis.com/discovery/v1/apis/drive/v3/rest returned "Backend Error""


Explorer

Thank you for your reply.

It looks strange, but after 1-2 weeks it started to display information.

Maybe Splunk didn't get enough information from G-Suite.

 


Ultra Champion

Not a direct answer to your question, but it might be worth looking at this recently published blog on how to send GSuite logs to HEC (through Google Cloud Platform pub/sub methods): https://www.splunk.com/en_us/blog/partners/google-gsuite-to-splunk-hec-configuration.html
