Gsuite for Splunk logs error

praneshjan · ‎07-24-2018

I tried configuring the GsuiteforSplunk App. Configuration, authorization part and the google apps input all have been configured and saved. But I have issues receiving the logs in Splunk App. All I receive is the error logs. Can someone help me out here. If there is any documentation on the configuration, it would be additional help.

Thanks in advance.

jkat54 · ‎07-25-2018

All the instructions are found on splunkbase:

https://splunkbase.splunk.com/app/2714/#/details

praneshjan · ‎07-25-2018

I also get the error message while token authentication

[Errno 22] invalid mode ('a+b') or filename: u'C:\Program Files\Splunk\etc\apps\GoogleAppsForSplunk\local/GoogleApps.https://accounts.google.com/o/oauth2/auth.cred'

praneshjan · ‎07-26-2018

After changing few configurations, this is a new error that I am getting now.

{"timestamp": "Thu, 26 Jul 2018 12:13:22 +0000", "log_level": "ERROR", "errors": [{"exception_arguments": "error=http_error message='<HttpError 400 when requesting https://www.googleapis.com/admin/reports/v1/usage/dates/2018-07-24?alt=json returned \"Data for dates later than 2018-07-21 is not yet available. Please check back later\">'", "line": 268, "exception_type": "unicode", "filename": "GoogleAppsForSplunkModularInput.py", "msg": "error=http_error message='<HttpError 400 when requesting https://www.googleapis.com/admin/reports/v1/usage/dates/2018-07-24?alt=json returned \"Data for dates later than 2018-07-21 is not yet available. Please check back later\">'", "input_name": "ga://splunktest1"}], "modular_input_consumption_time": "Thu, 26 Jul 2018 12:13:22 +0000"}

Hoping to find an answer to this.

vik_splunk · ‎03-22-2019

What was changed? to get to this state? We are encountering the exact same issue.

1)I've setup and configured IA-GSuiteForSplunk ( on a standalone Splunk instance)

2)Added parameters from the UI that results in the below stanza in inputs.com (our domain name does contain a "-".

[ga://GCI_TestData_abccba]
disabled = false
domain = abc-cba.com
extraconfig = {}
index = main
interval = 25 7 * * *
proxy_name = GCI_Proxy
servicename = report:all

Error seen in logs

{"timestamp": "Fri, 22 Mar 2019 11:25:00 +0000", "errors": [{"exception_type": "TypeError", "exception_arguments": "expected string or buffer", "input_name": "ga://GCI_TestData_abccba", "msg": "expected string or buffer", "line": 103, "filename": "ga.py"}], "log_level": "ERROR", "modular_input_consumption_time": "Fri, 22 Mar 2019 11:25:00 +0000"}

Any inputs would help. Thanks!

vik_splunk · ‎03-22-2019

The cron is complete but it does not seem to appear in this output

jkat54 · ‎07-25-2018

Wait, is there a file on that path? ... auth.cred?

praneshjan · ‎07-25-2018

no there is no such file

jkat54 · ‎07-25-2018

You’re failing to authenticate and that’s causing the other error.

praneshjan · ‎07-25-2018

I receive the below error log. Can you explain what this error about and where the problem is?

{"timestamp": "Wed, 25 Jul 2018 08:21:11 +0000", "errors": [{"msg": "expected string or buffer", "line": 101, "filename": "ga.py", "exception_type": "TypeError", "exception_arguments": "expected string or buffer", "input_name": "ga://splunk"}], "log_level": "ERROR", "modular_input_consumption_time": "Wed, 25 Jul 2018 08:21:11 +0000"}

Gsuite for Splunk logs error

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?