Why can I not collect google drive logs by using G Suite For Splunk?

syokota_splunk
Splunk Employee

I set up the G Suite app and TA on a single Splunk server (7.0.0) to collect Google Drive access logs for all team usage.

I set it up step by step as below:

  1. Install App and TA
  2. Setup Client ID and Client Secret
  3. Setup Authorized step1 and step2
  4. Create a new input (check only Activity - Drive)
  5. Error messages appeared

What is the meaning of the ga.py error?

When I run the command below from the CLI, there is no response after a minute, and when I press Ctrl+C, an error message appears.

[root@ip-172-31-16-21 bin]# /opt/splunk/bin/splunk cmd python ga.py 
^CTraceback (most recent call last):
  File "ga.py", line 246, in <module>
    run()
  File "ga.py", line 74, in run
    MI.start()
  File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 468, in start
    self.run()
  File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 477, in run
    self._config = self._get_config()
  File "/opt/splunk/etc/apps/GSuiteForSplunk/bin/ModularInput.py", line 387, in _get_config
    config_str = sys.stdin.read()
KeyboardInterrupt

Does anyone know how to solve this type of error?
0 Karma
1 Solution

alacercogitatus
SplunkTrust

Hi, app author here. What is the actual error? Expand the JSON and ping me in Slack with the actual error message.
Additionally, you can't run the modular input from the command line without some additional items to pull the configuration. So the fact that it stops at sys.stdin.read() is indicative of correct operation.

0 Karma
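
Why the command-line run above blocks at sys.stdin.read(), as an added example that is not part of the original posts and not code from the GSuiteForSplunk app: splunkd hands a modular input its configuration as XML on stdin, so a script started from a terminal waits for input that never arrives. The sample XML, host name, stanza name and param name below are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the XML that splunkd writes to a modular input's stdin.
# Host, key, stanza and param values are placeholders, not taken from the thread.
SAMPLE_CONFIG = """<input>
  <server_host>hf01.example.test</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>PLACEHOLDER-SESSION-KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/ga</checkpoint_dir>
  <configuration>
    <stanza name="ga://drive_example">
      <param name="example_param">example_value</param>
    </stanza>
  </configuration>
</input>"""


def parse_modinput_config(xml_text):
    """Return the fields splunkd passes to a modular input, as a dict."""
    root = ET.fromstring(xml_text)
    config = {child.tag: (child.text or "").strip()
              for child in root if child.tag != "configuration"}
    config["stanzas"] = {
        stanza.get("name"): {p.get("name"): (p.text or "") for p in stanza.findall("param")}
        for stanza in root.findall("./configuration/stanza")
    }
    return config


def redact(config):
    """Copy of the config that is safe to log: the session key is a live credential."""
    safe = dict(config)
    if safe.get("session_key"):
        safe["session_key"] = "<redacted>"
    return safe


def read_config(stream=None):
    """Read the config from stdin, failing fast when no config is piped in."""
    stream = sys.stdin if stream is None else stream
    if stream.isatty():
        # An interactive terminal never sends EOF, so read() would block until Ctrl+C.
        raise RuntimeError("no config on stdin; pipe the modular input XML in")
    return parse_modinput_config(stream.read())


if __name__ == "__main__":
    print(redact(parse_modinput_config(SAMPLE_CONFIG)))
```

On a Splunk host, `splunk cmd splunkd print-modinput-config <scheme> <stanza>` prints this XML so it can be piped into a script's stdin. That output contains a session key, so keep it out of tickets and chat when sharing debug output.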

bernardoortega
Path Finder

Hello @alacercogitatus.

I have an error in Splunk on the SHs:
servername.xxx.xxx] Eventtype 'gsuite_internal' does not exist or is disabled.

The eventtype does exist if I look on the search heads. I did use the HF for the collector to send to the idx.

On SH, with the non-configured app, we have that eventtype:
index=internal sourcetype=ga*

On HF with the collector add-on:
same eventtype enabled as on SH

Thanks

0 Karma

syokota_splunk
Splunk Employee

Finally I got it working thanks to @alacercogitatus.
I needed to install the App and the IA add-on separately: the App on the SH and the IA on the HF.
Then I set up the modular inputs for both "google:drive report" and "other report", separately.

0 Karma

hoangnguyen
Explorer

Hi Syokota,

I am on a Splunk project which needs to integrate G Suite/G Sheets with Splunk Enterprise. Could you help by sending me the guide to do that?
My mail is hoangnlm1511@gmail.com.
Thanks so much in advance.

0 Karma

syokota_splunk
Splunk Employee

Hi hoangnguyen,
Sorry I only have the instruction guide in Japanese.

G Suite
https://qiita.com/odorusatoshi/items/6874a983e37cad423fbf

Google Spreadsheet
https://qiita.com/odorusatoshi/items/2d00edbd074c9b267195

Hope this helps.

0 Karma

hoangnguyen
Explorer

It is good enough.
Thank you for sharing.

0 Karma

hoangnguyen
Explorer

Hi Syokota,

I have followed your guide, but the only sourcetype we get is GSuiteForSplunk:error:

{"errors": [{"exception_type": "AttributeError", "filename": "ga.py", "msg": "'NoneType' object has no attribute 'tb_frame'", "line": 108, "exception_arguments": "'NoneType' object has no attribute 'tb_frame'", "input_name": "ga://gsuit_sarakura"}], "log_level": "ERROR", "timestamp": "Tue, 28 May 2019 02:39:27 +0000", "modular_input_consumption_time": "Tue, 28 May 2019 02:39:27 +0000"}

Please advise how to fix. Thank you so much.

0 Karma