All Apps and Add-ons

"Expected string or buffer" error on GSuite Input Add-on for Splunk

Communicator

I have attempted to set this input add-on for quite some time without any luck. Below are the steps I have performed thus far.

Input Add-on version : Latest(1.3.1)

  1. In the existing project in https://console.developers.google.com/ , had a super admin create Client ID and Client Secret by navigating to API Project  APIs & Auth  Credentials. Create Client ID  Other -[Please help verify if we should choose other or web application. If it’s a web app, what URI should be used as the calling application?. We did not have to create a service account in the process but just a client ID and secret]

  2. Had the super admin enable the Admin SDK API and the Google Drive API. Also, had the super admin enable the below scopes.
    admin.reports.audit.readonly,admin.reports.usage.readonly,analytics.readonly,admin.directory.user.readonly,admin.directory.device.chromeos.readonly,drive.metadata.readonly,bigquery and cloud-platform

2-3 bullet points on the google admin dev console setup would help.

  1. In the input add-on, setup the proxy under the name gapps_proxy without SSL and proxy policy change was done to allow traffic without authentication. Oddly we don’t see any logs in the proxy saying there’s a call from the server but we see that the Admin SDK call count increases in developer console with errors. Unable to view the errors.

  2. We then input our domain, client and secret and had the super admin authorize the app. We get the messages “Credentials successfully written to store”. We do see a credential entry in the credential tab?. (Does this require us to save the changes by clicking save at the bottom?)

  3. We then create a new input using Create new Gsuite input with custom index, Activity – Admin selected with 600 as interval with the proxy gapps_proxy setup in Step 3.

  4. Almost immediately, we see the below error in Splunk.
    <{"loglevel": "ERROR", "modularinputconsumptiontime": "Wed, 10 Apr 2019 09:11:01 +0000", "timestamp": "Wed, 10 Apr 2019 09:11:01 +0000", "errors": [{"filename": "ga.py", "msg": "expected string or buffer", "line": 103, "exceptionarguments": "expected string or buffer", "inputname": "ga://gcipoc", "exceptiontype": "TypeError"}]}>

0 Karma
1 Solution

SplunkTrust
SplunkTrust

This is first and foremost, most likely to be caused by co-location of the IA, TA, and App. Remove all except the App. Configure that. This only applies in standalone instance configurations.

View solution in original post

0 Karma

Communicator

Thanks @alacercogitatus for your inputs. A slight rewording of the documentation or promoting this to the top of the documentation would be wonderful!

0 Karma

SplunkTrust
SplunkTrust

This is first and foremost, most likely to be caused by co-location of the IA, TA, and App. Remove all except the App. Configure that. This only applies in standalone instance configurations.

View solution in original post

0 Karma