Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cannot View Logs in Splunk after Integrating with Google Workspace

ShuKinTa
Engager
‎10-15-2024 07:28 PM

This is regarding the integration between Splunk and Google Workspace.

I have followed the documentation below to configure the integration, but the log data is not being ingested into the specified index in Splunk, and I cannot view the Google Workspace logs on Splunk. Additionally, there are no apparent errors after the integration setup.

I would appreciate any advice or precautions to take when installing the Add-on for Google Workspace.

# Additional info
Upon checking the log files, the following errors were found. However, no 40x errors were found.

Could not refresh service account credentials because of ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})


# Referenced Documentation
## Installation of the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Installation

## Issuing Authentication Keys for Accounts Created on the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs1
-> Refer to the "Google Workspace activity report prerequisites" section in the above document.

## Add-on Configuration
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs2
-> Refer to the "Add your Google Workspace account information" and "Configure activity report data collection using Splunk Web" sections in the above document.

## Troubleshooting
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot
-> Refer to the "No events appearing in the Splunk platform" section in the above document.

https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-Add-on-for-Google-Workspace-inputs-get...

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ShuKinTa
Engager
‎11-06-2024 05:32 PM

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful. 

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ShuKinTa
Engager
‎11-06-2024 05:32 PM

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful. 

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

Tags (1)
0 Karma
Reply
Solved! Jump to solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-18-2024 05:43 PM

I think its a permission issue, Google Workspace user should have a “Organization Administrator” role. That’s the only requirement for the account. you account might be read only?



If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...