Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Google Workspace giving 400 Error

cbyrd
New Member
‎03-04-2025 12:36 PM
We are using the Splunk Add-On for GWS Version3.0.3 for Splunk Cloud and receiving this error when attempting to pull in the (user) identities portion. I have tried both 'admin_view' and 'domain_public' in the Inputs config with same error. All other functions are working fine. I need to bring in this sourcetype "gws_users_identity" to populate our identities lookup. Has anyone else encountered this? Maybe you found a "fix"?

 

ERROR pid=<redacted> tid=MainThread file=log.py:log_exception:351 | exc_l="User Identity Error" Exception raised while ingesting data for users: <HttpError 400 when requesting https[:]//admin.googleapis.com/admin/directory/v1/users?customer=<redacted>&orderBy=email&maxResults=500&viewType=domain_public&alt=json returned "Bad Request". Details: "[{'message': 'Bad Request', 'domain': 'global', 'reason': 'badRequest'}]">. Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_user_identity.py", line 139, in stream_events service.users()

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
‎03-04-2025 02:07 PM

Hi @cbyrd 

Given that the 400 error is coming from the Google API, I'd start off by checking for config issues on the Google side.

  1. Check API Permissions:
  2. Verify API Scopes:
    • Double-check that the OAuth 2.0 scopes configured for the service account include the necessary permissions. You might need to add or adjust scopes in the Google Cloud Console.
  3. Customer ID:
    • Ensure that the customer parameter in the API request is correct. It should be the unique ID of your Google Workspace account. You can find this ID in the Admin console under Account settings.
  4. View Type:
    • The viewType parameter can be either admin_view or domain_public. Make sure that the view type you are using is appropriate for your use case and that the account has the necessary permissions to access the data with that view type.
  5. API Quotas and Limits:
    • Check if you are hitting any API quotas or limits. Google APIs have usage limits, and exceeding them can result in errors.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top