Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Google Workspace giving 400 Error

cbyrd
Observer
‎03-04-2025 12:36 PM
We are using the Splunk Add-On for GWS Version3.0.3 for Splunk Cloud and receiving this error when attempting to pull in the (user) identities portion. I have tried both 'admin_view' and 'domain_public' in the Inputs config with same error. All other functions are working fine. I need to bring in this sourcetype "gws_users_identity" to populate our identities lookup. Has anyone else encountered this? Maybe you found a "fix"?

 

ERROR pid=<redacted> tid=MainThread file=log.py:log_exception:351 | exc_l="User Identity Error" Exception raised while ingesting data for users: <HttpError 400 when requesting https[:]//admin.googleapis.com/admin/directory/v1/users?customer=<redacted>&orderBy=email&maxResults=500&viewType=domain_public&alt=json returned "Bad Request". Details: "[{'message': 'Bad Request', 'domain': 'global', 'reason': 'badRequest'}]">. Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_user_identity.py", line 139, in stream_events service.users()

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-04-2025 02:07 PM

Hi @cbyrd 

Given that the 400 error is coming from the Google API, I'd start off by checking for config issues on the Google side.

  1. Check API Permissions:
  2. Verify API Scopes:
    • Double-check that the OAuth 2.0 scopes configured for the service account include the necessary permissions. You might need to add or adjust scopes in the Google Cloud Console.
  3. Customer ID:
    • Ensure that the customer parameter in the API request is correct. It should be the unique ID of your Google Workspace account. You can find this ID in the Admin console under Account settings.
  4. View Type:
    • The viewType parameter can be either admin_view or domain_public. Make sure that the view type you are using is appropriate for your use case and that the account has the necessary permissions to access the data with that view type.
  5. API Quotas and Limits:
    • Check if you are hitting any API quotas or limits. Google APIs have usage limits, and exceeding them can result in errors.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...