Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk Add-on for Google Workspace inputs getting 401 response?

splunk_w_ro
Explorer
‎06-22-2022 01:13 PM

I have configured the Splunk Add-on for Google Workspace on a Heavy Forwarder that is performing data collection and then forwarding the data to Splunk Cloud.

We followed the instructions at https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/About both when configuring the Google Cloud service account and configuring the Add-On. I configured the Add-On with the Google Cloud service account with the JSON key generated on console.cloud.google.com and then configured the inputs.

We are not getting any data and when we look at the internal logs from the Heavy Forwarder where the Splunk Add-on for Google Workspace is deployed we are seeing 401 responses like the following:

 

 

 

 

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.464Z&endTime=2022-06-22T19%3A07%3A10.464Z
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?maxResults=1000&startTime=2022-06-22T19%3A07%3A10.521Z&endTime=2022-06-22T19%3A07%3A10.521Z

 

 

 

 

We also went through the troubleshooting section of the docs: https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot to no avail

Any guidance from some one who has deployed the GWS Add-On and gotten a 401 after configuring the inputs will be greatly appreciated

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ostap_med
Engager
‎07-01-2022 05:23 AM

You need to grand admin privileges in GWS for the account you use in the Username field (the email address that you use as your Google Workspace).

View solution in original post

Reply
Solved! Jump to solution

pablobarquin
Explorer
‎08-08-2022 06:34 AM

Hello,

Did you have any luck fixing the issue? we are getting exactly the same error and we are getting crazy trying to make it work but with no luck so far. Any help will be very welcome.

Thanks!

0 Karma
Reply
Solved! Jump to solution

pablobarquin
Explorer
‎08-11-2022 03:53 AM

We now have the input working for the admin SDK via GCP for Splunk- Addon, the root cause of the authorization issue was a GCP service account needing to do user impersonation of a GWS account with proper admin rights (not what Splunk support advised).

https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba76...

0 Karma
Reply
Solved! Jump to solution

splunk_w_ro
Explorer
‎08-08-2022 07:02 AM

The service account used for this integration needs to have the super admin role as @ostap_med noted. It also needs to match the account in the JSON key that is used when setting up the account within the Splunk TA for Google Workspace

0 Karma
Reply
Solved! Jump to solution
Solution

ostap_med
Engager
‎07-01-2022 05:23 AM

You need to grand admin privileges in GWS for the account you use in the Username field (the email address that you use as your Google Workspace).

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...