
Getting Started with Splunk on Google Cloud

In April 2021, Splunk launched Splunk Cloud on Google Cloud. Since then, a large and growing number of integrations, applications, tools, and solutions have been created to enable or enhance use cases across data protection, productivity, safer remote working and other security visibility needs. 

We’ve highlighted a few of the more noteworthy additions below for any current or prospective users of Splunk Cloud on Google Cloud. 

First Things First

To get the benefits of Splunk data analysis for all of the high-value events generated by Google Cloud, you either need to sign up for Splunk Cloud on Google Cloud or you need to install and configure Splunk Enterprise on a Google Cloud instance.

Splunk Cloud on Google Cloud provides rich capabilities covering a broad set of use cases across IT operations, observability, and security, including end-to-end visibility across cloud, on-premises, and hybrid environments. Using Splunk Cloud on Google Cloud provides real-time visibility into events across your multi-cloud deployment, including Google Cloud workloads, logs, performance metrics, and billing data. Splunk enables faster security investigations, alerting, and deeper forensic analysis to accelerate incident resolution. In addition, you can better orchestrate security infrastructure using Splunk SOAR apps for Google Vault, Google Workspace, Safe Browsing, BigQuery, and more. To find out more, visit Splunk on Google Cloud.

Now let’s take a look at the following 11 solutions that can help you get more out of Splunk Cloud on Google Cloud. 

Explore and Learn

Splunk Hands-On Lab on Cloud Skills Boost

Google's new hands-on lab “Splunk on Google Cloud” guides users through the installation of the Splunk Add-on for Google Cloud along with how to create Splunk indexes, HTTP Event Collectors (HECs), log sinks, Cloud Storage buckets, and Pub/Sub topics and subscriptions. Users then launch the Cloud Dataflow template for Splunk to onboard that data, configure Google Cloud TA (technology add-on) inputs, perform sample Splunk searches across the ingested data, and monitor and troubleshoot Dataflow pipelines.

Try the lab for yourself and get started with Splunk Cloud GDI (getting data in) on Google Cloud.

Splunk Security Essentials App

The Splunk Security Essentials App is a great tool that includes 25+ example Splunk searches for detection of potential threats in your Google Cloud (and multi-cloud) environment. You can easily deploy the App in your Splunk Cloud or Splunk Enterprise deployment to get started with your security operations.

For a deep dive into the Security Essentials App and other Splunk security content applicable to Google Cloud, such as Splunk ES Content Updates and the Splunk SOAR (formerly Phantom) apps for Google Cloud see Elevate Your Cloud Security Posture with Splunk and Google Cloud.

Splunk IT Essentials Learn

Splunk IT Essentials Learn (ITE Learn) enables you to get started easily with Splunk for IT use cases. This app provides a hands-on onboarding and learning experience for anyone new to Splunk or anyone looking to build their knowledge around IT use cases. 

Tailored, pre-built SPL searches (called “procedures”) let you focus on learning a single IT task at a time, and they span a variety of use cases, such as monitoring and troubleshooting Google Cloud. Every procedure also explains why the task matters and which situations call for it, gives the required SPL, and lists the data sources involved. To start learning immediately, you can run the search command in-app with live or demo data without needing to bring your own data into Splunk.

Get started with IT Essentials Learn.

Splunk IT Essentials Work

Splunk IT Essentials Work (ITE Work) speeds up the task of troubleshooting by using log-based analysis and offers pre-built dashboards that are automatically populated once your data is in Splunk. By correlating logs and metrics for each of your entities, you’re able to use that information to observe, investigate, and understand the performance of your entities.

If you currently use individual Splunkbase infrastructure apps (Splunk App for Infrastructure, Unix, Linux, Windows, VMware, NetApp, Exchange, AWS, Azure, and Google Cloud) with Splunk IT Essentials, you can now get a more cohesive, unified, cross-data-source experience to pinpoint root causes faster.

Get Started with Splunk IT Essentials Work.

Google Cloud Application Template

The community-supported application template provides a starting point for various use cases in monitoring, operational and security areas involving Google Cloud data. Once you begin to use the template and learn about the value available, you can add to, delete from, and modify this template to fit your unique requirements, and also correlate with other data sources, including other Google Cloud data, to provide greater operational, security, and observability insights.

The application supports data gathered using all the various methods of collecting Google Cloud data into Splunk, including metrics from Splunk Infrastructure Monitoring, giving you flexibility in how you use the app.

As this is a template application, it offers numerous monitoring, operational, and security dashboards to enable a wide variety of useful capabilities for your cloud teams. 

Get started exploring the value of your Google Cloud logs and metrics.

Collect More Data Points 

Pub/Sub to Splunk Dataflow Template

The Splunk Dataflow template is an indispensable tool that helps Google Cloud customers manage the variety, velocity, and volume of data coming out of Google Cloud. With this template, Google Cloud customers can quickly and easily deploy a cloud-native streaming data pipeline that pushes high volume Google Cloud logs, alerts and events into Splunk. 

The Splunk Dataflow template was the first third-party template that Google Cloud launched, and it’s been battle-tested by some of our largest customers. It’s commonly used to export multiple terabytes of logs per day. The Google Cloud Dataflow engineering team continuously makes enhancements to the template, which have provided better compatibility with the Splunk Add-on for Google Cloud, support for inserting Splunk HTTP Event Collector (HEC) fields metadata, and enhanced Dataflow pipeline reliability and observability.

Please refer to Introducing Dataflow template to stream data to Splunk.

Splunk Add-On for Google Cloud 

Using the Splunk Add-on for Google Cloud you can collect Google Cloud events, logs, performance metrics and billing data through the Google Cloud APIs. Use the Splunk Add-on for Google Cloud in conjunction with the Splunk Dataflow template so that data ingested through the Pub/Sub to Splunk Dataflow pipeline into the Splunk HTTP Event Collector (HEC) endpoint benefits from all of the pre-built sourcetypes. The Add-on also provides Common Information Model (CIM) compliance, with the CIM models that are required for compatibility with premium applications like Splunk Enterprise Security (ES) and IT Service Intelligence (ITSI).

After the Splunk platform indexes the events, you can analyze the data using the prebuilt panels included with the Add-on. Using Splunk you will be able to directly analyze the data or use it as a contextual data feed to correlate with other Google Cloud-related data in the Splunk platform.
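To make the Pub/Sub to HEC hand-off concrete, here is an added example (written for this page; it is not code from the blog post, the Dataflow template, or the Splunk Add-on) that wraps a Cloud Audit Log entry, as a log sink would deliver it through Pub/Sub, in the HEC event envelope and batches several events into one request body, which is the shape a POST to /services/collector/event expects. The sample LogEntry is constructed; the HEC URL, token and index name are placeholders; using the project ID as `host` and `google:gcp:pubsub:message` as the sourcetype are assumptions made here so the Add-on's parsing applies to the events.

```python
"""Build and send Splunk HEC events for Google Cloud audit LogEntry JSON.

Added example, not from the page. HEC_URL, HEC_TOKEN and TARGET_INDEX are
placeholders; SAMPLE_LOG_ENTRY is a constructed audit-log record.
"""
import json
import ssl
import urllib.request
from datetime import datetime, timezone

HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"  # placeholder
HEC_TOKEN = "REPLACE-WITH-HEC-TOKEN"  # placeholder: keep the real token in Secret Manager
TARGET_INDEX = "gcp"  # assumed index name

# Constructed sample: the JSON body of one Cloud Audit Log entry as a log sink
# publishes it to a Pub/Sub topic.
SAMPLE_LOG_ENTRY = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.invalid"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
    },
    "resource": {"type": "service_account", "labels": {"project_id": "demo-project"}},
    "timestamp": "2021-04-20T12:34:56.789Z",
    "severity": "NOTICE",
    "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
    "insertId": "abc123",
}


def rfc3339_to_epoch(ts):
    """Convert a LogEntry RFC 3339 timestamp to the epoch seconds HEC expects in 'time'."""
    if ts.endswith("Z"):  # older Pythons do not accept a trailing Z in fromisoformat
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts).astimezone(timezone.utc).timestamp()


def build_hec_event(entry, index=TARGET_INDEX):
    """Wrap one LogEntry in the HEC event envelope.

    'sourcetype' is set to google:gcp:pubsub:message (assumption) so the
    Splunk Add-on for Google Cloud can apply its props/transforms; 'fields'
    carries indexed metadata so searches can filter by project without
    parsing the raw event.
    """
    project = entry.get("resource", {}).get("labels", {}).get("project_id", "unknown")
    return {
        "time": rfc3339_to_epoch(entry["timestamp"]),
        "host": project,  # assumption: project ID as host
        "source": entry.get("logName", "unknown"),
        "sourcetype": "google:gcp:pubsub:message",
        "index": index,
        "event": entry,
        "fields": {"project_id": project, "severity": entry.get("severity", "DEFAULT")},
    }


def encode_batch(entries):
    """HEC accepts several JSON objects concatenated in one request body,
    which is how a pipeline batches events instead of one POST per log line."""
    return "".join(json.dumps(build_hec_event(e)) for e in entries)


def send_batch(entries, url=HEC_URL, token=HEC_TOKEN):
    """POST a batch to HEC over TLS with certificate validation left on.
    Returns the HTTP status. This performs a network call, so the stand-alone
    run below only encodes the batch."""
    body = encode_batch(entries).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()  # verifies the HEC certificate chain
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(encode_batch([SAMPLE_LOG_ENTRY]))
```

The `fields` block is the "HEC fields metadata" the Dataflow template can insert: values placed there are indexed fields rather than parsed out of `event`, so a search such as filtering on `project_id` does not depend on field extraction at search time. Keeping `ssl.create_default_context()` rather than disabling certificate validation matters because the token in the Authorization header is a bearer credential.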

You can get Splunk Add-On for Google Cloud on SplunkBase.

Splunk Add-On for Google Workspace

Google Cloud provides rich offerings for productive and secure web-based working environments via Google Workspace. There are myriad opportunities for monitoring the security, compliance, and user experience within Google Workspace services using Splunk. That is the motivation for delivering the Splunk Add-On for Google Workspace to our customers: it enables users to collect data and audit events as a first step in generating unique insights on security and user experience within Google Workspace.

With the launch of the Splunk Add-On for Google Workspace, Splunk customers now have a Splunk-supported, high-quality option for collecting and preparing key audit events from their Google Workspace deployment. The Google Workspace integration uses the reports API to collect activity audit events including Admin, Login, OAuthToken, SAML and Google Drive. These audit events are automatically tagged with proper source types, compliant with the Splunk Common Information Model (CIM), and can be leveraged using premium Splunk apps, such as Splunk Enterprise Security or any other CIM-compliant security content and dashboard to analyze these events. 
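As an added illustration of the audit events described above (written for this page, not code from the Splunk Add-On for Google Workspace), the block below normalises activity records in the shape the Admin SDK Reports API returns from `activities.list` into one flat record per event and runs two simple defender checks over them: repeated login failures per user and admin-privilege grants. The records are constructed; the `user`/`src`/`action`/`app` field names are an assumed CIM-style mapping, not the add-on's own; `fetch_activities` shows the API call but is not run here because it needs credentials.

```python
"""Normalise Google Workspace Reports API activities and run simple checks.

Added example, not from the page. SAMPLE_ACTIVITIES is constructed; the
CIM-style field names used in normalise() are an assumed mapping.
"""
from collections import Counter

# Constructed sample in the Reports API 'activities' shape (login and admin apps).
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2021-04-20T08:00:00.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.invalid"}, "ipAddress": "203.0.113.10",
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2021-04-20T08:05:00.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.invalid"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_failure_type",
                                 "value": "login_failure_invalid_password"}]}]},
    {"id": {"time": "2021-04-20T08:06:00.000Z", "applicationName": "login"},
     "actor": {"email": "bob@example.invalid"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_failure_type",
                                 "value": "login_failure_invalid_password"}]}]},
    {"id": {"time": "2021-04-20T09:00:00.000Z", "applicationName": "admin"},
     "actor": {"email": "admin@example.invalid"}, "ipAddress": "203.0.113.20",
     "events": [{"type": "USER_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE",
                 "parameters": [{"name": "USER_EMAIL", "value": "bob@example.invalid"}]}]},
]


def fetch_activities(credentials, application_name):
    """Pull activities for one application (login, admin, token, saml, drive)
    with the Admin SDK Reports API. Not executed here: needs delegated
    credentials with the reports.audit.readonly scope."""
    from googleapiclient.discovery import build  # import kept local on purpose

    service = build("admin", "reports_v1", credentials=credentials)
    return service.activities().list(userKey="all",
                                     applicationName=application_name).execute().get("items", [])


def normalise(activity):
    """Flatten one activity into one record per event.

    user/src/action/app mirror CIM Authentication and Change field names
    (assumed mapping); event parameters become top-level keys.
    """
    base = {
        "_time": activity["id"]["time"],
        "app": activity["id"]["applicationName"],
        "user": activity.get("actor", {}).get("email", "unknown"),
        "src": activity.get("ipAddress", "unknown"),
    }
    records = []
    for ev in activity.get("events", []):
        rec = dict(base, action=ev["name"], event_type=ev.get("type"))
        for p in ev.get("parameters", []):
            rec[p["name"]] = p.get("value")
        records.append(rec)
    return records


def normalise_all(activities):
    return [r for a in activities for r in normalise(a)]


def login_failures_by_user(records, threshold=2):
    """Users with at least `threshold` login_failure events: the simplest
    password-guessing signal to alert on from this data."""
    counts = Counter(r["user"] for r in records if r["action"] == "login_failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def admin_grants(records):
    """Admin-audit events that hand out admin privilege; each is worth a review."""
    return [(r["user"], r.get("USER_EMAIL")) for r in records
            if r["action"] == "GRANT_ADMIN_PRIVILEGE"]


if __name__ == "__main__":
    recs = normalise_all(SAMPLE_ACTIVITIES)
    print(login_failures_by_user(recs))
    print(admin_grants(recs))
```

Because the add-on already assigns CIM-compliant sourcetypes, the equivalent checks in Splunk are a `stats count by user` over failed authentication events and a filter on the admin audit action; the Python form is here to show what the underlying records contain before they reach a data model.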

If this add-on is something you’re interested in, I recommend reading the deep-dive blog Enhance Your Security Posture with Splunk + Google Workspace and getting started with the Splunk Add-on For Google Workspace.

Cloud IDS Integration

One of the most interesting data sources for Splunk Cloud on Google Cloud is Cloud IDS traffic logs and threat logs. Cloud IDS (Cloud Intrusion Detection System) provides cloud-native network threat detection that includes anti-malware, anti-virus and vulnerability detection, plus traffic visibility to monitor east-west (within the VPC) and north-south traffic. Cloud IDS generates high-quality network-based threat data and traffic logs for threat investigation and correlation. Splunk’s integration with Cloud IDS enables Splunk customers to access all of this rich data right in their dashboards and use the full set of Splunk capabilities to collect, analyze, and extract insights from these valuable security events.

Please stay tuned for Splunk updates regarding Cloud IDS support and follow IDS/IPS Alert Activity documentation for more details.

Splunk Observability Cloud

Splunk Observability Cloud makes it easy for users to conquer the complexity caused by modern applications and infrastructure with analytics-powered, enterprise-grade observability built for any scale. This allows you to quickly find, analyze, and resolve incidents anywhere in your stack, deliver high-performing applications and world-class customer experiences, and increase developer productivity by reducing unplanned work. 

Splunk Observability Cloud is purpose-built for enterprise scale. It provides a single user experience across all infrastructure monitoring, application performance management, log analytics views, metrics, traces, and log data. Plus, it’s easy to get started since you only instrument once with OpenTelemetry. Powered by real-time analytics, one seamless workflow can be used during the entire life cycle of issues for monitoring, troubleshooting, and investigation, reducing your tool sprawl. 

Get started with a free Observability trial on Google Cloud.

Splunk Connect for Kubernetes

Splunk Connect for Kubernetes provides a way to import and search your Kubernetes logging, object, and metrics data in your Splunk platform deployment using Helm charts. It supports importing and searching container logs, objects and metrics from GKE.

Please refer to Collect logs on Anthos with Splunk Connect and Splunk Connect for Kubernetes for more details.

OpenTelemetry Collector

OpenTelemetry is an open source observability framework. It offers vendor-agnostic or vendor-neutral APIs, software development kits (SDKs), and other tools for collecting telemetry data from cloud-native applications and their supporting infrastructure to understand their performance and health. Splunk’s distribution is a project that bundles components from OpenTelemetry Core, OpenTelemetry Contrib, and other sources to provide data collection for multiple source platforms. The OpenTelemetry Collector has both a core version and a contributions version. 

Please follow Data Insider: What Is OpenTelemetry? and How to Deploy the Splunk OpenTelemetry Collector to Gather Kubernetes Metrics for more information.

GKE Autopilot

Splunk has also built its OpenTelemetry distribution to natively support GKE Autopilot. A Splunk agent running on GKE Autopilot enables customers to send metrics, traces, and logs directly from GKE into Splunk products.

Please take a look at Enabling the Self Driving Cloud with Splunk Observability Cloud and GKE Autopilot.

Posted by

Alexey Bokov

C++ developer and team lead, then public cloud technical evangelist and enterprise architect; at Splunk, covers the technical alliance partnership with Google.
