Connect Cribl Search to Google Workspace API
Configure Cribl Search to query a Google Workspace API endpoint.
A Google Workspace plan offers business-specific email as well as collaboration tools such as Gmail, Calendar, Meet, Chat, Drive, Docs, Sheets, Slides, Forms, and Sites.
In this guide, you’ll set up a Dataset Provider and a Dataset to search the activities of the admin, devices, drives, logins, and tokens endpoints on your Google Workspace account.
Google Workspace API Authorization
To allow Cribl Search to read your data, do the following on the Google Workspace side:
- Create or use an existing Google Workspace service account.
- Configure the service account with
domain-wide delegation
for the following scope:Read more on domain-wide delegation.
https://www.googleapis.com/auth/admin.reports.audit.readonly - Obtain the service account credentials. You’ll need the API keys in JSON format when creating the Google Workspace API Dataset Provider.
- Create or use an existing Google Workspace user account. This can be a real user or just a service placeholder. You’ll need the user account’s email address when creating the Google Workspace API Dataset Provider.
- Authorize the user account with the Super Admin role. Due to how the Google Workspace APIs work, the user account must have the full Super Admin permissions for the resources that you want to search.
Add a Google Workspace API Dataset Provider
A Dataset Provider tells Cribl Search where to query and contains access credentials. Here, you will add a Google Workspace API Dataset Provider.
To add a new Dataset Provider, select Data, then Dataset Providers, then Add Provider.
Set the following configurations in the New Dataset Provider modal:
- ID is a unique identifier for the Dataset Provider. This is how you’ll reference it when assigning Datasets to
it. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example,
my_dataset_provider_1). - Description is optional.
- Set Dataset Provider Type to Google Workspace API.
- Select Add Configuration to specify your Google Workspace account(s).
- Account Name is the name of your Google Workspace account.
- Impersonated Account’s Email Address is the email address of the user account that’s used for searching the APIs. For details, see Authorization.
- Service Account Credentials is the JSON keys of your Google Workspace service account. For details, see Authorization.
- Select Save when finished.
Add a Google Workspace API Dataset
Now you’ll add a Dataset that tells Cribl Search what data to search from the Dataset Provider.
To add a new Dataset, select Data, then Datasets, then Add Dataset.
Set the following configurations in the New Dataset modal:
- ID is an identifier unique for both Cribl Search and Cribl Lake. You’ll use this to specify the
Dataset in a query’s scope, telling Cribl Search to search the Dataset. Start the ID with a letter; the rest of the ID can use letters, numbers, and underscores (for example,
my_dataset_1). - Description is optional.
- Set Dataset Provider to the ID of a Google Workspace Dataset Provider.
- Select Add endpoint to select the endpoints for your Dataset.
- Enabled endpoints: Select an endpoint from the drop-down menu. For details on the endpoints, see the
Reports API Overview reference docs. Your
options are:
adminmobiledevicesdrivelogintoken
- In Processing, you can apply rules for breaking data into discrete events. For more information, see Datatypes.
- In Snapshots, you can set up API Snapshots.
- Select Save when finished.
Search Google Workspace API
Now that you have a Dataset Provider and Dataset, you’re ready to start searching.
Search results can start showing up within a second or two, but when the search completes depends on how much data there is in the account.