Does anyone know where I can find some already created Splunk use cases for GitHub webhook logs?
I am having a really hard time googling for a dump of GitHub-based Splunk searches because of the keyword "github".
I am trying to look for commits in GitHub with no approvals. I have identified the search for all commits and the search for finding approvals for those commits, but I am unsure how to stitch them together in a single query to produce actionable results.
The commit log and the approval log are separate logs but both have a unique identifier for the commit.
More info:
Here is the query for the approval and the corresponding log. These logs are heavily redacted and I am only including what is relevant. Logs come in through HEC so they are JSON.
index=github action=submitted review.state=approved pull_request.head.sha!=""
{
action: submitted
pull_request: {
head: {
sha: <commit-id>
}
}
review: {
state: approved
}
}
Here is the log of the merge; it has no action, so I'm using this query:
index=github after!=""
{
after: <commit-id>
before: <previous-commit-id>
enterprise: {}
head_commit: {}
organization: {}
pusher: {}
repository: {}
sender: {}
}
I've been trying to create a table that includes both of these logs with no luck.
index=github after!=""
[search index=github action=submitted review.state=approved pull_request.head.sha!=""
|table pull_request.head.sha review.state
| rename pull_request.head.sha as commit-id]
|table after
|rename after as commit-id
So I am essentially looking for commit logs with no approval and trying to link the tables together with after/pull_request.head.sha, as both of these values are unique commit IDs.
Ideally I would want to alert on each occurrence of an unapproved merge.
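One way to stitch the two searches together without a subsearch, added here as an example and not taken from the original post: pull both event types in one search, normalise the commit field with coalesce, then count pushes and approvals per commit and keep only commits that were pushed but never approved. It assumes the push events carry repository.full_name and pusher.name (the post shows those objects redacted) and that after and pull_request.head.sha identify the same commit, as the question states; if merges are done as merge or squash commits, after will be the new merge commit SHA rather than the PR head, and pull_request.merge_commit_sha from the pull_request event would be the field to compare instead.

```spl
index=github (after!="" OR (action=submitted review.state=approved pull_request.head.sha!=""))
| eval commit_id=coalesce(after, 'pull_request.head.sha')
| stats count(eval(isnotnull(after))) AS pushes,
        count(eval('review.state'="approved")) AS approvals,
        values(repository.full_name) AS repo,
        values(pusher.name) AS pusher,
        min(_time) AS first_seen
        BY commit_id
| where pushes>0 AND approvals=0
| convert ctime(first_seen)
| table first_seen repo pusher commit_id pushes approvals
```

Saved as an alert over a window wide enough to contain both the review and the push (for example the last 24 hours), this produces one row per unapproved commit; an approval that lands outside the window would make the commit appear unapproved, so size the window to your review-to-merge latency.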