Does anyone know where I can find some already created Splunk use cases for github webhook logs? I am having a really hard time googling for a dump of github based splunk searches because of the keyword github. I am trying to look for commits in github with no approvals. I have identified the search for all commits and the search for finding approvals for those commits but I am unsure how to stich them together in a single query to produce actionable results. The commit log and the approval log are separate logs but both have a unique identifier for the commit. More info: Here is the query for the approval and the corresponding log. These logs are heavily redacted and I am only including what is relevant. Logs come in through HEC so they are JSON. index=github action=submitted review.state=approved pull_request.head.sha!="" { action: submitted pull_request: { head: { sha: <commit-id> } } review: { state: approved } } Here is the log of the merge, it has no action so I'm using this query: index=github after!="" { after: <commit-id> before: <previous-commit-id> enterprise: {} head_commit: {} organization: {} pusher: {} repository: {} sender: {} } I've been trying to create a table that includes both of these logs with no luck. index=github after!="" [search index=github action=submitted review.state=approved pull_request.head.sha!="" |table pull_request.head.sha review.state | rename pull_request.head.sha as commit-id] |table after |rename after as commit-id So I am essentially looking for commit logs with no approval and trying to link the tables together with after/pull_request.head.sha as both of these values are unique commit ID's. Ideally I would want to alert on each occurrence of an unapproved merge. ... View more