Does anyone know where I can find some already created Splunk use cases for github webhook logs?
I am having a really hard time googling for a dump of github based splunk searches because of the keyword github.
I am trying to look for commits in github with no approvals. I have identified the search for all commits and the search for finding approvals for those commits but I am unsure how to stich them together in a single query to produce actionable results.
The commit log and the approval log are separate logs but both have a unique identifier for the commit.
Here is the query for the approval and the corresponding log. These logs are heavily redacted and I am only including what is relevant. Logs come in through HEC so they are JSON.
index=github action=submitted review.state=approved pull_request.head.sha!=""
Here is the log of the merge, it has no action so I'm using this query:
I've been trying to create a table that includes both of these logs with no luck.
[search index=github action=submitted review.state=approved pull_request.head.sha!=""
|table pull_request.head.sha review.state
| rename pull_request.head.sha as commit-id]
|rename after as commit-id
So I am essentially looking for commit logs with no approval and trying to link the tables together with after/pull_request.head.sha as both of these values are unique commit ID's.
Ideally I would want to alert on each occurrence of an unapproved merge.
... View more