
A collection of dashboards and knowledge objects for Github data


GitHub App for Splunk

The GitHub App for Splunk is a collection of out of the box dashboards and Splunk knowledge objects designed to give GitHub Admins and platform owners immediate visibility into GitHub.

This App is designed to work across multiple GitHub data sources, but not all of them are required. You may choose to collect only a certain set of data: the parts of this app that use that set will function, while those that depend on other data sources will not work correctly, so please use only the dashboards that relate to the data you are collecting.

The GitHub App for Splunk is designed to work with the following data sources:

Dashboard Instructions

Installation

The GitHub App for Splunk is available for download from Splunkbase. For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For non-Splunk Cloud deployments, refer to the standard methods for Splunk Add-on installs as documented for a Single Server Install or a Distributed Environment Install.

This app should be installed on both your search head tier as well as your indexer tier.

Configuration

Settings>Advanced Search>Search macros

  1. The GitHub App for Splunk uses search macros so that index and sourcetype names don't need to be updated in each dashboard panel. You'll need to update the macros to point at the indexes you chose.
  2. The macro github_source covers all audit log events, whether from GitHub Enterprise Cloud or GitHub Enterprise Server. The predefined macro includes examples of BOTH; update it to match your deployment.
  3. The macro github_webhooks covers all webhook events. The predefined example assumes a single index for all webhook events; update it as needed.
  4. Finally, the macro github_collectd covers all collectd metrics sent from GitHub Enterprise Server. Please update it accordingly.
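As an added illustration (not the macro definitions shipped with the app), the same three macros expressed in a local macros.conf, which is the file the Settings > Advanced Search > Search macros page writes to. All index and sourcetype names here are placeholders for the ones your inputs actually use.

```conf
# local/macros.conf - added example, not the app's shipped defaults.
# Every index= and sourcetype= value below is a placeholder; replace it
# with the names your GitHub inputs write to.

[github_source]
# Audit log events from BOTH GitHub Enterprise Cloud and Enterprise Server.
# Keep only the clause(s) for the sources you actually collect.
definition = (index=PLACEHOLDER_CLOUD_AUDIT_INDEX sourcetype="PLACEHOLDER_CLOUD_AUDIT_SOURCETYPE") OR (index=PLACEHOLDER_SERVER_AUDIT_INDEX sourcetype="PLACEHOLDER_SERVER_AUDIT_SOURCETYPE")
iseval = 0

[github_webhooks]
# A single index receiving all webhook events, as the app assumes.
definition = index=PLACEHOLDER_WEBHOOK_INDEX
iseval = 0

[github_collectd]
# collectd metrics forwarded from GitHub Enterprise Server.
definition = index=PLACEHOLDER_METRICS_INDEX sourcetype=collectd
iseval = 0

# Dashboard panels then reference the macro instead of hard-coded names,
# so changing an index means editing one stanza, e.g.:
#   `github_source` | stats count by action
```

After editing the file, reload the configuration (or restart the search head) so the dashboards pick up the new definitions.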

Integration Overview dashboard

There is an Integration Overview dashboard listed under Dashboards that allows you to monitor API rate limits, audit events fetched, or webhooks received. This dashboard is primarily meant to be used with the GitHub Audit Log Monitoring Add-On for Splunk and uses internal Splunk logs. To be able to view them you will probably need elevated privileges in Splunk that include access to the _internal index. Please coordinate with your Splunk team if that dashboard is desired.

Examples

Screenshots (images not reproduced here):

  - Code Scanning Dashboard: Code Scanning Alerts
  - Audit Log Dashboard
  - Repository Audit Dashboard: Repository Changes Audit, User Changes Audit
  - System Health Monitor
  - Process Monitor

Support

Support for GitHub App for Splunk is run through GitHub Issues. Please open a new issue for any support issues or for feature requests. You may also open a Pull Request if you'd like to contribute additional dashboards, eventtypes for webhooks, or enhancements you may have.