splunk / github_app_for_splunk

A collection of dashboards and knowledge objects for Github data
MIT License

Dependabot Alerts (and other dashboards) from Github Cloud enterprise not showing results due to bad SPL #50

Open NeilJed opened 2 years ago

NeilJed commented 2 years ago

Describe the bug Data for Dependabot alerts gathered from Github Webhooks returns no results despite there being data in the index.

To Reproduce Steps to reproduce the behavior:

  1. Set-up a Github Webhook to push to Splunk via HEC as per the instructions
  2. View Dependabot Alerts under the Advanced Security tab

Expected behavior Data related to Dependabot alerts should be shown; nothing is shown.


Additional context The issue is due to the fact that the events sent in the Webhook do not contain an "eventtype" field which is the first field the base search filters on hence it gets no results. It's not even documented on the official docs: https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#repository_vulnerability_alert

To fix it, for Github Cloud at least, I had to change the base search to match on the valid action values and check that the action.id field is set, as follows:

`github_webhooks` action IN ("create", "dismiss", "resolve") | where isnotnull('action.id') | eval action='action',...

This seems to be a persistent problem with a lot of the other dashboards that the basesearch is looking for some qualifier that doesn't exist.
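The following is an added example, not code from the github_app_for_splunk project or from the issue author. It models the two base-search predicates from the comment above over constructed webhook events, using a small Splunk-style field flattener so nested JSON keys become dotted field names the way Splunk auto-extracts them. It shows the failure mode (filtering on an `eventtype` field the webhook never sends returns nothing) next to the action-based filter that does match. Two assumptions: the alert identifier is read from `alert.id`, which is where the linked GitHub webhook docs place it (the posted SPL writes `action.id`); and the field name is checked as a field, not as a string literal, since in SPL `isnotnull("action.id")` with double quotes tests the literal string and is always true.

```python
"""Added example (not part of the github_app_for_splunk project): why a base
search that first filters on `eventtype` finds no Dependabot webhook events,
and what the action-based filter from the issue matches instead.
All sample events below are constructed, not captured from a real webhook."""
from typing import Any, Dict, List

# Constructed events in the shape of GitHub `repository_vulnerability_alert`
# webhook payloads. Assumption: the alert identifier lives at `alert.id`.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"action": "create", "alert": {"id": 101, "severity": "high",
     "affected_package_name": "lodash"}, "repository": {"full_name": "org/app"}},
    {"action": "dismiss", "alert": {"id": 101, "severity": "high",
     "affected_package_name": "lodash"}, "repository": {"full_name": "org/app"}},
    {"action": "resolve", "alert": {"id": 102, "severity": "medium",
     "affected_package_name": "minimist"}, "repository": {"full_name": "org/lib"}},
    # A different webhook type landing in the same index; it must not match.
    {"action": "opened", "pull_request": {"number": 7},
     "repository": {"full_name": "org/app"}},
    # Malformed: a valid action but no alert payload; the isnotnull check drops it.
    {"action": "create", "repository": {"full_name": "org/app"}},
]

# The action values the issue author filters on.
DEPENDABOT_ACTIONS = {"create", "dismiss", "resolve"}


def flatten(event: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON into Splunk-style dotted field names (e.g. alert.id)."""
    fields: Dict[str, Any] = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(flatten(value, f"{name}."))
        else:
            fields[name] = value
    return fields


def eventtype_base_search(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Original behaviour: the base search filters on `eventtype` first.
    The thread does not say which value it expects; any value is accepted here,
    and the result is still empty because webhook payloads carry no such field."""
    return [f for f in map(flatten, events) if f.get("eventtype") is not None]


def action_base_search(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Replacement from the issue: `action IN (...) | where isnotnull('alert.id')`.
    The id is tested as a field reference, not as a quoted string literal."""
    matched = []
    for fields in map(flatten, events):
        if fields.get("action") in DEPENDABOT_ACTIONS and fields.get("alert.id") is not None:
            matched.append(fields)
    return matched


def latest_action_per_alert(events: List[Dict[str, Any]]) -> Dict[int, str]:
    """Collapse matched events to alert id -> last action seen, the way a
    dashboard panel would present current alert state."""
    latest: Dict[int, str] = {}
    for fields in action_base_search(events):
        latest[fields["alert.id"]] = fields["action"]
    return latest


if __name__ == "__main__":
    print("eventtype filter matched:", len(eventtype_base_search(SAMPLE_EVENTS)))
    print("action filter matched:", len(action_base_search(SAMPLE_EVENTS)))
    print("per-alert state:", latest_action_per_alert(SAMPLE_EVENTS))
```

Run it as a script: the `eventtype` predicate returns zero rows for every event, while the action-based predicate keeps the three Dependabot events and rejects both the pull-request event and the alert-less one. The same shape of check (required field present, value in an allow-list) is what the base search should encode, with field names that actually exist in the ingested payload.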

NeilJed commented 2 years ago

I believe the issue is as per the description in PR #39

derkkila-splunk commented 2 years ago

This is happening because the macros are not being replicated to the indexers. There is a fix for this that I am testing out.