splunk / github_app_for_splunk

A collection of dashboards and knowledge objects for Github data
MIT License
32 stars 25 forks

Dashboard is empty but events are being ingested #56

Closed Jasmine-8i8 closed 2 years ago

Jasmine-8i8 commented 2 years ago

I can see all Github data is being ingested successfully, but the dashboards all show 0 or 'no data', any idea what is wrong here?

israelbgf commented 2 years ago

Same problem here, do we need to do some manual changes on the queries?

derkkila-splunk commented 2 years ago

No, no changes to queries, but did you update the macro to include your indexes?

derkkila-splunk commented 2 years ago

You can see the required macro changes in the documentation: https://github.com/splunk/github_app_for_splunk#readme

If that doesn't help please comment here!

Jasmine-8i8 commented 2 years ago

Hi Doug, I definitely looked in the documentation but it is not specific about which macros to change or how to change them. For example if I see all my github data coming in under the index 'github' how would I then change these macros?

israelbgf commented 2 years ago

Indeed, noob mistake. You have to search your macros and edit them with the name of your index (in your case, @Jasmine-8i8, github). That makes it work.
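The macro change described above, written out as a Splunk macros.conf override; this is an added example and not part of the thread or of the app, and the macro name `github_index` is a placeholder for whatever names the app's default/macros.conf actually defines.

```ini
# $SPLUNK_HOME/etc/apps/github_app_for_splunk/local/macros.conf
# Added example, not the app's own config. Put overrides in local/, not
# default/, so they survive an app upgrade.
#
# The stanza name is a placeholder. List the macros the app really ships with:
#   | rest /servicesNS/-/github_app_for_splunk/admin/macros | table title definition
#
# Before changing anything, confirm the index your GitHub data actually lands in:
#   index=github | stats count by sourcetype

# Macro restricted to the index this deployment uses
[github_index]
definition = index=github

# If events are split across indexes, join them with OR inside parentheses
# [github_index]
# definition = (index=github OR index=github_audit)
```

After saving, run `| makeresults | eval m="`github_index`"` or simply open a dashboard panel's search and confirm the expanded search names your index; a macro that still points at an index with no events is why panels show 0 while raw searches return data.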

Jasmine-8i8 commented 2 years ago

Ah ok I didn't realize we must change the index of every macro. Thanks both

shakerg commented 2 years ago

I'm getting the same issue, going through the build a few times... I can manually search the data and it's coming in from GHES, but the dashboard has none of the data. I have verified the macro index as well as the connections; everything looks good and as per documentation.

GHES = 3.6
Splunk Enterprise = 9.0.1
Apps:
- Splunk Add-on for Github 2.0.0
- GitHub Audit Log Monitoring Add-On for Splunk 1.1.1
- GitHub App for Splunk 1.2.3

(Screenshots attached: HTTP Event Collector settings, Search, Code Scanning Alerts dashboard, Splunk_TA_github local config over ssh, Audit Log Activity dashboard)
leftrightleft commented 2 years ago

Just to close out the loop here, @shakerg and I talked offline and got this issue resolved. Seems like there were issues convincing GitHub to send webhooks to his Splunk instance :)

derkkila-splunk commented 2 years ago

Thanks for the update @leftrightleft ! I'll sync up offline to see if I need to update any documentation to help in the future.

shakerg commented 2 years ago

After a rebuild, I'm still running into the same issue where I see data coming in but it's not being represented in the dashboard. @leftrightleft and I are going to have another look later this week, if anything comes out of that which I can provide more details around, happy to share those.

shakerg commented 2 years ago

There's a bug in GHES 3.6.0 that affects these webhooks; users should upgrade to 3.6.1+ and then the Splunk integration will work as expected.