splunk / github_app_for_splunk

A collection of dashboards and knowledge objects for Github data
MIT License

Dashboard is empty but data is being ingested #58

Closed shakerg closed 2 years ago

shakerg commented 2 years ago

Same as Issue #56

I'm getting the same issue, going through the build a few times. I can manually search the data and it's coming in from GHES, but the dashboard has none of the data. I have verified the macro index as well as the connections; everything looks good and as per documentation.

GHES = 3.6
Splunk Enterprise = 9.0.1
Apps:
- Splunk Add-on for Github 2.0.0
- GitHub Audit Log Monitoring Add-On for Splunk 1.1.1
- GitHub App for Splunk 1.2.3


_Originally posted by @shakerg in https://github.com/splunk/github_app_for_splunk/issues/56#issuecomment-1257090890_

shakerg commented 2 years ago

adding search results

leftrightleft commented 2 years ago

Hey @shakerg mind grabbing a screen cap of the results of this search:

```
`github_webhooks` | chart count by eventtype
```

shakerg commented 2 years ago

piping chart count by eventtype returns zero results

shakerg commented 2 years ago

Looks like it works, I think it's safe to note that webhooks won't pull historic values but only new ones post install. Although some of the configuration details lined up... it started working at some point.

shakerg commented 2 years ago

There's a bug in GHES 3.6.0 that affects these webhooks; users should upgrade to 3.6.1+ and then the Splunk integration will work as expected.