From bcee5ffe8e489eee48e37b440a0295aea8a98144 Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Tue, 24 Jan 2023 11:38:42 -0500
Subject: [PATCH 01/10] Update props.conf

---
 github_app_for_splunk/default/props.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
index 8b79c0e..d3d341f 100644
--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
@@ -73,6 +73,7 @@ EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.ti
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 EVAL-current_push = if(isnotnull('after'), 'after', null())
 EVAL-description = "Secrete Leakage: ".'alert.secret_type'
+EVAL-dest = "((repo)|(full_name))":"(?[^/]+)
 EVAL-dvc = replace(host, ":\d+", "")
 EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null())
 EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))

From 1213a07b80a2afe789d349dbb47886b8e25e2c04 Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Tue, 24 Jan 2023 11:41:26 -0500
Subject: [PATCH 02/10] Update props.conf

---
 github_app_for_splunk/default/props.conf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
index d3d341f..9664547 100644
--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
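Review bot: `+EVAL-dest = "((repo)|(full_name))":"(?[^/]+)` assigns a regular expression to an EVAL- setting, which Splunk parses as an eval expression, so this calculated field will most likely be rejected at search time and `dest` never populated. The pattern reads like a field extraction, so it should be `EXTRACT-dest = "((repo)|(full_name))":"(?<dest>[^/]+)` with an explicit named capture group; the group name is missing in this rendering, so confirm it is present in the committed file. Note also that `[^/]+` after `"repo":"` captures the owner/organization segment of the repository name rather than a host, which is what `dest` typically carries in CIM data models — a comment on the line stating what value the field is meant to hold would avoid confusion downstream.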
@@ -35,13 +35,11 @@ NO_BINARY_CHECK = true
 SHOULD_LINEMERGE = false
 category = Metrics
 description = Collectd daemon format. Uses the write_http plugin to send metrics data to a Splunk platform data input via the HTTP Event Collector.
-disabled = false
 pulldown_type = 1
 
 [github_json]
 # Basic settings
 TRUNCATE = 100000
-disabled = false
 KV_MODE = json
 pulldown_type = true
 DATETIME_CONFIG = 

From 65f71dcbbbc41579d5c9d020425378486ef67427 Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Tue, 24 Jan 2023 11:41:34 -0500
Subject: [PATCH 03/10] Update transforms.conf

---
 github_app_for_splunk/default/transforms.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/github_app_for_splunk/default/transforms.conf b/github_app_for_splunk/default/transforms.conf
index f80b081..37537ed 100644
--- a/github_app_for_splunk/default/transforms.conf
+++ b/github_app_for_splunk/default/transforms.conf
@@ -6,8 +6,8 @@ MV_ADD = true
 DELIMS = .
 FIELDS = change_type,command
 SOURCE_KEY = action
-disabled = 1
+
 
 [issueNumber]
 MV_ADD = 1
-REGEX = (?(?<=refs\/heads\/|\"ref\":\")[\d]*)
+REGEX = (?(?<=refs\/heads\/|\"ref\":\")[\d]*)
\ No newline at end of file

From 2e5a5d4bac7a4ab90dfb703d3da1a7914f9b9fef Mon Sep 17 00:00:00 2001
From: Doug Erkkila
Date: Wed, 25 Jan 2023 10:16:50 -0500
Subject: [PATCH 04/10] Update props.conf

fix for broken severity field
---
 github_app_for_splunk/default/props.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
index 9664547..cc1c3df 100644
--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
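Review bot: Dropping `-disabled = 1` in the transforms.conf hunk re-enables the delimiter transform whose stanza header sits above the hunk (`DELIMS = .` / `FIELDS = change_type,command` on `SOURCE_KEY = action`), a behavioural change that the subject line "Update transforms.conf" does not mention. If enabling it is intended, say so in the commit message and add a one-line comment on the stanza such as `# splits the dotted action value into change_type and command`, since a second `change_type` producer now exists alongside the EXTRACT- settings in props.conf and the two need to stay consistent. The replacement `+` line also leaves two consecutive blank lines before `[issueNumber]`; dropping the added blank keeps the file's single-blank spacing.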
@@ -119,7 +119,7 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity = if(isnotnull(secret_type),"critical","")
+EVAL-severity = if(isnotnull(secret_type),"critical",severity)
 EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())

From 664669ae3d1476c8bc0d74f997bddee077920231 Mon Sep 17 00:00:00 2001
From: Alex Kinnane <17098249+akinnane@users.noreply.github.com>
Date: Fri, 10 Mar 2023 15:58:02 +0000
Subject: [PATCH 05/10] Narrow CodeScanning eventtypes again

Narrow CodeScanning eventtype definition. In PR https://github.com/splunk/github_app_for_splunk/pull/35 @leftrightleft narrowed the eventtype for CodeScanning events but then was (accidently?) reverted by https://github.com/splunk/github_app_for_splunk/pull/37. This change narrows the eventtype again.
---
 github_app_for_splunk/default/eventtypes.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
index e46971e..47e3b42 100644
--- a/github_app_for_splunk/default/eventtypes.conf
+++ b/github_app_for_splunk/default/eventtypes.conf
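Review bot: The new else-branch of `+EVAL-severity` keeps the aliased `severity` value, but the `EVAL-severity_id` CASE on the next context line only recognises critical/high/moderate, so a `medium` value — which GitHub's code-scanning `security_severity_level` uses where Dependabot says `moderate`, if I recall the payloads correctly — falls through to 1, the same score as `low`. Adding `severity=="medium",2, severity_level=="medium",2,` next to the moderate entries would keep severity_id consistent across both alert types; the same CASE line recurs as context in the later props.conf hunks of this series. Since "critical" is only forced for secret-scanning alerts, a comment such as `# secret-scanning alerts carry no severity of their own; everything else keeps alert.severity` would document the intent of the branch.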
@@ -5,7 +5,7 @@ search = `github_webhooks` ref_type=branch search = `github_source` action=* sourcetype="github:enterprise:audit" OR sourcetype="github_audit" [GitHub::CodeScanning] -search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=* +search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "commit_oid"=* [GitHub::CodeVulnerability] search = `github_webhooks` (eventtype="GitHub::CodeScanning") "alert.html_url"="*/security/code-scanning/*" From 04f313663a483bd3c648ba3ae0790ff44dc94773 Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Thu, 6 Apr 2023 13:10:11 -0400 Subject: [PATCH 06/10] Update default.meta Export tags to the system --- github_app_for_splunk/metadata/default.meta | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/github_app_for_splunk/metadata/default.meta b/github_app_for_splunk/metadata/default.meta index 1c8f783..ba4dfaa 100644 --- a/github_app_for_splunk/metadata/default.meta +++ b/github_app_for_splunk/metadata/default.meta @@ -10,6 +10,11 @@ export = system [eventtypes] export = system +### TAGS + +[tags] +export = system + ### PROPS From f893a05da3116c105c157778b61cd7ef4e9699e3 Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Mon, 25 Sep 2023 15:47:43 -0400 Subject: [PATCH 07/10] Update props.conf --- github_app_for_splunk/default/props.conf | 69 +++++++++++++++--------- 1 file changed, 43 insertions(+), 26 deletions(-) diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf index cc1c3df..2cdac5a 100644 --- a/github_app_for_splunk/default/props.conf +++ b/github_app_for_splunk/default/props.conf @@ -1,6 +1,7 @@ [default] [GithubEnterpriseServerLog] +# Basic settings DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true 
@@ -8,6 +9,7 @@ category = Application
 pulldown_type = true
 TIME_FORMAT = 
 TZ = 
+#Calculated Fields
 EXTRACT-audit_event = github_audit\[\d+\]\:\s(?.*)
 EXTRACT-audit_fields = \"(?<_KEY_1>.*?)\"\:\"*(?<_VAL_1>.*?)\"*,
 EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?.*?)\:
@@ -16,14 +18,18 @@ FIELDALIAS-source = github_log_type AS source
 FIELDALIAS-user = actor AS user
 
 [GithubEnterpriseServerAuditLog]
-EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?\S+)\s+(?[^:]+)+:\s+(?\S+) : TTY=(?\S+) ; PWD=(?\S+) ; USER=(?\S+) ; COMMAND=(?.*)
-EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
-EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
+#Calculated Fields
 EVAL-action = "success"
+EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
 EVAL-src = replace(source_host, "\-", ".")
+EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
+# Field Extractions
+EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?\S+)\s+(?[^:]+)+:\s+(?\S+) : TTY=(?\S+) ; PWD=(?\S+) ; USER=(?\S+) ; COMMAND=(?.*)
+# Field Aliases
 FIELDALIAS-user = actor AS user
 
 [collectd_github]
+# Basic settings
 ADD_EXTRA_TIME_FIELDS = false
 ANNOTATE_PUNCT = false
 BREAK_ONLY_BEFORE_DATE = 
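Review bot: `+EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))` in the `[GithubEnterpriseServerAuditLog]` hunk returns `user` on both branches, so the `src_user` test is dead code; presumably the first branch was meant to yield `src_user`, i.e. `EVAL-user = if(isnotnull(src_user), src_user, user)` — confirm against a sample line before changing it, since `FIELDALIAS-user = actor AS user` in the same stanza also feeds `user`. On style, the new section comments are inconsistent (`#Calculated Fields` here and in the preceding hunk versus `# Field Extractions` / `# Field Aliases`); a space after `#` throughout matches the rest of the file. The long EXTRACT line would also benefit from a comment stating the log shape it parses, e.g. `# syslog-wrapped sudo entries: TTY=... ; PWD=... ; USER=... ; COMMAND=...`.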
@@ -119,7 +125,6 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity = if(isnotnull(secret_type),"critical",severity)
 EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
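Review bot: Removing `-EVAL-severity = if(isnotnull(secret_type),"critical",severity)` leaves secret-scanning alerts, which have no `alert.severity` to alias from, without a `severity` value, while `EVAL-severity_id` on the next line still scores `isnotnull(secret_type)` as 4 and `EVAL-signature` does `UPPER(severity)`, so severity and severity_id now disagree for those events. The subject "Update props.conf" gives no reason for the removal; if it was unintentional, keep the line — a later patch in this series re-adds it, which suggests it was.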
@@ -128,47 +133,59 @@ EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null EVAL-submission_date = if(isnotnull('issue.created_at'), 'issue.created_at', null()) EVAL-vendor_product = "github" EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path) -# Field Aliases -FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user -FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name -FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user -FIELDALIAS-user = actor AS user -FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository # Field Extractions EXTRACT-change_type = "action":"(?[^\.]+).*","((actor)|(workflow)|(_document)) EXTRACT-commit_branch = (?(?<=refs\/heads\/)[\-\w\d\s]*) EXTRACT-commit_hash = | spath commits{} output=commits | mvexpand commits | rex field=commits "(?<=\"id\"\:\")(?\w*)" EXTRACT-release_tags = "ref":"refs\/tags\/(?[0-9|aA-zZ.]*)" EXTRACT-object = "repo":".+/{1}(?[^"]+)", +# Field Aliases +FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS 
severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user +FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name +FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user +FIELDALIAS-user = actor AS user +FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository +# Other REPORT-issueNumber = issueNumber [github_audit] +# Basic settings KV_MODE = JSON -FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc -EVAL-command = mvdedup(action) -EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +DATETIME_CONFIG = +LINE_BREAKER = ([\r\n]+) +SHOULD_LINEMERGE = false +pulldown_type = true +# Calculated Fields EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", 
change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) +EVAL-command = mvdedup(action) EVAL-dvc = replace(host, ":\d+", "") -EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," -EVAL-user = mvdedup(user) +EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL)))) EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) +EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), 
"public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) EVAL-protocol = mvdedup(transport_protocol_name) -EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL)))) -EVAL-vendor_product = "github" EVAL-status = "success" -EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) +EVAL-user = mvdedup(user) +EVAL-vendor_product = "github" +# Field Extractions +EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," +# Field Aliases +FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc [github:enterprise:audit] +# Calculated Fields +EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", 
change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) EVAL-command = mvdedup(action) +EVAL-dvc = replace(host, ":\d+", "") +EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) +EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) +EVAL-protocol = mvdedup(transport_protocol_name) +EVAL-status = "success" EVAL-user = mvdedup(user) +EVAL-vendor_product = "github" +# Field Extractions EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," +# Field Aliases FIELDALIAS-field 
mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc -EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", 
"modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) FIELDALIAS-user = actor AS user -EVAL-dvc = replace(host, ":\d+", "") -EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," -EVAL-protocol = mvdedup(transport_protocol_name) -EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) -EVAL-vendor_product = "github" -EVAL-status = "success" -EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) From f6075e6cbc94ad34e50ed42068f443d8b017b00c Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Mon, 23 Oct 2023 16:21:54 -0400 Subject: [PATCH 08/10] Updated views Fixed the time ranges on value stream analytics and spacing on the security alert overview. --- .../default/data/ui/views/security_alert_overview.xml | 2 +- .../default/data/ui/views/value_stream_analytics.xml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml index 80a681f..bb2742f 100644 --- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml +++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml @@ -258,4 +258,4 @@ - + \ No newline at end of file 
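Review bot: In the `[github_audit]` `EVAL-action` CASE kept as context in this hunk, `change_type="remove organization"` (with a space) maps to "modified" while `change_type="remove_organization"` later maps to "deleted"; every other action in the list is underscore-delimited, so the spaced entry never matches and one of the two is a typo, and `change_type="change_merge_setting"` appears twice. The same CASE is now added verbatim under `[github:enterprise:audit]`, so any correction must be made in both places; a comment such as `# keep in sync with EVAL-action in [github_audit]` above the copy would make that explicit. `+DATETIME_CONFIG =` is added to `[github_audit]` with no TIME_PREFIX or TIME_FORMAT, leaving audit event time to automatic detection; for an audit sourcetype it is safer to pin the timestamp field so events are not indexed at ingest time — confirm against a sample event. Several settings in this hunk are wrapped across physical lines in this rendering (e.g. `FIELDALIAS-field mapping`), so check that the committed file keeps each setting on one line.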
diff --git a/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml b/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml index 5cadbbc..acf1518 100644 --- a/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml +++ b/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml @@ -21,8 +21,8 @@ repository.name `github_webhooks` eventtype="GitHub::Push"|dedup repository.name| table repository.name - -30d@d - now + $timeTkn.earliest$ + $timeTkn.latest$ All * @@ -139,4 +139,4 @@ - + \ No newline at end of file From 37b4df1129306a0bd3cbdb03b202f93eb2546a0c Mon Sep 17 00:00:00 2001 From: Doug Erkkila Date: Mon, 23 Oct 2023 16:37:37 -0400 Subject: [PATCH 09/10] Update props.conf Added fields for workflows --- github_app_for_splunk/default/props.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf index 2cdac5a..8778338 100644 --- a/github_app_for_splunk/default/props.conf +++ b/github_app_for_splunk/default/props.conf @@ -58,6 +58,7 @@ EVAL-asset_name = if(isnotnull('release.assets{}.name'), 'release.assets{}.name' EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 'release.assets{}.uploader.login', null()) EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null()) EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login') +EVAL-attempt_number = if(isnotnull('workflow_run.run_attempt'), 'workflow_run.run_attempt',null()) EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null())) EVAL-body = "Secrete Leakage: ".'alert.secret_type' EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", if(isnotnull(secret_type), "secret", ""))) 
@@ -74,6 +75,7 @@ EVAL-commits_author_list = if(isnotnull('commits{}.author.username'), 'commits{}
 EVAL-commits_list = if(isnotnull('commits{}.id'), 'commits{}.id', null())
 EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.message', null())
 EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
+EVAL-completed = if(action="completed",_time, NULL)
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 EVAL-current_push = if(isnotnull('after'), 'after', null())
 EVAL-description = "Secrete Leakage: ".'alert.secret_type'
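Review bot: `+EVAL-completed = if(action="completed",_time, NULL)` uses bare `NULL`, which eval reads as a reference to a field named NULL rather than the null value; it only works because no such field exists, and every neighbouring calculated field in this hunk spells it `null()`. Change it to `EVAL-completed = if(action="completed",_time, null())`. A short comment stating what the value represents, e.g. `# epoch of the workflow "completed" webhook; paired with EVAL-started for run duration`, would help since the field name alone reads like a boolean.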
@@ -99,9 +101,11 @@ EVAL-latest_commit_author_user = if((isnotnull('commits{}.id') AND isnull('commi
 EVAL-latest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
 EVAL-latest_commit_hash = if((isnotnull('commits{}.id') AND isnull('commit_hash')), 'head_commit.id', if((isnotnull('commits{}.id') AND isnotnull('commit_hash')), 'commit_hash', if(isnotnull(after), after, null())))
 EVAL-latest_commit_message = if((isnotnull('commits{}.id') AND isnull('commit_message')), 'head_commit.message', if((isnotnull('commits{}.id') AND isnotnull('commit_message')), 'commit_message', ""))
+EVAL-name = if(isnotnull('workflow_job.name'), 'workflow_job.name',if(isnotnull('workflow_run.name'), 'workflow_run.name',null()))
 EVAL-object_attrs = "branch:" + pull_request_title + "|business:" + business
 EVAL-object_category = if(isnotnull(workflow_run.event), "workflow", if(isnotnull(repo), "repository", ""))
 EVAL-organization_name = if(isnotnull('organization.login'), 'organization.login', null())
+EVAL-pipeline_id = if(isnotnull('workflow.id'), 'workflow.id', if(isnotnull('workflow_job.id'), 'workflow_job.id', null()))
 EVAL-pr_author_login = if(isnotnull('sender.login'), 'sender.login', null())
 EVAL-pr_created_date = if(isnotnull('pull_request.created_at'), 'pull_request.created_at', null())
 EVAL-pr_id = if((isnotnull('pull_request.number')), 'pull_request.number', if((isnotnull('number')), 'number', null()))
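Review bot: The context line `EVAL-object_category = if(isnotnull(workflow_run.event), "workflow", ...)` references the dotted field without single quotes, whereas the new `+EVAL-name` and `+EVAL-pipeline_id` lines quote theirs (`'workflow_job.name'`, `'workflow.id'`); unquoted, `workflow_run.event` is presumably parsed by eval as the concatenation of `workflow_run` and `event`, so the "workflow" branch would never fire for the very events this commit adds fields for. Quoting it — `EVAL-object_category = if(isnotnull('workflow_run.event'), "workflow", if(isnotnull(repo), "repository", ""))` — matches the rest of the stanza; verify against a workflow_run event. Separately, `+EVAL-pipeline_id` falls back to `'workflow_job.id'`, which identifies a job rather than a pipeline; if that is deliberate, a comment saying so would stop a later "fix".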
@@ -125,8 +129,15 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
+EVAL-run_id = if(isnotnull('workflow_job.run_id'), 'workflow_job.run_id', if(isnotnull('workflow_run.id'), 'workflow_run.id', null()))
+EVAL-run_number = if(isnotnull('workflow_run.run_number'), 'workflow_run.run_number', null())
+EVAL-severity = if(isnotnull(secret_type),"critical",severity)
 EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
+EVAL-started = if(action="requested",_time, if(isnotnull('workflow_run.run_started_at'),round(strptime('workflow_run.run_started_at', "%Y-%m-%dT%H:%M:%SZ"),0), if(isnotnull('workflow_job.started_at'), round(strptime('workflow_job.started_at', "%Y-%m-%dT%H:%M:%SZ"),0), null())))
+EVAL-started_by_id = if(isnotnull('sender.login'), 'sender.login', null())
+EVAL-started_by_name = if(isnotnull('sender.login'), 'sender.login', null())
+EVAL-status = if(isnotnull('workflow_job.status'), 'workflow_job.status', if(isnotnull('workflow_run.status'), 'workflow_run.status', null()))
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
 EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
 EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null())

From 054bc1215ec0252a448f97e45c8136d69f9ccce3 Mon Sep 17 00:00:00 2001
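Review bot: `+EVAL-started` mixes two time bases: the `action="requested"` branch yields `_time`, while the other branches run `strptime(..., "%Y-%m-%dT%H:%M:%SZ")` over a timestamp whose trailing `Z` is matched as a literal character, so Splunk interprets the value in the searching user's time zone rather than UTC; for non-UTC users `started` is offset and any `completed - started` duration goes wrong. Parsing the zone explicitly (a `%Z`/`%z` conversion in place of the literal `Z`, or appending an explicit UTC offset before strptime) would fix it — confirm with a user whose time zone is not UTC. `+EVAL-started_by_id` and `+EVAL-started_by_name` are identical expressions; a comment such as `# GitHub exposes only the login for the sender; id and name deliberately carry the same value` would prevent someone "fixing" one of them.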
From: Doug Erkkila Date: Mon, 23 Oct 2023 17:09:12 -0400 Subject: [PATCH 10/10] Update workflow_analytics.xml Fixed action names and got rid of queue times as workflow run events don't have them. --- .../default/data/ui/views/workflow_analytics.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml b/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml index e6ea68c..3890639 100644 --- a/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml +++ b/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml @@ -30,7 +30,7 @@ Average Workflow Overview - `github_webhooks` eventtype="GitHub::Workflow" repository.name IN("$repoTkn$") | eval queued=if(action="queued",_time,NULL), started=if(action="in_progress",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(started) as started, min(completed) as completed by repository.name,workflow_job.name,workflow_job.id | eval queueTime=started-queued, runTime=completed-started, totalTime=completed-queued | fields repository.name,workflow_job.name, workflow_job.id, queueTime, runTime, totalTime | stats avg(queueTime) as queueTime, avg(runTime) as runTime, avg(totalTime) as totalTime | eval queueTime=toString(round(queueTime),"Duration"), runTime=toString(round(runTime),"Duration"),totalTime=toString(round(totalTime),"Duration") + `github_webhooks` eventtype="GitHub::Workflow" repository.name IN(""*"") | eval queued=if(action="requested",_time,NULL), completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(completed) as completed by repository.name,workflow_run.name,workflow_run.id | eval totalTime=completed-queued | fields repository.name,workflow_run.name, workflow_run.id, totalTime | stats avg(totalTime) as totalTime | eval totalTime=toString(round(totalTime),"Duration") $timeTkn.earliest$ $timeTkn.latest$ 1 
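Review bot: The panel search replaces `repository.name IN("$repoTkn$")` with `repository.name IN(""*"")`, which drops the repository selector token the old search used, so the panel no longer honours the dropdown; the doubled quotes also look like an editor artefact rather than an intended wildcard. Restore `repository.name IN("$repoTkn$")` in this hunk and in the following `@@ -60,7 +60,7 @@` hunk, which has the same change. The commit message says queue times were removed, yet the `requested`-action timestamp is still named `queued` (`eval queued=if(action="requested",_time,NULL)`); renaming it to `requested` keeps the search honest about what it measures.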
@@ -60,7 +60,7 @@ Workflow Analytics by Job Name - `github_webhooks` eventtype="GitHub::Workflow" repository.name IN("$repoTkn$") | eval queued=if(action="queued",_time,NULL), started=if(action="in_progress",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(started) as started, min(completed) as completed by repository.full_name,workflow_job.name,workflow_job.id | eval queueTime=started-queued, runTime=completed-started, totalTime=completed-queued | fields repository.full_name,workflow_job.name, workflow_job.id, queueTime, runTime, totalTime | stats avg(queueTime) as queueTime, avg(runTime) as runTime, avg(totalTime) as totalTime by repository.full_name,workflow_job.name | eval queueTime=toString(round(queueTime),"Duration"), runTime=toString(round(runTime),"Duration"),totalTime=toString(round(totalTime),"Duration") + `github_webhooks` eventtype="GitHub::Workflow" repository.name IN(""*"") | eval queued=if(action="requested",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(completed) as completed by repository.full_name,workflow_run.name,workflow_run.id | eval totalTime=completed-queued | fields repository.full_name,workflow_run.name, workflow_run.id, totalTime | stats avg(totalTime) as totalTime by repository.full_name,workflow_run.name | eval totalTime=toString(round(totalTime),"Duration") $timeTkn.earliest$ $timeTkn.latest$ 1 @@ -76,4 +76,4 @@
- + \ No newline at end of file pFad - Phonifier reborn
