
Commit 52a9f45

committed
Update props.conf
removed default fieldalias per AppInspect
1 parent d4b6033 commit 52a9f45


1 file changed

+5
-1
lines changed


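--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
@@ -1,5 +1,4 @@
 [default]
-FIELDALIAS-user = actor AS user
 
 [GithubEnterpriseServerLog]
 DATETIME_CONFIG =
@@ -14,13 +13,15 @@ EXTRACT-audit_fields = \"(?<_KEY_1>.*?)\"\:\"*(?<_VAL_1>.*?)\"*,
 EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?<github_log_type>.*?)\:
 EXTRACT-github_document_id = \"_document_id\"\:\"(?<document_id>.*?)\"
 FIELDALIAS-source = github_log_type AS source
+FIELDALIAS-user = actor AS user
 
 [GithubEnterpriseServerAuditLog]
 EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?<source_host>\S+)\s+(?<app>[^:]+)+:\s+(?<authentication_service>\S+) : TTY=(?<authentication_method>\S+) ; PWD=(?<path>\S+) ; USER=(?<src_user>\S+) ; COMMAND=(?<service>.*)
 EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
 EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
 EVAL-action = "success"
 EVAL-src = replace(source_host, "\-", ".")
+FIELDALIAS-user = actor AS user
 
 [collectd_github]
 ADD_EXTRA_TIME_FIELDS = false
@@ -55,10 +56,12 @@ EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned", 'is
 EVAL-issue_tags = if(isnotnull('issue.labels{}.name'), 'issue.labels{}.name', null())
 EVAL-repository_organization = if(isnotnull('organization.login'), 'organization.login', null())
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
+FIELDALIAS-user = actor AS user
 
 [github_audit]
 KV_MODE = JSON
 FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc
+FIELDALIAS-user = actor AS user
 EVAL-command = mvdedup(action)
 EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
 EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
@@ -78,6 +81,7 @@ EVAL-user = mvdedup(user)
 EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
 FIELDALIAS-field mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc
 EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+FIELDALIAS-user = actor AS user
 EVAL-dvc = replace(host, ":\d+", "")
 EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
 EVAL-protocol = mvdedup(transport_protocol_name)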
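Review bot: In `[github_audit]` the added `FIELDALIAS-user = actor AS user` (new line 64) reuses the key of the line directly above it, which already aliases `actor AS user` together with `"data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc`. When a key appears twice in one stanza Splunk normally keeps only the last value, so the new line would likely drop the `is_public_repo`, `vendor` and `dvc` aliases that audit-log searches and CIM mappings rely on; the added line can simply be left out of that stanza. In the stanzas that also define `EVAL-user` (`[GithubEnterpriseServerAuditLog]`, and the stanza in the last hunk whose header lies outside the visible lines), `AS` appears to overwrite or clear `user` on events that carry no `actor` before the EVAL runs. Writing `FIELDALIAS-user = actor ASNEW user` there would match the `ASNEW` style already used on new line 82 and keep an extracted `user` intact for detections keyed on it.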
