Update macros.conf

Added new macros to enable complex searches for field extraction that isn't possible with standard field extractions.

Author: derkkila

github_app_for_splunk/default/macros.conf

@@ -4,7 +4,7 @@ definition = index=github_collectd
 iseval = 0
 
 [github_source]
-definition = (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit)
+definition = (index="github" source="ghe_audit_log_monitoring://*") OR (index=ghes source=github_audit) OR (index=gitops source="github:enterprise:audit") OR (index=gh_audit_stream)
 iseval = 0
 
 [github_webhooks]
@@ -14,3 +14,32 @@ iseval = 0
 [github_workflow_logs]
 definition = index="github_workflow_logs"
 iseval = 0
+
+[devops_indexes]
+definition = index="github_webhook" OR index="github_webhook2"
+iseval = 0
+
+[individual_commits]
+definition = | spath commits{} output=commits \
+| mvexpand commits \
+| rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"\
+| rex field=commits "(?<=\"message\"\:\")(?<commit_message>(\w|\s)*)"\
+| rex field=commits "(?<=\"username\"\:\")(?<commit_username>(\w|-)*(?=\"))"\
+| rex field=commits "(?<=\"timestamp\"\:\")(?<commit_timestamp>[^\"]*(?=\"))"\
+| rex field=commits "(?<=\"added\"\:\[)(?<commit_files_added>[^\]]*(?=\]))"\
+| rex field=commits "(?<=\"removed\"\:\[)(?<commit_files_removed>[^\]]*(?=\]))"\
+| rex field=commits "(?<=\"modified\"\:\[)(?<commit_files_modified>[^\]]*(?=\]))"
+iseval = 0
+
+[extract_branch_issuenumber]
+definition = | eval branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', "") \
+| eval ref = if((isnull('ref') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('ref') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', 'ref'))\
+| rex field="ref" "(?<commit_branch>(?<=refs\/heads\/).*)" \
+| eval commit_branch = if((isnull('commit_branch') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('commit_branch') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', if((isnull('commit_branch') AND isnotnull('ref')), 'ref', 'commit_branch')))\
+| rex field="commit_branch" "(?<issueNumber>^\d*)"
+iseval = 0
+
+[extract_release_push_tags]
+definition = | eval ref_tags = if((isnotnull('ref') AND eventtype="GitHub::Release::Push"), ref, null())\
+| rex field="ref_tags" "(?<release_tag_name>(?<=refs\/tags\/).*)"
+iseval = 0