splunk · yavoort · May 10, 2023 · May 10, 2023
diff --git a/github_app_for_splunk/default/data/ui/nav/default.xml b/github_app_for_splunk/default/data/ui/nav/default.xml
@@ -1,7 +1,10 @@
 <nav search_view="search" color="#24292e">
   <view name="welcome_page" default='true'/>
   <collection label="Enterprise Server Monitor">
-    <view source="all" match="monitor" />
+    <view name="1_system_health_monitor" />
+    <view name="2_process_monitor" />
+    <view name="3_authentication_monitor" />
+    <view name="8_storage_monitor" />
   </collection>
   <collection label="Audit">
     <view name="audit_log_activity" />

diff --git a/github_app_for_splunk/default/data/ui/views/audit_log_activity.xml b/github_app_for_splunk/default/data/ui/views/audit_log_activity.xml
@@ -1,5 +1,13 @@
-<form version="1.1" script="tabs.js" stylesheet="tabs.css">
+<form version="1.1.1" script="tabs.js" stylesheet="tabs.css">
   <label>Audit Log Activity</label>
+  <search id="baseSearch">
+    <query>
+      `github_source` action=* | spath input=message | dedup data._document_id | table *
+      | search environment IN ($envTkn$)
+    </query>
+    <earliest>$timeRng.earliest$</earliest>
+    <latest>$timeRng.latest$</latest>
+  </search>
   <fieldset submitButton="false" autoRun="true">
     <input type="time" token="timeRng">
       <label></label>
@@ -8,15 +16,27 @@
         <latest>now</latest>
       </default>
     </input>
+    <input type="dropdown" token="envTkn" searchWhenChanged="true">
+      <label>Environment</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <initialValue>*</initialValue>
+      <fieldForLabel>host</fieldForLabel>
+      <fieldForValue>host</fieldForValue>
+      <search>
+        <query>| mstats count prestats=true WHERE `github_collectd` AND metric_name="cpu.*" span=10s BY host
+| dedup host | table host</query>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </search>
+    </input>
   </fieldset>
   <row>
     <panel>
       <chart>
         <title>Events over time</title>
-        <search>
-          <query>`github_source` action=* | timechart count by action</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
+        <search base="baseSearch">
+          <query> | timechart count by action</query>
         </search>
         <option name="charting.axisTitleX.visibility">collapsed</option>
         <option name="charting.chart">column</option>
@@ -28,10 +48,8 @@
     <panel>
       <single>
         <title>Total events</title>
-        <search>
-          <query>`github_source` action=* | stats count</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
+        <search base="baseSearch">
+          <query>| stats count</query>
         </search>
         <option name="colorMode">block</option>
         <option name="drilldown">none</option>
@@ -61,7 +79,7 @@
     <panel>
       <map>
         <search>
-          <query>`github_source` | rename actor_location.country_code AS iso2 | stats count by iso2 | lookup geo_attr_countries iso2 OUTPUT country | append [ | inputlookup geo_attr_countries] | dedup country | fillnull value=0 | fields+ count, country, geom | geom geo_countries featureIdField="country"</query>
+          <query>`github_source`       | search environment IN ($envTkn$) | rename actor_location.country_code AS iso2 | stats count by iso2 | lookup geo_attr_countries iso2 OUTPUT country | append [ | inputlookup geo_attr_countries] | dedup country | fillnull value=0 | fields+ count, country, geom | geom geo_countries featureIdField="country"</query>
           <earliest>$timeRng.earliest$</earliest>
           <latest>$timeRng.latest$</latest>
           <sampleRatio>1</sampleRatio>
@@ -98,11 +116,8 @@
   <row id="tab_activityCount">
     <panel>
       <table>
-        <search>
-          <query>`github_source` action=* | rename actor_location.country_code AS iso2 | stats count by iso2 | lookup geo_attr_countries iso2 OUTPUT country | fields country, count</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
-          <sampleRatio>1</sampleRatio>
+        <search base="baseSearch">
+          <query> | rename actor_location.country_code AS iso2 | stats count by iso2 | lookup geo_attr_countries iso2 OUTPUT country | fields country, count</query>
         </search>
         <option name="count">20</option>
         <option name="dataOverlayMode">none</option>
@@ -119,10 +134,8 @@
     <panel>
       <chart>
         <title>Top 5 event types</title>
-        <search>
-          <query>`github_source` action=* | stats count by action | sort 5 - count</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
+        <search base="baseSearch">
+          <query>| stats count by action | sort 5 - count</query>
         </search>
         <option name="charting.axisTitleX.visibility">collapsed</option>
         <option name="charting.axisTitleY.visibility">collapsed</option>
@@ -137,10 +150,8 @@
     <panel>
       <chart>
         <title>Top 5 active users</title>
-        <search>
-          <query>`github_source` action=* | stats count by actor | sort 5 - count</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
+        <search base="baseSearch">
+          <query>| stats count by actor | sort 5 - count</query>
         </search>
         <option name="charting.axisTitleX.visibility">collapsed</option>
         <option name="charting.axisTitleY.visibility">collapsed</option>
@@ -153,10 +164,8 @@
     <panel>
       <chart>
         <title>Events per org</title>
-        <search>
-          <query>`github_source` action=* | stats count by org</query>
-          <earliest>$timeRng.earliest$</earliest>
-          <latest>$timeRng.latest$</latest>
+        <search base="baseSearch">
+          <query> | stats count by org</query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
@@ -168,7 +177,7 @@
       <chart>
         <title>Workflow runs</title>
         <search>
-          <query>`github_source` | stats count by conclusion</query>
+          <query>`github_source` | search environment IN ($envTkn$) | stats count by conclusion</query>
           <earliest>$timeRng.earliest$</earliest>
           <latest>$timeRng.latest$</latest>
         </search>
@@ -183,7 +192,7 @@
       <chart>
         <title>Top 10 active repositories</title>
         <search>
-          <query>`github_source` | rename repo as repository | stats count by repository | sort 10 - count</query>
+          <query>`github_source` | search environment IN ($envTkn$) | rename repo as repository | stats count by repository | sort 10 - count</query>
           <earliest>$timeRng.earliest$</earliest>
           <latest>$timeRng.latest$</latest>
         </search>