👋 This issue tracks the work to migrate the freno service from the freno Splunk index to GitHub's new logging platform.
🛑 Blocked until Mid or End of July 2026
This issue is being opened now so that your team can plan to fund this work before the end of Q1. However, this work is blocked by the following issue: https://github.com/github/observability/issues/12604. The Observability team is waiting on the fix from Azure Monitor, and we expect that fix to be generally available by mid-July.
You will be informed on this issue when the work is unblocked, and asked to assign someone to complete this work before the end of the quarter.
Due Date and Time Committment
| Due Date |
Engineering Effort |
| End of Q1 |
3-5 days |
Instructions
Step 1. Onboard to the Logging Platform
Follow the onboarding guide.
You will use a Copilot skill or GitHub action to onboard your service. These tools will open a detailed onboarding issue and walk you through completion.
Please link to that issue here:
Onboarding Issue:
Once onboarding is complete, you can find and query your logs in the new platform using this guide.
Step 1.1 Inform SecOps
If this service is on the list of services below, then yours logs are used in security detections. Once you have completed onboarding, please inform SecOps in the #tdr Slack channel so that they can migrate your detections.
**SecOps Detections List**
[
"sec-corp-microsoft-defender",
"sec-corp-okta",
"sec-prod-audit",
"sirt-scm-aws_cloudtrail",
"sec-azure-ad-logs",
"sec-prod-osquery",
"sec-azure-activity-logs",
"glb",
"sec-corp-gsuite",
"rails",
"sec-corp-odns",
"sec-corp-slack",
"sec-prod-ssh",
"sec-prod-thinkst-canary",
"sec-vault-audit",
"net-proxy",
"prod-hubot",
"sec-events-dev",
"sec-packetbeat-dns",
"sec-prod-obsidian",
"sirt-scm-aws_guardduty",
"_audit",
"ldap",
"prod-babeld",
"sec-corp-jamf",
"sec-prod-iam",
"sec-corp-1password",
"sec-corp-controld",
"actions-network-gateway",
"greenseer",
"prod-janky",
"rails-gitauth",
"sec-corp-redcanary",
"wiz",
"zoom",
]
Step 2. Off-board your service from Splunk
Your service logs will remain available in Splunk until you complete this step.
To offboard your service from Splunk, ship the offboarding PR that will have been automatically opened for you as part of Step 2.
You should off-board from Splunk when:
- Onboarding to the new platform is complete, including shipping any playbook updates
- Your team has confirmed they can access logs and are comfortable using logs in the new platform
- ** ⚠️ Important:** If your service is on the SecOps Detections List, do not off board from Splunk until you inform SecOps via the #tdr Slack channel and get their approval. Your off boarding is blocked until they migrate your detections from Splunk to Azure Monitor.
Definition of Done
Getting Help
For help, ping @github/observability in a comment on this issue or visit #logging-platform-migration.
Help, I think this issue was opened incorrectly
If you think that this Splunk index does not in fact belong to this service, do one of the following:
- If you know which service this index does belong to, please move this issue to that service repo
- Otherwise, add the
blocked label to this issue and leave a comment explaining why.
Supporting Docs
👋 This issue tracks the work to migrate the freno service from the freno Splunk index to GitHub's new logging platform.
🛑 Blocked until Mid or End of July 2026
This issue is being opened now so that your team can plan to fund this work before the end of Q1. However, this work is blocked by the following issue: https://github.com/github/observability/issues/12604. The Observability team is waiting on the fix from Azure Monitor, and we expect that fix to be generally available by mid-July.
You will be informed on this issue when the work is unblocked, and asked to assign someone to complete this work before the end of the quarter.
Due Date and Time Committment
Instructions
Step 1. Onboard to the Logging Platform
Follow the onboarding guide.
You will use a Copilot skill or GitHub action to onboard your service. These tools will open a detailed onboarding issue and walk you through completion.
Please link to that issue here:
Onboarding Issue:
Once onboarding is complete, you can find and query your logs in the new platform using this guide.
Step 1.1 Inform SecOps
If this service is on the list of services below, then yours logs are used in security detections. Once you have completed onboarding, please inform SecOps in the #tdr Slack channel so that they can migrate your detections.
**SecOps Detections List**
[ "sec-corp-microsoft-defender", "sec-corp-okta", "sec-prod-audit", "sirt-scm-aws_cloudtrail", "sec-azure-ad-logs", "sec-prod-osquery", "sec-azure-activity-logs", "glb", "sec-corp-gsuite", "rails", "sec-corp-odns", "sec-corp-slack", "sec-prod-ssh", "sec-prod-thinkst-canary", "sec-vault-audit", "net-proxy", "prod-hubot", "sec-events-dev", "sec-packetbeat-dns", "sec-prod-obsidian", "sirt-scm-aws_guardduty", "_audit", "ldap", "prod-babeld", "sec-corp-jamf", "sec-prod-iam", "sec-corp-1password", "sec-corp-controld", "actions-network-gateway", "greenseer", "prod-janky", "rails-gitauth", "sec-corp-redcanary", "wiz", "zoom", ]Step 2. Off-board your service from Splunk
Your service logs will remain available in Splunk until you complete this step.
To offboard your service from Splunk, ship the offboarding PR that will have been automatically opened for you as part of Step 2.
You should off-board from Splunk when:
Definition of Done
Getting Help
For help, ping @github/observability in a comment on this issue or visit #logging-platform-migration.
Help, I think this issue was opened incorrectly
If you think that this Splunk index does not in fact belong to this service, do one of the following:
blockedlabel to this issue and leave a comment explaining why.Supporting Docs