Open
Description
In regard to configuring webhooks in GitHub (github_webhooks.MD), you can use basic auth instead.
Advantages: HEC token isn't passed as part of the URL (which is visible and will get logged everywhere)
Does not require allowQueryStringAuth = true on the HEC Endpoint. In Splunk Cloud, you gotta get Splunk support to enable it even.
All that needs to change in the webhook configuration is:
AuthQueryToken:
https://YOUR SPLUNK URL:8088/services/collector/raw?token=THE TOKEN FROM ABOVE.
BasicAuth:
https://xxxxx:THETOKENFROMABOVE@YOUR SPLUNK URL:8088/services/collector/raw
Username doesn't matter (xxxxx). Token is used as the password for basic auth.