Creating a Dashboard for Jamf Protect Data

You can add your search results in panel form to a new dashboard or an existing dashboard, and then customize the dashboard to meet your organization's needs.

  1. In Splunk, click the Search & Reporting app.
  2. In the Search tab, enter a search that will return results you want to display in a dashboard.
  3. Click Save As.
  4. Choose Dashboard Panel from the pop-up menu.
  5. Do one of the following:
    • Select New and configure settings for your dashboard.
    • Select Existing and select a dashboard.

  6. Click Save.
  7. Click View Dashboard to view your data in the dashboard.

Customizing the Dashboard for Jamf Protect

You can do the following to customize Splunk dashboards:
  • Switch between light and dark mode.
  • Edit the layout of panels.
  • Edit the visualization of individual panels.

The following dashboard is an example of how you can customize a Jamf Protect dashboard:

For more information about customizing the dashboard, including instructions, see the Dashboards and Visualizations documentation from Splunk.

Jamf Protect Search and Visualization Examples

This section contains examples of search and visualization pairs that can be used as a starting point to display your data in a dashboard.

The following examples use searches based on data collected from Jamf Protect for Splunk.

Logs and Alerts by Event Types

source = "http:Jamf Protect" | stats count by input.eventType | rename input.eventType AS "Event Type", count AS "Count"

Detected Analytics Count

source = "http:Jamf Protect" | stats count by input.eventType, input.match.facts{}.name | rename input.eventType AS "Event Type", input.match.facts{}.name AS "Event", count AS "Count" | sort Count desc | head 10
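
Added example (not part of the Jamf or Splunk documentation): a Python emulation of what the Detected Analytics Count search computes, run over constructed events that contain only the field paths named in the searches on this page. It assumes Splunk's stats behavior of emitting one row per value of a multivalue BY field and no row for an event that lacks a BY field, which is why the panel's counts can differ from the number of raw events.

```python
import json
from collections import Counter

# Constructed sample events (not real Jamf Protect output). Only the field
# paths used by the searches are present; "ExampleEvent" and the fact names
# are placeholders.
SAMPLE_EVENTS = [
    '{"input": {"eventType": "GPFSEvent", "match": {"facts": [{"name": "FactA"}, {"name": "FactB"}]}}}',
    '{"input": {"eventType": "GPFSEvent", "match": {"facts": [{"name": "FactA"}]}}}',
    '{"input": {"eventType": "GPGatekeeperEvent", "match": {"facts": [{"name": "FactC"}], "event": {"path": "/tmp/example.app"}}}}',
    '{"input": {"eventType": "ExampleEvent", "match": {"facts": []}}}',
]


def fact_names(event):
    """Values of input.match.facts{}.name; an empty list if the path is absent."""
    facts = event.get("input", {}).get("match", {}).get("facts") or []
    return [f["name"] for f in facts if isinstance(f, dict) and "name" in f]


def detected_analytics(raw_lines, limit=10):
    """Emulate: stats count by input.eventType, input.match.facts{}.name
    | sort Count desc | head <limit>."""
    counts = Counter()
    for line in raw_lines:
        event = json.loads(line)
        event_type = event.get("input", {}).get("eventType")
        if event_type is None:
            continue  # assumed stats behavior: no BY value, no row
        for name in fact_names(event):  # one row per multivalue entry
            counts[(event_type, name)] += 1
    # Ties are broken by key here only to make the output deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(etype, name, n) for (etype, name), n in ranked[:limit]]


def events_without_rows(raw_lines):
    """Count events that contribute no row because they carry no fact names."""
    return sum(1 for line in raw_lines if not fact_names(json.loads(line)))


if __name__ == "__main__":
    for row in detected_analytics(SAMPLE_EVENTS):
        print(row)
    print("events with no row:", events_without_rows(SAMPLE_EVENTS))
```

With the sample data, four events produce counts that also sum to four, but only because one event with two facts is counted twice and one event with no facts is not counted at all.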

Event Type Breakdown

source = "http:Jamf Protect" input.eventType="GPFSEvent" | stats count by input.match.facts{}.name | rename input.match.facts{}.name AS "Event", count AS "Count"

Executables Blocked by Gatekeeper

source = "http:Jamf Protect" input.eventType="GPGatekeeperEvent" | stats count by input.match.facts{}.name, input.match.event.path | rename input.match.facts{}.name AS "Block Type", input.match.event.path AS "Executable" | head 10