Installing and Configuring the Jamf Pro Add-on for Splunk

The Jamf Pro Add-on for Splunk allows users to easily integrate Jamf Pro with Splunk. This integration uses the advanced search APIs in Jamf Pro with Splunk’s modular input framework.

The Jamf Pro Add-on also provides a framework for the development of additional API integrations for further analysis of Jamf Pro data in Splunk.

Key features include the following:

  • Import Computer and Mobile Device data from multiple Jamf Pro instances

  • Import several system settings fields using the Custom API field

  • Create and expand on visuals using tools in Splunk's ecosystem

Jamf Pro Add-on Installation

Steps to install the Jamf Pro Add-on vary based on your Splunk environment. For instructions, see About installing Splunk add-ons from Splunk's documentation.

To download the Jamf Pro Add-on, see the Jamf Pro Add-on for Splunk webpage on Splunkbase.

Configuring the Jamf Pro Add-on

You must configure the Jamf Pro Add-on to connect it with your Jamf Pro instance by creating inputs. Each input specifies a Jamf Pro API endpoint to collect data from.

  1. In Splunk, click the Jamf Pro Add-on from the list of installed apps.

  2. Click Create New Input.

  3. Configure the input settings. The following example shows how to configure an input that collects results from a Jamf Pro advanced search once per week:

    [Screenshot: Jamf Pro Add-on input settings]

    See the "Input Settings" table below for more information.

  4. Click Save.

The Jamf Pro Add-on should now start collecting data from your Jamf Pro instance API endpoint at the configured interval. To configure additional inputs for different API endpoints, repeat the steps above for each endpoint or clone and edit your first input.

Input Settings

The following table describes each input setting:

Setting
    Description

Name
    A descriptive name for the input, such as "JamfPro_computers"

Interval
    How frequently Splunk will collect data, in seconds. Daily is 86,400 seconds; weekly is 604,800 seconds. Unless deleted, Splunk will retain historical data to permit change detection and time-trend reporting.

Index
    The Splunk index used for the data. Most Splunk configurations use the "main" index by default.

Name of the Modular Input
    A modular name for the input that can be used for Splunk searches

JSS URL
    Your Jamf Pro instance URL

Username
    The Jamf Pro user account used to make API calls. For security purposes, you should only grant read-only permissions to the data that Splunk collects.

Password
    The password of the Jamf Pro user account used to make API calls.

API Call Name
    The type of Jamf Pro API call that will be made by this input. The Jamf Pro add-on interfaces with Jamf's Classic API. The three options for specifying the API call type are the following:

      • Computers

      • Mobile Devices

      • Custom API

    The Computers and Mobile Devices options are used when you want Splunk to collect the output of Jamf Pro advanced searches. Advanced searches, and the fields that will be included in the report, can be configured in Jamf Pro.

    For more information, see Advanced Computer Searches and Advanced Mobile Device Searches in the Jamf Pro Administrator's Guide.

    If you want to retrieve all records and all fields exposed by any other Jamf Pro API endpoint, select the Custom API option.

Search Name
    If the Computers or Mobile Devices option is selected, enter the name of the advanced search you want to collect.

    If Custom API is used, enter the Jamf Pro Classic API endpoint you want to call.

    Commonly used endpoints include /JSSResource/computers and /JSSResource/mobiledevices.

    Many API endpoints also allow data to be retrieved for a specific record. For example, you can specify JSSResource/computers/id/10 to collect data for a specific computer.

    Some endpoints offer a /subset option, which allows for more granular data collection.

    For more information about the Jamf Pro Classic API, see The Classic API Reference from the Jamf Pro Developer Portal.

Custom Host Name/Custom Index Name
    The host and index name populate an event metadata field for collected data. You can enter your Jamf Pro instance URL or a custom value across multiple inputs to make your metadata match across multiple sources.

Troubleshooting

If the Jamf Pro Add-on does not begin collecting data from Jamf Pro, verify the following:

  • You entered the correct Jamf Pro instance URL, username, and password.

  • Your Jamf Pro Classic API endpoint is correct.

  • Your Jamf Pro user account has read-only permissions on the API endpoints you are contacting.

    Note: Some endpoints, such as /JSSResource/computers, require read-only access to multiple objects.

You can also access the Jamf Pro Add-on logs in the following locations:

  • macOS and Linux—/opt/splunk/var/log/splunk/jamf_pro_addon_for_splunk_jamf.log

  • Windows—\Program Files\splunk\var\log\splunk\jamf_pro_addon_for_splunk_jamf.log
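
The checks in the list above can be run outside Splunk before an input is saved. The following Python is an added example, not code from the add-on or from Jamf: it builds the Classic API URL for an input's settings and maps the HTTP status of one request to the item to re-check. The advanced-search paths, the use of HTTP Basic authentication, and all function names are assumptions.

```python
"""Pre-flight check for one Jamf Pro Add-on input (added example)."""
import base64
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit

# Assumed mapping from the "API Call Name" option to a Classic API path;
# the add-on's internal paths are not shown on this page.
SEARCH_PATHS = {
    "Computers": "/JSSResource/advancedcomputersearches/name/",
    "Mobile Devices": "/JSSResource/advancedmobiledevicesearches/name/",
}

def build_url(jss_url, api_call, search_name):
    """Return the Classic API URL an input with these settings would target."""
    parts = urlsplit(jss_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("JSS URL must be an https:// URL")
    base = "https://" + parts.netloc + parts.path.rstrip("/")
    if api_call in SEARCH_PATHS:
        return base + SEARCH_PATHS[api_call] + quote(search_name, safe="")
    if api_call != "Custom API":
        raise ValueError("unknown API Call Name: " + api_call)
    endpoint = "/" + search_name.strip().lstrip("/")
    if not endpoint.startswith("/JSSResource/"):
        raise ValueError("Custom API endpoint must start with /JSSResource/")
    return base + quote(endpoint)

def diagnose(status):
    """Map an HTTP status to the troubleshooting item to re-check."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "check username, password and read privileges"
    if status == 404:
        return "check endpoint path or advanced search name"
    return "unexpected status %d: see the add-on log" % status

def probe(url, username, password, timeout=10):
    """Send one authenticated GET (needs network) and diagnose the reply."""
    token = base64.b64encode((username + ":" + password).encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status)
    except urllib.error.HTTPError as err:
        return diagnose(err.code)
```

Run probe() with the same read-only account the input will use, so the result reflects the privileges Splunk will actually have.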

© copyright 2002-2021 Jamf. All rights reserved.