Integrating Splunk with Jamf Pro

If you use Jamf Pro, you can send computer and mobile device data to Splunk for collection and presentation.

The Jamf Pro Add-on for Splunk allows users to integrate Jamf Pro with Splunk. This integration uses the advanced search APIs in Jamf Pro with Splunk's modular input framework.

The Jamf Pro Add-on for Splunk also provides a framework for the development of additional API integrations for further analysis of Jamf Pro data in Splunk.

This integration allows you to do the following:
  • Import computer and mobile device data from multiple Jamf Pro instances

  • Import several system settings fields using the Custom API field

  • Create and expand on visuals using tools in Splunk's ecosystem

Integrating with Splunk involves the following steps:

  1. Installing the Jamf Pro Add-on for Splunk

  2. Configuring the Jamf Pro Add-on for Splunk

  3. Confirming Data Collection

General Requirements

  • Jamf Pro 10.9.0 or later

  • A dedicated Jamf Pro API user account with the Auditor privilege set (Splunk stores this account's password, so create a separate read-only account rather than reusing an administrator's credentials)

  • A Splunk instance

  • Version 1.0.4 or later of the Jamf Pro Add-on for Splunk
    Important:

    If you are using Python 3 in your environment, Jamf Pro Add-on 1.0.5 or later is required.

Installing the Jamf Pro Add-on for Splunk

The steps needed to install the Jamf Pro Add-on for Splunk depend on your Splunk environment.

Download the Jamf Pro Add-on for Splunk from the Jamf Pro Add-on for Splunk webpage on Splunkbase.

Then follow the general instructions for installing Splunk add-ons in the About installing Splunk add-ons documentation from Splunk.

Configuring the Jamf Pro Add-on for Splunk

You must configure the Jamf Pro Add-on for Splunk by creating inputs to connect it with your Jamf Pro instance. Each input specifies a Jamf Pro API endpoint to collect data from.

  1. In Splunk, click the Jamf Pro Add-on from the list of installed apps.
  2. Click Create New Input.
  3. Configure the input settings.

    For example, an input that collects the results of a Jamf Pro advanced search once per week uses the Computers (or Mobile Devices) API call, the advanced search's name as the Search Name, and an Interval of 604800 seconds.

  4. Click Save.
The Jamf Pro Add-on should now start collecting data from your Jamf Pro instance API endpoint at the configured interval.

To configure additional inputs for different API endpoints, repeat the steps above for each endpoint or clone and edit your first input.

Confirming Data Collection

Do the following to confirm your host and inputs are collecting data from Jamf Pro:

  1. In Splunk, click the Search & Reporting app.
  2. Click What to Search > Data Summary.
  3. Confirm the following:
    1. (Optional) Click the Hosts tab and search for the custom host name value used for your inputs, if configured.
    2. Click the Sources tab and find your inputs.
Your Jamf Pro data source should appear in the source list and display the number of events and last update time.
If the Jamf Pro Add-on does not begin collecting data from Jamf Pro, verify the following:
  • You entered the correct Jamf Pro instance URL, username, and password.

  • Your Jamf Pro Classic API endpoint is correct.

  • Your Jamf Pro user account has Read permission on every object returned by the API endpoints you are contacting.
    Note:

    Some endpoints, such as /JSSResource/computers, require read-only access to multiple objects.
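The checks in the list above can be scripted. The following is an added example, not code from the Jamf Pro Add-on for Splunk or from Jamf: it requests one Classic API endpoint with the same username and password an input would use, maps the HTTP status to the item to verify first, and confirms that the account holds only Read privileges before its password is stored in Splunk. It assumes the Classic API accepts HTTP Basic authentication and returns JSON for an Accept: application/json request, and that an account's own record at /JSSResource/accounts/username/<name> carries a "privileges" map of strings such as "Read Computers" or "Update Computers"; the two account records in the block are constructed samples.

```python
"""Preflight checks for the Jamf Pro API account used by a Splunk input.

Added example, not part of the Jamf Pro Add-on for Splunk.  Assumptions:
the Classic API accepts HTTP Basic authentication and returns JSON when the
request carries Accept: application/json, and an account's own record is
readable at /JSSResource/accounts/username/<name> with a "privileges" map
whose entries are strings such as "Read Computers" or "Update Computers".
"""
import base64
import json
import os
import urllib.error
import urllib.request


def basic_auth_headers(username, password):
    """HTTP Basic credentials plus a JSON Accept header for the Classic API."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def classic_get(jss_url, endpoint, username, password, timeout=30):
    """GET one Classic API endpoint; returns (http_status, parsed JSON or None)."""
    if not endpoint.startswith("/JSSResource/"):
        raise ValueError("Classic API endpoints start with /JSSResource/: " + endpoint)
    request = urllib.request.Request(
        jss_url.rstrip("/") + endpoint, headers=basic_auth_headers(username, password)
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, json.loads(response.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, None


def diagnose(status):
    """Map an HTTP status to the item in the troubleshooting list to check first."""
    if status == 200:
        return "ok"
    if status == 401:
        return "rejected: wrong username/password, or the account lacks Read privilege on this endpoint"
    if status == 403:
        return "forbidden: the account lacks privilege on this endpoint"
    if status == 404:
        return "not found: check the Classic API endpoint path"
    return f"unexpected HTTP {status}: check the Jamf Pro instance URL"


def non_read_privileges(account_record):
    """Return every privilege of the account that is not a Read privilege.

    An empty list means the account is read-only, which is what a credential
    stored in Splunk should be.  Action privileges (for example sending remote
    commands) never start with "Read " and are therefore flagged as well.
    """
    privileges = account_record.get("account", {}).get("privileges", {})
    flagged = []
    for area, names in privileges.items():
        for name in names:
            if not name.startswith("Read "):
                flagged.append(f"{area}: {name}")
    return flagged


# Constructed samples shaped like an accounts/username response (assumed
# format); the second account holds write and action privileges it should not.
SAMPLE_READ_ONLY = {"account": {"name": "splunk-ro", "privileges": {
    "jss_objects": ["Read Computers", "Read Mobile Devices", "Read Advanced Computer Searches"],
    "jss_actions": []}}}
SAMPLE_OVERPRIVILEGED = {"account": {"name": "splunk-rw", "privileges": {
    "jss_objects": ["Read Computers", "Update Computers"],
    "jss_actions": ["Send Computer Remote Lock Command"]}}}


if __name__ == "__main__":
    print(non_read_privileges(SAMPLE_READ_ONLY))         # []
    print(non_read_privileges(SAMPLE_OVERPRIVILEGED))    # two flagged privileges
    # Live check only when JSS_URL, JSS_USER and JSS_PASS are set (names are this example's own).
    if all(k in os.environ for k in ("JSS_URL", "JSS_USER", "JSS_PASS")):
        url, user, password = (os.environ[k] for k in ("JSS_URL", "JSS_USER", "JSS_PASS"))
        status, body = classic_get(url, f"/JSSResource/accounts/username/{user}", user, password)
        print(diagnose(status))
        if body:
            print(non_read_privileges(body) or "account is read-only")
```

Run it with the three environment variables set to exercise the live check; without them it only evaluates the constructed samples. A 401 is deliberately reported as either wrong credentials or missing privilege, because Jamf Pro has returned 401 for both conditions in some versions.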

You can also access the Jamf Pro Add-on logs in the following locations:
macOS and Linux
/opt/splunk/var/log/splunk/jamf_pro_addon_for_splunk_jamf.log
Windows
\Program Files\splunk\var\log\splunk\jamf_pro_addon_for_splunk_jamf.log

Input Settings for the Jamf Pro Add-on for Splunk

The following list describes each input setting:

Name

A descriptive name for the input, such as "JamfPro_Computers"

Interval

How frequently Splunk collects data, in seconds. Daily is 86,400 seconds; weekly is 604,800 seconds. Each collection is stored as events in the index, and they remain available under the index's retention settings, so earlier collections can be compared for change detection and time-trend reporting.

Index

The Splunk index used for the data. Most Splunk configurations use the "main" index by default.

Name of the Modular Input

The name given to the modular input; it identifies the input in Splunk and can be used to narrow searches, such as "JamfPro_Computers"

JSS URL

Your Jamf Pro instance's URL

Username

The Jamf Pro user account used to make API calls. For security purposes, grant this account only Read privileges on the objects Splunk collects; Splunk stores its password, so a compromise of Splunk should not yield write access to Jamf Pro.

Password

The password of the Jamf Pro user account used to make API calls.

API Call Name

The type of Jamf Pro API call that will be made by this input. The Jamf Pro add-on interfaces with Jamf's Classic API.

The three options for specifying the API call type are the following:
  • Computers
  • Mobile Devices
  • Custom API

The Computers and Mobile Devices options are used when you want Splunk to collect the output of Jamf Pro advanced searches. Advanced searches can be configured in Jamf Pro for the fields to be included in the report.

For more information, see Advanced Computer Searches and Advanced Mobile Device Searches in the Jamf Pro Documentation.

If you want to retrieve all records and all fields exposed by any other Jamf Pro API endpoint, select the Custom API option.

Search Name

If the Computers or Mobile Devices option is selected, enter the name of the advanced search you want to collect.

If Custom API is used, enter the Jamf Pro Classic API endpoint you want to call.

Commonly used endpoints include /JSSResource/computers and /JSSResource/mobiledevices.

Many API endpoints also allow data to be retrieved for a specific record. For example, you can specify /JSSResource/computers/id/10 to collect data for a specific computer.

Some endpoints offer a /subset option, which allows for more granular data collection, for example /JSSResource/computers/id/10/subset/General to collect only the General section of that computer's record.

For more information about the Jamf Pro Classic API, see the Classic API Reference on the Jamf Developer Portal.
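To make the three API Call Name options concrete, here is an added example (not the add-on's own code) that resolves an input's API Call Name and Search Name to the Classic API path to request, and then turns a response into one Splunk event per device with the host, source and index metadata the input settings describe. It assumes advanced searches are fetched by name from /JSSResource/advancedcomputersearches/name/<name> and /JSSResource/advancedmobiledevicesearches/name/<name>, and that their JSON wraps the matching devices under "advanced_computer_search"/"computers" or "advanced_mobile_device_search"/"mobile_devices"; the response in the block is a constructed sample in that shape.

```python
"""Resolve a Splunk input's API Call Name / Search Name pair to a Classic API
endpoint, and flatten the response into per-device Splunk events.

Added example, not the add-on's own code.  Assumed endpoints and response
shape for advanced searches are listed in CALL_TYPES; the sample response at
the bottom is constructed, not captured from a Jamf Pro instance.
"""
import json
import time
from urllib.parse import quote

# API Call Name -> (endpoint prefix, wrapper key in the JSON, list key of matching devices)
CALL_TYPES = {
    "Computers": ("/JSSResource/advancedcomputersearches/name/",
                  "advanced_computer_search", "computers"),
    "Mobile Devices": ("/JSSResource/advancedmobiledevicesearches/name/",
                       "advanced_mobile_device_search", "mobile_devices"),
}


def endpoint_for(call_name, search_name):
    """Return the Classic API path an input with these settings should request."""
    if call_name == "Custom API":
        # Search Name holds the endpoint itself; tolerate a missing leading slash
        # but refuse anything outside the Classic API tree.
        path = "/" + search_name.lstrip("/")
        if not path.startswith("/JSSResource/"):
            raise ValueError(f"Custom API endpoints must be under /JSSResource/: {search_name}")
        return path
    if call_name not in CALL_TYPES:
        raise ValueError(f"unknown API Call Name: {call_name}")
    prefix = CALL_TYPES[call_name][0]
    # Advanced search names may contain spaces and punctuation; percent-encode them.
    return prefix + quote(search_name, safe="")


def to_events(call_name, payload, host, source, index="main", collected_at=None):
    """Flatten a Classic API JSON response into one JSON-encoded event per record.

    host/source/index become the event metadata fields the Splunk input settings
    describe; using the same host value across inputs keeps the metadata consistent.
    """
    collected_at = collected_at or time.time()
    if call_name in CALL_TYPES:
        _, wrapper, list_key = CALL_TYPES[call_name]
        records = payload.get(wrapper, {}).get(list_key, [])
    else:
        # Custom API: a list-valued top-level key (e.g. "computers") holds the records;
        # a single-record response (e.g. computers/id/10) is emitted as one event.
        records = next((v for v in payload.values() if isinstance(v, list)), [payload])
    events = []
    for record in records:
        event = {"host": host, "source": source, "index": index,
                 "time": collected_at, "event": record}
        events.append(json.dumps(event))
    return events


# Constructed sample in the assumed shape of an advanced computer search response.
SAMPLE_ADVANCED_SEARCH = {"advanced_computer_search": {
    "id": 7, "name": "Splunk - All Macs",
    "computers": [
        {"id": 10, "name": "mac-001", "udid": "00000000-0000-0000-0000-000000000010",
         "Last_Check-in": "2024-05-01 08:12:00"},
        {"id": 11, "name": "mac-002", "udid": "00000000-0000-0000-0000-000000000011",
         "Last_Check-in": "2024-04-02 17:45:00"},
    ]}}


if __name__ == "__main__":
    print(endpoint_for("Computers", "Splunk - All Macs"))
    print(endpoint_for("Custom API", "JSSResource/computers/id/10"))
    for line in to_events("Computers", SAMPLE_ADVANCED_SEARCH,
                          host="jss.example.com", source="JamfPro_Computers"):
        print(line)
```

Percent-encoding the search name matters because a name such as "Splunk - All Macs" would otherwise break the request path; the Custom API branch refuses paths outside /JSSResource/ so a mistyped endpoint fails at configuration time rather than producing an unexplained 404 in Splunk.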

Custom Host Name/Custom Index Name

These values populate the host and index metadata fields of the collected events. Enter your Jamf Pro instance URL or another fixed value as the host name on every input so that events from different inputs and sources carry matching metadata.