Integrating Splunk with Jamf Pro
If you use Jamf Pro, you can send computer and mobile device data to Splunk for collection and presentation.
The Jamf Pro Add-on for Splunk allows users to integrate Jamf Pro with Splunk. This integration uses the advanced search APIs in Jamf Pro with Splunk's modular input framework.
The Jamf Pro Add-on for Splunk also provides a framework for the development of additional API integrations for further analysis of Jamf Pro data in Splunk.
- Import computer and mobile device data from multiple Jamf Pro instances
- Import several system settings fields using the Custom API field
- Create and expand on visuals using tools in Splunk's ecosystem
Integrating with Splunk involves the following steps:
- Installing the Jamf Pro Add-on for Splunk
- Configuring the Jamf Pro Add-on for Splunk
- Confirming Data Collection
General Requirements
- Jamf Pro 10.9.0 or later
- A dedicated Jamf Pro API user account with the Auditor privilege set
- A Splunk instance
- Version 1.0.4 or later of the Jamf Pro Add-on for Splunk
Important: If you are using Python 3 in your environment, Jamf Pro Add-on 1.0.5 or later is required.
Installing the Jamf Pro Add-on for Splunk
The steps needed to install the Jamf Pro Add-on for Splunk depend on your Splunk environment.
Download the Jamf Pro Add-on for Splunk from the Jamf Pro Add-on for Splunk webpage on Splunkbase.
Then follow the general instructions for installing Splunk add-ons in the About installing Splunk add-ons documentation from Splunk.
Configuring the Jamf Pro Add-on for Splunk
You must configure the Jamf Pro Add-on for Splunk by creating inputs to connect it with your Jamf Pro instance. Each input specifies a Jamf Pro API endpoint to collect data from.
To configure additional inputs for different API endpoints, repeat the steps above for each endpoint or clone and edit your first input.
Confirming Data Collection
Do the following to confirm your host and inputs are collecting data from Jamf Pro:
- In Splunk, click the Search & Reporting app.
- Click .
- Confirm the following:
  - (Optional) Click the Hosts tab and search for the custom host name value used for your inputs, if configured.
  - Click the Sources tab and find your inputs.
If data is not being collected, confirm the following:
- You entered the correct Jamf Pro instance URL, username, and password.
- Your Jamf Pro Classic API endpoint is correct.
- Your Jamf Pro user account has read-only permissions on the API endpoints you are contacting.
Note: Some endpoints, such as /JSSResource/computers, require read-only access to multiple objects.
The add-on writes its log to the following location:
- macOS and Linux: /opt/splunk/var/log/splunk/jamf_pro_addon_for_splunk_jamf.log
- Windows: \Program Files\splunk\var\log\splunk\jamf_pro_addon_for_splunk_jamf.log
Input Settings for the Jamf Pro Add-on for Splunk
The following table describes each input setting:
Setting | Description |
---|---|
Name | A descriptive name for the input, such as "JamfPro_Computers" |
Interval | How frequently Splunk collects data, in seconds. Daily is 86,400 seconds; weekly is 604,800 seconds. Unless deleted, Splunk retains historical data to permit change detection and time-trend reporting. |
Index | The Splunk index used for the data. Most Splunk configurations use the "main" index by default. |
Name of the Modular Input | A modular name for the input that can be used in Splunk searches, such as "JamfPro_Computers" |
JSS URL | Your Jamf Pro instance's URL |
Username | The Jamf Pro user account used to make API calls. For security purposes, grant this account read-only permissions on only the data that Splunk collects. |
Password | The password of the Jamf Pro user account used to make API calls. |
API Call Name | The type of Jamf Pro API call that this input makes. The Jamf Pro add-on interfaces with Jamf's Classic API. The three options for specifying the API call type are the following: The and options are used when you want Splunk to collect the output of Jamf Pro advanced searches. Advanced searches can be configured in Jamf Pro for the fields to be included in the report. For more information, see Advanced Computer Searches and Advanced Mobile Device Searches in the Jamf Pro Documentation. If you want to retrieve all records and all fields exposed by any other Jamf Pro API endpoint, select the option. |
Search Name | If the or option is selected, enter the name of the advanced search you want to collect. If is used, enter the Jamf Pro Classic API endpoint you want to call. Commonly used endpoints include Many API endpoints also allow data to be retrieved for a specific record. For example, you can specify Some endpoints offer a For more information about the Jamf Pro Classic API, see the Classic API Reference on the Jamf Developer Portal. |
Custom Host Name/Custom Index Name | The host and index name populate an event metadata field for collected data. You can enter your Jamf Pro instance URL or a custom value across multiple inputs so that your metadata matches across multiple sources. |
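As an added example (not the add-on's own code), the Python below emulates what a Custom API input does with the settings above: it validates the JSS URL and Classic API endpoint, builds the Basic-auth request for the read-only Auditor account, and splits the JSON response into one Splunk event per record carrying the custom host and index metadata. It assumes the Classic API returns JSON for an `Accept: application/json` header and that `/JSSResource/computers` answers with a `{"computers": [...]}` list; the sample response is constructed, not captured from a real instance.

```python
"""Added example, not the Jamf Pro Add-on's own code: emulate one Custom API
input against the Classic API, offline.  Assumed: the Classic API returns JSON
for Accept: application/json and /JSSResource/computers answers with
{"computers": [...]}.  SAMPLE_RESPONSE is constructed, not captured."""
import base64
import json
import urllib.request
from urllib.parse import urlparse

# Constructed stand-in for a /JSSResource/computers response.
SAMPLE_RESPONSE = {"computers": [
    {"id": 1, "name": "lab-mac-01"},
    {"id": 2, "name": "lab-mac-02"},
]}


def check_input(jss_url: str, endpoint: str) -> None:
    """Reject settings the add-on would also fail on: a non-HTTPS JSS URL
    (the API password travels in the Basic auth header) or a path outside
    the Classic API, whose endpoints all live under /JSSResource/."""
    parsed = urlparse(jss_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"JSS URL must be https://host[:port], got {jss_url!r}")
    if not endpoint.startswith("/JSSResource/"):
        raise ValueError(f"Classic API endpoint must start with /JSSResource/, got {endpoint!r}")


def build_request(jss_url: str, endpoint: str, username: str, password: str):
    """GET with HTTP Basic auth for the read-only (Auditor) API account."""
    check_input(jss_url, endpoint)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        jss_url.rstrip("/") + endpoint,
        headers={"Accept": "application/json", "Authorization": "Basic " + token},
    )


def to_events(response: dict, host: str, index: str) -> list:
    """Split the top-level record list into one Splunk event per record,
    tagged with the Custom Host Name / Custom Index Name metadata values."""
    if len(response) != 1:
        raise ValueError(f"expected one top-level key, got {list(response)}")
    (source, records), = response.items()            # e.g. "computers"
    return [{"host": host, "index": index, "source": source,
             "event": json.dumps(record)} for record in records]


if __name__ == "__main__":
    req = build_request("https://jamf.example.com", "/JSSResource/computers",
                        "splunk-auditor", "placeholder-password")
    print(req.full_url, req.get_header("Accept"))
    # Live use: json.load(urllib.request.urlopen(req)) in place of SAMPLE_RESPONSE.
    for event in to_events(SAMPLE_RESPONSE, "jamf.example.com", "main"):
        print(event)
```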