Searching Jamf Pro Data in Splunk

You can use the Search & Reporting app in Splunk to search data that has been collected by Splunk.

  1. In Splunk, click the Search & Reporting app.
  2. In the Search tab, enter a search for your Jamf Pro Add-on in the following format using the input you entered earlier in the Name of the Modular Input field (e.g., "JamfPro_Computers"):
    source="jamf://NameOfModularInput"
  3. (Optional) Use the pop-up menu next to the search bar to adjust the time interval.
  4. Press Return or click the Search button.

Splunk will display event records from the database that match your search criteria, similar to the following example:

This example returns 49 events, which is the number of mobile devices in Jamf Pro that reported data in the last 24 hours. Each event contains data collected from the Jamf Pro Classic API in XML format.

Basic Search Components

The following table explains the core components of searches used to view Jamf Pro data:

Search Component    Description
source=""           Defines the field to search (source)
jamf://             Narrows the search to data collected from the Jamf Pro Add-on
input_name          The name of the input you created within the Jamf Pro Add-on. In the example above, "JamfPro_Computers" is used.