Searching Jamf Protect Data in Splunk

You can use the Search & Reporting app in Splunk to search data that has been collected by Splunk.

  1. In Splunk, click the Search & Reporting app.
  2. In the Search tab, enter a search using your Jamf Protect source HTTP event collector name:
    source="http:Your-Event-Collector"
  3. (Optional) Use the pop-up menu next to the search bar to adjust the time interval.
  4. Press Return or click the Search button.
Splunk will display event records from the database that match your search criteria, similar to the following example:

This example returns seven events, which is the number of Jamf Protect alerts reported in the last 24 hours.