Searching macOS Security Data in Splunk

Jamf Protect Documentation


You can use the Search & Reporting app in Splunk to search data that has been collected by Splunk.

  1. In Splunk, click the Search & Reporting app.
  2. In the Search tab, enter a search that uses the name of the HTTP Event Collector (HEC) source receiving your Jamf Protect data:
    source="http:Your-Event-Collector"
  3. (Optional) Use the pop-up menu next to the search bar to adjust the time interval.
  4. Press Return or click the Search button.

Splunk displays the indexed event records that match your search criteria.

For example, eventtype=jamf_protect_alerts | `core_table` returns a table of Jamf Protect alerts. You can use this search to ensure that Splunk has integrated with Jamf Protect successfully.

source="JamfProtect"

This example returns seven events, which is the number of Jamf Protect alerts reported in the last 24 hours.