Testing Your Splunk Event Collector Token

Jamf Protect Documentation

  1. Obtain the following values from your Splunk instance:
    • Your Splunk instance URL in the following format:
      https://your-splunk-instance:8088/services/collector/raw
      Note: Add /services/collector/raw to the end of your instance URL. This allows Splunk to collect JSON data from Jamf Protect.

    • Your previously created event collector token value in the following format:

      2b9e8b2d-927e-4b38-68e2-622588c39123

  2. Using the values obtained in step 1, execute the following command:
    curl https://your-splunk-instance:8088/services/collector/raw -H "Authorization: Splunk 0f9b8b2d-927e-4b38-88e2-622588c39123" -d '{"event": "Hello World"}'

If the event collector token is functioning correctly, you should receive a response similar to the following:

{"text":"Success","code":0}

If you do not receive a successful response, you may need to modify your Splunk instance URL in one of the following ways:

  • Splunk Enterprise
    Add inputs- to the beginning of your instance URL:
    https://inputs-your-splunk-instance:8088/services/collector/raw
  • Splunk Cloud
    Add http-inputs- to the beginning of your instance URL:
    https://http-inputs-your-splunk-instance:433/services/collector/raw
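The check above can be scripted so that the token stays out of the command line and each URL form is tried in turn. This is an added example, not part of the Jamf or Splunk documentation; the HEC_TOKEN variable and the hec_* function names are assumptions, and the port is supplied by the caller.

```shell
#!/bin/sh
# Added example; HEC_TOKEN and the hec_* function names are hypothetical.

# Print the three URL forms this page lists for one host and port.
hec_candidate_urls() {
    for prefix in "" "inputs-" "http-inputs-"; do
        printf 'https://%s%s:%s/services/collector/raw\n' "$prefix" "$1" "$2"
    done
}

# True only when the body reports code 0, as in {"text":"Success","code":0}.
hec_response_ok() {
    printf '%s' "$1" | grep -Eq '"code"[[:space:]]*:[[:space:]]*0([^0-9]|$)'
}

# Send the page's test event to one URL. The token is read from HEC_TOKEN and
# handed to curl as a config line on stdin (-K -), so it never appears in
# curl's argument list or in shell history. TLS verification stays on (no -k).
hec_send_test() {
    [ -n "${HEC_TOKEN:-}" ] || { echo "HEC_TOKEN is not set" >&2; return 2; }
    printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
        curl -sS --max-time 10 -K - -d '{"event": "Hello World"}' "$1"
}

# Try each URL form in order and print the first that returns Success.
hec_find_working_url() {
    [ -n "${HEC_TOKEN:-}" ] || { echo "HEC_TOKEN is not set" >&2; return 2; }
    for url in $(hec_candidate_urls "$1" "$2"); do
        body=$(hec_send_test "$url" 2>/dev/null) || continue
        if hec_response_ok "$body"; then
            printf '%s\n' "$url"
            return 0
        fi
    done
    return 1
}

# Usage, with HEC_TOKEN already exported in the environment:
#   hec_find_working_url your-splunk-instance 8088
```

Load the token into HEC_TOKEN from a secrets store or a file readable only by your user rather than typing it inline, since the token authorizes writes to your Splunk index.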