So is there anyone out there that has been sending their logs to Splunk? By logs I mean the individual computer logs. If so, how did you go about setting that up?
This discussion may be a good start.
Mike Dodge from Facebook used to use Casper and Splunk but is no longer using Casper.
What are you running your JSS on? Splunk has forwarding tools you might want to use:
https://www.splunk.com/en_us/download/universal-forwarder.html
My current implementation reads directly off the database. I'm thinking of a better way to do this but I'm OK with it at the moment. There's no shortage of options to get the information you need.
Does anyone have experience in using the database backend to provide data to Splunk? I saw an old post suggesting it was a viable option. I already have Splunk Enterprise so it's just a data feed that's needed. I am using API calls but the post https://jamfnation.jamfsoftware.com/discussion.html?id=7291 looks much better. I had heard that JAMF do not support the direct database access - only through the API. Can anyone confirm?