Find Duplicate Computer Records with Splunk

dwaterbury

It pays to stay at JNUC until the very end. The last session at JNUC 2019 gave me the inspiration to finally solve the issue of finding duplicate computer serial numbers using Splunk.

This is extremely helpful in finding computer records after a computer has had a mainboard replaced by Apple. The Serial Number is the same, but a new JSS Computer ID is created.

  1. Download the .tgz here:
    https://www.splunk.com/en_us/download/splunk-enterprise.html#tabs/macos
    *The .dmg didn't seem to install properly for me, but the .tgz did.

  2. Create a read-only user in JamfPro that Splunk can use to access an Advanced Search.

  3. Create an Advanced Search where
    Criteria "Managed Is Managed" or "Managed Is Unmanaged".
    Display: Serial Number, Computer Name, and JSS Computer ID.

  4. Install the Jamf Pro Add-On and configure it with your instance and the Advanced Search:
    https://splunkbase.splunk.com/app/4729/

  5. Use this code and set a 1-hour Window:

sourcetype="jamfmodularinput"
| stats count, values(computer.Computer_Name), values(computer.JSS_Computer_ID) by "computer.Serial_Number"
| sort -count
| where count>1
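The same grouping done outside Splunk, as an added example that is not code from the original post: it reproduces the stats/sort/where logic on constructed events whose field names follow the search above (the add-on's exact event schema is an assumption), so the output of the Splunk search can be checked against a known input.

```python
import json
from collections import defaultdict

# Constructed sample events shaped like the fields used in the search
# (computer.Serial_Number, computer.Computer_Name, computer.JSS_Computer_ID).
# C02ABC001 and C02ABC003 each have more than one JSS Computer ID, which is
# what a mainboard replacement leaves behind.
SAMPLE_EVENTS = [
    {"computer": {"Serial_Number": "C02ABC001", "Computer_Name": "lab-mac-01", "JSS_Computer_ID": "101"}},
    {"computer": {"Serial_Number": "C02ABC001", "Computer_Name": "lab-mac-01", "JSS_Computer_ID": "245"}},
    {"computer": {"Serial_Number": "C02ABC002", "Computer_Name": "alice-mbp", "JSS_Computer_ID": "102"}},
    {"computer": {"Serial_Number": "C02ABC003", "Computer_Name": "old-name", "JSS_Computer_ID": "103"}},
    {"computer": {"Serial_Number": "C02ABC003", "Computer_Name": "new-name", "JSS_Computer_ID": "203"}},
    {"computer": {"Serial_Number": "C02ABC003", "Computer_Name": "new-name", "JSS_Computer_ID": "310"}},
]


def find_duplicate_serials(events):
    """Equivalent of:
         | stats count, values(Computer_Name), values(JSS_Computer_ID) by Serial_Number
         | sort -count
         | where count>1
    values() keeps distinct values only, so a name repeated across records shows once.
    count tallies events, so two ingestions of the same record inside the window also
    give count>1; distinct_ids counts only distinct JSS Computer IDs to separate the two cases.
    """
    groups = defaultdict(lambda: {"count": 0, "names": set(), "ids": set()})
    for ev in events:
        c = ev.get("computer", {})
        serial = c.get("Serial_Number")
        if not serial:
            continue  # "stats ... by" drops events whose group key is null
        g = groups[serial]
        g["count"] += 1
        g["names"].add(c.get("Computer_Name", ""))
        g["ids"].add(str(c.get("JSS_Computer_ID", "")))
    rows = [
        {"serial": s, "count": g["count"], "names": sorted(g["names"]),
         "ids": sorted(g["ids"]), "distinct_ids": len(g["ids"])}
        for s, g in groups.items() if g["count"] > 1
    ]
    rows.sort(key=lambda r: (-r["count"], r["serial"]))  # sort -count, ties by serial
    return rows


if __name__ == "__main__":
    for row in find_duplicate_serials(SAMPLE_EVENTS):
        print(json.dumps(row))
```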

david_edgar

I wonder if anyone else has run into this same scenario but has been able to utilize customer searches or attribute extensions. We've started to find these ghost accounts present due to mainboard changes, and it's getting rather...annoying.