It pays to stay at JNUC until the very end. The last session at JNUC 2019 gave me the inspiration to finally solve the issue of finding duplicate computer serial numbers using Splunk.
This is extremely helpful in finding computer records after a computer has had a mainboard replaced by Apple. The Serial Number is the same, but a new JSS Computer ID is created.
Download the .tgz here:
https://www.splunk.com/en_us/download/splunk-enterprise.html#tabs/macos
*The .dmg didn't seem to install properly for me, but the .tgz did.
Create a read-only user in JamfPro that Splunk can use to access an Advanced Search.
Create an Advanced Search where
Criteria "Managed Is Managed" or "Managed Is Unmanaged".
Display: Serial Number, Computer Name, and JSS Computer ID.
Install the Jamf Pro Add-On and configure it with your instance and the Advanced Search:
https://splunkbase.splunk.com/app/4729/
Use this code and set a 1-hour Window:
sourcetype="jamfmodularinput"
| stats count, values(computer.Computer_Name), values(computer.JSS_Computer_ID) by "computer.Serial_Number"
| sort-count
| where count>1
