Jamf Nation Community

Here are a some we use.

Mind sharing the search string that split off the App Versions from the app?

assuming you have the jamf splunk plugin installed. We have an Extension Attribute to pull versions of the apps we care about. Those EAs are listed in the advance search that splunk reads. Then its a pretty simple search:

index=name sourcetype=JamfModularInput | rare limit=20000 "computer.*EA_Name*"

Darn, If you are pulling from /JSSResrouce/computers the data comes in as a nested object in computers.applications.application and I have been having a hard time wrangling this.

@ddcdennisb Just curious, where did you get those funky colour themes for Splunk?

@txhaflaire are you talking about the colors used for the Numbered items like these?

@ddcdennisb Exactly and can you share the query you use for the active within 30 days and inactive for 90+ days ?

@txhaflaire For the colors, Its a single Value Visualization. When you looking at the format for it, you can Set colors for the values.

For the Active 30 Days and Inactive 90+, I have smart groups that are part of my Advanced search that Splunk reads its data from. So the search is like this:

index=app sourcetype=JamfModularInput computer.Computer_Group.Computer_Group_Membership.Group!="Out of Contact 30+"|rare limit=20000 "computer.name" | stats sum(count)

and

index=app sourcetype=JamfModularInput computer.Computer_Group.Computer_Group_Membership.Group="Out of Contact 90+" | rare limit=20000 computer.name | stats sum(count)

Here is one that I have been working on that is still growing. I'm using PowerBI for the reports using the published Jamf Pro PowerBI connector.

This search time regex worked for me for pulling the version of an application:

| rex "<Available_Update>Google Chrome.app</Available_Update><Application_Version>(?<Ex_Chrome_Version>[^<]*)"

Basically says look for this string about Google Chrome, then grab everything after the "Application_Version" until you see a less than sign (which denotes the beginning of the end tag for "Application_Version"). Hop this helps you all in extracting versions.

@bejohnson That looks great! I haven't even looked at using Splunk in my environment, but, the dashboard you have looks like something that would put permanent ear-to-ear grins on my Management.

Does anyone have any links to detailed instructions on how to install, configure, and, setup Splunk/dashboards? I would greatly appreciate it. Thanks!

@bcbackes You're in luck!
Jamf & Splunk - Blog Post
Jamf & Splunk - Video Series
Jamf & Splunk - Technical Paper

Thank you @jamf_sam! I'm certainly going to look into it.

@ddcdennisb Ah check! can you show screenshots of the Jamf Pro side, as i can't select in an Advanced Search to export the Computer Group, i can but only under the tab "Export Only".

Or did you create an particular Advanced Search with computers member of that group and create an new modular input in Splunk?

@txhaflaire For my advanced search I used the "Export Only" checkbox for Computer Group. When Splunk pulls the data, the groups are in there.

One of our dashboards... with redactions

These are some great dashboards. @bejohnson , I see you're tracking frequency of Kernel Panics. How often is JAMF collecting inventory from your machines? weekly?

@mgshepherd A python script is used as an Extension Attribute result so the output is due to the averaging of results in the script.

@bejohnson What does your EA look like?

I also would be interested in the EA if you can share since we would like to track KPs as well.

@jmahlman This was implemented by @jhbush before I was here. He made a comment in this post https://www.jamf.com/jamf-nation/discussions/23976/kernal-panic-reporting

@bejohnson mind sharing how you configured that dashboard with PowerBI?

@evaldes We just published a Power BI segment in our Jamf Pro Reporting Solution series on YouTube.

Here is a link to Part 1 for Power BI.
You can see an overview of all our reporting solution videos here.

@jamf_sam thanks! I was in the web series at 6am lol... it sparked my interest doing the Reporting, and yeah I have been building the dashboard from scratch lately, and I'm no expert but having fun with this...

Right on, thanks for joining @evaldes and we're excited to see what you come up with!

We are currently looking into Splunk and seen how we might can use it.
We made a API check against /JSSResources/computers as in there learning videos.

I have seen @DBrowning did a lookup against group memberships. I wonder how/if this is working for the API lookup they do as well or is is more wise to create a new Source that uses a Search with the fields displaying we want?

Thanks

There's a more verbose version of Jamf's Splunk Integration Guide available on Github. It goes into things like integrating data from multiple sources and more step by step on building searches than we wanted in the product documentation. And lots more screen-shots. :)

There are also some scripts there to pull things like mdm command history and application usage data that need some transformations that we haven't yet built into the standard plugin, and complete dashboards you can download as source code that you can just copy-paste into your Splunk. We'd love to see others share their dashboard code as well.

For those using PowerBI, this non-Jamf Blog is very helpful.

With Power Bi, has anyone found a way of filtering the results of last check in date so that it just highlights everything that hasn't checked in in greater than a certain period of time, such as hasn't checked in for more than 2 weeks?

Hi,

Just started getting a Power BI dashboard together and its going pretty well.

Just wondered if anyone can help with one dashboard we really want to view.

I have 2 smart groups, one to show devices in the office and one to show devices out of office (WFH).
I want this to tick along daily/monthly showing a nice line graph of the change in numbers each day. So along the bottom of the graph would be the date and then device count up the side.
I cant for the life of me find a date field so this is impossible without it?!?! Any ideas?

@AndrewShooter , you could set a "Active" column where it is True/False and then have where you have a slicer with the Active values and when someone interacts with it you can change the interaction from Filter to Highlight(I think that's the name) and it should highlight the items instead on that specific visual.