Show off your reporting dashboard!

jamf_sam
Contributor

Jamf Pro has built-in dashboards, but many admins want the flexibility of Business Intelligence (BI) or reporting tools. JNUC 2019 introduced integrations with some of the most popular tools. We have been hard at work creating resources to help you get the most out of your data, and now we want to see your dashboard!

If you have a great dashboard to share, please post it here! If you have tips or tricks that helped you build it, share it with your fellow admins. Remember to sanitize any sensitive data before posting.

Integrating Jamf with Splunk


Kelli_Conlin
New Contributor

This is an example dashboard that I use for Jamf Protect with Splunk! I know that using Splunk as a SIEM is a standard for most SOCs and the data was easy to search and create visualizations. Really looking forward to seeing others' dashboards for inspiration!

DBrowning
Valued Contributor

Here are some we use.

pazdak
New Contributor II

Mind sharing the search string that split off the App Versions from the app?

DBrowning
Valued Contributor

Assuming you have the Jamf Splunk plugin installed. We have an Extension Attribute to pull versions of the apps we care about. Those EAs are listed in the advanced search that Splunk reads. Then it's a pretty simple search:

index=name sourcetype=JamfModularInput | rare limit=20000 "computer.*EA_Name*"

pazdak
New Contributor II

Darn, if you are pulling from /JSSResource/computers the data comes in as a nested object in computers.applications.application and I have been having a hard time wrangling this.

ThijsX
Valued Contributor

@ddcdennisb Just curious, where did you get those funky colour themes for Splunk?

DBrowning
Valued Contributor

@txhaflaire Are you talking about the colors used for the numbered items like these?

ThijsX
Valued Contributor

@ddcdennisb Exactly, and can you share the query you use for the active within 30 days and inactive for 90+ days?

DBrowning
Valued Contributor

@txhaflaire For the colors, it's a Single Value visualization. When you're looking at the format for it, you can set colors for the values.

For the Active 30 Days and Inactive 90+, I have smart groups that are part of my Advanced search that Splunk reads its data from. So the search is like this:

index=app sourcetype=JamfModularInput computer.Computer_Group.Computer_Group_Membership.Group!="Out of Contact 30+"|rare limit=20000 "computer.name" | stats sum(count)

and

index=app sourcetype=JamfModularInput computer.Computer_Group.Computer_Group_Membership.Group="Out of Contact 90+" | rare limit=20000 computer.name | stats sum(count)

bejohnson
New Contributor II

Here is one that I have been working on that is still growing. I'm using PowerBI for the reports using the published Jamf Pro PowerBI connector.

Is this available as a template?

msevcik
New Contributor

This search time regex worked for me for pulling the version of an application:

| rex "<Available_Update>Google Chrome.app</Available_Update><Application_Version>(?<Ex_Chrome_Version>[^<]*)"

Basically says look for this string about Google Chrome, then grab everything after the "Application_Version" until you see a less-than sign (which denotes the beginning of the end tag for "Application_Version"). Hope this helps you all in extracting versions.
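
The extraction described in the post above, as an added Python example that is not part of the original thread. Python spells named groups `(?P<name>...)` where Splunk's `rex` accepts `(?<name>...)`; the sample event is constructed and the function names are hypothetical.

```python
import re

# Constructed sample event (not real inventory data). It assumes each app is
# reported as an adjacent <Available_Update>/<Application_Version> tag pair,
# which is the layout the rex pattern in the post relies on.
SAMPLE_EVENT = (
    "<computer><name>mac-001</name>"
    "<Available_Update>Google Chrome.app</Available_Update>"
    "<Application_Version>80.0.3987.149</Application_Version>"
    "<Available_Update>Google Chrome Canary.app</Available_Update>"
    "<Application_Version>83.0.4100.0</Application_Version>"
    "<Available_Update>Firefox.app</Available_Update>"
    "<Application_Version></Application_Version>"
    "</computer>"
)

# Same shape as the post's pattern, with the app name captured as well.
PAIR = re.compile(
    r"<Available_Update>(?P<app>[^<]*)</Available_Update>"
    r"<Application_Version>(?P<version>[^<]*)"
)


def extract_version(event, app_name):
    """Version for one app; "" if the tag is empty, None if the app is absent."""
    # re.escape keeps the "." in "Chrome.app" literal; the closing tag after the
    # name stops "Google Chrome.app" from matching "Google Chrome Canary.app".
    pattern = (
        "<Available_Update>" + re.escape(app_name) + "</Available_Update>"
        "<Application_Version>(?P<version>[^<]*)"
    )
    match = re.search(pattern, event)
    return match.group("version") if match else None


def extract_all(event):
    """Map every reported app name to its version string."""
    return {m.group("app"): m.group("version") for m in PAIR.finditer(event)}


if __name__ == "__main__":
    for app, version in extract_all(SAMPLE_EVENT).items():
        print(f"{app}: {version or '(no version reported)'}")
```

An empty string and `None` are kept distinct so a dashboard can tell "app present, version missing" apart from "app not installed".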

bcbackes
Contributor

@bejohnson That looks great! I haven't even looked at using Splunk in my environment, but, the dashboard you have looks like something that would put permanent ear-to-ear grins on my Management.

Does anyone have any links to detailed instructions on how to install, configure, and set up Splunk/dashboards? I would greatly appreciate it. Thanks!

bcbackes
Contributor

Thank you @jamf_sam! I'm certainly going to look into it.

ThijsX
Valued Contributor

@ddcdennisb Ah check! Can you show screenshots of the Jamf Pro side, as I can't select in an Advanced Search to export the Computer Group; I can, but only under the tab "Export Only".

Or did you create a particular Advanced Search with computers that are members of that group and create a new modular input in Splunk?

DBrowning
Valued Contributor

@txhaflaire For my advanced search I used the "Export Only" checkbox for Computer Group. When Splunk pulls the data, the groups are in there.


lisacherie
Contributor II

One of our dashboards... with redactions


mgshepherd
Contributor

These are some great dashboards. @bejohnson, I see you're tracking frequency of Kernel Panics. How often is JAMF collecting inventory from your machines? Weekly?

bejohnson
New Contributor II

@mgshepherd A python script is used as an Extension Attribute result so the output is due to the averaging of results in the script.

jmahlman
Valued Contributor

@bejohnson What does your EA look like?

cybertunnel
New Contributor II

I also would be interested in the EA if you can share since we would like to track KPs as well.

bejohnson
New Contributor II

@jmahlman This was implemented by @jhbush before I was here. He made a comment in this post https://www.jamf.com/jamf-nation/discussions/23976/kernal-panic-reporting

evaldes
New Contributor III

@bejohnson mind sharing how you configured that dashboard with PowerBI?

jamf_sam
Contributor

@evaldes We just published a Power BI segment in our Jamf Pro Reporting Solution series on YouTube.

Here is a link to Part 1 for Power BI.
You can see an overview of all our reporting solution videos here.

evaldes
New Contributor III

@jamf_sam thanks! I was in the web series at 6am lol... it sparked my interest doing the Reporting, and yeah I have been building the dashboard from scratch lately, and I'm no expert but having fun with this...

jamf_sam
Contributor

Right on, thanks for joining @evaldes and we're excited to see what you come up with!

maik_sanftenber
Contributor II

We are currently looking into Splunk and seeing how we might use it.
We made an API check against /JSSResources/computers as in their learning videos.

I have seen @DBrowning did a lookup against group memberships. I wonder how/if this is working for the API lookup they do as well, or is it more wise to create a new Source that uses a Search displaying the fields we want?

Thanks

oliver
New Contributor II

There's a more verbose version of Jamf's Splunk Integration Guide available on GitHub. It goes into things like integrating data from multiple sources and more step by step on building searches than we wanted in the product documentation. And lots more screenshots. 🙂

There are also some scripts there to pull things like mdm command history and application usage data that need some transformations that we haven't yet built into the standard plugin, and complete dashboards you can download as source code that you can just copy-paste into your Splunk. We'd love to see others share their dashboard code as well.

For those using PowerBI, this non-Jamf Blog is very helpful.

AndrewShooter
New Contributor

With Power BI, has anyone found a way of filtering the results of last check-in date so that it just highlights everything that hasn't checked in for longer than a certain period of time, such as hasn't checked in for more than 2 weeks?

perryd84
Contributor

Hi,

Just started getting a Power BI dashboard together and it's going pretty well.

Just wondered if anyone can help with one dashboard we really want to view.

I have 2 smart groups, one to show devices in the office and one to show devices out of office (WFH).
I want this to tick along daily/monthly showing a nice line graph of the change in numbers each day. So along the bottom of the graph would be the date and then device count up the side.
I can't for the life of me find a date field so this is impossible without it?!?! Any ideas?

cybertunnel
New Contributor II

@AndrewShooter, you could set an "Active" column where it is True/False and then have a slicer with the Active values, and when someone interacts with it you can change the interaction from Filter to Highlight (I think that's the name) and it should highlight the items instead on that specific visual.

cybertunnel
New Contributor II

@perryd84 Are you referring to the Check-In, or looking for the actual number of devices? If the latter, then you might want to run a scheduled task that updates either a CSV or another storage method where Power BI could pull the data from.

perryd84
Contributor

Thanks @cybertunnel, I'm now pulling the info from the JAMF API to a CSV which is stored in SharePoint which is attached to Power BI. Working a treat! Thanks for the tip!!

Tangentism
Contributor II

Those who use Splunk for reporting, what is it that you gain that can't be accessed on the Jamf interface?

oliver
New Contributor II

Tangentism, please see this doc and Lisa/Kevin's JNUC 2020 Splunk presentation for some examples. There are some example dashboards in the same repo as the pdf doc. If you scroll up in this thread there are some super slick d-boards from DBrowning and LisaCherie. But you might go at this from a different angle... think about what issues your device management program is being asked to address and how data and visualizations might be used to provide meaningful insights or active monitoring. Then go from there.

BurroHen
New Contributor II

For those using Splunk, are you using the free version (with the 500MB limit) or a paid tier? Thanks!

maik_sanftenber
Contributor II

I wonder if @DBrowning might be able to help.
I would be interested to know how to get the percentage for example for OS versions like 10.14 into my Dashboard?
I had been able to get the numbers out of a query but would like to understand how I can add the percentage.

DBrowning
Valued Contributor

@maik.sanftenberg Here is the code that I'm using in one of my examples above.

    <panel>
      <title>Clients on 10.15 (Catalina)</title>
      <single>
        <title>Total</title>
        <search>
          <done>
            <set token="tokCatalinaCount">$result.sum(count)$</set>
          </done>
          <query>index=cai_app sourcetype=JamfModularInput computer.Computer_Group.Computer_Group_Membership.Group="Macs on 10.15" | rare limit=20000 computer.name | stats sum(count)</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">178</option>
        <option name="rangeColors">["0x006d9c","0x006d9c","0x006d9c","0x006d9c","0x53a051"]</option>
        <option name="rangeValues">[0,750,1500,2250]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Clients on 10.15 Catalina</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
      <single>
        <title>Percentage</title>
        <search>
          <query>| makeresults | eval Total=$tokTotalCount$, Catalina=$tokCatalinaCount$ | eval percent=round((Catalina/Total)*100,2) | table percent</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>60m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="height">171</option>
        <option name="numberPrecision">0.00</option>
        <option name="rangeColors">["0x006d9c","0x006d9c","0x006d9c","0x006d9c","0x53a051"]</option>
        <option name="rangeValues">[0,25,50,75]</option>
        <option name="refresh.display">progressbar</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>