Splunk Jamf Integration

pazdak
New Contributor II

Jamf published to Splunkbase an integration that allows you to connect your Jamf data inside your Splunk Enterprise. You can find the details here.

We can share the visuals we make by copy-pasting our strings. For instance, to make the attached map of your computer devices:

host = "*" | iplocation computer.general.ip_address | geostats latfield=lat longfield=lon count


4 REPLIES

msevcik
New Contributor

Hello, it appears that the JAMF Pro Add-On is having a little trouble writing the API call results to Splunk. Here is what I'm seeing in the Add-On logs. Is there anything I can do to get this to work?

2020-05-01 14:37:37,170 ERROR pid=17957 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf.py", line 92, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/input_module_jamf.py", line 245, in collect_events
    tree = ElementTree.fromstring(response.content)
  File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1311, in XML
    parser.feed(text)
  File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1659, in feed
    self._raiseerror(v)
  File "/opt/splunk/lib/python2.7/xml/etree/ElementTree.py", line 1523, in _raiseerror
    raise err
ParseError: mismatched tag: line 10, column 2

pazdak
New Contributor II

What version of our integration and Splunk are you running? There is probably just a mismatch of Python versions. It looks like the above is using version 2.7 instead of 3.7.

Let me know what version of Splunk you are running and I can get you the right sub version.

nmalhotr
New Contributor

Hello,
Even I am getting an error for Splunk collecting events. But this error is a bit different from what OP posted. I seem to be getting a connection aborted error. In Splunk search, I see this error "Error><error>API Error Request Exception</error></Error>"
I am able to telnet from my splunk instance to the JAMF host on 8443 so not sure what this connection error is about.
Any help is appreciated.

2020-06-23 14:43:03,855 INFO pid=14518 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-06-23 14:43:04,436 INFO pid=14518 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-06-23 14:43:05,485 INFO pid=14518 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2020-06-23 14:43:05,600 ERROR pid=14518 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf.py", line 92, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/input_module_jamf.py", line 245, in collect_events
    response = requests.get(jss_url, auth=(username, password), headers={'Accept': 'application/xml'},verify=False)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/JAMF-Pro-addon-for-splunk/bin/jamf_pro_addon_for_splunk/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))

pazdak
New Contributor II

This usually comes in if there is a problem with any of the connections. Unfortunately, there isn't a retry feature built in. So if any of the API calls fails, the whole set will fail.

You can open up a ticket on the GitHub page and it may get addressed.

https://github.com/jamf/SplunkBase
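
An added example, not the add-on's own code, of how a collector can survive the two failures in this thread: it retries a reset connection with backoff, validates each reply before handing it to ElementTree, and records a failed call instead of aborting the whole set. The `fetch` callable, the function names and the `jamf.example` URLs are assumptions made for illustration.

```python
import time
import xml.etree.ElementTree as ET

class CollectError(Exception):
    """One API call could not be turned into parsed XML."""

def parse_reply(status, content_type, body):
    # Validate before parsing: an HTML error page or a truncated body is
    # what surfaces as "ParseError: mismatched tag" inside ElementTree.
    if status != 200:
        raise CollectError("HTTP %d" % status)
    if "xml" not in content_type.lower():
        raise CollectError("unexpected Content-Type %r" % content_type)
    try:
        return ET.fromstring(body)
    except ET.ParseError as exc:
        raise CollectError("malformed XML: %s" % exc)

def fetch_with_retry(fetch, url, attempts=3, backoff=0.5, sleep=time.sleep):
    # `fetch` is a hypothetical callable returning (status, content_type, body).
    # A real one should keep TLS verification on (the traceback above shows
    # verify=False) and, with requests, catch requests.exceptions.ConnectionError.
    for attempt in range(1, attempts + 1):
        try:
            return parse_reply(*fetch(url))
        except ConnectionError as exc:  # e.g. errno 104, reset by peer
            if attempt == attempts:
                raise CollectError("gave up after %d attempts: %s" % (attempts, exc))
            sleep(backoff * 2 ** (attempt - 1))  # 0.5 s, 1 s, 2 s, ...

def collect_all(fetch, urls, **retry_opts):
    # One bad endpoint is recorded and skipped instead of failing the set.
    trees, failures = {}, {}
    for url in urls:
        try:
            trees[url] = fetch_with_retry(fetch, url, **retry_opts)
        except CollectError as exc:
            failures[url] = str(exc)
    return trees, failures

def make_fake_fetch():
    # Constructed replies for an offline run; not real Jamf output.
    resets = {"left": 2}  # the first two calls to /computers are reset
    def fetch(url):
        if url.endswith("/computers"):
            if resets["left"] > 0:
                resets["left"] -= 1
                raise ConnectionResetError(104, "Connection reset by peer")
            return 200, "application/xml", b"<computers><size>1</size></computers>"
        return 200, "text/html", b"<html><body><p>Login</body></html>"
    return fetch
```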