Splunk Integration

When Splunk upload is enabled, Pulse Endpoint sends all collected metrics to your Splunk instance via the HTTP Event Collector (HEC). This allows you to build dashboards, run queries, and correlate Mac telemetry with other data sources.

Dashboard Starter Pack

Get started quickly with our pre-built Splunk dashboard featuring fleet overview, CPU/memory trends, process analytics with impact badges, alert correlation, and more.

1. Download the dashboard XML file below
2. In Splunk, go to Settings → Dashboards → Create New Dashboard
3. Click Source (top right) and paste the XML
4. Update index=main to match your index if different

The dashboard uses index=main and sourcetype="macos:pulse" by default.

What appears in Splunk

  • System metrics — CPU, memory, disk, network, GPU, and power data for each collection interval
  • Top processes — The top 5 CPU- and memory-consuming processes in each interval
  • Pinned processes — When you pin a process in the menu bar, its CPU and memory usage is tracked in a dedicated pinned_processes field, allowing you to monitor specific apps across your fleet
  • Alert events — When CPU or memory pressure alerts trigger, a separate event is logged with event_type: "alert", the threshold that was exceeded, and the processes responsible
  • Host identification — Each event includes hostname, hardware model, and macOS version for fleet-wide queries

HEC Endpoint Setup

Pulse Endpoint sends metrics in JSON format using Splunk's HEC event endpoint. Your endpoint URL must point to the JSON collector:

Valid:
https://splunk.example.com:8088/services/collector/event
https://splunk.example.com:8088/services/collector

Invalid:
https://splunk.example.com:8088/services/collector/raw
https://splunk.example.com:8088/services/collector/event/ (trailing slash)

Do not use the raw endpoint (/services/collector/raw) — Pulse Endpoint sends structured JSON events, not raw text. Also ensure there is no trailing slash in the URL, as this will cause a 404 error.

uploadEnabled
Boolean

Optionally enable uploading metrics to Splunk via HTTP Event Collector. Requires hecEndpoint and hecToken to be configured.

Default: false
Plist example:
<key>uploadEnabled</key>
<true/>


hecEndpoint
String

Full URL to your Splunk HTTP Event Collector JSON endpoint. Use /services/collector or /services/collector/event. Do not use the raw endpoint or include a trailing slash.

Default: ""
Plist example:
<key>hecEndpoint</key>
<string>https://splunk.example.com:8088/services/collector/event</string>

hecToken
String

Authentication token for the Splunk HTTP Event Collector. Generated in Splunk under Settings > Data Inputs > HTTP Event Collector.

Default: ""
Plist example:
<key>hecToken</key>
<string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>


splunkIndex
String

Target Splunk index for metric events. The HEC token must have permission to write to this index.

Default: main
Plist example:
<key>splunkIndex</key>
<string>macos_metrics</string>


sourcetype
String

Splunk sourcetype assigned to uploaded events. Useful for parsing and searching.

Default: macos:pulse
Plist example:
<key>sourcetype</key>
<string>pulse:metrics</string>

verifySSL
Boolean

Validate the SSL certificate of the Splunk server. Disable for self-signed certificates or environments where the HEC port uses an internal CA (e.g., Splunk Cloud trial instances, on-prem Splunk with default certificates).

Default: true
Plist example:
<key>verifySSL</key>
<false/>


uploadIntervalMinutes
Integer

How often to upload stored metrics to Splunk, in minutes.

Default: 5
Values: 1–60
Plist example:
<key>uploadIntervalMinutes</key>
<integer>1</integer>
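
A pre-deployment check of the settings documented above, as an added example that is not part of Pulse Endpoint. It assumes the keys sit in a flat top-level plist dict; the function names, the sample values, and the https-only rule are this example's own.

```python
import plistlib
from urllib.parse import urlsplit

# JSON collector paths the page accepts for hecEndpoint.
VALID_PATHS = {"/services/collector", "/services/collector/event"}

# Constructed sample settings; host and token are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>uploadEnabled</key><true/>
  <key>hecEndpoint</key>
  <string>https://splunk.example.com:8088/services/collector/raw</string>
  <key>hecToken</key><string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
  <key>verifySSL</key><false/>
  <key>uploadIntervalMinutes</key><integer>90</integer>
</dict></plist>"""


def check_endpoint(url):
    """Return the problems found in a hecEndpoint URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https" or not parts.hostname:
        # Requiring https is this example's policy, not a rule from the page.
        problems.append("hecEndpoint should be a full https:// URL")
    if parts.path.endswith("/"):
        problems.append("hecEndpoint has a trailing slash (HEC answers 404)")
    elif parts.path == "/services/collector/raw":
        problems.append("hecEndpoint is the raw collector; events are JSON")
    elif parts.path not in VALID_PATHS:
        problems.append(f"hecEndpoint path {parts.path!r} is not a JSON collector")
    return problems


def audit(plist_bytes):
    """Check one settings plist against the rules documented above."""
    cfg = plistlib.loads(plist_bytes)
    findings = []
    if cfg.get("uploadEnabled", False):
        findings += [f"uploadEnabled is true but {k} is empty"
                     for k in ("hecEndpoint", "hecToken") if not cfg.get(k)]
    if cfg.get("hecEndpoint"):
        findings += check_endpoint(cfg["hecEndpoint"])
    if cfg.get("verifySSL", True) is False:
        findings.append("verifySSL is false: the HEC token is sent without "
                        "verifying the server certificate")
    if not 1 <= cfg.get("uploadIntervalMinutes", 5) <= 60:
        findings.append("uploadIntervalMinutes is outside 1-60")
    return findings
```

Calling audit(SAMPLE_PLIST) reports the raw endpoint, the disabled certificate validation, and the out-of-range interval; an empty list means the settings pass every check.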