OSquery is an operating system instrumentation framework for OS X, Linux, and FreeBSD. It enables you to gather a variety of system and monitoring information.
OSquery docs: http://osquery.readthedocs.io/en/stable/
Note: I use default directory locations for Splunk and OSquery
Splunk App Installation:
Install like a standard app in the Splunk 'apps' directory on your search head(s).
Splunk Forwarder Configuration:
[monitor:///var/log/osquery/osqueryd.results.log]
sourcetype = osqueryd.results
The searches are built off of the 'osqueryd.results' sourcetype. If you'd like to use a different sourcetype, the dashboards will need to be updated. I plan to update this in the future.
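Before pointing the monitor stanza above at osqueryd.results.log, it is worth checking that the file holds what the dashboards expect: one JSON object per line, as written by osquery's filesystem logger, in either the differential shape ("columns" plus an "action" of added/removed) or the snapshot shape (a "snapshot" list). The following is an added pre-flight check, not code from this app or from osquery; the log lines, host name and pack/query names are constructed samples.

```python
import json
from collections import Counter

# Constructed sample of what osqueryd's filesystem logger writes to
# /var/log/osquery/osqueryd.results.log (one JSON object per line, plus a bad line).
SAMPLE_LOG = """\
{"name":"pack_incident-response_listening_ports","hostIdentifier":"web01","calendarTime":"Tue Jan  2 10:00:00 2018 UTC","unixTime":1514887200,"epoch":0,"counter":3,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000001"},"columns":{"pid":"1234","port":"8080","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"pack_incident-response_listening_ports","hostIdentifier":"web01","calendarTime":"Tue Jan  2 10:00:00 2018 UTC","unixTime":1514887200,"epoch":0,"counter":3,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000001"},"columns":{"pid":"987","port":"22","protocol":"6","address":"0.0.0.0"},"action":"removed"}
{"name":"osquery_info_snapshot","hostIdentifier":"web01","calendarTime":"Tue Jan  2 10:00:05 2018 UTC","unixTime":1514887205,"epoch":0,"counter":0,"decorations":{},"snapshot":[{"pid":"4321","version":"2.11.0"}],"action":"snapshot"}
this line is not json
"""

REQUIRED = ("name", "hostIdentifier", "unixTime", "action")

def parse_results_log(text):
    """Return (events, rejected): events get a 'kind' of 'differential' or
    'snapshot'; rejected is a list of (line_number, reason) for unusable lines."""
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as e:
            rejected.append((lineno, f"invalid JSON: {e.msg}"))
            continue
        missing = [k for k in REQUIRED if k not in ev]
        if missing:
            rejected.append((lineno, f"missing fields: {', '.join(missing)}"))
            continue
        if "snapshot" in ev:
            ev["kind"] = "snapshot"
        elif "columns" in ev and ev["action"] in ("added", "removed"):
            ev["kind"] = "differential"
        else:
            rejected.append((lineno, "neither differential nor snapshot result"))
            continue
        events.append(ev)
    return events, rejected

def summarize(events):
    """Count results per (query name, action), a natural split for searches."""
    return Counter((ev["name"], ev["action"]) for ev in events)

if __name__ == "__main__":
    events, rejected = parse_results_log(SAMPLE_LOG)
    for (name, action), n in sorted(summarize(events).items()):
        print(f"{name:45} {action:10} {n}")
    for lineno, reason in rejected:
        print(f"line {lineno} rejected: {reason}")
```

Run it against the real file (`parse_results_log(open('/var/log/osquery/osqueryd.results.log').read())`) and any rejected lines are events Splunk will index but the JSON-based searches will not match.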