Splunk Integration
When Splunk upload is enabled, Pulse Endpoint sends all collected metrics to your Splunk instance via HTTP Event Collector. This allows you to build dashboards, run queries, and correlate Mac telemetry with other data sources.
Dashboard Starter Pack
Pre-built Splunk dashboard with fleet overview, CPU/memory trends, process analytics, alert correlation, and more.
index=main to match your index if differentDashboard uses index=main and sourcetype="macos:pulse" by default
Event Types
Pulse Endpoint sends three types of events to Splunk, each at its own interval:
System telemetry collected every interval (default 30s). Contains CPU, memory, disk, network, GPU, power, process, and host data.
event_type: "watched_process"Per-process tracking for watched processes. Sent as separate events so you can monitor specific apps across your fleet.
event_type: "alert"Fired when CPU or memory pressure thresholds are exceeded for a sustained duration. Includes the threshold, current value, and top processes at time of alert.
Metrics Event Fields
Every metrics event includes timestamp and hostname at the top level, plus the following nested objects.
CPU
| Field | Type | Description |
|---|---|---|
| cpu.load_1m | Double | Load average — 1 minute |
| cpu.load_5m | Double | Load average — 5 minutes |
| cpu.load_15m | Double | Load average — 15 minutes |
| cpu.cpu_count | Int | Number of logical CPU cores |
| cpu.load_percent | Double | Overall CPU load as a percentage |
| cpu.cpu_user | Double | User-space CPU % |
| cpu.cpu_sys | Double | System (kernel) CPU % |
| cpu.cpu_idle | Double | Idle CPU % |
| cpu.thermal_throttle | Bool | Whether CPU is being thermally throttled |
| cpu.thermal_state | String | Thermal state name (nominal, fair, serious, critical) |
| cpu.thermal_level | Int | Thermal pressure level (0–3) |
Memory
| Field | Type | Description |
|---|---|---|
| memory.mem_total_mb | Double | Total physical memory (MB) |
| memory.mem_free_mb | Double | Available memory (MB) |
| memory.mem_active_mb | Double | Active memory (MB) |
| memory.mem_inactive_mb | Double | Inactive memory (MB) |
| memory.mem_wired_mb | Double | Wired (non-purgeable) memory (MB) |
| memory.mem_compressed_mb | Double | Compressed memory (MB) |
| memory.memory_pressure_level | Int | Pressure level: 1 = normal, 2 = warning, 4 = critical |
| memory.memory_pressure | String | Pressure level as a string (normal, warning, critical) |
| memory.pageins | Int | Page-in count (delta since last collection) |
| memory.pageouts | Int | Page-out count (delta) |
| memory.swapins | Int | Swap-in count (delta) |
| memory.swapouts | Int | Swap-out count (delta) |
| memory.swap_total_mb | Double | Total swap space (MB) |
| memory.swap_used_mb | Double | Used swap (MB) |
| memory.swap_free_mb | Double | Free swap (MB) |
Disk
| Field | Type | Description |
|---|---|---|
| disk.disk_total_gb | Double | Total disk capacity (GB) |
| disk.disk_used_gb | Double | Used disk space (GB) |
| disk.disk_free_gb | Double | Free disk space (GB) |
| disk.disk_percent_used | Int | Disk usage percentage |
| disk.disk_kb_read_sec | Double | Disk read throughput (KB/s) |
| disk.disk_kb_write_sec | Double | Disk write throughput (KB/s) |
| disk.disk_transfers_sec | Double | Disk I/O operations per second |
Network
| Field | Type | Description |
|---|---|---|
| network.interface | String | Active network interface name (e.g., en0) |
| network.net_packets_in | Int | Inbound packets (delta) |
| network.net_packets_out | Int | Outbound packets (delta) |
| network.net_bytes_in | Int | Inbound bytes (delta) |
| network.net_bytes_out | Int | Outbound bytes (delta) |
| network.net_errors_in | Int | Inbound errors (delta) |
| network.net_errors_out | Int | Outbound errors (delta) |
| network.internet_connected | Bool | Whether the host has internet connectivity |
GPU
| Field | Type | Description |
|---|---|---|
| gpu.gpu_model | String | GPU model name |
| gpu.gpu_core_count | Int | Number of GPU cores |
| gpu.gpu_utilization_percent | Int | Overall GPU device utilization % |
| gpu.gpu_renderer_percent | Int | GPU renderer utilization % |
| gpu.gpu_tiler_percent | Int | GPU tiler utilization % |
| gpu.gpu_memory_in_use_bytes | Int64 | GPU memory currently in use (bytes) |
| gpu.gpu_memory_allocated_bytes | Int64 | GPU memory allocated (bytes) |
| gpu.top_gpu_processes[] | Array | Top processes by GPU time — each with pid, name, gpu_time_ns |
Power
| Field | Type | Description |
|---|---|---|
| power.on_battery | Bool | Running on battery |
| power.on_ac | Bool | Connected to AC power |
| power.battery_percent | Int | Battery charge level (%) |
| power.battery_state | String | Battery state (charging, discharging, charged, etc.) |
| power.prevent_sleep_assertions | Int | Number of active sleep prevention assertions |
Top Processes
Each metrics event includes the top 5 processes by CPU, memory, network, and disk I/O. Process lists are nested under processes.
| Field | Type | Description |
|---|---|---|
| processes.process_count | Int | Total number of running processes |
| processes.top_cpu_processes[] | Array | Top 5 by CPU — each with pid, ppid, name, cpu_percent |
| processes.top_mem_processes[] | Array | Top 5 by memory — each with pid, ppid, name, memory_mb |
| processes.top_net_processes[] | Array | Top 5 by network — each with pid, name, bytes_in, bytes_out |
| processes.top_disk_processes[] | Array | Top 5 by disk I/O — each with pid, name, read_bytes_per_sec, write_bytes_per_sec |
System / Host Info
Host identification fields for fleet-wide queries, nested under system.
| Field | Type | Description |
|---|---|---|
| system.macos_version | String | macOS version (e.g., 15.3.1) |
| system.hardware_model | String | Hardware model identifier (e.g., Mac16,1) |
| system.cpu_brand | String | CPU name (e.g., Apple M4 Pro) |
| system.chip_description | String | Full chip description with core counts |
| system.performance_cores | Int | Number of performance cores |
| system.efficiency_cores | Int | Number of efficiency cores |
| system.gpu_cores | Int | Number of GPU cores |
| system.console_user | String | Currently logged-in user |
| system.uptime_seconds | Int | System uptime in seconds |
| system.uptime_hours | Double | System uptime in hours |
Watched Process Events
When you configure watched processes (via the menu bar or MDM), Pulse Endpoint sends a separate event for each watched process with event_type: "watched_process". This lets you track specific apps across your fleet.
Watched Process Fields
| Field | Type | Description |
|---|---|---|
| event_type | String | Always "watched_process" |
| watched.process_pattern | String | The process name pattern being watched |
| watched.process_count | Int | Number of matching running instances |
| watched.cpu_percent | Double | Combined CPU % of all matching processes |
| watched.memory_mb | Double | Combined memory (MB) of all matching processes |
| watched.network_bytes_in | Int64 | Combined inbound bytes (delta) |
| watched.network_bytes_out | Int64 | Combined outbound bytes (delta) |
| watched.disk_read_bytes_per_sec | Double | Combined disk read (bytes/s) |
| watched.disk_write_bytes_per_sec | Double | Combined disk write (bytes/s) |
Alert Events
When CPU or memory pressure thresholds are exceeded for a sustained duration, a separate alert event is logged with event_type: "alert".
Alert Fields
| Field | Type | Description |
|---|---|---|
| event_type | String | Always "alert" |
| alert.type | String | Alert type (cpu, memory_pressure) |
| alert.message | String | Human-readable alert message |
| alert.value | String | Current value that triggered the alert |
| alert.threshold | String | Configured threshold that was exceeded |
| alert.topCPUProcesses[] | Array | Top CPU processes at time of alert |
| alert.topMemoryProcesses[] | Array | Top memory processes at time of alert |
HEC Endpoint Setup
Pulse Endpoint sends metrics in JSON format using Splunk's HEC event endpoint. Your endpoint URL must point to the JSON collector:
Do not use the raw endpoint (/services/collector/raw) — Pulse Endpoint sends structured JSON events, not raw text. Also ensure there is no trailing slash in the URL, as this will cause a 404 error.
uploadEnabledOptionally enable uploading metrics to Splunk via HTTP Event Collector. Requires hecEndpoint and hecToken to be configured.
false<key>uploadEnabled</key>
<true/>hecEndpointFull URL to your Splunk HTTP Event Collector JSON endpoint. Use /services/collector or /services/collector/event. Do not use the raw endpoint or include a trailing slash.
""<key>hecEndpoint</key>
<string>https://splunk.example.com:8088/services/collector/event</string>hecTokenAuthentication token for the Splunk HTTP Event Collector. Generated in Splunk under Settings > Data Inputs > HTTP Event Collector.
""<key>hecToken</key>
<string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>splunkIndexTarget Splunk index for metric events. The HEC token must have permission to write to this index.
main<key>splunkIndex</key>
<string>macos_metrics</string>sourcetypeSplunk sourcetype assigned to uploaded events. Useful for parsing and searching.
macos:pulse<key>sourcetype</key>
<string>pulse:metrics</string>verifySSLValidate the SSL certificate of the Splunk server. Disable for self-signed certificates or environments where the HEC port uses an internal CA (e.g., Splunk Cloud trial instances, on-prem Splunk with default certificates).
true<key>verifySSL</key>
<false/>uploadIntervalMinutesHow often to upload stored metrics to Splunk, in minutes.
5<key>uploadIntervalMinutes</key>
<integer>1</integer>