https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534729#M9616 <P>Splunk has an entire Professional Services practice for this so it's not something that is easily summarized in a forum posting.&nbsp; That's also why documentation is hard to come by.</P><P>You'll want the Splunk Enterprise Security app.&nbsp; It's a premium product (extra cost), but is what Splunk offers as a SIEM.&nbsp; Replacing ArcSight with core Splunk is likely to lead to disappointing results.</P><P>The first step in the transition is to install Splunk and start sending your data to it.&nbsp; You should be able to send the data to both ArcSight and Splunk simultaneously.</P><P>Next, you'll need to map your ArcSight rules to Splunk searches.&nbsp; Run the searches and compare the results to those reached by ArcSight.&nbsp; Adjust the searches until you get the desired results.</P><P>Use ArcSight and Splunk side-by-side for a while to confirm Splunk is acting as expected.&nbsp; Once you're confident in it, shut down ArcSight.</P> Mon, 04 Jan 2021 18:32:00 GMT richgalloway 2021-01-04T18:32:00Z https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534727#M9615 <P><SPAN>Looking for new resources to transition from ArcSight to Splunk please. The resources found on Micro Focus site are very old. Links &amp; docs are much appreciated. If you have done this before any Do's &amp; Don't are welcomed. Thank u</SPAN></P> Mon, 04 Jan 2021 17:39:33 GMT https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534727#M9615 SamHTexas 2021-01-04T17:39:33Z https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534729#M9616 <P>Splunk has an entire Professional Services practice for this so it's not something that is easily summarized in a forum posting.&nbsp; That's also why documentation is hard to come by.</P><P>You'll want the Splunk Enterprise Security app.&nbsp; It's a premium product (extra cost), but is what Splunk offers as a SIEM.&nbsp; Replacing ArcSight with core Splunk is likely to lead to disappointing results.</P><P>The first step in the transition is to install Splunk and start sending your data to it.&nbsp; You should be able to send the data to both ArcSight and Splunk simultaneously.</P><P>Next, you'll need to map your ArcSight rules to Splunk searches.&nbsp; Run the searches and compare the results to those reached by ArcSight.&nbsp; Adjust the searches until you get the desired results.</P><P>Use ArcSight and Splunk side-by-side for a while to confirm Splunk is acting as expected.&nbsp; Once you're confident in it, shut down ArcSight.</P> Mon, 04 Jan 2021 18:32:00 GMT https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534729#M9616 richgalloway 2021-01-04T18:32:00Z https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534745#M9617 <P>I appreciate your response &amp; Thank you for your time. I have a couple of questions&nbsp;</P><P>What role does the Splunk Ent. Security app has with such transition?</P><P>Would you elaborate on mapping Arcsight rules to Splunk searches a bit &amp; where such instructions are found.</P><P>Thanks again</P> Tue, 05 Jan 2021 02:08:05 GMT https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534745#M9617 SamHTexas 2021-01-05T02:08:05Z https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534812#M9618 <P>Splunk Enterprise Security is Splunk's SIEM product.&nbsp; It is the replacement for ArcSight.</P><P>I'm not aware of any instructions for mapping ArcSight rules to Splunk searches.&nbsp; It's probably a tedious manual process of looking at each ArcSight rule and then looking at each Splunk search to see which is a good match.&nbsp; If a match is not found then write an equivalent Splunk search.</P> Tue, 05 Jan 2021 15:15:46 GMT https://community.splunk.com/t5/Splunk-Dev/Arcsight-2-Splunk-Transition/m-p/534812#M9618 richgalloway 2021-01-05T15:15:46Z