https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107218#M183339 <P>Whether or not there is benefit in integrating, primarily has to do with how vested you are in the use of qradar but also in how you want to use your data. The possibility for use cases, beyond what qradar can reasonably handle, is huge in Splunk. Of course, I'm speaking of the core capabilities of Splunk and not just ES.</P> <P>Splunk is a platform and it does not require that your data be fully parsed when it is indexed, so unlike database driven SIEMs, data can be parsed at search-time, to accommodate different use cases. In addition, data not relevant in a SIEM can be utilized in Splunk.</P> Wed, 21 Aug 2013 15:13:28 GMT sbrant_splunk 2013-08-21T15:13:28Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107213#M183334 <P>Hello, <BR /> I am interested in examples of integration of Splunk as data source to QRadar.<BR /> May be somebody has any? What kind of data, in what format and what way have you sent to Qradar?<BR /> Is it a complicated process?</P> <P>Thanks for any advice!</P> Fri, 26 Jul 2013 07:12:31 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107213#M183334 andrey2007 2013-07-26T07:12:31Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107214#M183335 <P>any luck on this one?</P> Tue, 20 Aug 2013 18:46:17 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107214#M183335 jaoui 2013-08-20T18:46:17Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107215#M183336 <P>to my sorry, no(</P> Wed, 21 Aug 2013 06:53:01 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107215#M183336 andrey2007 2013-08-21T06:53:01Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107216#M183337 <P>This depends on what sort of integration you have in mind. If you simply would like to forward data from Splunk to QRadar, then you have a number of options. </P> <P>I'm not familiar with QRadar's method of data ingestion but I suspect it accepts syslog data, so that would be one (probably the easiest) option. There are a number of ways to send the syslog. It could be cloned and sent at the same time that Splunk indexes it, raw. You could also setup a real-time search and send (as syslog) the results of the search, using the <A href="http://apps.splunk.com/app/1009">Splunk Real-Time Output app</A>.</P> Wed, 21 Aug 2013 07:24:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107216#M183337 sbrant_splunk 2013-08-21T07:24:41Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107217#M183338 <P>Certainly now your answer is the most complete but i am interesting in use cases. As i know Qradar and splunk ES are quite equal products(SIEMs) and have the same reports. That is why it is interesting for me to know is any profit from such kind of integration.</P> Wed, 21 Aug 2013 07:38:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107217#M183338 andrey2007 2013-08-21T07:38:22Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107218#M183339 <P>Whether or not there is benefit in integrating, primarily has to do with how vested you are in the use of qradar but also in how you want to use your data. The possibility for use cases, beyond what qradar can reasonably handle, is huge in Splunk. Of course, I'm speaking of the core capabilities of Splunk and not just ES.</P> <P>Splunk is a platform and it does not require that your data be fully parsed when it is indexed, so unlike database driven SIEMs, data can be parsed at search-time, to accommodate different use cases. In addition, data not relevant in a SIEM can be utilized in Splunk.</P> Wed, 21 Aug 2013 15:13:28 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107218#M183339 sbrant_splunk 2013-08-21T15:13:28Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107219#M183340 <P>I downvoted this post because app is no longer there</P> Wed, 27 Jul 2016 14:33:34 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107219#M183340 kefoster 2016-07-27T14:33:34Z https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107220#M183341 <P>As stated, the Splunk real-time output app is no longer available. Here is the official guidance for forwarding data to another system: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd</A></P> Thu, 28 Jul 2016 15:13:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-and-QRadar-integration/m-p/107220#M183341 sbrant_splunk 2016-07-28T15:13:24Z