Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Arcsight 2 Splunk Transition

SamHTexas
Builder
‎01-04-2021 09:39 AM

Looking for new resources to transition from ArcSight to Splunk please. The resources found on Micro Focus site are very old. Links & docs are much appreciated. If you have done this before any Do's & Don't are welcomed. Thank u

Labels (1)
Labels
0 Karma
Reply

SamHTexas
Builder
‎01-04-2021 06:08 PM

I appreciate your response & Thank you for your time. I have a couple of questions 

What role does the Splunk Ent. Security app has with such transition?

Would you elaborate on mapping Arcsight rules to Splunk searches a bit & where such instructions are found.

Thanks again

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2021 07:15 AM

Splunk Enterprise Security is Splunk's SIEM product.  It is the replacement for ArcSight.

I'm not aware of any instructions for mapping ArcSight rules to Splunk searches.  It's probably a tedious manual process of looking at each ArcSight rule and then looking at each Splunk search to see which is a good match.  If a match is not found then write an equivalent Splunk search.

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-04-2021 10:32 AM

Splunk has an entire Professional Services practice for this so it's not something that is easily summarized in a forum posting.  That's also why documentation is hard to come by.

You'll want the Splunk Enterprise Security app.  It's a premium product (extra cost), but is what Splunk offers as a SIEM.  Replacing ArcSight with core Splunk is likely to lead to disappointing results.

The first step in the transition is to install Splunk and start sending your data to it.  You should be able to send the data to both ArcSight and Splunk simultaneously.

Next, you'll need to map your ArcSight rules to Splunk searches.  Run the searches and compare the results to those reached by ArcSight.  Adjust the searches until you get the desired results.

Use ArcSight and Splunk side-by-side for a while to confirm Splunk is acting as expected.  Once you're confident in it, shut down ArcSight.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...