Splunk Enterprise Security

Has anyone used Splunk Enterprise Security over Hunk?

anandhim
Path Finder

I was wondering if running Splunk Enterprise Security over Hunk in a Hunk-only or hybrid architecture is supported/recommended. Has anyone tried doing this?

One of my clients has decided on using ES, but is debating whether they should go only the Hadoop route, only Splunk Enterprise, or some kind of hybrid model with data streaming to both or aging out from Splunk Enterprise to Hunk.

Any experience/advice on this would be appreciated.

1 Solution

mdessus_splunk
Splunk Employee

Hello,

No, this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOCs, network streams...). You will miss this completely with Splunk and Hadoop, and Hadoop does not by itself include any way to collect data.

However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk), allowing you to still have access to old raw logs (ES will use the accelerated data model for performance). This is supported.


mhassan
Path Finder

In the latest release of Hunk, 6.4, there is support for Data Model Acceleration and all the commands that go with data models:
http://docs.splunk.com/Documentation/Hunk/6.4.0/Hunk/Configuredatamodelacceleration


mparks11
Path Finder

Does this mean that ES will be supported or is supported on/with Hunk? Thanks.


tvu_splunk
Splunk Employee

Just to add more color: the ES premium solution is currently not supported on Hunk because Hunk does not support data model acceleration. We definitely see hybrid use cases where you would want to use ES against real-time data in Enterprise and historical data in HDFS. DMA is on the roadmap for Hunk to support this.


anandhim
Path Finder

Thanks @mdessus for the quick response. The data in question here was only data from security devices like firewalls and proxies, but I get your point that ES can be used on the raw data in Hadoop even for that. On your second point, when old data is exported to Hadoop and Hunk is used to search over it, are you referring to the index archiving method or the Hadoop app to export data to it? Even in that case we cannot run both Hunk and ES on the same search head, right?

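For readers following the "export old data to Hadoop" path mentioned in the accepted answer and asked about in the follow-up, here is an added illustration of what the index-archiving method looks like in indexes.conf. It is not from this thread or from Splunk's own documentation; the setting names are the Hunk archive/provider settings as documented at the time, but the provider name, hostnames, ports, Java/Hadoop paths, index names, HDFS path and the 30-day threshold are all assumptions, and you should verify every key against the indexes.conf spec shipped with your Hunk version before using it.

```ini
# indexes.conf on the Hunk search head. Added example, not from the thread.
# All hostnames, paths, index names and thresholds below are placeholders.

# The provider describes the Hadoop cluster that receives the archived buckets.
[provider:hadoop-archive]
vix.family = hadoop
vix.env.HADOOP_HOME = /opt/hadoop
vix.env.JAVA_HOME = /usr/lib/jvm/java
vix.fs.default.name = hdfs://namenode.example.internal:8020
vix.mapreduce.framework.name = yarn
vix.yarn.resourcemanager.address = rm.example.internal:8032
vix.yarn.resourcemanager.scheduler.address = rm.example.internal:8030
vix.splunk.home.hdfs = /user/splunk/hunk

# The archive index copies buckets from the listed Splunk Enterprise indexes
# to HDFS once they are older than the threshold (seconds), and exposes the
# copied data as a searchable virtual index named after the stanza.
[fw_proxy_archive]
vix.provider = hadoop-archive
vix.output.buckets.from.indexes = firewall, proxy
vix.output.buckets.older.than = 2592000
vix.output.buckets.path = /user/splunk/archive/fw_proxy
```

Once the stanza is in place, the archived data is reachable from the same search head with a normal search such as index=fw_proxy_archive earliest=-1y, while fresh events keep arriving in the firewall and proxy indexes on Splunk Enterprise, which is the hybrid split the Splunk employees describe above. Two practical checks: the archived buckets land on HDFS as raw event data, so lock down the HDFS path with the same access controls you apply to the source indexes (anyone with read access to that path can read the raw firewall and proxy logs without going through Splunk's role-based access), and confirm the role running ES can actually see the virtual index, since an index that is not in the role's allowed list simply returns nothing rather than an error.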