Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Has anyone used Splunk Enterprise Security over Hunk?

anandhim
Path Finder
‎11-18-2015 08:31 AM

I was wondering if running Splunk Enterprise Security over Hunk in a Hunk only or Hybrid architecture is supported/recommended. Has anyone tried doing this?

One of my clients is decided on using ES, but debating if they should go only the Hadoop route, only Splunk enterprise, or some kind of hybrid model with data streaming to both or aging out from Splunk Enterprise to Hunk.

Any experience/advice on this would be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mdessus_splunk
Splunk Employee
Splunk Employee
‎11-18-2015 08:37 AM

Hello,

no this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOC, network streams...). You will miss completly this with Splunk and Hadoop does not include by itself any way to collect data.

However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk) allowing to still have access to old raw logs (ES will use the accelerated datamodel for performance). This is supported.

View solution in original post

Reply
Solved! Jump to solution

mhassan
Path Finder
‎05-12-2016 12:59 PM

In the latest release of Hunk 6.4 there is a support for Data Model Acceleration and all the commands that goes with Data Models
http://docs.splunk.com/Documentation/Hunk/6.4.0/Hunk/Configuredatamodelacceleration

0 Karma
Reply
Solved! Jump to solution

mparks11
Path Finder
‎09-12-2016 11:06 AM

Does this mean that ES will be supported or is supported on/with Hunk? Thanks.

0 Karma
Reply
Solved! Jump to solution

tvu_splunk
Splunk Employee
Splunk Employee
‎11-18-2015 09:01 AM

Just to add more color, the ES premium solution is currently not supported on Hunk because it does not support data model acceleration. We definitely see hybrid use cases where you would want to use ES against real-time data in Enterprise and historical data in HDFS. DMA is on the roadmap for Hunk to support this.

Reply
Solved! Jump to solution
Solution

mdessus_splunk
Splunk Employee
Splunk Employee
‎11-18-2015 08:37 AM

Hello,

no this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOC, network streams...). You will miss completly this with Splunk and Hadoop does not include by itself any way to collect data.

However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk) allowing to still have access to old raw logs (ES will use the accelerated datamodel for performance). This is supported.

Reply
Solved! Jump to solution

anandhim
Path Finder
‎11-18-2015 08:52 AM

Thanks @mdessus for the quick response. The data in question here was only data from security devices like firewalls and proxies but I get your point that ES can be used on the raw data in Hadoop even for that. One your 2nd point, when old data is exported to hadoop and using Hunk to search over it, are you referring to index archiving method or the hadoop app to export data to it? Even in that case we cannot run both Hunk and ES on the same search head, right?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...