Splunk Enterprise Security

Has anyone used Splunk Enterprise Security over Hunk?

Path Finder

I was wondering if running Splunk Enterprise Security over Hunk in a Hunk only or Hybrid architecture is supported/recommended. Has anyone tried doing this?

One of my clients is decided on using ES, but debating if they should go only the Hadoop route, only Splunk enterprise, or some kind of hybrid model with data streaming to both or aging out from Splunk Enterprise to Hunk.

Any experience/advice on this would be appreciated.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hello,

no this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOC, network streams...). You will miss completly this with Splunk and Hadoop does not include by itself any way to collect data.

However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk) allowing to still have access to old raw logs (ES will use the accelerated datamodel for performance). This is supported.

View solution in original post

Path Finder

In the latest release of Hunk 6.4 there is a support for Data Model Acceleration and all the commands that goes with Data Models
http://docs.splunk.com/Documentation/Hunk/6.4.0/Hunk/Configuredatamodelacceleration

0 Karma

Path Finder

Does this mean that ES will be supported or is supported on/with Hunk? Thanks.

0 Karma

Splunk Employee
Splunk Employee

Just to add more color, the ES premium solution is currently not supported on Hunk because it does not support data model acceleration. We definitely see hybrid use cases where you would want to use ES against real-time data in Enterprise and historical data in HDFS. DMA is on the roadmap for Hunk to support this.

Splunk Employee
Splunk Employee

Hello,

no this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOC, network streams...). You will miss completly this with Splunk and Hadoop does not include by itself any way to collect data.

However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk) allowing to still have access to old raw logs (ES will use the accelerated datamodel for performance). This is supported.

View solution in original post

Path Finder

Thanks @mdessus for the quick response. The data in question here was only data from security devices like firewalls and proxies but I get your point that ES can be used on the raw data in Hadoop even for that. One your 2nd point, when old data is exported to hadoop and using Hunk to search over it, are you referring to index archiving method or the hadoop app to export data to it? Even in that case we cannot run both Hunk and ES on the same search head, right?

0 Karma