Splunk Enterprise Security

Is it possible that logs get duplicated between Splunk Enterprise and Splunk Enterprise Security?

Matilda
Explorer

Hi!

I want to know if it is possible to get duplicated ingestion of logs between Splunk Enterprise and Splunk Enterprise Security, and also whether the logs from Splunk Enterprise are available in searches made on Splunk Enterprise Security, and in general how this works at the indexer level.


richgalloway
SplunkTrust
SplunkTrust

Splunk Enterprise Security does not ingest data.  It merely works with data ingested by Splunk Enterprise using technology add-ons (TAs).  So, no, ES is not duplicating ingestion of your logs.  It is possible, however, for a search to produce results that might look like duplicated ingestion.  Also, this does not mean you are experiencing duplicate ingestion - it merely means it's not ES's fault.

Access to indexes by ES is controlled by RBAC exactly the way it is done in Splunk Enterprise.  That's because ES is simply an app that plugs into Splunk.

---
If this reply helps you, Karma would be appreciated.
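One way to test whether apparent duplicates exist at the index level rather than in a search, added here as an example and not part of the reply above; it assumes a placeholder index name and that events with the same host, timestamp and raw text are the same event.

```spl
index=<your_index> earliest=-60m
| eval raw_hash=sha256(_raw)
| stats count AS copies
        values(splunk_server) AS indexers
        values(source) AS sources
        values(index) AS indexes
        BY _time host raw_hash
| where copies > 1
| sort - copies
```

Rows with `copies > 1` from a single source and index point to the same event being indexed more than once (for example a forwarder resending after a connection drop), while differing sources or indexes mean the same line was onboarded by two inputs. An empty result while the duplicates still show in an ES dashboard or correlation search points at the search, not at ingestion.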


Matilda
Explorer

Hi, first of all thank you... but how does it measure the volume if it does not ingest? To my knowledge, we have to pay for volume. I am so sorry to bother you again.


PickleRick
SplunkTrust
SplunkTrust

Enterprise Security does not measure anything. It's licensed based on your "main" license ingestion limit. There is no possibility to have - for example - a Splunk Enterprise license for 50GB daily ingestion volume and an Enterprise Security license for 15GB. If you have a license for Splunk Enterprise for 50GB, you must buy an ES license for 50GB as well.

If you exceed your daily ingestion, normal Splunk Enterprise mechanisms kick in.

richgalloway
SplunkTrust
SplunkTrust

I'm not sure I understand the question.  Data not ingested is not counted and does not apply to your license quota.

What do you mean by "how does it measure"?  What is "it"?

Please understand that Enterprise Security searches and visualizes data (along with other UI features).  It does not onboard/ingest data and does not measure license volume.  Those tasks are handled by Splunk Enterprise, the foundation for ES.

---
If this reply helps you, Karma would be appreciated.