Splunk Enterprise Security

Is it possible that logs get duplicated between Splunk Enterprise and Splunk Enterprise Security?

Matilda
Explorer

Hi!

I want to know if it is possible to get duplicated ingestion of logs between Splunk Enterprise and Splunk Enterprise Security, also the availability of the logs of Splunk Enterprise in searches made on Splunk Enterprise Security, and in general how this works on an indexer level.

0 Karma
1 Solution

richgalloway
SplunkTrust

Splunk Enterprise Security does not ingest data.  It merely works with data ingested by Splunk Enterprise using technology add-ons (TAs).  So, no, ES is not duplicating ingestion of your logs.  It is possible, however, for a search to produce results that might look like duplicated ingestion.  Also, this does not mean you are experiencing duplicate ingestion - it merely means it's not ES's fault.

Access to indexes by ES is controlled by RBAC exactly the way it is done in Splunk Enterprise.  That's because ES is simply an app that plugs into Splunk.

---
If this reply helps you, Karma would be appreciated.
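As an added illustration, not part of the answer above: since any duplication would have to originate in Splunk Enterprise ingestion rather than in ES, this search fingerprints each stored event by host, source, sourcetype and raw text and reports fingerprints stored more than once, together with the indexes and indexers holding the copies. The one-hour window and `index=*` are assumptions to narrow for your environment.

```spl
index=* earliest=-60m@m latest=@m
| eval event_key=sha256(host . "|" . source . "|" . sourcetype . "|" . _raw)
| stats count AS copies,
        dc(_indextime) AS distinct_index_times,
        values(index) AS indexes,
        values(splunk_server) AS indexers
        BY event_key
| where copies > 1
| sort - copies
```

Rows with `copies > 1` are the same raw event stored more than once (and therefore counted more than once against the license); an ES dashboard or correlation search that shows repeated events while this search returns nothing is repeating results at search time, not ingesting twice.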


Matilda
Explorer

Hi, first of all thank you... but how does it measure the volume if it does not ingest? To my knowledge, we have to pay for volume. I am so sorry to bother you again.

0 Karma

PickleRick
SplunkTrust

Enterprise Security does not measure anything. It's licensed based on your "main" license ingestion limit. There is no possibility to have - for example - a Splunk Enterprise license for 50GB daily ingestion volume and an Enterprise Security license for 15GB. If you have a license for Splunk Enterprise for 50GB, you must buy an ES license for 50GB as well.

If you exceed your daily ingestion, normal Splunk Enterprise mechanisms kick in.

richgalloway
SplunkTrust

I'm not sure I understand the question.  Data not ingested is not counted and does not apply to your license quota.

What do you mean by "how does it measure"?  What is "it"?

Please understand that Enterprise Security searches and visualizes data (along with other UI features).  It does not onboard/ingest data and does not measure license volume.  Those tasks are handled by Splunk Enterprise, the foundation for ES.

---
If this reply helps you, Karma would be appreciated.
0 Karma