Hi!
I want to know if it is possible to get duplicated ingestion of logs between Splunk Enterprise and Splunk Enterprise Security, and also the availability of the logs of Splunk Enterprise in searches made on Splunk Enterprise Security, and in general how this works on an indexer level.
Splunk Enterprise Security does not ingest data. It merely works with data ingested by Splunk Enterprise using technology add-ons (TAs). So, no, ES is not duplicating ingestion of your logs. It is possible, however, for a search to produce results that might look like duplicated ingestion. Also, this does not mean you are experiencing duplicate ingestion - it merely means it's not ES's fault.
Access to indexes by ES is controlled by RBAC exactly the way it is done in Splunk Enterprise. That's because ES is simply an app that plugs into Splunk.
Hi, first of all, thank you... but how does it measure the volume if it does not ingest? To my knowledge, we have to pay for volume. I am so sorry to bother you again.
Enterprise Security does not measure anything. It's licensed based on your "main" license ingestion limit. There is no possibility to have - for example - a Splunk Enterprise license for 50GB daily ingestion volume and an Enterprise Security license for 15GB. If you have a license for Splunk Enterprise for 50GB, you must buy an ES license for 50GB as well.
If you exceed your daily ingestion, normal Splunk Enterprise mechanisms kick in.
I'm not sure I understand the question. Data not ingested is not counted and does not apply to your license quota.
What do you mean by "how does it measure"? What is "it"?
Please understand that Enterprise Security searches and visualizes data (along with other UI features). It does not onboard/ingest data and does not measure license volume. Those tasks are handled by Splunk Enterprise, the foundation for ES.