Splunk Enterprise Security

Is it possible that logs get duplicated between Splunk Enterprise and Splunk Enterprise Security?

Matilda
Explorer

Hi!

I want to know if it is possible to get duplicated ingestion of logs between Splunk Enterprise and Splunk Enterprise Security, also the availability of the logs of Splunk Enterprise in searches made on Splunk Enterprise Security, and in general how this works at an indexer level.

1 Solution

richgalloway
SplunkTrust

Splunk Enterprise Security does not ingest data.  It merely works with data ingested by Splunk Enterprise using technology add-ons (TAs).  So, no, ES is not duplicating ingestion of your logs.  It is possible, however, for a search to produce results that might look like duplicated ingestion.  Also, this does not mean you are experiencing duplicate ingestion - it merely means it's not ES's fault.

Access to indexes by ES is controlled by RBAC exactly the way it is done in Splunk Enterprise.  That's because ES is simply an app that plugs into Splunk.

---
If this reply helps you, Karma would be appreciated.

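The distinction in the accepted answer (a search that merely looks like duplicate ingestion versus events that really were indexed twice) can be checked from the search results themselves. The script below is an added example, not code from this thread or from Splunk. It assumes the results were exported with the internal fields `_cd` and `_indextime` included (for example via `| table _time _indextime _cd index host source sourcetype _raw`), and that `_cd` identifies where an event is stored within an index, so that the pair (index, `_cd`) names one stored copy. The sample rows are constructed, not real data.

```python
"""Triage apparent duplicate events exported from a Splunk search.

Three situations look alike in a result list but have different causes:
  * search_artifact     - one stored copy returned more than once (for
                          example after an append or a multisearch that
                          covers the same index twice); nothing was
                          ingested twice
  * cross_index_copy    - the same event stored in more than one index
                          (for example cloned forwarder outputs); a
                          search over index=* shows every copy
  * duplicate_ingestion - the same event stored more than once in the
                          same index (for example a re-sent file); this
                          is the case that costs license volume
The fields _cd and _indextime are assumed to be present in every row.
"""
from collections import defaultdict

# Fields that identify a logical event regardless of where it was stored.
EVENT_KEY = ("_time", "host", "source", "sourcetype", "_raw")

# Constructed sample rows (not real data), shaped like Splunk search results.
RAW_A = "Dec  1 00:00:00 web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51000 ssh2"
RAW_B = "Dec  1 00:00:50 web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51001 ssh2"
RAW_C = "Dec  1 00:01:10 web01 sshd[4242]: Failed password for root from 203.0.113.7 port 51002 ssh2"

BASE = {"_time": 1733000000, "host": "web01", "source": "/var/log/auth.log",
        "sourcetype": "linux_secure", "index": "os", "_raw": RAW_A}


def row(cd, indextime, **overrides):
    """Build one result row from BASE with the given storage identifiers."""
    r = dict(BASE, _cd=cd, _indextime=indextime)
    r.update(overrides)
    return r


SAMPLE_RESULTS = [
    # A: stored once, returned twice by the search (same index, same _cd).
    row("5:1023", 1733000002),
    row("5:1023", 1733000002),
    # B: stored twice in the same index, 90 s apart (file re-sent by a forwarder).
    row("5:2040", 1733000061, _time=1733000050, _raw=RAW_B),
    row("5:2301", 1733000151, _time=1733000050, _raw=RAW_B),
    # C: the same event stored in two different indexes.
    row("5:2500", 1733000080, _time=1733000070, _raw=RAW_C),
    row("2:77", 1733000081, _time=1733000070, _raw=RAW_C, index="security"),
    # D: identical message text from another host: a distinct event, not a duplicate.
    row("5:2600", 1733000003, host="web02", _raw=RAW_A.replace("web01", "web02")),
]


def group_by_event_key(results, key_fields=EVENT_KEY):
    """Group rows that describe the same logical event."""
    groups = defaultdict(list)
    for r in results:
        groups[tuple(r[f] for f in key_fields)].append(r)
    return groups


def classify(results):
    """Return {category: [entry, ...]} for every logical event seen more than once.

    Each entry records the event key, how many rows were returned, the
    distinct stored copies as (index, _cd) pairs, and the spread of
    _indextime across those rows in seconds.
    """
    report = {"search_artifact": [], "cross_index_copy": [], "duplicate_ingestion": []}
    for key, rows in group_by_event_key(results).items():
        if len(rows) < 2:
            continue  # seen once: nothing to triage
        copies = sorted({(r["index"], r["_cd"]) for r in rows})
        indextimes = sorted(r["_indextime"] for r in rows)
        entry = {"key": key, "rows": len(rows), "copies": copies,
                 "indextime_spread_s": indextimes[-1] - indextimes[0]}
        if len(copies) == 1:
            report["search_artifact"].append(entry)        # one stored copy, returned twice
        elif len({idx for idx, _ in copies}) > 1:
            report["cross_index_copy"].append(entry)       # stored in several indexes
        else:
            report["duplicate_ingestion"].append(entry)    # stored twice in one index
    return report


def summarize(report):
    """Render the report as one line per finding for a quick read."""
    lines = []
    for category, entries in report.items():
        for e in entries:
            lines.append(f"{category}: host={e['key'][1]} rows={e['rows']} "
                         f"copies={e['copies']} indextime_spread_s={e['indextime_spread_s']}")
    return lines


if __name__ == "__main__":
    for line in summarize(classify(SAMPLE_RESULTS)):
        print(line)
```

Only the `duplicate_ingestion` category points at an onboarding problem on the Splunk Enterprise side (inputs, forwarder outputs, or a replayed file); the other two are explained by how the data is stored or how the search was written, which is consistent with the answer above that ES itself never ingests anything. The same grouping can be expressed in SPL with `stats count by` the fields in `EVENT_KEY`, then inspecting `index` and `_cd` for each group with `count > 1`.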


Matilda
Explorer

Hi, first of all thank you... but how does it measure the volume if it does not ingest? To my knowledge, we have to pay for volume. I am so sorry to bother you again.


PickleRick
SplunkTrust

Enterprise Security does not measure anything. It's licensed based on your "main" license ingestion limit. There is no possibility to have - for example - a Splunk Enterprise license for 50GB daily ingestion volume and an Enterprise Security license for 15GB. If you have a license for Splunk Enterprise for 50GB, you must buy an ES license for 50GB as well.

If you exceed your daily ingestion, normal Splunk Enterprise mechanisms kick in.

richgalloway
SplunkTrust

I'm not sure I understand the question.  Data not ingested is not counted and does not apply to your license quota.

What do you mean by "how does it measure"?  What is "it"?

Please understand that Enterprise Security searches and visualizes data (along with other UI features).  It does not onboard/ingest data and does not measure license volume.  Those tasks are handled by Splunk Enterprise, the foundation for ES.

---
If this reply helps you, Karma would be appreciated.