Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect Charges

avifyi
Engager
‎11-15-2024 12:31 AM

Hi,

I'm new to Splunk DB connector. Having Splunk on-prem version and trying to pull data from Snowflake audit logs and push to cribl.io (for log optimization purpose and reducing log size). 


As Cribl.io doesn't have connector for Snowflake (and not in near roadmap), wondering if I use Splunk DB connect to read data from Snowflake and send to Cribl.io followed by sending to destination i.e. Splunk (for log monitoring and alerting)

Question: Would this be "double hop" to Splunk, if yes, any Splunk charges be applicable while Splunk DB connect reading from Snowflake and sending to Cribl.io?

Thank you!

Avi

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎11-15-2024 06:11 AM
Hi
I think that it's doable.
Splunk count only indexed data on indexers not from HF. I suppose that you are running DBX on separate HF and then it goes only into Cribl and Cribl send it to indexers? If that is valid assumption then you pay only that amount of data what indexers are indexing.
r. Ismo

View solution in original post

Reply
Solved! Jump to solution

avifyi
Engager
‎11-18-2024 07:49 AM

Hi, yes I've tested this use case in env and things are working as expected. I was more concerned about hidden charges when we start blowing things. Thanks for making this straight for me. It's helpful. 

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-18-2024 08:40 PM

Hi @avifyi 

Good day to you. thanks for the interesting question. 


>>>cribl.io (for log optimization purpose and reducing log size)

1) May we know some details about how much data (approx) you are having the plan?

-------from Splunk DB Connector to cribl.io 

2) may we know, approximately how much optimization and log size reduction you planning to achieve using the cribl.io?
3) though its doable task, it may not be necessary at all at sometimes 😉 
4) from where the Splunk DB Connector is reading the logs? lets say you have a DB X. 
X DB ----- > Splunk DB Connector ----- > Cribl.io ------ > back to Splunk

instead of this, maybe plan about

X DB ------> cribl.io-------> to Splunk

 

Thanks and Best Regards

(PS - my karma stats - given 2000+ and received 500. thanks for reading )

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎11-15-2024 06:11 AM
Hi
I think that it's doable.
Splunk count only indexed data on indexers not from HF. I suppose that you are running DBX on separate HF and then it goes only into Cribl and Cribl send it to indexers? If that is valid assumption then you pay only that amount of data what indexers are indexing.
r. Ismo
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...