Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk DB Connect Charges

avifyi
Engager
‎11-15-2024 12:31 AM

Hi,

I'm new to Splunk DB connector. Having Splunk on-prem version and trying to pull data from Snowflake audit logs and push to cribl.io (for log optimization purpose and reducing log size). 


As Cribl.io doesn't have connector for Snowflake (and not in near roadmap), wondering if I use Splunk DB connect to read data from Snowflake and send to Cribl.io followed by sending to destination i.e. Splunk (for log monitoring and alerting)

Question: Would this be "double hop" to Splunk, if yes, any Splunk charges be applicable while Splunk DB connect reading from Snowflake and sending to Cribl.io?

Thank you!

Avi

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎11-15-2024 06:11 AM
Hi
I think that it's doable.
Splunk count only indexed data on indexers not from HF. I suppose that you are running DBX on separate HF and then it goes only into Cribl and Cribl send it to indexers? If that is valid assumption then you pay only that amount of data what indexers are indexing.
r. Ismo

View solution in original post

Reply
Solved! Jump to solution

avifyi
Engager
‎11-18-2024 07:49 AM

Hi, yes I've tested this use case in env and things are working as expected. I was more concerned about hidden charges when we start blowing things. Thanks for making this straight for me. It's helpful. 

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-18-2024 08:40 PM

Hi @avifyi 

Good day to you. thanks for the interesting question. 


>>>cribl.io (for log optimization purpose and reducing log size)

1) May we know some details about how much data (approx) you are having the plan?

-------from Splunk DB Connector to cribl.io 

2) may we know, approximately how much optimization and log size reduction you planning to achieve using the cribl.io?
3) though its doable task, it may not be necessary at all at sometimes 😉 
4) from where the Splunk DB Connector is reading the logs? lets say you have a DB X. 
X DB ----- > Splunk DB Connector ----- > Cribl.io ------ > back to Splunk

instead of this, maybe plan about

X DB ------> cribl.io-------> to Splunk

 

Thanks and Best Regards

(PS - my karma stats - given 2000+ and received 500. thanks for reading )

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎11-15-2024 06:11 AM
Hi
I think that it's doable.
Splunk count only indexed data on indexers not from HF. I suppose that you are running DBX on separate HF and then it goes only into Cribl and Cribl send it to indexers? If that is valid assumption then you pay only that amount of data what indexers are indexing.
r. Ismo
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...