Splunk Search

Is it violating license agreement to bring in data from external system?

xchang1226
Path Finder

We index a lot of data in Splunk, but we also have a lot of other tools. We would like to use Splunk as a single pane of glass, so we would like to bring data from other tools into Splunk. Examples of other tools are an internal CMDB, a ticketing system, traditional databases, NoSQL databases like Cassandra, Elasticsearch, etc.

But the Splunk license agreement, section 3, License Restriction, item (j) says: separately use any of the applicable features and functionalities of the Splunk Materials with external applications or code not furnished by Splunk or any data not processed by the Software, except otherwise specifically permitted in the Documentation.

Does it mean we can't bring data into Splunk from an external system? If we do, do we then need to get some kind of permission from Splunk first?

0 Karma

gcusello
SplunkTrust

Hi xchang1226,
The Splunk license is related to the indexed logs, so if you want to display search results in Splunk dashboards, you have to index them.
If you don't want to use a large part of your license, you could send to Splunk only aggregated data from the external systems you have, but you have to index something in Splunk.
The only exception I know (but maybe there is someone else!) is DBConnect, which you can use to run external SQL queries without ingesting that data, but they are very slow!

Bye.
Giuseppe

0 Karma

xchang1226
Path Finder

Hi Giuseppe, thanks for the comment. For some integrations, we do index the external data into Splunk, but for some others we don't index the external data because there is no reason to: the data is already stored somewhere, and we don't want to copy that data into Splunk. The way we are doing it is similar to what DBConnect does, through custom search commands.

0 Karma

gcusello
SplunkTrust

You could store the already aggregated data in Splunk to correlate it with other data.
One of our customers has a customer console using Nagios logs where there are many aggregation rules and thresholds; to avoid ingesting all the data and replicating all the aggregation rules, we ingest in Splunk only alerts and warnings from this console.

Bye.
Giuseppe

0 Karma

FrankVl
Ultra Champion

I don't think the question is related to license usage so much, just seeking clarification on that specific article restricting the use of Splunk Materials.

0 Karma

FrankVl
Ultra Champion

The whole point of Splunk is to get data in from other systems (and then get value out of that data). So no, I don't think that statement means that you cannot bring data into Splunk from external systems.

If I understand it correctly, that article prohibits the use of parts of the Splunk functionality outside a Splunk environment. So for example: you don't use Splunk at all, but some other SIEM solution instead, but you use some code from a Splunk add-on to integrate that other SIEM solution with a certain data source.

0 Karma

xchang1226
Path Finder

Thanks, that makes sense. One of the reasons that we love Splunk is how easy it is to integrate Splunk with other tools. Let's see if anyone from Splunk wants to comment on this.

0 Karma