Splunk Search

Is it violating license agreement to bring in data from external system?

xchang1226
Path Finder

We index a lot of data in Splunk, but we also have a lot of other tools. We would like to use Splunk as a single pane of glass, so we would like to bring data from other tools into Splunk. Examples of other tools are an internal CMDB, a ticketing system, traditional databases, NoSQL databases like Cassandra, Elasticsearch, etc.

But under Splunk license agreement, section 3, License Restriction, item (j) says: separately use any of the applicable features and functionalities of the Splunk Materials with external applications or code not furnished by Splunk or any data not processed by the Software, except otherwise specifically permitted in the Documentation.

Does it mean we can't bring in data to Splunk from external system? If we do, then we need to get some kind of permission from Splunk first?

0 Karma

gcusello
SplunkTrust

Hi xchang1226,
The Splunk license is related to the indexed logs, so if you want to display search results in Splunk dashboards, you have to index them.
If you don't want to largely use your license, you could send to Splunk only aggregated data from the external systems you have, but you have to index something in Splunk.
The only exception I know (but maybe there is someone else!) is DBConnect, which you can use to run external SQL queries without ingesting that data, but they are very slow!

Bye.
Giuseppe

0 Karma

xchang1226
Path Finder

Hi, Giuseppe, thanks for the comment. For some integrations, we do index the external data into Splunk, but for some others, we don't index the external data because there is no reason to, the data is already stored somewhere, we don't want to copy that data in Splunk. The way we are doing it is similar to what DBConnect does, through custom search commands.

0 Karma

gcusello
SplunkTrust

You could store in Splunk the already aggregated data to correlate them to other data.
One of our customers has a customer console using Nagios logs where there are many aggregation rules and thresholds; to avoid ingesting all the data and replicating all the aggregation rules, we ingest in Splunk only alerts and warnings from this console.

Bye.
Giuseppe

0 Karma

FrankVl
Ultra Champion

I don't think the question is related to license usage so much, just seeking clarification on that specific article restricting the use of Splunk Materials.

0 Karma

FrankVl
Ultra Champion

The whole point of Splunk is to get data in from other systems (and then get value out of that data). So no, I don't think that statement means that you cannot bring data into Splunk from external systems.

If I understand it correctly, that article prohibits the use of parts of the Splunk functionality outside a Splunk environment. So for example: you don't use Splunk at all, but some other SIEM solution instead, but you use some code from a Splunk add-on to integrate that other SIEM solution with a certain data source.

0 Karma

xchang1226
Path Finder

Thanks, that makes sense. One of the reasons that we love Splunk is how easy it is to integrate Splunk with other tools. Let's see if anyone from Splunk wants to comment on this.

0 Karma