ArcSight User Discussions

ArcSight and Splunk Integration: Powerful Together

Micro Focus Frequent Contributor


With ADP, ArcSight enriched events may be shared with any third party system to include Splunk.  

Historically, with raw event data going directly to Splunk, the challenge has always been parsing the data once it is in Splunk; even events sent as CEF syslog from a SmartConnector are often lumped into a single event, which makes querying exponentially more difficult.

But what if this wasn't an issue?  What if you could leverage CEF properly within Splunk, and since the Splunk Processing Language and the ArcSight interactive search share so many similarities, you could copy and paste queries between Logger/ACC & Splunk?  

What impact would aggregation and targeted filtering of DNS, firewall, or Windows events have on your Splunk license requirements?

With the methodology and apps provided here, you can quickly take your ArcSight Data Platform infrastructure and share ArcSight enriched events with Splunk.  The attached zip file is not password protected, and contains everything you need to deploy this process.  

While results may vary from event source-to-event source (e.g. proxy events aggregate at different levels than DNS), the impact of reducing Splunk licensing costs anywhere from 50-90% (depending on the source) becomes much more attractive for senior leadership.  
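The two points above, CEF records that arrive in Splunk unparsed and the license impact of aggregating DNS events, as an added Python example that is not from the original post or the attached apps: it splits a CEF record into header and extension fields while honouring the CEF escape rules, then collapses repeated DNS queries per source into counted summaries to show the volume reduction. The vendor/product names, sample events and the aggregation key (src, request) are constructed assumptions.

```python
import re
from collections import OrderedDict

SAMPLE_LINES = [  # constructed sample; hypothetical vendor/product names, not real events
    "CEF:0|Acme|DNS|1.0|100|DNS query|3|src=10.0.0.5 request=example.com rt=1000",
    "CEF:0|Acme|DNS|1.0|100|DNS query|3|src=10.0.0.5 request=example.com rt=2000",
    "CEF:0|Acme|DNS|1.0|100|DNS query|3|src=10.0.0.7 request=example.com rt=3000",
    "CEF:0|Acme|DNS|1.0|100|DNS query|3|src=10.0.0.5 request=example.com rt=4000",
    r"CEF:0|Acme|Proxy\|Web|1.0|200|URL a\=b|5|src=10.0.0.5 msg=hello world cs1=x\=y",
]
HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
UNESCAPE = {"\\|": "|", "\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}

def unescape(s):
    # CEF escapes '|' in header fields and '=' in extension values with a backslash.
    return re.sub(r"\\[|=\\nr]", lambda m: UNESCAPE[m.group(0)], s)

def parse_cef(line):
    """Split one CEF record into its 7 header fields plus extension key/value pairs."""
    body = line[line.index("CEF:") + 4:]          # drop any syslog prefix before "CEF:"
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:      # header is '|'-delimited; escaped '\|' is kept
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2]); i += 2
        elif ch == "|":
            fields.append(unescape("".join(cur))); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    event = dict(zip(HEADER, fields))
    ext = body[i:]                                # extension: key=value pairs, values may hold spaces
    keys = list(re.finditer(r"(?:^|(?<=\s))([\w.]+)=", ext))   # unescaped '=' marks a key
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[k.group(1)] = unescape(ext[k.end():end].strip())
    return event

def aggregate(events, keys=("src", "request")):
    """Collapse events sharing `keys` into one summary: count plus first/last receipt time (rt)."""
    buckets = OrderedDict()
    for e in events:
        k = tuple(e.get(f) for f in keys)
        b = buckets.setdefault(k, {**{f: e.get(f) for f in keys}, "count": 0, "first": e.get("rt")})
        b["count"] += 1
        b["last"] = e.get("rt")
    return list(buckets.values())

def reduction(raw, aggregated):
    # Fraction of events removed by aggregation, i.e. ingest volume that never reaches Splunk.
    return 1 - len(aggregated) / len(raw)

if __name__ == "__main__":
    dns = [e for e in map(parse_cef, SAMPLE_LINES) if e["product"] == "DNS"]
    agg = aggregate(dns)
    print(agg, f"-> {reduction(dns, agg):.0%} fewer DNS events")
```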

In addition, as Splunk is not an immutable data storage mechanism, the premise of using filtering and aggregated events to lower license ingestion costs becomes much more palatable.  

Splunk is an exceptionally powerful tool with many features to offer - the notion here is to improve Splunk's performance, both operationally and technically through the power of ArcSight ADP.

Isn't it time to "get ArcSight'ed again"?   
