Splunk Search

Is it violating license agreement to bring in data from external system?

xchang1226
Path Finder

We index a lot of data in Splunk, but we also have a lot of other tools, we would like to use Splunk as a single pane of glass, so we would like to bring in data from other tools into Splunk. Examples of other tools are internal CMDB, ticketing system, traditional databases, NoSQL databases like Cassandra, Elasticsearch, etc.

But under Splunk license agreement, section 3, License Restriction, item (j) says: separately use any of the applicable features and functionalities of the Splunk Materials with external applications or code not furnished by Splunk or any data not processed by the Software, except otherwise specifically permitted in the Documentation.

Does it mean we can't bring in data to Splunk from external system? If we do, then we need to get some kind of permission from Splunk first?

0 Karma

gcusello
SplunkTrust

Hi xchang1226,
Splunk license is related to the indexed logs, so if you want to display search results in Splunk Dashboards, you have to index them.
If you don't want to largely use your license, you could send to Splunk only aggregated data from the external systems you have, but something you have to index in Splunk.
The only exception I know (but maybe there is someone else!) is DBConnect that you can use to run external SQL queries without ingesting that data, but they are very slow!

Bye.
Giuseppe

0 Karma

xchang1226
Path Finder

Hi, Giuseppe, thanks for the comment. For some integrations, we do index the external data into Splunk, but for some others, we don't index the external data because there is no reason to, the data is already stored somewhere, we don't want to copy that data in Splunk. The way we are doing it is similar to what DBConnect does, through custom search commands.

0 Karma

gcusello
SplunkTrust

You could store in Splunk the already aggregated data to correlate them to other data.
One of our customers has a customer console using Nagios logs where there are many aggregation rules and thresholds; to avoid ingesting all the data and replicating all the aggregation rules, we ingest in Splunk only alerts and warnings from this console.

Bye.
Giuseppe

0 Karma

FrankVl
Ultra Champion

I don't think the question is related to license usage so much, just seeking clarification on that specific article restricting the use of Splunk Materials.

0 Karma

FrankVl
Ultra Champion

The whole point of Splunk is to get data in from other systems (and then get value out of that data). So no, I don't think that statement means that you cannot bring data into Splunk from external systems.

If I understand it correctly, that article prohibits the use of parts of the Splunk functionality outside a Splunk environment. So for example: you don't use Splunk at all, but some other SIEM solution instead, but you use some code from a Splunk add-on to integrate that other SIEM solution with a certain data source.

0 Karma

xchang1226
Path Finder

Thanks, that makes sense. One of the reasons that we love Splunk is how easy it is to integrate Splunk with other tools. Let's see if anyone from Splunk wants to comment on this.

0 Karma