If you use Splunk to ingest all your data for security analytics, you likely recognize it as one of the greatest indexing tools ever created. With Splunk, your security teams get a real-time view of machine data from the network, data center, or IT environments. Many enterprises also use Splunk to retain log records for data repositories, giving them the ability to comply with record retention requirements.
In this post, we’ll provide you with a quick and handy way to demonstrate how adding Imperva Data Security Fabric can significantly reduce data repository log ingestion costs using Splunk. Your cost savings will vary, but taking a few moments to review costs from a data telemetry volume perspective will provide insight into potential savings.
The cost of Splunk for individual organizations is determined by the volume of data ingested into the platform (GB/day). Many organizations use Splunk to ingest all their data as part of an overall data security strategy to get all data in one location. In most instances, data repository log records represent a high proportion of an organization’s overall data ingestion costs.
Introducing Imperva Data Security Fabric (DSF) as a pre-processor of your organization’s raw activity logs enables you to normalize, compress, and filter this data before using Splunk to ingest it. As a result, only 5-30% of the original raw activity log data needs to be indexed by Splunk. Your organization retains the same ability to comply with record retention requirements while using Splunk to index just a small percentage of the original data. The table below presents conservative (low), probable (average), and optimistic (but achievable) savings for a typical organization.
1 Ingestion cost based on annual term license and index volume of $0.88 per GB ($0.88 * 2,600 GB/day * 365 days = $835,210).
In the worksheet above, Imperva DSF reduced Splunk ingestion by an average of 90% per day, from 2,600 GB to 260 GB. Annual Splunk costs were reduced by 82%, from $1,235,210 to $222,000.
In 2021, one global payment solutions company said, “[Imperva DSF] allows us to continue to run the same searches, alerts, and dashboards while actually storing the data [in Imperva DSF]. We get all the power and usefulness of our SIEM without the cost.”
Take a few moments to re-create the spreadsheet above for your organization and enter your values to see the kind of cost savings you can expect by pre-processing original raw activity logs with Imperva DSF before ingesting the data using Splunk. After that, if you think we can help, contact an Imperva Solutions Representative or download this whitepaper.