
ArcSight and Splunk Integration: Powerful Together

With ADP, ArcSight enriched events may be shared with any third party system to include Splunk.  

Historically, with raw event data going directly to Splunk, the challenge has always been parsing that data once it lands in Splunk: even events sent as CEF syslog from a SmartConnector are often lumped into a single event, which makes querying exponentially more difficult.
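
As an added illustration of the parsing problem described above (not code from the original post, nor from ArcSight or Splunk), here is a small Python parser that splits one CEF syslog line into its header fields and extension key/value pairs while honouring CEF's escape rules; the sample line and its values are constructed.

```python
import re

# Header fields that follow "CEF:<version>|", in order.
CEF_HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# CEF escaping: '|' and '\' in the header; '=', '\' and newlines in extensions.
_HEADER_ESC = {"\\|": "|", "\\\\": "\\"}
_EXT_ESC = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an unescaped key= token

def _unescape(text, table):
    # Replace known escape pairs; leave unknown backslash pairs untouched.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(0), m.group(0)), text)

def _split_header(rest):
    # Consume six header fields split on unescaped '|'; the remainder is the extension.
    fields, cur, i = [], [], 0
    while i < len(rest) and len(fields) < 6:
        if rest[i] == "\\":            # keep escape pairs intact for later unescaping
            cur.append(rest[i:i + 2]); i += 2
        elif rest[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(rest[i]); i += 1
    return fields, rest[i:]

def _parse_extension(ext):
    # Each value runs from its '=' up to the next unescaped "key=" token.
    keys, result = list(_EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip(), _EXT_ESC)
    return result

def parse_cef(line):
    # Parse one syslog line carrying a CEF payload into a dict of named fields.
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    version, _, rest = line[idx + 4:].partition("|")
    fields, extension = _split_header(rest)
    if len(fields) != 6:
        raise ValueError("truncated CEF header")
    event = {"syslog_prefix": line[:idx].strip(), "cef_version": version}
    event.update(zip(CEF_HEADER_FIELDS, (_unescape(f, _HEADER_ESC) for f in fields)))
    event["extension"] = _parse_extension(extension)
    return event

# Constructed sample: a SmartConnector-style line with an escaped '|' and '='.
SAMPLE = (r"<134>Mar 10 12:00:01 arcsight CEF:0|ArcSight|Logger|7.0|100|Firewall deny \| audit|5|"
          r"src=192.0.2.10 dst=198.51.100.20 dpt=443 msg=Blocked by rule a\=b act=deny")
```

Running `parse_cef(SAMPLE)` yields the header fields by name plus an `extension` dict keyed by the CEF extension names, which is the field structure the single lumped Splunk event lacks.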

But what if this wasn't an issue?  What if you could leverage CEF properly within Splunk, and since the Splunk Processing Language and the ArcSight interactive search share so many similarities, you could copy and paste queries between Logger/ACC & Splunk?  

What impact would aggregating and targeted filtering of DNS, firewall, or Windows events have on your Splunk license requirements?

With the methodology and apps provided here, you can quickly take your ArcSight Data Platform infrastructure and share ArcSight enriched events with Splunk.  The attached zip file is not password protected, and contains everything you need to deploy this process.  

While results vary from event source to event source (e.g. proxy events aggregate at different levels than DNS), reducing Splunk licensing costs by anywhere from 50-90% (depending on the source) becomes much more attractive to senior leadership.

In addition, as Splunk is not an immutable data storage mechanism, the premise of using filtering and aggregated events to lower license ingestion costs becomes much more palatable.  

Splunk is an exceptionally powerful tool with many features to offer - the notion here is to improve Splunk's performance, both operationally and technically, through the power of ArcSight ADP.

Isn't it time to "get ArcSight'ed again"?   
