Splunk is a powerful tool for analyzing security data and performing threat detection, providing invaluable insights for security teams. However, Splunk's capabilities come at a cost—especially when it comes to ingesting and retaining large volumes of log data. This is where Scanner steps in to help.
Ingesting high-volume log sources into Splunk can be prohibitively expensive. Logs such as AWS CloudTrail, Cloudflare HTTP and DNS, and Windows Event logs often generate massive amounts of data. Just one of these log sources can lead to costs reaching six or even seven figures annually when ingested directly into Splunk.
Moreover, retaining this data long-term within Splunk can be cumbersome and costly. Investigations on older data often require a painful process of archiving and then reloading data into a Splunk Enterprise server—adding complexity and delaying response times.
Scanner augments your existing Splunk deployment by addressing these two pain points: reducing the cost of high-volume log ingestion and simplifying long-term data investigations.
Instead of ingesting high-volume logs directly into Splunk, Scanner allows you to store these logs in S3. Simply point Scanner at your S3 buckets, and it will organize the raw logs and provide fast, efficient search capabilities. This approach can lead to cost reductions of 80-90%, with savings that can routinely exceed $500,000 per year.
Scanner also makes it easy to retain and query long-term data. Store your long-term logs in S3, and use Scanner to quickly search through them. Unlike Amazon Athena, which is often used to search S3-stored logs but can be slow—especially with raw log formats like JSON—Scanner automatically organizes raw logs and builds indexes over them to optimize search performance. This eliminates the labor-intensive big data engineering projects that teams otherwise need to undertake to make Athena perform well.
To make this experience even smoother, Scanner offers the Scanner for Splunk app via Splunkbase. This app allows you to query your Scanner-organized data directly from the Splunk UI, making it available for both Splunk Enterprise and Splunk Cloud.
With the custom search commands scanner and scannertable, you can easily access your high-volume and long-term log data from the familiar Splunk interface. Use scanner to return log events, and scannertable to generate tables suitable for rendering dashboards—keeping your workflows intact while gaining the cost and speed advantages of Scanner.
By integrating Scanner with Splunk, you can significantly reduce costs for high-volume log sources and effortlessly query long-term data. It's not uncommon for organizations to save $500,000 or more while retaining full access to their logs directly through the Splunk UI or via Scanner. Let Scanner be the cost-effective, high-speed augmentation that takes your Splunk deployment to the next level.