Supercharge your Splunk
with Query Federated Search

Query is a Splunk App that easily adds data sources to Splunk without increasing ingestion or compute expenses. Your Splunk — but with a lot more data.
Watch the two-minute demo

Why Splunk + Query?

How Splunk with the Query App is more than the sum of it’s parts

All the Data, All in Splunk

Splunk is a powerful technology for ingesting and indexing data and writing detections against that data. But, for various reasons, not all of your security relevant data lives in Splunk, and the data that does requires continuous engineering cycles to maintain. As investigations expand beyond the scope of data visibility in Splunk, analysts must wade through tool consoles upstream. Latency issues arise, eventually turning into budget issues at scale.

Query is a bridge between Splunk and your data, wherever it is stored, making more data accessible and actionable within your Splunk instance. With Federated Search and in-flight data normalization, Query can add additional data to your Splunk reports and rule sets seamlessly. All without pipelining, pre-processing data, or duplicating data. This allows security teams to:

  • Rapidly onboard data sources — leave data at the source or store elsewhere, Query does not duplicate or store your data and data does not need to be ingested or stored in Splunk to be used in Splunk.
  • Search for relevant data beyond the scope of normal security tools: ERP, HRIS, and business applications.
  • Deepen existing ROI on Splunk resources, expanding the power of Splunk across a higher volume of data.
  • Deepen existing ROI on other tools and their data by providing easy data access to analysts and operators within the Splunk console.
Choice & Control of Splunk Storage Costs

Security-relevant data volumes continue to increase, with no sign of slowing down. Whether it is expanding costs of ingestion and storage in Splunk, or increasing compute costs in lakes, warehouses and XDRs, the cost of security is steadily increasing too, leading to tradeoffs between data availability, currency, detection efficacy, and the overall effectiveness of your security program.

Query allows data to be searched no matter where it is, without incurring expense for compute, storage or ingestion. Query deconflicts IT spend from achieving security outcomes. This includes:

  • Deploying bridges into, and across, all of your data stores: object, lakes, other SIEMs, warehouses, and directly from the source APIs.
  • Accessing archived, historical and real-time data – from event logs to CMDB entries to security findings.
  • Avoiding vendor lock-ins and accelerating SecOps-related migration and transformation projects by providing federated search access to all relevant data stores.
Accelerate Your Splunk and Your Security Team

When it comes to investigating an incident or threat, analysts, detection engineers, and other operators need access to data – fast. With Query, Splunk becomes the epicenter of your investigation & detection workflows, providing both first party connectors to security-relevant data providers and easy access to dynamic schemas such as those in other Splunk indices, as well as in Snowflake, Google BigQuery and Amazon S3.

With more and more relevant data in your Splunk instance, your detection engineers can interdict distinct threats and tradecraft more quickly, and all other operators can benefit from gaining access to all the relevant data they ever need. Operators can:

  • Use the familiar Splunk interface and search processing language (SPL) as well as all of their existing reports.
  • More frequently pivot into follow on searches without having to leave Splunk.
  • As new data sources are indicated as relevant to your search, add them on the fly in minutes and get access to the new data in time to support your investigation.
  • Reduce analyst fatigue by reducing data hunts and by allowing them to concentrate their entire workflow in Splunk

Getting Started with Splunk + Query

In minutes, start adding new data sources to Splunk with Query

1

Download the App and
Set Up Your Account

Download the app from Splunkbase and define your Organization. Your first Organization is usually your company, but it could also represent a team or other group.

query platform signup

2

Connect your
Integrations

Set up Integrations, which are connections to data sources. You will need your access credentials, which could be URL, API keys, auth tokens, etc. Check out the available Integrations in the next section.

query platform integrations

3

Perform your
first Query!

Start typing using natural language to instantly search across all of your connected integrations!

query federated search app for splunk

To top