This is part III of a series exploring the concepts and potential of Federated Security.
Splunk has become the backbone of enterprise security operations, and for good reason. Its analytics, dashboards, and detection capabilities are among the most powerful in the industry. But there’s a fundamental architectural tradeoff that has become increasingly costly: you only get visibility into the data you ingest. We all know that Splunk’s license model has not made security operations teams’ lives easier. Some would argue it is driving away many of their most loyal customers.
In modern environments, where security-relevant data lives across clouds, SaaS platforms, data lakes, and distributed infrastructure, centralizing everything inside Splunk isn’t realistic. But the resulting lack of central visibility is weakening security programs. When data isn’t centralized, teams lose context, slow down investigations, miss key signals, and struggle to detect threats early. Security operators are looking for a better way.
That’s why we built the Query Splunk App, bringing Federated Search, Federated Analytics and Federated Detections directly into your existing Splunk workflows, without duplicating or ingesting the data. The result is a dramatically more efficient and flexible architecture that lets you reach your distributed data to see more, act faster, and spend less, without abandoning the tools your team already knows and trusts.
You read that correctly: More Data in Splunk – Less Data Ingestion.
The Visibility Bottleneck
Many teams using Splunk face the same challenge: the need for better visibility across a growing sprawl of tools and data sources, without blowing up their budget.
Indexing more data means higher licensing costs. Holding back means more blind spots. To manage this tension, many organizations turn to tools like Cribl Stream to preprocess, filter, or downsample log data before it reaches Splunk. This can help reduce costs for high-volume sources, but it comes at a price. Teams end up spending significant time and budget on data pipeline engineering, shifting focus away from their core mission: defending the business. And while these pipelines may reduce ingestion costs, they don’t fundamentally solve the visibility problem. They’re brittle, require ongoing maintenance, and often delay or degrade access to critical context. For detection engineers, being limited to preselected or transformed data means alerts frequently miss the full picture, leading to more false positives, longer investigations, and slower response.
Additionally, you’re ultimately paying a vendor just to move your data from one place to another, only to move some portion of it again into another platform for detections and alerting. This creates architectural complexity that increases the team’s technical debt and inhibits security investigations during critical incidents, because the raw telemetry is often in a format security teams can’t easily search.
The obvious answer of “just move it all into Splunk” is no longer viable. The volume is too great, the costs are too high, and the effort too complex. Building pipelines into Splunk to reduce the ingestion is proving to be time consuming and costly. Even the idea of switching to a new SIEM or data platform brings its own risks: broken detection chains, retraining staff, and introducing operational gaps that increase business exposure.
Here’s the reality: most SOC teams like Splunk. What they don’t like is the cost. Period.
What if you could have your Splunk and afford it too?
A Smarter Way Forward: Splunk with Federated Security
With the Query Splunk App, you can:
- Search data where it lives, using the Splunk Search Processing Language (SPL), without moving or ingesting it.
- Join federated data with indexed data to build richer dashboards and detections.
- Expand your visibility without expanding your pipeline or license footprint.
Query acts as a real-time API layer that extends Splunk’s reach to more than 40 (and counting) external systems, from cloud logs and SaaS tools to identity platforms and EDR. You define your search using SPL – Query handles query translation, query planning, and query execution against the downstream systems, and returns every result normalized to the Open Cybersecurity Schema Framework (OCSF). You can still use native SPL constructs such as `stats`, `coalesce`, and others to build deeper analysis or save the results to summary indexes.
And because every result is normalized to the OCSF data model, you get clean, contextual answers that drive faster decisions, no matter where the source system is or what its raw format looks like.
The Query App for Splunk works for any Splunk deployment, be it on-premise Splunk Enterprise, Splunk Cloud, or the Victoria edition of Splunk Cloud, regardless of version.
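As an added illustration of the normalization step described above (example code written for this page, not Query’s own implementation), the following Python maps a constructed CloudTrail IAM record into an OCSF API Activity event and runs a simple privilege-change check of the kind the cloud audit use case below relies on. The CloudTrail verb-prefix to OCSF activity mapping is an assumption of this example, not a published mapping.

```python
from datetime import datetime, timezone
# Constructed CloudTrail record for an IAM privilege change (sample data, not from a real account).
SAMPLE_CLOUDTRAIL = {
    "eventTime": "2024-05-01T12:34:56Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "AttachUserPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "userName": "alice",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"userName": "bob",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    "eventID": "11111111-2222-3333-4444-555555555555",
}

# OCSF API Activity (class_uid 6003) activity_id values keyed by CloudTrail verb prefix (assumed mapping).
VERB_TO_ACTIVITY = {"Create": 1, "Get": 2, "List": 2, "Describe": 2,
                    "Attach": 3, "Detach": 3, "Put": 3, "Update": 3, "Delete": 4}
ACTIVITY_NAMES = {1: "Create", 2: "Read", 3: "Update", 4: "Delete", 99: "Other"}

def activity_for(event_name: str) -> int:
    """OCSF activity_id for a CloudTrail eventName; 99 (Other) when no prefix matches."""
    for prefix, activity_id in VERB_TO_ACTIVITY.items():
        if event_name.startswith(prefix):
            return activity_id
    return 99

def to_ocsf_api_activity(rec: dict) -> dict:
    """Normalize one raw CloudTrail record into an OCSF API Activity event."""
    activity_id = activity_for(rec["eventName"])
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ident = rec.get("userIdentity", {})
    return {
        "category_uid": 6, "class_uid": 6003,
        "activity_id": activity_id, "activity_name": ACTIVITY_NAMES[activity_id],
        "type_uid": 6003 * 100 + activity_id,  # OCSF convention: class_uid * 100 + activity_id
        "time": int(ts.timestamp() * 1000),    # OCSF time is epoch milliseconds
        "actor": {"user": {"name": ident.get("userName"), "uid": ident.get("arn")}},
        "api": {"operation": rec["eventName"], "service": {"name": rec["eventSource"]},
                "request": {"uid": rec.get("eventID"), "data": rec.get("requestParameters")}},
        "cloud": {"provider": "AWS", "region": rec.get("awsRegion")},
        "src_endpoint": {"ip": rec.get("sourceIPAddress")},
    }

def is_admin_policy_grant(ocsf: dict) -> bool:
    """Flag an IAM Attach*Policy call granting the AWS-managed AdministratorAccess policy."""
    api = ocsf["api"]
    policy = (api["request"].get("data") or {}).get("policyArn", "")
    return (api["service"]["name"] == "iam.amazonaws.com" and api["operation"].startswith("Attach")
            and policy.endswith("policy/AdministratorAccess"))
```

Because the output follows the OCSF field names, the same `is_admin_policy_grant` check applies unchanged whether the record came from S3-stored CloudTrail or from an indexed copy.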
Better Detections, Less Effort
Built on the Query Splunk App, Federated Detections are provided out of the box, based on content from Splunk’s own research lab. Federated Detections let your detection engineers work smarter:
- Trigger a rule in Splunk and pull live context from Microsoft Entra ID, CrowdStrike Falcon, or AWS Security Lake (e.g., CloudTrail Management Events, Route 53 DNS Resolver Logs) without having to create complicated lookup tables or summary indices.
- Enrich alerts with real-time asset, user, or threat intel context, without building additional pipelines or defining brittle post-hoc enrichment processing.
- Build detection logic that’s portable, adaptable, and works across tools utilizing the OCSF data model.
Query gives you the flexibility to use high-value detections from tools outside of Splunk without duplicating their data. It’s how you modernize detection engineering without rewriting your entire stack.
Real-World Impact: What Splunk + Query Delivers
1. Cloud Audit Coverage Without the Cost
A financial services team needed visibility into IAM privilege changes across AWS accounts but couldn’t justify ingesting all of CloudTrail. Using Query, they searched S3-stored logs directly from Splunk. They achieved full visibility with zero ingestion, saving over $250K per year in storage and license costs. And that was just a single data source.
2. Faster Ransomware Investigations
A detection fired in Splunk but lacked critical endpoint context, leaving the SOC team guessing. With Query, the team automatically pulled real-time enrichment from CrowdStrike and Entra ID, reducing investigation time by 60–80% and eliminating manual pivots across platforms.
3. License Optimization Without Losing Coverage
One enterprise used Query to expand Splunk’s visibility to AWS CloudTrail, Route 53, and historical CrowdStrike Falcon logs stored in S3, tripling their overall data access. At renewal, they cut Splunk spend by 25% while improving detection quality and visibility.
Built to Complement Splunk, Not Replace It
Splunk is the market leader – by far – for a reason. And they recognize the value of this model. Their own Federated Search and Federated Analytics initiatives reflect what we’ve long believed: the future is distributed.
Query takes that vision further. While Splunk focuses on specific environments like S3, Query supports a broader range of tools and use cases, including:
- SaaS and productivity platforms
- Identity and access systems
- Threat intel and IT ops tools
- Hybrid cloud and on-prem infrastructure
Query and Splunk are better together. We’re not replacing your SIEM, we’re making it smarter, faster, and more affordable.
40+ Integrations, Ready to Deploy
Query connects to dozens of platforms your team already uses, grouped by the core functions they support in a modern security stack. These integrations can be connected and producing results in hours, not weeks, reducing onboarding friction and accelerating time to value:
- Cloud & Infrastructure: Amazon Athena, Amazon CloudWatch Logs (WAFv2 Logs), Amazon OpenSearch Service, Amazon Redshift, Amazon Redshift Serverless, Amazon Security Lake, Azure Log Analytics, ClickHouse Cloud, Databricks, Google BigQuery, Snowflake
- Identity & Access: Auth0, Microsoft Entra ID, and Okta
- EDR & Detection: Armis Centrix, Carbon Black Enterprise EDR, CrowdStrike, CrowdStrike LogScale, JAMF Pro, Microsoft Defender for Endpoint, Microsoft Defender for Office, SentinelOne Singularity Platform
- SIEM & Security Analytics: Microsoft Sentinel, Splunk, Google SecOps (Chronicle)
- Data Management & Pipeline Tools: Cribl Search
- Threat Intelligence & Enrichment: AlienVault OTX, VirusTotal, MISP, Microsoft Graph API – Security (All Alerts), CISA KEV, Tego, Shodan, WhoIS XML API, ip-api – Geolocation API
- IT Ops & SaaS: ServiceNow, Google Gmail Messages, Google Workspace – Directory API, Google Workspace – Reports API, Microsoft Intune, Datadog
Every integration is normalized to OCSF and dynamic sources can be quickly mapped using our AI-powered schema builder.
Final Word: Elevate What You’ve Already Built
You’ve invested in Splunk. Your detections, dashboards, and workflows are proven and familiar. There’s no need to walk away from that foundation when you can build on it – faster, more affordably, and with broader reach.
With Query, you don’t need to start over. You simply unlock the full value of the data you already have.
No duplication. No added ingestion. No compromise.
Splunk with Query Federated Security gives you better detection, better coverage, and a better return on the tools you’ve already deployed.
And with Query Copilot, analysts can instantly interpret results across all sources—accelerating onboarding, triage, and investigation workflows with fewer errors and less context switching.
Curious what this looks like in your environment? Let’s show you.
Let’s put your distributed data to work without centralizing it, duplicating it, or letting it go unused when it matters most.