Reducing Splunk spend with LimaCharlie

Ross Haleliuk, LimaCharlie Director of Product

Endpoints as well as applications such as AWS, Google Cloud, Office 365, 1Password, Slack, and thousands of others produce vast amounts of data. The volume of security data is growing, and this growth will continue for the foreseeable future. This, in turn, leads to several challenges:

  • To detect threats and respond to incidents, it is not sufficient to simply collect all these logs. You need to have the ability to bring them all into one place for correlation and a holistic view of your security posture.

  • To meet compliance requirements, organizations need to store security data for a set amount of time; a solid data storage strategy is also a prerequisite for retroactive threat hunting.

  • Data storage is expensive, which forces organizations and security teams to trade visibility for cost reduction.

To solve these problems, many companies have adopted Splunk as their SIEM (security information and event management) platform. There are many benefits of using Splunk - increased efficiencies, improved visibility, saved time, and increased resource utilization. It’s no wonder that the company was named a leader in the SIEM market for eight years in a row. 

Splunk makes it easy to collect all the data from across the organization. The downside of that ease is the price. As anyone who uses Splunk knows, if not controlled well, the bill can skyrocket. The company is notorious for high cost, so much so that it sometimes becomes a center of jokes in cybersecurity circles. 

Pricing challenges aside, Splunk solves the problems really well for some customers and is here to stay. The great news is that with LimaCharlie, pricing is no longer a concern. 

LimaCharlie enables users to reduce Splunk spend and increase visibility while giving security teams more control over their data. In this post, we will walk you through four steps to achieve it. 

Fundamental challenge

The best way to save on Splunk is to reduce the amount of data sent to Splunk in the first place. While this is obvious, it introduces a fundamental challenge: not everything needs to go to Splunk, but if you filter it out, you end up losing potentially valuable data.

When we talk to customers, we often hear them say something along the lines of: “Out of 100GB I am sending to Splunk, I probably need between 10% and 30% of that data to go there, but I don’t want to lose the rest”. 

This is why using LimaCharlie with Splunk can be a great solution. 

LimaCharlie for telemetry storage & cost optimization

Collect the data from any source

LimaCharlie extends the definition of a sensor beyond event collection from endpoints. The LimaCharlie sensor collects endpoint, network, and external log telemetry that is then displayed in a single interface and can have detections, automations, and response rules applied at wire speed.

LimaCharlie can ingest logs or telemetry from any external source in real time. It includes built-in parsing for popular formats (Carbon Black, Google PubSub, Office 365 logs, Google Cloud Audit logs, 1Password, and more), with the option to define your own for custom sources.

Cost-effective full telemetry retention

LimaCharlie offers 1 year of full telemetry storage and search capability at no extra cost. This means that not only detections but all endpoint, network, and external logs telemetry will be stored in LimaCharlie, making our offering one of the most cost-effective ways to store your security data.

Using the web-based interface, users can interact with individual endpoints in real-time or search and explore a year’s worth of data and quickly see the extent of the compromise.

Send the data where it is needed

One of the easiest ways to save on Splunk is to reduce the amount of data sent to Splunk in the first place. While LimaCharlie’s 1 year of full telemetry storage is a helpful first step, the next step is to decide where else you want to send your data and what exactly you want to be sent.

Users have the ability to send any of the following types of data (streams) to any external destination: 

  • events directly emitted from sensors

  • detections reported by the rule engine

  • deployments representing new sensors coming online

  • audit logs for management activity within LimaCharlie

  • artifacts collected from sensors or uploaded via API

  • events selected using the "output" action of D&R rules

LimaCharlie can be used to pipe data wherever you need it while monitoring the telemetry for threats.
This enables you to, for example, send detections and failed 1Password login attempts to Splunk, send LimaCharlie audit logs and select events to lower-cost destinations such as Snowflake or an Amazon S3 bucket, and leverage LimaCharlie’s one year of telemetry storage to retain everything else for search and compliance.

Control the granularity of what is sent

LimaCharlie outputs allow you to adjust the granularity of the data you want to share. Choose to send different event types to different destinations; decide to send emails only about high severity detections, or otherwise create the rules that fit your workflow. 

You have the ability to control what data is sent by leveraging our advanced filters & configurations which include: 

  • send the data only from a specific sensor or a group of sensors

  • send (or exclude) specific event types

  • wrap JSON event with event type

  • flatten JSON to a single level

  • Gzip files

  • only forward the original logs (excluding the routing label), to remove any additional overhead

and many others.
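
A minimal model of the routing and shaping options listed above, as an added example rather than LimaCharlie's own code or configuration schema. The option names (`stream`, `tag`, `include`, `exclude`, `wrap`, `flatten`, `payload_only`, `gzip`), the `/` key separator, and the sample records are all assumptions constructed for illustration.

```python
import gzip
import json

# Constructed (stream, record) samples; field and option names are illustrative only.
RECORDS = [
    ("event", {"routing": {"event_type": "DNS_REQUEST", "tags": ["workstation"]},
               "event": {"DOMAIN_NAME": "example.com"}}),
    ("event", {"routing": {"event_type": "NEW_PROCESS", "tags": ["server"]},
               "event": {"FILE_PATH": "/usr/bin/ssh", "PARENT": {"FILE_PATH": "/bin/bash"}}}),
    ("detect", {"routing": {"event_type": "NEW_PROCESS", "tags": ["server"]},
                "event": {"FILE_PATH": "/tmp/x"}}),
    ("audit", {"routing": {"event_type": "output_created", "tags": []},
               "event": {"by": "admin@example.com"}}),
]
OUTPUTS = {  # hypothetical option names, not LimaCharlie's configuration schema
    "siem": {"stream": "detect", "wrap": True},
    "archive": {"stream": "audit", "payload_only": True, "gzip": True},
    "server-events": {"stream": "event", "tag": "server", "exclude": {"DNS_REQUEST"}, "flatten": True},
}

def flatten(obj, prefix=""):
    """Collapse nested objects to one level: {"a": {"b": 1}} -> {"a/b": 1}."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}/{key}" if prefix else key
        flat.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return flat

def matches(stream, routing, out):
    """Stream, sensor-tag and event-type filters for one output."""
    return (out["stream"] == stream
            and ("tag" not in out or out["tag"] in routing["tags"])
            and ("include" not in out or routing["event_type"] in out["include"])
            and routing["event_type"] not in out.get("exclude", ()))

def render(record, out):
    """Shape one record: drop the routing label, flatten, wrap with event type."""
    body = record["event"] if out.get("payload_only") else record
    body = flatten(body) if out.get("flatten") else body
    body = {record["routing"]["event_type"]: body} if out.get("wrap") else body
    return json.dumps(body, sort_keys=True)

def route(records, outputs):
    """Return {output name: list of JSON lines, or gzip bytes if gzip is set}."""
    sent = {}
    for name, out in outputs.items():
        lines = [render(r, out) for s, r in records if matches(s, r["routing"], out)]
        sent[name] = gzip.compress("\n".join(lines).encode()) if out.get("gzip") else lines
    return sent
```

Calling `route(RECORDS, OUTPUTS)` shows that only the single detection reaches the `siem` output, while the audit record and the server process event go to the cheaper destinations.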

Other advantages of using LimaCharlie for data storage

By using LimaCharlie for data storage and Splunk cost reduction, you automatically gain access to many other powerful capabilities that a security-infrastructure-as-a-service approach enables, including:

  • Endpoint Detection & Response (EDR)

  • Windows Event Log monitoring

  • Yara Scanning

  • Atomic Red Team, Velociraptor, SOC Prime, and other integrations

Once your telemetry is flowing into LimaCharlie, it is easy to try any other security products and experiment with different vendors without having to reconfigure your whole setup. To send telemetry to a new security product, simply configure a new LimaCharlie Output. This allows you to have full visibility of where your security data is going, what exactly is going there, and granular control to decide what you want to send. Whether you want to output DNS traffic, detections from a single endpoint, or one specific event from a group of sensors - LimaCharlie’s advanced controls enable you to be as specific as you need to be. To stop the flow of data to any destination, simply remove the corresponding Output in LimaCharlie.

By introducing LimaCharlie in the middle, between data sources (Sensors) and destinations (Outputs), security teams can reduce Splunk spend, increase visibility, and gain full control over their data. 

LimaCharlie’s pricing is fully transparent, and you can get started without having to attend a demo or talk to the salespeople. Having said that, our security engineers are always happy to help with your use case and to suggest optimal ways to solve your problem.