CASE 55 · HOLLOW · 2024
Splunk to OpenSearch, without losing the SOC team.
A fintech company had a $1.4M annual Splunk contract up for renewal at a 22% price increase. The security operations team depended on Splunk’s search ergonomics. We migrated to OpenSearch + OpenSearch Ingestion, preserving the SPL → DSL translation work for the queries that mattered.
Fintech
MIGRATION
2024
RESULTS
What changed, by the numbers.
ANNUAL LICENCE: −83%
QUERY MIGRATION: 94%
SOC OPERATIONAL READINESS: DAY 1
INGESTION CAPACITY: +40%
HOW IT WENT
The SOC team had built years of muscle memory on Splunk’s search language. The migration risk wasn’t the data — it was breaking their workflow. We started with a full SPL query inventory: 380 saved searches, 24 dashboards, six alert rules they actually checked.
OpenSearch Ingestion absorbed the data sources (CloudTrail, VPC Flow Logs, application logs) with the right field mappings up front. We translated SPL to OpenSearch DSL query-by-query, reconciling outputs against Splunk’s answers until 94% matched. The 6% that didn’t were genuinely different queries (some were Splunk-specific eval expressions).
Cutover was staged: SOC kept Splunk read-only during the first month of OpenSearch operation, with both stacks ingesting in parallel. The Splunk contract didn’t renew. The team’s muscle memory adapted in about three weeks. Annual saving: ~$1.16M.
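Added illustration, not the engagement's tooling: a translator for the one SPL shape most saved searches take (field filters piped into `stats count by`), plus the reconciliation step that compares Splunk's stats rows with OpenSearch's aggregation buckets. The CloudTrail field names, the sample search and both systems' answers are constructed.

```python
import re
import shlex
from typing import Any

# Constructed example. Supports the search shape most SOC saved searches take:
# `index=<idx> f1=v1 f2="v 2" | stats count by <field>`. Anything else raises,
# which is the point: it goes on the hand-translation pile, like the 6% here.
STATS_RE = re.compile(r"^stats\s+count\s+by\s+(\w+)$")


def spl_to_dsl(spl: str) -> tuple[str, dict[str, Any]]:
    """Return (index, request body). Filters become `term` clauses, so the
    fields must be mapped as keyword (exact value), not analysed text."""
    stages = [s.strip() for s in spl.split("|")]
    index, filters = "*", []
    for tok in shlex.split(stages[0]):          # shlex keeps quoted values whole
        field, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"unsupported search token: {tok!r}")
        if field == "index":
            index = value                        # _search target, not a query clause
        else:
            filters.append({"term": {field: value}})
    body: dict[str, Any] = {"size": 0, "query": {"bool": {"filter": filters}}}
    for stage in stages[1:]:
        m = STATS_RE.match(stage)
        if not m:
            raise ValueError(f"unsupported pipeline stage: {stage!r}")
        by = m.group(1)
        body["aggs"] = {f"by_{by}": {"terms": {"field": by, "size": 10000}}}
    return index, body


def reconcile(splunk_rows: list[dict], os_resp: dict, by: str) -> dict[str, tuple]:
    """Compare Splunk `stats count by` rows with the OpenSearch terms buckets.
    Returns {key: (splunk_count, opensearch_count)} for every mismatch."""
    want = {r[by]: r["count"] for r in splunk_rows}
    got = {b["key"]: b["doc_count"] for b in os_resp["aggregations"][f"by_{by}"]["buckets"]}
    return {k: (want.get(k, 0), got.get(k, 0))
            for k in want.keys() | got.keys() if want.get(k, 0) != got.get(k, 0)}


# Constructed sample: a failed-console-login search and both systems' answers.
SPL = 'index=cloudtrail eventName=ConsoleLogin errorMessage="Failed authentication" | stats count by sourceIPAddress'
SPLUNK_ROWS = [{"sourceIPAddress": "198.51.100.7", "count": 12},
               {"sourceIPAddress": "203.0.113.9", "count": 3}]
OS_RESPONSE = {"aggregations": {"by_sourceIPAddress": {"buckets": [
    {"key": "198.51.100.7", "doc_count": 12}, {"key": "203.0.113.9", "doc_count": 2}]}}}

if __name__ == "__main__":
    print(*spl_to_dsl(SPL))
    print(reconcile(SPLUNK_ROWS, OS_RESPONSE, "sourceIPAddress"))
```

Splunk's `stats` counts every event, while a terms aggregation on a sharded index returns approximate top buckets once cardinality exceeds its `size`, so keep `size` above the expected number of distinct values when reconciling.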
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.