Hi All,

I have been working to create an approach for customers migrating from an existing Splunk SIEM (on-prem) to Google Chronicle. The other use case is Splunk Phantom to Chronicle SOAR migration.

In both cases it is difficult to map the migration approach, and surprisingly there is no detailed documentation in the Google docs. I am trying to map the Splunk log format (CIM), but parsers are needed as it is not supported.

Use cases, alerts migration, war rooms, dashboards etc. I am not going with the SIEM augmentation approach. Can anyone help with the best approach and practices to migrate? Another point is how to migrate the archived logs or present logs (in TBs) from Splunk to Google Chronicle. Pls suggest.