Many organizations adopt Splunk because it is powerful and flexible. Over time those same organizations discover a painful reality. The ingestion bill keeps growing.
The natural reaction is to reduce logging. That approach almost always creates blind spots. Security teams lose the ability to investigate incidents because the data they need never reached the platform.
The better approach is to optimize what enters the system.
The Real Cause of Runaway Costs
Splunk licenses on ingest volume: gigabytes per day for on-premises deployments, workload credits for Splunk Cloud. The licensing model means every additional data source increases cost directly, and there's no natural pressure to remove sources once they're added. Teams add new log sources when they deploy new tools or respond to new requirements, but old sources rarely get turned off. The result is an environment where ingest volume grows steadily year over year with no corresponding growth in security value.
The most expensive sources in most environments are also the noisiest. Windows Security event logs with audit success events enabled capture every successful authentication, every service account activity, every scheduled task execution. The vast majority is expected, routine, and analytically useless. Web proxy logs with full request bodies log every URL, every query parameter, every header for every request on the network. Application debug logs emit events designed for developers troubleshooting code, not security teams detecting threats. Network flow data at full verbosity captures every connection between every device. These sources can individually consume hundreds of gigabytes per day.
Most organizations have no inventory of what they're ingesting or what each source costs per day. Building that inventory is the mandatory first step. Without it, optimization is guesswork. You can reduce cost by accident while eliminating sources that matter, or spend significant effort on sources that contribute little to the total. A source-level cost breakdown, even a rough one, changes optimization from a vague goal into a targeted project.
What You Can Safely Filter
Not all events carry equal security value, and treating them as if they do is what creates the cost problem in the first place.
High-value events are the ones that matter for detection and investigation: authentication events (especially failures and privileged account activity), privilege escalation, process execution on sensitive systems, network connections to and from critical assets, DNS queries, file access on systems that handle sensitive data, and configuration changes. These events are worth keeping regardless of volume. They're the raw material for detection logic and investigation.
Low-value events are the ones that consume volume without contributing analytical value: successful routine authentication from service accounts running on a fixed schedule, health check traffic between known infrastructure components (load balancers polling application servers, monitoring agents checking system state), debug-level application logs emitting informational messages about normal operation, and repetitive infrastructure polling that generates the same event hundreds of times per hour.
The mistake most organizations make is filtering by source type, deciding that all proxy logs or all Windows events are low value and dropping them. The right approach is event-level filtering: keeping the security-relevant events from verbose sources and dropping the noise. A Windows Security log contains both Event ID 4625 (failed logon, high value) and Event ID 4688 (process creation, context-dependent) and Event ID 4648 (logon with explicit credentials, often low value in certain contexts). Blanket filtering of Windows Security logs removes all of them. Targeted filtering keeps what matters.
One constraint that's non-negotiable: compliance requirements. If your organization is subject to a framework that mandates specific log retention (CMMC, FedRAMP, HIPAA, PCI DSS) those events are not candidates for filtering regardless of their volume. Filtering decisions need to be reviewed against retention requirements before implementation, not after.
Where Cribl Fits
Cribl Stream is a log pipeline platform that sits between your data sources and your SIEM. Forwarders and agents send raw events to Cribl rather than directly to Splunk. Cribl applies transformation rules to those events and routes the processed output to one or more destinations. The cost reduction comes from what happens between ingestion and delivery.
Field reduction removes fields from events before they reach Splunk. A Windows Security event log entry contains dozens of fields: process identifiers, thread IDs, subject logon IDs, target logon IDs, and a range of other fields that carry no analytical value for most detection use cases. Stripping those fields before the event reaches Splunk reduces the indexed event size without removing the information that matters. A 2KB event becomes a 400-byte event. That reduction compounds across millions of events per day.
Event filtering drops entire event classes that provide no security value. Cribl applies conditions based on source, event ID, field values, or any combination, routing matching events to a null destination instead of Splunk. Health check traffic matching a known source IP pattern, application info-level logs matching a specific logger name, Windows event IDs that have been determined to carry no detection value for your environment. These can be dropped entirely without reaching the indexer.
Aggregation collapses high-volume repetitive events into summary records. Instead of indexing 100 identical DNS queries for the same domain from the same host in a five-minute window, Cribl can emit a single summary event with a count field. The analytical value (the fact that this host queried this domain) is preserved. The volume cost of 100 individual events is reduced to one. This is particularly effective for network flow data and DNS logs in environments with high query volumes.
Routing sends different event types to different destinations based on their purpose. Security events that need to be searchable in real time go to Splunk. Operational metrics that the infrastructure team needs go to a cheaper observability platform. Compliance logs that must be retained for seven years but are rarely queried go to object storage at a fraction of the cost of Splunk indexing. A single data source can be split and routed to multiple destinations, with each destination receiving only the subset of data it actually needs.
The 30–70% ingest reduction figure is real, but it depends heavily on source mix. Environments dominated by verbose Windows event logs, web proxy data, and full-verbosity network flow see the largest gains because there's a large volume of filterable noise to eliminate. Environments where ingest is already dominated by high-value, low-volume sources like authentication logs and EDR telemetry will see smaller reductions, but they also have less of a cost problem to begin with.
Tiered Storage
Pipeline optimization controls what enters Splunk. Storage tiering controls how long it stays in expensive indexes once it's there.
Splunk SmartStore and Federated Search enable hot/warm/cold data tiers. Recent data (the last 30 to 90 days depending on your investigation workflow) stays in fast, locally-indexed storage where searches return quickly. Older data migrates automatically to cheaper object storage: S3, Azure Blob, or Google Cloud Storage. The data remains searchable through Splunk's federated search capability. The data doesn't disappear; it just lives in cheaper storage.
The practical impact is significant for environments that retain data for compliance reasons. If a framework requires three years of log retention and you're indexing that data in standard Splunk storage, the cost of retaining year two and year three data is the same as retaining data from yesterday. With SmartStore, years two and three move to object storage at a fraction of the cost while remaining accessible for audits and investigations.
The tradeoff is search speed. Cold tier searches against object storage are slower than hot tier searches against local indexes. For active incident response on recent events, this doesn't matter. The data you're pivoting through is in hot storage. For historical compliance queries or forensic investigations that reach back months, slower searches are generally acceptable. That tradeoff should be explicit in your storage policy so teams have accurate expectations about query performance on older data.
What Not to Do
The failure modes in Splunk cost optimization are predictable, and they're worth naming explicitly.
Don't reduce logging by turning off sources entirely. The temptation when facing a large bill is to disable the most expensive sources. The problem is that expensive sources are often expensive because they're verbose, and verbose sources frequently contain the events you need most during an incident. Turning off Windows Security logging to save money and then having a lateral movement incident where authentication trails are the key evidence is an outcome that's difficult to explain. Optimize the source, don't eliminate it.
Don't filter based on volume alone. A source that contributes 500MB per day to your ingest might be generating exactly 500MB of events you need. Volume is a signal that a source is a candidate for optimization review, not by itself a justification for filtering. Evaluate security value independently from volume.
Don't optimize without an inventory. Filtering decisions made without a source-level cost breakdown will produce unpredictable results. Build the inventory first. Know which sources are responsible for what percentage of total ingest before making any changes. This also gives you the ability to measure the impact of optimization accurately. Before and after comparisons require knowing the before.
Don't skip compliance review. Filtering decisions need to be reviewed against your compliance obligations before implementation. A filtering rule that drops events required by your framework creates a compliance gap that may not be discovered until an audit. Get the compliance requirements on paper, map them against proposed filter rules, and document the review before making changes.
The Goal: More Signal, Less Noise
The goal is not reducing visibility. The goal is increasing signal while reducing noise.
Organizations that approach Splunk cost optimization as a data engineering problem: building an inventory, evaluating event value at the field and event level, deploying a pipeline layer to filter and route, and implementing tiered storage for retention. Organizations consistently find that they can reduce ingest volume significantly while improving the quality of what reaches their analysts. Less noise means faster searches, more reliable detections, and lower operational overhead for the security team.