Splunk to Elastic SIEM Migration Checklist: A Step-by-Step Practitioner Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The decision to migrate from Splunk to Elastic usually starts as a budget conversation. Splunk's per-GB-per-day licensing model punishes growing organizations at exactly the moment their security data volume is expanding fastest. Elastic's compute-based and tiered storage pricing changes that equation significantly. But the migration itself is not a licensing swap. It is a full infrastructure replacement that touches every component of your SIEM deployment: log ingestion pipelines, detection rules, dashboards, threat hunting workflows, and analyst habits built around SPL syntax. Organizations that treat the migration as a weekend cutover project discover the gap the hard way when detections stop firing. The teams that do it successfully treat it as a parallel-run engineering project with defined parity gates. This checklist covers every phase in the order they need to happen.
Phase 1: Pre-Migration Assessment and Inventory
Before touching any infrastructure, you need a complete inventory of what you are migrating. Skipping this phase is the single most common reason migrations run over timeline and budget. The inventory has five components.
Splunk app and add-on inventory. Run | rest /servicesNS/-/-/apps/local to list all installed apps. For each app, document whether it provides: data inputs (TA for a specific log source), field extractions (CIM-mapped fields), knowledge objects (saved searches, alerts, macros), or dashboards. Every Splunk Technology Add-on (TA) that provides CIM field mapping needs an Elastic equivalent integration or custom ingest pipeline.
Data source inventory. Document every data source feeding Splunk: Windows Event Logs, Syslog, endpoint agents, cloud provider logs, network appliances, identity platforms. For each source record the current Splunk input method (Universal Forwarder, Heavy Forwarder, HEC, scripted input), approximate daily GB volume, and the Splunk index it lands in. This map becomes your Elastic Agent or Logstash migration target list.
Detection rule inventory. Pull all correlation searches from Splunk ES: | rest /servicesNS/-/-/saved/searches | search alert.track=1. Document each rule by: SPL query complexity (simple stats vs. subsearches vs. lookup-dependent), alert action (notable event, risk score, external webhook), MITRE ATT&CK mapping if present, and firing frequency in the last 90 days. Rules that fire zero times in 90 days should be evaluated for deprecation rather than ported.
Dashboard inventory. Export the list of dashboards and document which are used by which teams. Kibana can recreate most Splunk dashboard visualizations but the panel-by-panel rebuild is manual work. Prioritize dashboards that SOC analysts touch daily and defer low-usage operational dashboards.
Splunk license tier and data retention. Document your current ingest volume by index and your Splunk license tier (Enterprise, Cloud, Infrastructure Monitoring). This is the baseline for the cost comparison model you will build in Phase 7.
Phase 2: EQL vs SPL Translation and Detection Rule Porting
SPL (Search Processing Language) and EQL (Event Query Language) are fundamentally different in architecture. SPL is a pipeline language where each step transforms results from the previous step. EQL is a sequence-and-pattern language optimized for detecting ordered events across time. The mental model shift matters for detection engineers.
Key syntax differences. SPL pipes filter and transform: index=windows EventCode=4624 | stats count by user | where count > 10. EQL sequences describe event chains: sequence by user [authentication where event.outcome == "success"] with maxspan=5m [process where process.name == "cmd.exe"]. Simple SPL searches with stats and where translate relatively cleanly. Subsearches ([search ...]) and lookup joins (| lookup threat_intel.csv ip AS src_ip) require architectural rethinking in EQL.
The Sigma conversion approach. For organizations with MITRE ATT&CK-aligned detection rules, Sigma is the most practical migration path. Sigma is a vendor-neutral detection rule format with converters (sigmac or the newer pySigma) that output both SPL and EQL. The SigmaHQ repository contains thousands of community rules already in Sigma format, many of which correspond directly to Splunk ES content library rules. The migration workflow: export Splunk ES correlation search SPL, find the equivalent Sigma rule in the SigmaHQ repo, convert to EQL with pySigma, and validate. For rules with no Sigma equivalent, manual EQL authoring is required.
Common pitfalls in SPL-to-EQL conversion. First: Splunk macro expansion. SPL macros (defined with backticks) expand at search time. EQL has no macro system. Every macro reference in a Splunk rule must be manually expanded before conversion. Second: subsearch as filter. SPL subsearches like [search index=threat_intel | fields ip | rename ip as src_ip] perform in-line lookups. EQL handles this with enrich policies loaded from Elasticsearch indices, which require separate configuration. Third: time-based stats across long windows. SPL stats over rolling 24-hour windows are straightforward. EQL sequence matching has configurable maxspan but long-window aggregations use ES aggregations in Kibana rules, not pure EQL.
For SIEM alert tuning after migration, expect a retuning cycle of 4-6 weeks as EQL thresholds are calibrated to your environment's baseline. Rules translated from SPL will almost always fire differently in EQL because field values and event structure differ between Splunk CIM-normalized data and ECS-normalized data.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Phase 3: Log Source Migration from Forwarders to Elastic Agent
The log ingestion layer is where migration complexity lives. Splunk's Universal Forwarder and Heavy Forwarder ecosystem has been deployed in most organizations over years, with custom inputs, field extractions, and routing rules embedded in configuration files across hundreds of endpoints.
Universal Forwarder to Elastic Agent. For Windows Event Log, Syslog, and simple file-based log collection, Elastic Agent with Fleet management is a direct replacement for the Universal Forwarder. Fleet provides centralized policy management that mirrors Splunk's deployment server for forwarder configuration. The migration path: deploy Elastic Agent to a pilot group of endpoints, configure the equivalent integration (Windows, System, or custom log collection), validate that events appear in Elasticsearch with correct ECS field mapping, then roll out to production via Fleet policies.
Heavy Forwarder to Logstash or Elastic Agent Fleet. Splunk Heavy Forwarders performing parsing, routing, and transformation need more careful replacement. For parsing-heavy workflows, Logstash with the appropriate input and filter plugins is the most direct architectural equivalent. For routing-heavy workflows (sending different log types to different indexes), Elastic Agent's output routing and Fleet policy structure handles this natively. Organizations with complex Heavy Forwarder configurations often run a transitional Logstash layer that handles parsing while Elastic Agents handle collection, then consolidate once ECS field mappings are validated.
Index mapping strategy. Splunk indexes map roughly to Elasticsearch data streams. The critical difference is field schema enforcement: Elasticsearch data streams enforce field type mappings, which means a field that arrives as a string in one event but an integer in another will cause mapping conflicts and indexing failures. Establish ECS mappings for every data source before ingestion begins. The Elastic integration packages handle ECS mapping automatically for supported log sources. Custom log sources require manual ECS field mapping work.
Timestamp normalization. ECS uses @timestamp in UTC with millisecond precision. Splunk normalizes timestamps during indexing and handles timezone conversion automatically. For data sources with inconsistent timestamp formats or local timezone values, Elastic ingest pipelines need explicit date processor configurations. Timestamp normalization failures are one of the most common causes of broken sequence-based detections in EQL, because events that appear to arrive out of order break sequence matching.
Phase 4: Detection Rule Migration and MITRE ATT&CK Alignment
Elastic Security ships with a prebuilt detection rule library of 900+ rules aligned to MITRE ATT&CK. Before porting Splunk ES correlation searches manually, audit which prebuilt Elastic rules cover the same techniques. For many organizations, the Elastic prebuilt rules cover 60-70% of their active Splunk ES correlation searches with no migration work required beyond enabling the rule and configuring thresholds.
Comparing Splunk ES content to Elastic prebuilt rules. Map each active Splunk ES correlation search to its MITRE ATT&CK technique. Then check whether Elastic's prebuilt rule library covers that technique. The Elastic detection-rules GitHub repository documents each rule's MITRE ATT&CK coverage. For covered techniques, validate that the Elastic prebuilt rule fires correctly against your log sources before deprecating the Splunk rule.
Porting custom SPL correlation searches. For organization-specific detections with no Splunk ES content library equivalent and no matching Elastic prebuilt rule, the porting process is: translate the SPL logic to EQL, validate against historical event data using Timeline in Kibana, set threshold and suppression parameters, and enable in detection engine. The Kibana detection rule editor provides real-time EQL syntax validation that catches common errors before a rule goes live.
Risk scoring migration. Splunk ES risk-based alerting (RBA) assigns risk scores to entities over time rather than generating individual alerts for each event. Elastic Security's risk scoring feature provides equivalent functionality via asset criticality scoring and risk engine configuration. The risk score logic does not translate directly between platforms. RBA rules need to be rebuilt using Elastic's risk engine framework rather than converted from SPL.
Maintaining alert parity during migration. Run Splunk and Elastic detections in parallel for at least 30 days and compare alert outputs daily. Alerts that fire in Splunk but not Elastic indicate a porting gap. Alerts that fire in Elastic but not Splunk may indicate either a detection improvement or a false positive introduced by ECS field normalization differences. Document every divergence and resolve before cutover.
Phase 5: Dashboard Migration and Cutover Planning
Kibana vs Splunk Dashboard comparison. Splunk dashboards use Simple XML or Dashboard Studio. Kibana provides Lens, Canvas, and Dashboard panels backed by ES|QL or KQL queries. The visualization types are largely equivalent but the query language and data model are different. A Splunk table panel driven by stats count by src_ip, dest_ip becomes a Kibana Lens table with a terms aggregation on source.ip and destination.ip (ECS field names). Every panel requires manual recreation; there is no automated dashboard conversion tool that produces usable results.
Prioritize dashboard migration by usage. SOC analyst operational dashboards that are opened daily come first. Executive and management dashboards come second. Historical reporting dashboards that are run monthly can be migrated last or rebuilt on demand.
Parallel run period. The parallel run is the most important operational safety net in the migration. During the parallel run: Splunk continues as the primary SIEM driving SOC alerts and investigations. Elastic ingests the same log sources and runs detections, but alerts are reviewed for accuracy rather than acted on as primary. The parallel run continues until Elastic alert parity reaches 95%+ of Splunk alert volume for the same events, dashboard coverage matches operational needs, and analyst workflows are validated in Kibana.
A 30-60 day parallel run is the minimum for a responsible cutover. Organizations with complex detection environments or compliance requirements for audit continuity should plan for 90 days.
Rollback plan. Maintain Splunk in a suspended state for 30 days post-cutover. Do not decommission Splunk infrastructure until the first full month of Elastic-only operations is validated. Keep Splunk indexes accessible for historical data queries during the transition period. The rollback trigger should be defined in advance: if Elastic alert volume drops below 80% of expected baseline for more than 48 consecutive hours, the rollback plan activates.
Phase 6: Cost Modeling and Common Failure Modes
Splunk vs Elastic cost modeling. Splunk Enterprise licensing is typically calculated on GB per day of indexed data. A 100 GB/day deployment at standard Enterprise pricing runs roughly $150,000-200,000 per year in licensing before infrastructure costs. Elastic Cloud pricing on the same ingest volume depends on deployment configuration: hot tier data for active querying, warm tier for recent historical data, and cold/frozen tier for long-term retention. A typical Elastic Cloud configuration for 100 GB/day with 90-day hot retention and 365-day warm retention runs significantly less than Splunk's equivalent tier, though exact pricing varies by cloud provider, region, and committed spend.
On-premises Elastic (self-managed) eliminates licensing cost but adds operational burden. Factor in infrastructure costs (compute and storage), engineering time for cluster management, and upgrade cycles. Many organizations find that Elastic Cloud's managed offering at 40-60% of Splunk's licensing cost is the right balance between savings and operational overhead.
Common failure modes to plan around. First: EQL any where performance. EQL's any where clause queries across all event types and can be extremely resource-intensive on large indices. Splunk SPL searches that use index=* broadly have analogous performance issues but Splunk's search optimization is more mature. Constrain EQL rules to specific data streams using where clauses on data_stream.dataset rather than querying all indices.
Second: field name mapping failures. Splunk CIM uses src_ip for source IP addresses. ECS uses source.ip. Detection rules that reference CIM field names will not fire against ECS-normalized data. This is the single most common cause of silent detection failures post-migration. Audit every ported rule for CIM-to-ECS field name substitutions.
Third: Sigma rule conversion edge cases. pySigma is the best available tool for Sigma-to-EQL conversion, but it does not handle all Splunk-specific Sigma backend features. Rules that use condition: 1 of them across multiple detection sets require manual EQL rewriting using any of syntax. Rules that reference Sigma field mappings specific to the Splunk backend may generate incorrect EQL field references when converted to the Elastic backend.
For a deeper look at how Splunk and Elastic compare on capabilities beyond migration mechanics, see Splunk vs Elastic for a side-by-side feature comparison.
The bottom line
A Splunk to Elastic migration done right takes longer than the budget conversation that started it, but the organizations that run a disciplined parallel-run process with defined parity gates come out with a faster, more cost-effective SIEM and a detection rule library that is better documented than the one they left behind. The shortcuts that shorten the timeline, skipping the parallel run, doing a hard cutover without rollback infrastructure, porting rules without field name validation, are the same shortcuts that result in the detection gaps that make the migration look like a failure. Budget 3-6 months for a complete migration at moderate ingest volumes, plan the parallel run as a first-class engineering workstream, and validate alert parity before decommissioning anything.
Frequently asked questions
Is Elastic SIEM free?
Elastic Security's detection and alerting features are available at no additional cost on top of the Elasticsearch infrastructure you are already running. The core SIEM functionality, including detection rules, timeline, and case management, is included in Elastic's Basic tier, which is free. However, some advanced features such as entity analytics, machine learning-based anomaly detection, and attack discovery require a paid Elastic subscription (Platinum or Enterprise). Elastic Cloud, the managed hosting offering, charges for compute and storage resources. Self-managed Elasticsearch clusters are free to run but carry infrastructure costs. The comparison to Splunk's licensing model is most meaningful when you include all-in costs: Elastic infrastructure or cloud spend versus Splunk licensing plus infrastructure.
How do you convert SPL to EQL?
The most practical approach for converting SPL to EQL at scale is through Sigma, the vendor-neutral detection rule format. For rules that exist in the SigmaHQ repository, use the pySigma tool with the Elastic backend to generate EQL output: `sigma convert -t eql -p ecs_windows rule.yml`. For custom SPL rules with no Sigma equivalent, the translation is manual. Key syntax differences to handle: SPL pipe chains become EQL `where` clauses and sequence blocks; SPL `stats count by` becomes EQL with ES aggregation rules rather than pure event sequence rules; SPL subsearches become EQL `enrich` policies referencing Elasticsearch lookup indices; SPL macro expansions must be manually resolved before conversion. After conversion, validate every rule against historical event data in Kibana Timeline before enabling it in the detection engine.
How long does a Splunk to Elastic migration take?
A realistic timeline for a complete Splunk to Elastic migration is 3-6 months for organizations ingesting 50-500 GB per day with a moderate detection rule library (50-200 active correlation searches). The timeline breaks down roughly as: 2-4 weeks for pre-migration inventory and planning; 4-8 weeks for log source migration and Elastic Agent deployment; 4-8 weeks for detection rule porting and validation; 30-90 days for the parallel run period with alert parity verification; and 2-4 weeks for dashboard recreation and analyst training. Organizations with larger detection rule libraries, more complex Heavy Forwarder configurations, or compliance requirements for continuous audit coverage should plan toward the longer end of those ranges. The parallel run period should not be compressed: it is the validation layer that determines whether the cutover is safe.
What is the biggest risk in migrating from Splunk to Elastic?
Silent detection failures caused by field name mapping differences between Splunk's Common Information Model (CIM) and Elastic Common Schema (ECS) are the highest-risk element of the migration. A ported detection rule that references `src_ip` (Splunk CIM) instead of `source.ip` (ECS) will not generate syntax errors in EQL; it will simply return zero results because the field name does not exist in ECS-normalized data. This means the rule appears functional but never fires. The mitigation is mandatory field name auditing of every ported rule combined with the parallel run: if a rule fires in Splunk but not in Elastic against the same event data, field name mapping is the first place to investigate. Maintaining a CIM-to-ECS field mapping reference document and using it as a checklist during rule porting significantly reduces this failure mode.
Should I use Logstash or Elastic Agent for the migration?
For most log sources, Elastic Agent managed through Fleet is the right choice. It provides centralized policy management, automatic ECS normalization for supported integrations, and a deployment model that is easier to operate long-term than a Logstash infrastructure. For log sources with complex parsing requirements (custom application logs with multi-line formats, legacy appliances with non-standard syslog formats, or high-volume network flow data requiring heavy transformation), Logstash remains the better tool because its filter plugin ecosystem is more mature for complex parsing scenarios. A common hybrid approach: Elastic Agent handles endpoint and cloud log collection where integration packages exist, while Logstash handles the long tail of custom and legacy log sources that require pipeline-based parsing. As Elastic Agent integration coverage expands, the Logstash footprint can be reduced over time.
How do you validate detection rule parity between Splunk and Elastic during a parallel run?
Detection rule parity validation requires a structured comparison process that goes beyond simply checking whether both platforms generated an alert. For each active Splunk ES correlation search, create a test event (using tools like Atomic Red Team or manual log injection) that should trigger the rule, and confirm both platforms fire within an acceptable time window. Export Splunk notable events for a rolling 30-day window using the notable index and compare against Elastic SIEM alerts over the same period, grouping by MITRE ATT&CK technique and source host to surface systematic gaps. Silent failures, where Elastic receives the same raw events but the rule does not fire, are almost always caused by ECS field name mismatches or by EQL sequence maxspan values that are too narrow compared to the original SPL time window. For risk-based alerting rules, compare entity risk scores between platforms rather than individual alert counts, since Splunk RBA and Elastic risk engine aggregate scores differently even when they detect the same underlying events. Document every divergence in a tracking spreadsheet with the root cause and remediation action before marking any technique as achieving parity.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
