Query Your Hydrolix Data in Splunk With SPL (2025)

Key Points:

  • With Hydrolix Search for Splunk, you can query your Hydrolix clusters in Splunk using Splunk Search Processing Language (SPL).
  • Alternatively, you can use Splunk DB Connect for Hydrolix to use Clickhouse-flavored SQL in Splunk to query your Hydrolix clusters.
  • Both connectors can help cut the total cost of ownership (TCO) of your log data by 6x or more.
  • Enhance your Splunk visibility with high-volume log data use cases like multi-CDN monitoring.

If you're a Splunk user, you already know that Splunk has world-class tooling, a powerful query language, and the ability to unify your security and observability data. But it comes with a catch, at least when it comes to high volumes of data: a hefty price tag.

Hydrolix’s custom Splunk connectors can help solve this problem. By using Hydrolix to ingest, store, and query your log data, you can reduce the total cost of ownership (TCO) of your log data by 6x or more, all while keeping the Splunk interface and using a streaming data lake designed for log data at petabyte scale.

Our latest connector, Hydrolix Search for Splunk, allows you to use Splunk Search Processing Language (SPL) to query your Hydrolix cluster directly from Splunk. Hydrolix Search for Splunk is available in Splunkbase (the Splunk marketplace).

With this release, Hydrolix now offers two Splunk connectors:

  • Hydrolix Search for Splunk is available in Splunkbase and allows you to use SPL to query your Hydrolix cluster. For simplicity, you can choose from a simple list of fields for SELECT statements with full support for WHERE clauses.
  • Splunk DB Connect, combined with a lightweight, custom Hydrolix JDBC driver, lets you query Hydrolix data from Splunk with SQL. You can set it up in about 30 minutes. With Splunk DB Connect, you have access to full Clickhouse SQL functionality (Hydrolix uses ANSI-compliant SQL based on Clickhouse).

Both connectors provide the same core functionality: the ability to use Splunk's UI for visualizing, alerting on, and analyzing data stored in Hydrolix clusters. To determine which connector is best for your teams, jump to Which Connector Fits Your Use Case?

Benefits of Combining Hydrolix and Splunk

Splunk is a powerful tool that allows you to unify your observability and security analytics in one platform. Combined with a flexible query language (SPL) that uses pipes to refine your query results, it's the observability platform of choice for many teams.

However, Splunk can be very expensive for enterprises that ingest terabytes of log data every day. The average volume of log data has gone up 500% over the past three years. As a result, many enterprises have to choose between paying high costs, discarding data, or moving data into tiered, cold storage where it's difficult to access and analyze.

Some data sources such as CDNs and firewall logs generate a massive amount of data. CDN logs are necessary to ensure that assets like videos are delivered efficiently to users around the world. Meanwhile, firewall logs are just one of many log sources that must be monitored comprehensively for a strong security posture. Comprehensive monitoring of these kinds of high-volume log sources often isn't practical or cost-effective with Splunk.

For enterprises ingesting at least one terabyte of log data per day, it's best to use a specialized tool for high volumes of log data such as Hydrolix. But that doesn’t mean you have to give up Splunk.

With Hydrolix Search for Splunk, Hydrolix can ingest large volumes of data, store it cost-effectively, and then make it available to Splunk to use with SPL and Splunk analytics. The next image shows how Hydrolix's streaming data lake architecture can ingest, process, and store log data for Splunk users.

[Image: Hydrolix streaming data lake architecture feeding Splunk]

With Hydrolix, you can:

  • Ingest and transform large volumes of log data for real-time analytics. Data is typically ready to query within seconds of ingestion, even at ten million log lines per second.
  • Store data in S3-compatible object storage with compression rates of 90% or more, giving dramatic reductions in storage costs and long-term "hot" data retention (15 months by default).
  • Query very large datasets with sub-second latency, regardless of whether the data is a minute or a year old.

These strengths make Hydrolix a great fit for big data use cases like multi-CDN monitoring and threat hunting across security data, and complementary to Splunk's tooling.

Analyze Your Hydrolix Data With Splunk

One common use case for Splunk is needle-in-a-haystack queries, which Hydrolix excels at. For example, with a quick search of CDN logs, you can see which client IP addresses are most common. A single address generating an outsized share of requests can point to a DoS (denial of service) attack or other malicious activity, such as an attacker probing your network. Treat the count as a lead rather than proof: corporate NAT egress, monitoring probes, and search crawlers also show up as heavy hitters.

You can then drill into the logs from that IP address combined with other fields such as status code, request path, and time range. The next image shows how quickly you can see the top ten IPs from your query results. Here the needle-in-a-haystack is tracking down the log lines from one IP in one time range within a trillion-row dataset.

[Image: Top ten client IP addresses from a CDN log search in Splunk]

Many observability solutions have challenges with use cases like multi-CDN monitoring because they can generate terabytes of data from many different sources. With Hydrolix, you can ingest multiple data sources (such as CDNs) into a single table. As a result, you can easily compare sources later without complex join statements.

You can also slice your data in many different ways with SPL. For example, you could use SPL to determine the percentage of requests for each HTTP status code across all your CDN logs. The next image shows the results of a piped SPL query that returns the count and percentage of each status code.

[Image: Count and percentage of each HTTP status code returned by a piped SPL query]
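As an added illustration of the top-talker, drill-down, and status-code analyses described above (these searches are not from the original post or from Hydrolix's documentation), the three SPL searches below show the piped commands Splunk runs once Hydrolix Search for Splunk has returned the filtered rows. `<hydrolix search>` stands in for whatever generating search your installation uses to pull the CDN table, with the timepicker range already applied; the field names `client_ip` and `status_code`, the address 203.0.113.5, and the 10,000-request threshold are placeholders.

```spl
<hydrolix search>
| top limit=10 client_ip
| where count > 10000

<hydrolix search> client_ip="203.0.113.5"
| timechart span=1m count BY status_code

<hydrolix search>
| stats count BY status_code
| eventstats sum(count) AS total
| eval percent=round(100 * count / total, 2)
| fields status_code count percent
| sort -count
```

The `where count > 10000` clause turns the top-talker list into an alert condition; the `timechart` on one address shows whether its traffic is a sustained burst of errors (typical of a flood or a scanner) or a steady, successful stream. `top` already emits `count` and `percent` for each value, so the third search is only needed when you want control over rounding or extra grouping (add `BY cdn` to the `stats` and `eventstats` commands to compare sources side by side). One caveat: this connector returns filtered rows, 5,000 by default, and Splunk does the aggregation, so a `top` over a wide time window is computed on a sample. For exact counts over months of data, narrow the time range, or push the aggregation into Hydrolix with the DB Connect path described in the connector comparison below.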

With Hydrolix Search for Splunk, you combine the best of both worlds: the analytics of Splunk with a streaming data lake designed for log data. Even better, you can dramatically reduce your TCO by combining Hydrolix with Splunk.

Reduce Your Observability Total Cost of Ownership (TCO) by 6x

Hydrolix can help you reduce the TCO of an observability stack that uses Splunk, typically by 6x or more. You can keep more data for longer and reduce your observability costs. See our pricing estimator to compare the cost of a Hydrolix license versus observability solutions like Splunk, Elastic, and Datadog.

Note that many solutions such as Splunk and Datadog don't offer long-term data retention. Yet Hydrolix is still much more cost-effective even while allowing you to retain data much longer.

At one terabyte of raw data per day and 15 months of "hot" data retention, the estimated cost of Hydrolix is ~$0.37/GB.

At the same one terabyte of raw data per day, the estimated cost of Splunk is ~$2.28/GB, with a much shorter "hot" data retention window, typically 30 days.

That is a roughly 6x saving on TCO, and Hydrolix gives you 15 months of "hot" data retention versus one month in Splunk.

Reducing your TCO has multiple downstream benefits:

  • No more choosing between your data and your bottom line
  • Keep all your data—no discarding data or sampling needed
  • Retain data for longer (15 months by default) for security, compliance, and data science use cases
  • Reduced friction between teams that need observability and decision makers that need to manage budgets

Too many enterprises ask, "Are we paying too much for observability?"

The better question is, "How can we maximize the value of our observability data across more use cases?"

By combining Hydrolix with Splunk, you can remove observability gaps while reducing costs. Spend more time asking questions that maximize value for your business instead of worrying about whether your observability tools will break your budget.

Which Connector Fits Your Use Case?

While both connectors have the same core functionality (querying your Hydrolix clusters from Splunk), there are some key differences. The following table explains the differences.

TL;DR:

  • If your teams use SPL and can live with a few sensible limits on query results, choose Hydrolix Search for Splunk. (Recommended for SPL users.)
  • If your teams want full Clickhouse SQL functionality, don't need SPL, and don't want limits on queries, choose Splunk DB Connect. (Recommended for SQL and Clickhouse power users.)

| Feature | Hydrolix Search for Splunk | Splunk DB Connect |
| --- | --- | --- |
| Query language | Splunk Search Processing Language (SPL) | ANSI-compliant SQL with full Clickhouse functionality |
| SELECT statements | Choose from a simple list of fields | Full support for complex SELECT statements |
| WHERE clauses | Full support for WHERE clauses | Full support for WHERE clauses |
| Built-in limits | Timepicker for time range filtering; default limit of 5,000 results | None: lots of flexibility, but inexperienced users can execute compute-intensive queries |
| Query processing | Hydrolix returns filtered results and Splunk handles SPL piped commands | Hydrolix handles query processing and returns final results |
| Connection | Uses the Hydrolix API | Uses Splunk DB Connect |
| Connect to multiple Hydrolix clusters | Yes | Yes |
| Installation | Quick install through Splunkbase | Set up driver and database connection (approximately 30 minutes) |
| Documentation | Via Splunk With Hydrolix Search | Via Splunk DB Connect |
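As an added example for the DB Connect path (not from the original post or from the Hydrolix docs), here is the same top-talker question with the aggregation pushed into Hydrolix as Clickhouse SQL through DB Connect's `dbxquery` command, so only ten rows ever come back to Splunk. The connection name `hydrolix`, the table `cdn.logs`, and the column names `client_ip`, `status_code`, and `timestamp` are placeholders for your own configuration, as are the 10,000-request and 50% error thresholds.

```spl
| dbxquery connection="hydrolix" query="SELECT client_ip, count() AS requests, countIf(status_code >= 400) AS errors FROM cdn.logs WHERE timestamp >= now() - INTERVAL 1 HOUR GROUP BY client_ip ORDER BY requests DESC LIMIT 10"
| eval error_ratio=round(errors / requests, 3)
| where requests > 10000 OR error_ratio > 0.5
```

Because DB Connect imposes no limits of its own, every query you save or schedule should carry a time bound in the WHERE clause and a LIMIT, as this one does; an unbounded SELECT over a table holding 15 months of CDN logs is exactly the compute-intensive query the table above warns about. For the same reason, configure the DB Connect connection with a read-only Hydrolix credential scoped to the tables analysts actually need.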

Next Steps

If you're already using both Splunk and Hydrolix, the next step is to choose your connector and get started.

  • Read the Hydrolix Search for Splunk docs.
  • Read the Splunk DB Connect docs.

If you're a Splunk user interested in seeing Hydrolix for yourself, contact Hydrolix about a trial or demo.

Author: Moshe Kshlerin