Migrate from Splunk to Google SecOps
This guide walks through adding Google SecOps alongside an existing Splunk pipeline, gradually shifting log sources, and eventually decommissioning Splunk — without disrupting your production workflows.
Prerequisites
A running Bindplane instance with at least one collector installed and reporting data
An existing pipeline in Bindplane sending logs to Splunk
A Google SecOps instance with your Chronicle customer ID and service account credentials
Step 1: Add SecOps as a second destination
Your starting point is an existing pipeline sending logs to Splunk:
Open the pipeline configuration you want to modify and click (+) Destination.
Select Google SecOps from the destination list.
Enter your Chronicle customer ID (found under Settings > Profile > Organization Details in SecOps) and upload your service account credentials file (Settings > Collection Agents > Ingestion Authentication File).
Save the destination. It will appear in the topology view but won't receive data yet.
Connect it to your pipeline: hover over the processor node on the source side of your pipeline, click +, then click the SecOps destination node. This routes telemetry to SecOps.
Important: Google SecOps expects raw, unparsed logs. If your sources support it, enable Include Log Record Original in the source's Advanced settings before routing to SecOps.
Add a Google SecOps Standardization processor directly before the SecOps destination. Configure the log type, namespace, and ingestion labels so SecOps knows which parser to apply. If you're unsure of the log type, use Pipeline Intelligence to identify it automatically from snapshot data.
Add any additional destination-level processors (filters, PII redaction, field drops) on the SecOps path. These run independently of your Splunk processors.
Click Start Rollout. Use progressive rollout to deploy to a subset of collectors first and verify data is arriving before rolling out to all collectors.
You are now running a dual-write setup — logs flow to both Splunk and SecOps simultaneously. Verify data is arriving in the Google SecOps search UI:
Step 2: Shift log sources to SecOps
Once you've validated SecOps is receiving data correctly, begin migrating log sources one at a time.
Migrate a log source
In your Splunk destination configuration, add a Filter by Condition processor.
Configure it to exclude logs where the
log_typeresource attribute matches the source you're migrating (e.g., Palo Alto firewall logs).
Those logs stop going to Splunk but continue flowing to SecOps.
Verify detections, dashboards, and alerts are working in SecOps for that source.
Repeat for each log source until all have been migrated, then disconnect the Splunk destination.
Start with lower-risk sources to build confidence before migrating business-critical data.
Pilot with a specific region or business unit
To validate SecOps with a subset of your team before a broader rollout:
Add a Routing Connector to your pipeline.
Route logs from your pilot region or business unit exclusively to SecOps.
Route all other logs to Splunk as before.
Once the pilot team has validated their workflows in SecOps, update the routing connector to move additional groups across.
When all groups have migrated, remove the Splunk destination.
Step 3: Process data for the SecOps path
Processing on the SecOps path focuses on data control and labeling, not parsing. Processors run independently of what's configured for Splunk.
Common processors to add on the SecOps path:
Filter by Condition — drop log types that don't need to be retained in SecOps
Remove Fields — strip sensitive fields before data leaves your environment
Redact — mask PII before ingestion
Google SecOps Standardization — set log type, namespace, and ingestion labels (required)
What's next
Once all log sources have been validated in SecOps and migrated off Splunk, disconnect the Splunk destination from your pipeline. Bindplane handles rollouts centrally, so no manual collector config edits are required at any stage.
Last updated
Was this helpful?