# Migrate from Splunk to Google SecOps

This guide walks through adding Google SecOps alongside an existing Splunk pipeline, gradually shifting log sources, and eventually decommissioning Splunk — without disrupting your production workflows.

## Prerequisites

* A running Bindplane instance with at least one collector installed and reporting data
* An existing pipeline in Bindplane sending logs to Splunk
* A Google SecOps instance with your Chronicle customer ID and service account credentials

***

## Step 1: Add SecOps as a second destination

Your starting point is an existing pipeline sending logs to Splunk:

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-1f21d5ccd5b096054cc7cc2e4df460b8cacd268c%2Fhow-to-guides-migrate-splunk-to-secops-image-1.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - existing Splunk pipeline"><figcaption></figcaption></figure>

1. Open the pipeline configuration you want to modify and click **(+) Destination**.
2. Select **Google SecOps** from the destination list.
3. Enter your **Chronicle customer ID** (found under Settings > Profile > Organization Details in SecOps) and upload your **service account credentials file** (Settings > Collection Agents > Ingestion Authentication File).
4. Save the destination. It will appear in the topology view but won't receive data yet.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-926d17ee52fddcd61dc45a19fa39636f2416a2d7%2Fhow-to-guides-migrate-splunk-to-secops-image-4.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - SecOps destination added but not yet connected"><figcaption></figcaption></figure>

5. Connect it to your pipeline: hover over the processor node on the source side of your pipeline, click **+**, then click the SecOps destination node. This routes telemetry to SecOps.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-f191873e7835f16dc48d40afcbaa89cce326cadd%2Fhow-to-guides-migrate-splunk-to-secops-image-5.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - dual-write pipeline with both destinations connected"><figcaption></figcaption></figure>

**Important:** Google SecOps expects raw, unparsed logs. If your sources support it, enable **Include Log Record Original** in the source's Advanced settings before routing to SecOps.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-5338b087efe932fd3dcbc0cc7b55ce784de0c2bf%2Fhow-to-guides-migrate-splunk-to-secops-image-6.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - enable Include Log Record Original in source settings"><figcaption></figcaption></figure>

6. Add a **Google SecOps Standardization** processor directly before the SecOps destination. Configure the log type, namespace, and ingestion labels so SecOps knows which parser to apply. If you're unsure of the log type, use **Pipeline Intelligence** to identify it automatically from snapshot data.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-7c1fc1d89ece00c74795192b64460a2e35ae034e%2Fhow-to-guides-migrate-splunk-to-secops-image-7.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - Pipeline Intelligence recommending SecOps Standardization processor"><figcaption></figcaption></figure>

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-105058579d4142def25c15c75bc9ececc07a0f60%2Fhow-to-guides-migrate-splunk-to-secops-image-8.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - SecOps Standardization processor added"><figcaption></figcaption></figure>

7. Add any additional destination-level processors (filters, PII redaction, field drops) on the SecOps path. These run independently of your Splunk processors.
8. Click **Start Rollout**. Use progressive rollout to deploy to a subset of collectors first and verify data is arriving before rolling out to all collectors.

You are now running a **dual-write setup** — logs flow to both Splunk and SecOps simultaneously. Verify data is arriving in the Google SecOps search UI:

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-8c9f03cf58a0a73868dec4a3370f721046792e3f%2Fhow-to-guides-migrate-splunk-to-secops-image-9.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - Google SecOps search UI showing ingested data"><figcaption></figcaption></figure>
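To make the topology above concrete, here is a hand-written OpenTelemetry Collector configuration for the same dual-write layout. This is an added example, not Bindplane's generated output or any code from the original page; in practice Bindplane writes and rolls out the collector config for you. The `filelog` receiver, `resource` processor and `splunk_hec` exporter are standard collector components; the `chronicle` exporter name and its `creds_file_path`, `customer_id`, `log_type`, `namespace`, `ingestion_labels` and `raw_log_field` keys are assumed to match the Bindplane collector's Google SecOps exporter. Every path, hostname, token and ID is a placeholder.

```yaml
receivers:
  # Constructed source: Palo Alto firewall logs tailed from disk. No parsing
  # operators are attached, so the record body is the raw line as received,
  # which is what SecOps wants. A source that parses in Bindplane would need
  # "Include Log Record Original" enabled instead.
  filelog/palo_alto:
    include: [/var/log/panos/*.log]   # placeholder path
    start_at: end

processors:
  # Stamp a stable resource attribute on everything from this source. Later
  # per-destination filtering keys on it, so no re-parsing is needed.
  resource/tag_palo_alto:
    attributes:
      - key: log_type
        value: palo_alto
        action: upsert

exporters:
  # Existing Splunk destination, unchanged by the migration.
  splunk_hec:
    token: "${env:SPLUNK_HEC_TOKEN}"   # placeholder; keep tokens out of the file
    endpoint: "https://splunk.example.internal:8088/services/collector"
    source: bindplane
    sourcetype: "pan:firewall"
    index: firewall

  # New Google SecOps destination (exporter name and keys are assumptions).
  # The credentials file is an ingestion secret: restrict its permissions to
  # the collector's service user and never commit it with the config.
  chronicle:
    creds_file_path: /etc/otel/secops-ingestion.json       # placeholder
    customer_id: "00000000-0000-0000-0000-000000000000"    # placeholder
    log_type: PAN_FIREWALL          # what the SecOps Standardization step sets
    namespace: prod-emea            # placeholder namespace
    ingestion_labels:
      env: prod
      pipeline: bindplane
    raw_log_field: body             # send the unparsed line

service:
  pipelines:
    # Splunk path: exactly what ran before.
    logs/splunk:
      receivers: [filelog/palo_alto]
      processors: [resource/tag_palo_alto]
      exporters: [splunk_hec]
    # SecOps path: same receiver, its own processor chain. Both pipelines run
    # at once, which is the dual-write state. Expect egress and any per-GB
    # charges to double until sources are moved off Splunk.
    logs/secops:
      receivers: [filelog/palo_alto]
      processors: [resource/tag_palo_alto]
      exporters: [chronicle]
```

The two pipelines share the receiver but nothing else, which is why processors added on the SecOps path later never affect what Splunk receives.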

***

## Step 2: Shift log sources to SecOps

Once you've validated that SecOps is receiving data correctly, begin migrating log sources one at a time.

### Migrate a log source

1. In your Splunk destination configuration, add a **Filter by Condition** processor.
2. Configure it to **exclude** logs where the `log_type` resource attribute matches the source you're migrating (e.g., Palo Alto firewall logs).

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-0137eae503b531e2908ffa2629ed8eeb4ae1f771%2Fhow-to-guides-migrate-splunk-to-secops-image-10.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - Filter by Condition processor excluding palo-alto logs"><figcaption></figcaption></figure>

3. Those logs stop going to Splunk but continue flowing to SecOps.
4. Verify detections, dashboards, and alerts are working in SecOps for that source.
5. Repeat for each log source until all have been migrated, then disconnect the Splunk destination.

Start with lower-risk sources to build confidence before migrating business-critical data.
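The "Filter by Condition" step above corresponds to a `filter` processor placed only in the Splunk pipeline. This is an added example, not configuration from the page or from Bindplane; receiver and exporter definitions are omitted, and the names `filelog/palo_alto`, `resource/tag_palo_alto`, `splunk_hec` and `chronicle` are placeholders assumed to exist elsewhere in the config. It goes slightly beyond the single-source case in the text: the condition list grows by one entry per migrated source.

```yaml
processors:
  # "Filter by Condition" on the Splunk destination. Each OTTL condition names
  # records to DROP; the entries are OR'd, so append one line per source as it
  # is migrated and the Splunk path loses only those sources.
  filter/splunk_exclude_migrated:
    error_mode: ignore   # a record that fails evaluation is kept, not lost
    logs:
      log_record:
        - 'resource.attributes["log_type"] == "palo_alto"'
        # - 'resource.attributes["log_type"] == "windows_security"'  # next source

service:
  pipelines:
    # Only the Splunk pipeline carries the filter.
    logs/splunk:
      receivers: [filelog/palo_alto]
      processors: [resource/tag_palo_alto, filter/splunk_exclude_migrated]
      exporters: [splunk_hec]
    # The SecOps pipeline is untouched, so the migrated source keeps flowing
    # there; the cut-over for a source is one config change on one path.
    logs/secops:
      receivers: [filelog/palo_alto]
      processors: [resource/tag_palo_alto]
      exporters: [chronicle]
```

Because the filter matches on a resource attribute you set yourself, check the attribute value with a snapshot before rolling out: a typo in the condition silently matches nothing, and Splunk keeps receiving the source you thought you had moved.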

### Pilot with a specific region or business unit

To validate SecOps with a subset of your team before a broader rollout:

1. Add a **Routing Connector** to your pipeline.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-ffc70fb6dc68b8be0548beddba7790d458901cf8%2Fhow-to-guides-migrate-splunk-to-secops-image-11.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - Routing Connector configuration with region-based routes"><figcaption></figcaption></figure>

2. Route logs from your pilot region or business unit **exclusively to SecOps**.
3. Route all other logs to Splunk as before.

<figure><img src="https://4134819172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FA6BP9V0wfJj4LZdQH6OJ%2Fuploads%2Fgit-blob-9dc4c98cadeb65ce078f5b4f04c2d075b28c91f3%2Fhow-to-guides-migrate-splunk-to-secops-image-12.png?alt=media" alt="Bindplane docs - Migrate from Splunk to SecOps - pipeline with routing connector splitting traffic"><figcaption></figcaption></figure>

4. Once the pilot team has validated their workflows in SecOps, update the routing connector to move additional groups across.
5. When all groups have migrated, remove the Splunk destination.
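The region-based split above maps onto the collector's `routing` connector, which sits between an ingress pipeline and the two destination pipelines. This is an added example, not the page's or Bindplane's configuration. It assumes a resource attribute named `region` is stamped on each record by a placeholder `resource/tag_region` processor, uses placeholder receiver and exporter names, and uses the connector's `context`/`condition` table form, which is the current syntax at the time of writing.

```yaml
connectors:
  # Logs from the pilot region go ONLY to SecOps; everything else falls through
  # to the default pipeline, which is still Splunk.
  routing/pilot:
    default_pipelines: [logs/splunk]
    error_mode: ignore
    table:
      - context: resource
        condition: 'attributes["region"] == "emea"'
        pipelines: [logs/secops]
      # To move the next group across, add an entry or widen the condition:
      # - context: resource
      #   condition: 'attributes["region"] == "apac"'
      #   pipelines: [logs/secops]

service:
  pipelines:
    # Ingress: receivers feed the connector, which acts as an exporter here.
    logs/in:
      receivers: [filelog/palo_alto, filelog/windows]   # placeholder receivers
      processors: [resource/tag_region]                 # placeholder: sets "region"
      exporters: [routing/pilot]
    # Downstream: the connector is the receiver for both destination pipelines.
    logs/secops:
      receivers: [routing/pilot]
      exporters: [chronicle]
    logs/splunk:
      receivers: [routing/pilot]
      exporters: [splunk_hec]
```

A record with no `region` attribute matches no table entry and lands in `default_pipelines`, so hosts that are missing the tag stay on Splunk rather than disappearing; when the last group has moved, point `default_pipelines` at `logs/secops` and remove the Splunk pipeline.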

***

## Step 3: Process data for the SecOps path

Processing on the SecOps path focuses on data control and labeling, not parsing. Processors run independently of what's configured for Splunk.

Common processors to add on the SecOps path:

* **Filter by Condition** — drop log types that don't need to be retained in SecOps
* **Remove Fields** — strip sensitive fields before data leaves your environment
* **Redact** — mask PII before ingestion
* **Google SecOps Standardization** — set log type, namespace, and ingestion labels (required)
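The four processors listed above, written out as a processor chain on the SecOps pipeline. This is an added example, not configuration from the page or from Bindplane. It uses the collector's `filter`, `transform` and `redaction` processors; the `chronicle_log_type` and `chronicle_namespace` attribute names used for the standardization step are an assumption about how the SecOps exporter picks up per-record log type, and the field names and regex patterns are constructed.

```yaml
processors:
  # 1. Filter by Condition: drop log types SecOps does not need to retain.
  filter/secops_drop_noise:
    error_mode: ignore
    logs:
      log_record:
        - 'resource.attributes["log_type"] == "debug_trace"'   # constructed type

  # 2. Remove Fields: delete attributes that must not leave the environment.
  transform/secops_remove_fields:
    error_mode: ignore
    log_statements:
      - context: log
        statements:
          - delete_key(attributes, "internal_ticket_url")      # constructed name
          - delete_matching_keys(attributes, "^x_corp_.*")      # constructed prefix

  # 3a. Redact: mask PII values found in attributes.
  redaction/secops_pii:
    allow_all_keys: true
    blocked_values:
      - '\b\d{3}-\d{2}-\d{4}\b'        # US SSN shape (constructed pattern)
      - '\b4[0-9]{12}(?:[0-9]{3})?\b'  # Visa-style card number (constructed)
    summary: info

  # 3b. The redaction processor works on attributes; the raw line that SecOps
  #     receives is the body, so mask it too or the PII ships anyway.
  transform/secops_redact_body:
    error_mode: ignore
    log_statements:
      - context: log
        statements:
          - 'replace_pattern(body, "\\b\\d{3}-\\d{2}-\\d{4}\\b", "***-**-****")'

  # 4. Google SecOps Standardization (required): tell SecOps which parser and
  #    namespace apply. Attribute names are an assumption, see lead-in.
  transform/secops_standardize:
    log_statements:
      - context: log
        statements:
          - 'set(attributes["chronicle_log_type"], "PAN_FIREWALL") where resource.attributes["log_type"] == "palo_alto"'
          - 'set(attributes["chronicle_namespace"], "prod-emea")'

service:
  pipelines:
    # Order matters: drop first (cheapest), strip and redact next, label last,
    # so nothing is spent labelling records that are about to be dropped.
    logs/secops:
      receivers: [filelog/palo_alto]          # placeholder receiver
      processors:
        - filter/secops_drop_noise
        - transform/secops_remove_fields
        - redaction/secops_pii
        - transform/secops_redact_body
        - transform/secops_standardize
      exporters: [chronicle]                  # placeholder SecOps exporter
```

Run a snapshot on the SecOps destination after the redaction steps and confirm the masked patterns no longer appear in either attributes or body before rolling out; redaction that only covers attributes is a common way for PII to reach a SIEM that was configured to receive raw logs.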

***

## What's next

Once all log sources have been validated in SecOps and migrated off Splunk, disconnect the Splunk destination from your pipeline. Bindplane handles rollouts centrally, so no manual collector config edits are required at any stage.

* [Get started with Google SecOps](https://cloud.google.com/security/products/security-operations)
* [Get started with Bindplane](https://app.bindplane.com)
* [Bindplane + SecOps integration guide](https://docs.bindplane.com/how-to-guides/siem-and-compliance/migrate-splunk-to-secops)
