🤫 Free report PDF (no signup): Security Data Pipelines as the SOC control plane. >>>
Breaking Free from Vendor Lock-in: Cutting Splunk Ingestion Costs with a Security Data Pipeline
Balázs Scheidler - Axofllow
by 
Balázs Scheidler
January 14, 2026
and
No items found.
data pipeline
telemetry pipeline
observability pipeline

Breaking Free from Vendor Lock-in: Cutting Splunk Ingestion Costs with a Security Data Pipeline

I am bazsi771 on Reddit. I created syslog-ng, the r/syslog_ng community, managed multiple Slack and Discord channels, and, in the early days, held meetups to spread the word about the importance of clean data in cybersecurity. Today, I actively participate in discussions across various Reddit subreddits because that is where the real engineering pain points surface.

I found myself writing the same answers to different users repeatedly. Whether it is r/sysadmin or r/cybersecurity, the frustrations are identical: SIEM bills spiraling out of control, data retention costs failing, and engineers wasting hours re-parsing logs. I realized these threads aren't just isolated complaints; they represent the industry standard. I collected my responses here because the advice applies to almost everyone running a SIEM today.

Is Your SIEM Just Complianceware?

The same pattern shows up in SIEM threads: a lot of money goes in, and what comes out is mostly archiving. In r/sysadmin, a user asked if others felt their SIEM had become merely expensive log storage, noting that the system felt like a "pricey data warehouse." Thread: Anyone else feel like their SIEM is just expensive log storage?.

While the stated goal of deploying a SIEM is security, a lot of organizations stop when they "check the compliance box". When the SIEM is also where you try to fix, normalize, and govern the data, every upstream problem turns into SIEM-priced work and SIEM-priced storage, this is also apparent for example from Splunk’s State of Security reports.

The failure to move beyond storage isn't usually a lack of desire; it’s usually because of complexity. Onboarding data sources, shaping that data, and developing sophisticated detection workflows is difficult, and efforts eventually peter out. The root cause is the flawed assumption that every organization needs a bespoke security stack. When you build everything from scratch, you spend your budget on construction, not detection.

The Math Behind Long-Term Storage Costs

When teams try to solve compliance requirements through brute force, the costs spiral. An architect on Reddit proposed keeping logs online for 90 days and cold for 6 years (as some compliance requirements mandate such long-term storage), asking for validation on the architecture Thread: SIEM Architecture and log storage.

I advised them to run the numbers before committing. If you ingest 1 TB per day, 6 years is 2,190 days. That is already over 2 petabytes of data. Even if you use cheaper storage tiers like S3, that volume can cost roughly $600,000 per year.

That is just for storage: it doesn't account for the fact that you can't easily browse or query that cold data. If you treat your storage like a dumping ground where any device sends anything it wants, your daily ingestion will explode. The engineering fix for this is effective data governance: knowing exactly what you ingest and why. (We expanded on this storage strategy in the blog here).

Vendor Schema Lock-in (CIM/ECS) Is SIEM Technical Debt

Beyond storage, you must be strategic to avoid locking yourself into a vendor's ecosystem Thread: Cheaper alternatives to Splunk. A SIEM is a horizontally integrated solution that forces you to use data formats it prefers - e.g. Splunk uses CIM, Elastic uses ECS.

Once you onboard all your data sources and start using a SIEM-specific schema, you end up "pretty much locked in". Good luck replacing that SIEM five years down the road without rebuilding your entire detection logic.

My recommendation is to deploy a separate security data pipeline that handles collection, classification, and normalization before the data reaches the SIEM. By normalizing data upstream into a vendor-agnostic format like OCSF, you ensure that your data structure is independent of your analytics tool, allowing you to swap backends without rebuilding your entire ingestion layer. This architectural leverage "helps you to keep the SIEM vendor on their toes" regarding pricing.

How Most Pipelines Help Data Reduction: The Hidden Engineering Cost

To combat rising costs, many teams turn to reduction tools. A user asked the community if Cribl was "worth standing up" to manage ingestion costs, given their budget constraints. Thread: Anyone use Cribl, is it worth standing up?.

I warned them not to underestimate the time required to make it work. Tools like this can achieve 30-50% data reduction, but you still have to get an understanding of the underlying data source to achieve those numbers. You cannot simply flip a switch; you have to spend engineering hours deciding what is security-relevant and what is noise.

The knowledge about what data matters should be part of the product, not a manual configuration task left to the user. When a developer suggested building a custom pipeline solution to cut costs Thread: Why Are We Still Burning $$$ on SIEM Log Volume? I noted that, as the market is very crowded, new entrants must be clearly differentiated. Modern pipelines should come with good defaults out-of-the-box so you don't spend significant resources building yet another parser for Palo Alto firewall data from scratch. Related thread: Cribl? Alternatives?

Stop Wasting Resources on Manual Parsing

A persistent frustration in the industry is the need to constantly re-parse logs due to schema drift. A Reddit user described a friend in SOC operations spending hours manually fixing parsers, asking if this was a systemic failure Thread: Constantly re-parsing security logs for SIEM ingestion.

I confirmed that almost all organizations are doing a lot of manual work to keep up with their data sources. While onboarding a source once is fine, "redoing parsers for the same stuff over and over again" is a waste of resources that the industry has "got used to in the last 20+ years”.

This is a solvable engineering problem. Knowledge about security data formats should be incorporated into the ingestion tool itself. Engineers should be focused on threats, not maintaining regex for a vendor update.

Practical Takeaways

  • Own Your Schema: Avoid normalizing exclusively inside your SIEM using their proprietary format (like CIM or ECS). You won't get it out without rework. Normalize upstream.
  • Pipeline Leverage: Using a separate data pipeline prevents vendor lock-in and gives you leverage in pricing negotiations.
  • The 6-Year Math: 1TB/day for 6 years is ~2PB. Without strict governance on what you store, retention costs will destroy your budget.
  • Reduction Requires Knowledge: Buying a tool to reduce log volume isn't a magic wand. It requires deep knowledge of the tool and the data sources to ensure you don't drop forensic value.
  • End the Regex Grind: Manual re-parsing for schema drift is technical debt. Use tools that treat data knowledge as a product feature, not a professional service.

Is your pipeline working for you, or are you working for your pipeline?

Follow Our Progress!

We are excited to be realizing our vision above with a full Axoflow product suite.

Sign Me Up
This button is added to each code block on the live site, then its parent is removed from here.
Request a demo

Fighting data Loss?

Balázs Scheidler

Book a free 30-min consultation with syslog-ng creator Balázs Scheidler

Book a Call

Recent Posts

10x search improvement? Optimize Splunk fields with Axoflow
The Autonomous Data Layer: Control Your Data, Cost, and Cyber Risk
Why Use OpenTelemetry gRPC for Log Data Transport