- 1B+ events per window
- 100+ sourcetypes
- 200+ indexes (ic_* pattern)
- $0/mo added infra cost*
*AWS replaces Splunk licensing. Estimated savings: $78K–$478K/yr.
Zero disruption guarantee: Splunk stays live throughout. Teams migrate at their own pace. Splunk DB Connect lets legacy users query the lakehouse without changing their workflow.
- Migration Strategy: Parallel ingest, coexistence plan, Splunk DB Connect bridge, risk register.
- AWS Architecture: S3 + Iceberg + Athena + EKS. Account structure, IAM/AD, PKI chain to Investcloud CA.
- Automation Stack: Ansible + Jenkins + GitLab + ACM Private CA. Everything is code. Zero manual steps.
- AI Layer: Natural language queries, Jira/Zendesk → auto-dashboards, anomaly detection via Bedrock.
- Timeline & ROI: 24-week phased rollout. Full Splunk decommission optional at month 12.
How It Works
This animated diagram shows data flowing from your log sources through the lakehouse pipeline in real time.
Log sources → Vector (OCSF) → S3 / Iceberg → Athena → Grafana + AI - all running on AWS, all managed via GitLab + Ansible + Jenkins
Why Replace Splunk?
| Capability | Splunk (today) | Lakehouse (future) |
|---|---|---|
| Query language | SPL only | SQL + Natural Language + Grafana + API |
| Access control | Splunk roles | AD groups, per-team scoping, IAM federation |
| Retention cost | Expensive (Splunk storage) | S3 Glacier - near zero |
| New dashboard | Days–weeks | < 5 min (AI generator from Jira ticket) |
| Multi-team self-service | Limited | Full - Grafana orgs, API tokens, direct SQL |
| Licensing model | $100K–$500K+/yr | ~$22K/yr AWS services |
| Migration disruption | - | Zero - Splunk stays live throughout |