D-373_Cribl Lake Blog OG_1920x1080_canoe

From Archive to Insight: Ingest Splunk DDSS Data Directly into Cribl Lake

Last edited: June 3, 2025

If you’re a Splunk user relying on Dynamic Data Self Storage (DDSS) or Active Archive (DDAA), you’re likely familiar with this frustrating loop:

  • You archive petabytes of data to S3 via DDSS to save on hot and archive storage costs.

  • You need that data later — for an investigation, compliance request, or audit.

  • You wait. You’re forced through a time-consuming rehydration process via DDAA and DDAS or with a different Splunk Enterprise instance.

  • You pay. Not just in time, but in added storage and compute costs.

The Real Cost of SIEM Archiving

Splunk’s archiving process wasn’t built for flexible, long-term access:

  • Slow data access: Restoring large datasets from DDAA often takes 24+ hours and has a strict 10% DDAS entitlement cap.

  • High storage and rehydration costs: Replaying data into Splunk active storage consumes expensive capacity.

  • Limited accessibility: Archived data is locked into vendor-specific formats and can’t be easily used elsewhere.

What’s New: Splunk DDSS → Cribl Lake

We’re changing the game.

Cribl Lake now supports direct ingestion of Splunk DDSS data. That means your self-storage archive data can be written directly to a Cribl Lake dataset — unlocking a whole new world of accessibility, flexibility, and cost control. This allows for:

  • Unlimited searches: With Cribl Search, you can instantly query your Lake DDSS dataset — no access delays, no rehydration.

  • Simplified storage management: Cribl Lake becomes a seamless destination for Splunk self-storage, with no need to manage S3 yourself. Cribl handles it all for you.

  • Simplified Replay back to Splunk: If specific datasets need to be reprocessed by Splunk or another SIEM tool, forwarding that data to the appropriate destination is a simple process. And the best part? There’s no restriction on the time range or amount of data you can Replay.

Built for global teams, managed from one place. With Cribl Lake’s Splunk Cloud Self Storage support, global organizations with distributed Splunk deployments can now centralize their archive strategy, no matter where their data lives.

Teams can configure and manage DDSS ingestion across multiple regions from a single, unified interface. This ensures consistent policies, simplified operations, and seamless access to archived data across all environments — whether you’re archiving logs from North America, EMEA, or APAC.

One archive strategy. One search platform. Globally managed.

Why It Matters

No more 24-hour SLAs. No rehydration. Just fast, powerful search across archived Splunk data stored in Cribl Lake.

Slash Storage and Search Costs

By keeping data in Cribl Lake instead of hot storage:

  • You avoid the high per-GB cost of SIEMs

  • You’re charged only for compressed data

  • You control compute costs with Cribl Search on your terms

unnamed.png

Effortless Replay to Splunk or Anywhere

Need to bring data back into Splunk for analysis? No problem. Cribl makes it easy to Replay data from Cribl Lake into any destination, including your SIEM, observability tools, or data lakes.

How It Works

Setting it up is simple:

  • Add Splunk Cloud as a Source in Cribl Lake

  • Configure your self-storage location in Splunk

  • Run an S3 policy test in Splunk Cloud

  • Splunk archives journals directly to Cribl Lake

  • Start querying with Cribl Search — instantly

Compared to Traditional DDSS...

Get Started With Splunk DDSS Ingest to Cribl Lake

Stop letting your data sit idle. Create a Cribl Lake destination in Splunk DDSS today — and unlock fast, flexible access to the data you already own.

What’s on the horizon for Cribl Lake? Look forward to ingesting JSON formatted data via HTTP directly into Cribl Lake, as well as bring your own storage - coming real soon!

Learn More or talk to an expert

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.

More from the blog

get started

Choose how to get started

See

Cribl

See demos by use case, by yourself or with one of our team.

Try

Cribl

Get hands-on with a Sandbox or guided Cloud Trial.

Free

Cribl

Process up to 1TB/day, no license required.