Data pipeline vs SIEM: where each security tool actually sits
The market keeps blurring telemetry pipelines and SIEMs, and nobody owns a clean map of the two. This page draws one. Where a pipeline acts, where a SIEM acts, why pipelines are destination-agnostic, and why the right pipeline cuts a SIEM bill without swapping the SIEM. Conceptual reference, neutral and vendor-independent. Updated July 2026.
The security data lifecycle, and each tool’s radius of action
Read the flow left to right. Data is collected, passed through a pipeline that shapes and routes it, then lands in a SIEM where it is stored and analysed. The two coloured bands show each category’s radius of action: pipelines act at the pipeline stage, SIEMs own the destination through analysis. Where they overlap is a myth, not a stage.
Diagram is conceptual. Tool names are grouped by architectural role, not ranked. The store stage can be served by the SIEM’s own indexed storage or by a cheap object store the pipeline forks data to in parallel.
The five stages, one paragraph each
The gather stage. Agents, forwarders and native connectors pull raw telemetry off servers, firewalls, cloud accounts, identity providers and endpoints. Nothing is filtered or priced yet; this is just the firehose leaving its source.
The shape-and-route stage. A telemetry pipeline parses, trims, enriches and redirects events in flight. It decides what is worth sending to an expensive destination, what goes to cheap storage, and what gets dropped. It is plumbing, not a destination.
The destination stage. The SIEM ingests the data it is given and indexes it for detection. This is where ingest is metered, so every gigabyte that reaches it carries a cost. What arrives here is set by everything upstream.
The retain stage. Data is kept for search, compliance and investigation windows. A SIEM stores its own indexed data at its own rates; a pipeline can also fork a full copy to a cheap object store or data lake in parallel for long retention.
The act-on-it stage. Analysts run detections, correlate alerts, hunt and report. In practice this lives inside the SIEM (or an attached analytics layer), which is why the SIEM owns both the destination and the analysis end of the lifecycle.
Three facts the marketing tends to blur
Splunk plus Cribl is the pairing people quote most, but it is not exclusive. A pipeline routes to whatever destination you point it at: Splunk, Sentinel, QRadar, Chronicle, a data lake, or several at once. The pipeline does not care which SIEM sits downstream, which is exactly why it can front-run a SIEM migration.
Cribl does not have a SIEM. Neither does Tenzir, Edge Delta or Databahn as a category. They are pure upstream plumbing. They have no detection content, no analyst workflow and no case management. If you remove the SIEM, a pipeline has nowhere to send data and nobody to run detections.
A pipeline reduces what the SIEM meters. It does not take over the SIEM's job. You still need the SIEM for correlation, detection and investigation. The pipeline simply makes sure the SIEM only pays to ingest the data that earns its keep, and sends the rest elsewhere.
Why the distinction matters for cost
Most SIEM pricing is ingest-metered: the bill scales with how many gigabytes land in the SIEM each day. That single fact is why the pipeline stage matters. Because the pipeline sits before the meter, it controls the exact quantity the SIEM ever charges you for. Trim the stream upstream and the SIEM bill falls, with no change to detections downstream.
The strategic point follows directly from the map: you can cut your SIEM bill with a pipeline without switching SIEM. Because pipelines are destination-agnostic, adding one in front of Splunk, Sentinel, QRadar or Chronicle is an upstream change, not a rip-and-replace. You keep the same detections, the same analyst workflow and the same platform, and you simply stop paying ingest rates on data that has no detection value.
That also reframes what a “SIEM alternative” is. Sometimes the cheaper option is a different SIEM. Often the cheaper option is the same SIEM with less noise reaching it. Deciding between those two is a volume question, not a branding one, which is why it helps to separate the pipeline layer from the SIEM layer before comparing prices. See SIEM migration cost and Splunk alternatives for the two directions that question can take, and Cribl pricing or Tenzir pricing for what the pipeline layer itself costs.