The first question is not whether an open source stack can ingest logs. It is whether it can replace the Splunk behaviors your teams actually depend on - SPL searches, saved reports, alert timing, field extraction, sourcetype conventions, index retention, role-based access, and operational ownership. Splunk centralizes a lot behind one product boundary. Open source replacements usually split collection, storage, parsing, search, dashboards, and alerting into separate services. That can reduce license pressure and improve control, but it moves design work onto your team.
Expect gaps around SPL compatibility, app coverage, and administrative polish. Some searches translate cleanly, especially straightforward filters, aggregations, and time charts. Heavier SPL using transactions, lookups, macros, accelerated data models, custom commands, or nested eval logic often needs redesign. Expect to rebuild dashboards and alerts rather than import them perfectly. If you rely on Splunk's premium security or IT operations content, budget time to recreate detections, correlation rules, enrichment, incident workflows, and the tuning history behind them.
Migration usually starts by inventorying Splunk knowledge objects before touching data pipelines. Export saved searches, dashboards, alerts, field extractions, lookups, indexes, sourcetypes, users, roles, and retention settings through Splunk's UI, file system, or REST interfaces. Historical event export is possible through searches and archived buckets, but moving every old event is often slower and less useful than keeping Splunk read-only for a retention window. Repoint forwarders or collectors gradually, validate parsing and timestamps source by source, then run both systems until alert volume, query results, and retention behavior match.