Filebeat's httpjson
input can be used query Splunk's REST API and ingest the original data. This doesn't make use of any Splunk processing (CIM or apps). This doc covers 2 common use cases. The first is when you want to ingest from the current forward. For example if you want to compare how Splunk and Elastic differ in detections on the same data. The second use case is when you want to ingest historical data. For example if you want to pull in the last 6 months of data to compare how Splunk and Elastic differ. This method is good for comparing Elastic and Splunk, but shouldn't be considered a final ingest strategy for customers.
This will only work for Filebeat modules where the raw message stored in splunk is the same as what the input provides. Modules that won't work are netflow and Winlogbeat because each of those does heavy processing on the raw data.