Amazon CloudWatch is a native AWS monitoring tool for AWS programs. It provides data collection and resource monitoring capabilities.
$0
per canary run
Splunk Enterprise
Score 8.6 out of 10
N/A
Splunk is software for searching, monitoring, and analyzing machine-generated big data, via a web-style interface. It captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.
N/A
Splunk Enterprise Security
Score 8.6 out of 10
N/A
Splunk Enterprise Security is an analytics-driven SIEM that helps to combat threats with actionable intelligence and advanced analytics at scale.
N/A
Pricing
Amazon CloudWatch
Splunk Enterprise
Splunk Enterprise Security
Editions & Modules
Canaries
$0.0012
per canary run
Logs - Analyze (Logs Insights queries)
$0.005
per GB of data scanned
Over 1,000,000 Metrics
$0.02
per month
Contributor Insights - Matched Log Events
$0.02
per month per one million log events that match the rule
Logs - Store (Archival)
$0.03
per GB
Next 750,000 Metrics
$0.05
per month
Next 240,000 Metrics
$0.10
per month
Alarm - Standard Resolution (60 Sec)
$0.10
per month per alarm metric
First 10,000 Metrics
$0.30
per month
Alarm - High Resolution (10 Sec)
$0.30
per month per alarm metric
Alarm - Composite
$0.50
per month per alarm
Logs - Collect (Data Ingestion)
$0.50
per GB
Contributor Insights
$0.50
per month per rule
Events - Custom
$1.00
per million events
Events - Cross-account
$1.00
per million events
CloudWatch RUM
$1
per 100k events
Dashboard
$3.00
per month per dashboard
CloudWatch Evidently - Events
$5
per 1 million events
CloudWatch Evidently - Analysis Units
$7.50
per 1 million analysis units
No answers on this topic
No answers on this topic
Offerings
Pricing Offerings
Amazon CloudWatch
Splunk Enterprise
Splunk Enterprise Security
Free Trial
Yes
Yes
No
Free/Freemium Version
Yes
Yes
No
Premium Consulting/Integration Services
Yes
No
No
Entry-level Setup Fee
No setup fee
No setup fee
No setup fee
Additional Details
With Amazon CloudWatch, there is no up-front commitment or minimum fee; you simply pay for what you use. You will be charged at the end of the month for your usage.
I feel that CloudWatch will always remain the backbone of log analytics, events, and alarms. However, we can use other products in conjunction with it for better log analytics and monitoring. In my organization, we also ingest logs from CloudWatch to Splunk and ELK. This way we …
Ultimately because we are in the AWS cloud we need a tool to report, alert, and hold our logs in AWS, and AWS cloudwatch has great integrations with all existing AWS products. There are some UX quirks and I wish the dashboarding tools could stack up against some of the …
Using Splunk Enterprise Security allows the combination of security data sources from any number of services or products, giving analysts a single view of the entire security footprint throughout the organization and correlating events across services that may otherwise be …
Splunk Enterprise Security is overall a better choice due to multiple factors. It can be easily deployed in any type of environment, whether you are looking for On-Premise or Cloud hosting. It scales amazingly well and it is very intuitive to use. It has a strong community, …
Above mentioned tools are environment-specific and provide insights into what is happening in the environment. We were looking for a product that is environment agnostic & able to work with many environments. Hence Splunk Enterprise security stands out for us. Also, we were …
Splunk Enterprise Security allows for data normalization that does not compare to other SIEMs such as QRadar or Trustwave. QRadar requires custom dsm parsers before the data can be onboarded. I appreciate that Splunk Enterprise Security can ingest any source of data and …
The fact that it is used by many large companies was a strong reason for selecting Splunk Enterprise Security. After several demos and POCs, the teams were convinced of the value it brings: it demands the right amount of customization to fit with the company data sources. Also …
Qradar is easy for first-timers. Easy to deploy and manage but if you need an advanced solution for ML, Anomaly Detection you need to use Splunk. Qradar is solid, too. But Splunk has advanced functionality for detection and automation.
For out business we find that AWS Cloudwatch is good at providing real-time metrics for monitoring and analysing the performance and usage of our platform by customers. It is possible to create custom metrics from log events, such people adding items to a basket, checking out or abandoning their orders.
It's well suited for what I do, which is network security operations. And that's for anything from troubleshooting incidents, troubleshooting performance, troubleshooting for the purpose of a compliance and auditing. It's not best suited for users who are new in terms of they're new to the product and they have expectations that probably Splunk cannot meet.
Well suited: Splunk ES is highly recommended in an environment with many data sources and experienced computer engineers. It has a steep learning curve, but once that hurdle is crossed, it is absolutely a beast. It is also very expensive, so a company putting a high amount of budget in Security is needed. Not well suited: Splunk ES is not recommended if a company has only a few sources and some non-technical IT users. The price won't justify the fewer data sources and scratching just the surface level. Moreover, non-technical IT users would be better off with something that has a query builder, unlike Splunk.
It provides lot many out of the box dashboard to observe the health and usage of your cloud deployments. Few examples are CPU usage, Disk read/write, Network in/out etc.
It is possible to stream CloudWatch log data to Amazon Elasticsearch to process them almost real time.
If you have setup your code pipeline and wants to see the status, CloudWatch really helps. It can trigger lambda function when certain cloudWatch event happens and lambda can store the data to S3 or Athena which Quicksight can represent.
Advanced Threat Detection and Correlation: ES stands out in its ability to detect sophisticated threats by correlating data from multiple sources. For instance, it can identify unusual patterns in user behavior, cross-referencing with network logs to flag potential insider threats.
Real-time Monitoring and Alerting: ES offers robust real-time monitoring capabilities. It excels in promptly alerting us to critical security events, such as suspicious network traffic spikes or unauthorized access attempts, allowing for immediate response.
Comprehensive Log Analysis: ES ingests and analyzes an extensive range of log data. It's particularly adept at parsing and making sense of complex log formats, making it a versatile tool for understanding system activities and security events.
Memory metrics on EC2 are not available on CloudWatch. Depending on workloads if we need visibility on memory metrics we use Solarwinds Orion with the agent installed. For scalable workloads, this involves customization of images being used.
Visualization out of the box. But this can easily be addressed with other solutions such as Grafana.
By design, this is only used for AWS workloads so depending on your environment cannot be used as an all in one solution for your monitoring.
ES on the cloud (SaaS) has too many limitations with platform administration.
Supported integrations are not always on par with enterprise support especially when dependent on 3rd-party proprietary APIs.
In later versions, unforeseen glitches seem to show up that have no resolution except version upgrade. This used to not be the case in prior versions which were very stable.
We are using Splunk extensively in our projects and we have recently upgraded to Splunk version 6.0 which is quite efficient and giving expected results. We keep track of updates and new features Splunk introduces periodically and try to introduce those features in our day to day activities for improvement in our reporting system and other tasks.
It's excellent at collecting logs. It's easy to set up. The viewing & querying part could be much better, though. The query syntax takes some time to get used to, & the examples are not helpful. Also, while being great, Log Insights requires manual picking of log streams to query across every time.
You can literally throw in a single word into Splunk and it will pull back all instances of that word across all of your logs for the time span you select (provided you have permission to see that data). We have several users who have taken a few of the free courses from Splunk that are able to pull data out of it everyday with little help at all.
Maintaining hundreds or even 1000+ SOC use cases is really difficult, considering that the Data sources may not always send the data. A module that detects data freshness issues and detect data format changes would be a great help. the main challenge today using Splunk Enterprise Security is making sure that the detection rules are still working properly given all the changes that occur in data source applications. Also, maintaining the data collects on tens of thousands of servers and more than 100k workstations is a real company IT challenge: the splunkbase forwarder may not support old OS anymore, while these are the most important to monitor. Moving to the Open Telemetry collector has become essential so that only 1 agent is required for both SIEM and application observability.
It takes a long time for items to load if you are just generally searching through logs. It is best to use the data models which load faster but can be strange in terms of what is coming from which logs where. Yes, you can look it up, but this also requires familiarity with where things are and how to look them up.
Support is effective, and we were able to get any problems that we couldn't get solved through community discussion forums solved for us by the AWS support team. For example, we were assisted in one instance where we were not sure about the best metrics to use in order to optimize an auto-scaling group on EC2. The support team was able to look at our metrics and give a useful recommendation on which metrics to use.
Splunk maintains a well resourced support system that has been consistent since we purchased the product. They help out in a timely manner and provide expert level information as needed. We typically open cases online and communicate when possible via e-mail and are able to resolve most issues with that method.
It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.
I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.
The online course was simple clear and described the main capabilities of the solution. There is also an initial module that can be done for free so anyone can familiarize themselves with the functionality of this solution. On the other hand, however, there could be more free online courses. Maybe even with a certificate, this would broaden the group of people who are familiar with the platform while increasing familiarity with the solution itself.
It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.
Grafana is definitely a lot better and flexible in comparison with Amazon CloudWatch for visualisation, as it offers much more options and is versatile. VictoriaMetrics and Prometheus are time-series databases which can do almost everything cloudwatch can do in a better and cheaper way. Integrating Grafana with them will make it more capable Elasticsearch for log retention and querying will surpass cloudwatch log monitoring in both performance and speed
I didn't get to fully evaluate Logstash as our corporation was already using Logstash, but both seemed like viable solutions to the problem that we were having. I wanted to evaluate Logstash some more, both did seem like they would work for the business needs that we had, we went with splunk as many teams were already using it.
Splunk enterprise is the only solution that we’ve been able to identify that provides risk based alerting, which allows our SOC to reduce analyst fatigue which would be a huge problem without it. Before RBA, there were thousands of alerts a day and it was impossible to review all of them
for my exterience, unit pricing and billing frequency are correct. As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
- 8 out of 10 and took 2 for the data pipeline and administration part. Even if you'd like to improve yourself or your team, you have to pay a lot of money and it could be more than GIAC education + cert. - Normalization for Data models and CPU-based searches can be a problem sometimes.
I had a fantastic experience with Splunk Professional Services: they worked with us in our last SON project (a SOC migration for a very large customer) and helped to build a multi tenent environment even if ES isn't a multi tenant platform. Th Splunk PS was a very professional and competent people, he is italian and was able to speak with our italian customers.
I don't have any numbers to share but Splunk has positively served as a 24/7 monitoring tool that has saved hours of work by self-detecting, saving statistics and alerting problems in the system or from external interfaces as soon as they happen.
Splunk dashboards does a solid job in collecting, analyzing data and creating reports that contain an entire day's activity and then automatically sent out to the business.
Splunk is very easy to learn and very useful to any program or business application.
ES has highly impacted ROI because as the customer of the ES the work we do for creating use cases for clients in terms of security-related aspects by their logs has given more return than investment.
The correlation searches we run to get detailed results from the Data models are very less time-consuming than Splunk Enterprise itself we can get quick responses to the use cases and dashboards populated because of ES.
The CIM compliance feature is ES has made more jobs easy in the terms of finding more Authentication related data we can get data onboarded in the Email data model from O365 and search is email data model instead of searching for particular indexes.
