If you must analyze a ton of data then Splunk is your solution.
December 14, 2015
Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with Splunk
Splunk is deployed across the entire enterprise to solve many different data analysis questions for multiple departments ranging from workstation performance issues to enterprise security. As such, Splunk is deployed upon physical and virtual Windows workstations and servers, as well as ingesting data from Linux-based servers and network-centric architecture.
- Parsing data without manual intervention is a true time saver. Not to say you can't tweak the parsing, but unlike my experiences with the ELK stack, Splunk's ingestion and parsing is so good you can focus on other priorities.
- Splunk offers many free technology add-ons that provide real value immediately. For example, the Distributed Management Console (DMC) helps pull all the Splunk architecture management together in one set of dashboards. To me, this is a true differentiator compared to its competitors.
- Searching for data nuggets is fast. Even dense datasets return results surprisingly fast.
- Splunk works well with external data sources too. DBConnect is a feature that allows Splunk to interact with an existing data warehouse. So there's no need to move legacy data into Splunk indices since you can just use a SQL-like (dbquery) command to pull the data in for analysis.
- Search head clustering is great for reducing configuration differences among standalone search heads. The biggest problem with search head clustering (at the moment) is administration of non-knowledge-object functions, like user roles and capabilities. Tasks like these must be done using Linux text editors and force a rolling restart of all the search heads in the cluster.
- Creating custom applications in a search head cluster has also taken a step backwards. One strength I didn't mention earlier is the ability to segregate users from data sets they shouldn't see. One method to assist partitioning users is with custom applications (aka sandboxes). However, like user administration, creating the "sandbox" requires Linux skills as opposed to the previous GUI-driven method.
- Querying LDAP datasets is limited to users with admin capabilities. That's okay only if the entire user community in your shop consists of administrators. Thus a great source for analyzing Active Directory membership is hindered until Splunk gets this fixed.
- I'm not a data analyst, so I cannot provide concrete examples of how the business has benefited from implementing Splunk. However, the analysts I have worked with have provided a wealth of support in reducing workstation issues across the enterprise. This alone reduces the time it takes to determine where the exact problem lies between a workstation and the servers it tries to communicate with.
- ELK
While ELK may be free because of its open source genesis, it suffers greatly due to its immaturity. As I've already mentioned, ingesting data into Splunk is far easier than with ELK. Splunk also has a ton of free "bolt-ons" that include pre-made dashboards to drive immediate value into your implementation. Splunk support and documentation are far better than with other applications I've supported in the past, and especially so with ELK.