If you must analyze a ton of data then Splunk is your solution.
December 14, 2015


Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk

Splunk is deployed across the entire enterprise to solve many different data analysis questions for multiple departments ranging from workstation performance issues to enterprise security. As such, Splunk is deployed upon physical and virtual Windows workstations and servers, as well as ingesting data from Linux-based servers and network-centric architecture.
  • Parsing data without manual intervention is a true time saver. Not to say you can't tweak the parsing, but unlike my experiences with the ELK stack, Splunk's ingestion and parsing is so good you can focus on other priorities.
  • Splunk offers many free technology add-ons that provide real value immediately. For example, the Distributed Management Console (DMC) helps pull all the Splunk Architecture management together in one set of dashboards. To me, this is a true differentiator compared to its competitors.
  • Searching for data nuggets is fast. Even dense datasets return results surprisingly fast.
  • Splunk works well with external data sources too. DBConnect is a feature that allows Splunk to interact with an existing data warehouse. So there's no need to move legacy data into Splunk indices since you can just use a SQL-like (dbquery) command to pull the data in for analysis.
  • Search head clustering is great for reducing configuration differences among standalone search heads. The biggest problem with search head clustering (at the moment) is administration of non-knowledge object functions, like user roles and capabilities. Tasks like these must be done using Linux text editors and force a rolling restart of all the search heads in the cluster.
  • Creating custom applications in a search head cluster has also taken a step backwards. One strength I didn't mention earlier is the ability to segregate users from data sets they shouldn't see. One method to assist partitioning users is with custom applications (aka sandboxes). However, like user administration, creating the "sandbox" requires Linux skills as opposed to the previous GUI-driven method.
  • Querying LDAP datasets is limited to users with admin capabilities. That's okay only if the entire user community in your shop are administrators. Thus a great source for analyzing active directory membership is hindered until Splunk gets this fixed.
  • I'm not a data analyst so I cannot provide concrete examples on how the business has benefited from implementing Splunk. However, the analysts I have worked with have provided a wealth of support in reducing workstation issues across the enterprise. This alone reduces the time it takes to determine where the exact problem lies between a workstation and the servers it tries to communicate with.
  • ELK
While ELK may be free because of its open source genesis, it suffers greatly due to its immaturity. As I've already mentioned, ingesting data into Splunk is far easier than with ELK. Splunk also has a ton of free "bolt ons" that include pre-made dashboards to drive immediate value into your implementation. Splunk support and documentation is far better than with other applications I've supported in the past and especially so with ELK.
How much data do you intend to index daily? Indexing and querying large volumes of data requires the right architecture, and determines the ultimate cost of the entire Splunk ecosystem as Splunk makes their money by charging against the amount of data indexing done on a daily basis.
What data problems are you trying to analyze? Have you identified who will analyze the data and are you going to train them how to analyze the data? Having a strong understanding of your problem, and your data, will drive who analyzes the data. Don't expect your Splunk administrator/architect to also be your only data analyst.

Splunk Enterprise Feature Ratings

Centralized event and log data collection: 9
Correlation: 8
Event and log normalization/management: 9
Deployment flexibility: 9
Integration with Identity and Access Management Tools: Not Rated
Custom dashboards and workspaces: 10
Host and network-based intrusion detection: Not Rated