As Splunk adoption has grown dramatically over the last several years (the company is adding over 500 clients every 90 days), there are open source solutions that are also available. The most prevalent alternative to Splunk is the ELK stack (Elasticsearch-Logstash-Kibana). What are some advantages and disadvantages to each?
The ELK stack is supported by Elastic, which was founded in 2012 by the people behind the Elasticsearch, Kibana, Logstash, and Beats open source projects. By combining Elasticsearch (indexed datastore/search), Logstash (data ingestion), and Kibana (visualization), Elastic has created an end-to-end stack that competes in the same space as Splunk. ELK counts large enterprises such as Netflix, FaceBook, the FDA, and many others as large users.
As is common in the commercial versus open-source analysis, Splunk carries licensing costs and ELK’s cost comes in the form of an enterprise spending more time and money on implementation, customization, and ongoing services. For anyone that has used Splunk, it is universally regarded as an incredibly powerful and user-friendly tool. Splunk also has a large community of passionate users that lends itself to knowledge sharing and education. The complaints of Splunk are around licensing costs, as licensing gets expensive as more and more data is ingested into the platform (pay-per-gigabyte-indexed pricing model). ELK, on the other hand, is free and open-source but requires more time and substantially more customization to allow much of the same functionality that comes pre-built with Splunk.
Despite the fact that log analytics tools have been around for a while, Splunk was built around an end-to-end understanding of what problems that users – mostly system admins, IT security analysts, and developers – face in doing their jobs. Splunk took these use cases into mind and rose to be the indisputable leader in commercial log analytics tools, in large part, through a community of useful plug-ins to enhance their platform. As use cases expand within an enterprise, which is entirely common, Splunk has a wide catalog of both company-developed and third-party apps at the ready. An ELK deployment, conversely, is going to require much more customization; so while an organization would not face the licensing costs of Splunk, the time and cost around developing a comparable ELK solution will be substantially greater.
Additionally, and along those same lines, with regards to specialized use cases for Security, IT services, and user behavior, Splunk has premium apps designed to handle these use cases. ELK has none of these advanced features pre-built, requiring more post-deployment development and customization.
Hardware costs may also grow larger with the ELK stack. Hardware appliances are available for Splunk from third-party vendors, including Taiwan’s SYSTEX Corp. and SBOX, which provides an appliance for Splunk’s ES (Enterprise Security) app. All of this means fewer moving parts to deploy, less configuration at setup, and lowered hardware costs, as well as lowered reliance on an organization’s IT Operations and Storage teams.
For a small organization with basic needs and a small IT support group, ELK is certainly a good investment. For larger enterprise environments, Splunk is a superior platform with a total cost of ownership (TCO) that, upon further examination, may be no greater than the ELK stack.
We look forward to delivering readers a future blog posting from a senior engineer who has deployed both Splunk and ELK in different environments, for an “in the trenches” and more detailed examination of the Splunk-versus-ELK discussion!
About SP6
SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.
