Splunk vs ELK

Posted by UpGuard


Log management solutions play a crucial role in an enterprise's layered security framework; without them, firms have little visibility into the actions and events occurring inside their infrastructures that could either lead to data breaches or signify a security compromise in progress. Splunk and ELK (a.k.a. BELK or Elastic Stack) are two of the leading enterprise solutions in this category; let's see how they stack up in this comparison.

Most, if not all, systems and devices in today's IT environments generate extensive logfiles that record the minutiae of day-to-day operations: what resources were accessed and by whom, activities performed, errors/exceptions encountered by the host, and more. As you can imagine, the volume of logfiles in any given organization's infrastructure can quickly become unwieldy. Log management and analysis solutions enable organizations to glean collective, actionable intelligence from this sea of data.


Splunk

Known as the "Google for logfiles," Splunk is also marketed as a Security Information and Event Management (SIEM) solution, on top of being a log management and analysis platform. SIEM is essentially log management as applied to security: by unifying logfile data gathered from a myriad of systems and devices across an IT environment, operators and infosec professionals can perform higher-order security analyses and assessments regarding the collective state of their systems from a single interface. An abundance of SIEM products exist on the market, but Splunk reigns supreme in this category due to its aforementioned Google-esque search capabilities. The platform uses a proprietary search language called Search Processing Language (SPL) for traversing and executing contextual queries against large data sets.
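The "unifying logfile data from many systems" step is what makes a SIEM more than a log viewer. The following added example (written for this page, not Splunk's or Elastic's code) parses two constructed sources, a Linux sshd auth log and an nginx access log, into one normalized event schema and then runs a single cross-source rule: repeated SSH failures from one address followed by a web request from that same address. Neither log on its own can answer that question. The log lines, host names, addresses, thresholds and the rule itself are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs): one sshd auth log and one nginx access log.
AUTH_LOG = """\
Nov  1 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov  1 08:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov  1 08:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Nov  1 08:02:11 web01 sshd[2210]: Accepted password for deploy from 198.51.100.12 port 40210 ssh2
"""
ACCESS_LOG = """\
203.0.113.7 - - [01/Nov/2016:08:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1204
198.51.100.12 - - [01/Nov/2016:08:03:30 +0000] "GET /index.html HTTP/1.1" 200 512
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3})")


def parse_auth(line, year=2016):
    """Normalize one sshd line; syslog lacks a year, so it is supplied (assumed 2016)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"],
            "user": m["user"],
            "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}


def parse_access(line):
    """Normalize one nginx line into the same schema (timezone dropped; all times assumed UTC)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return {"ts": ts, "source": "nginx", "host": None, "src_ip": m["src"],
            "path": m["path"], "status": int(m["status"]), "action": "http_request"}


def load_events():
    """Merge both sources into one event list, the SIEM's single view."""
    events = [e for e in (parse_auth(l) for l in AUTH_LOG.splitlines()) if e]
    events += [e for e in (parse_access(l) for l in ACCESS_LOG.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def brute_force_sources(events, threshold=3, window_seconds=300):
    """Return {src_ip: first failure time} for addresses with >= threshold
    auth failures inside a sliding window (thresholds are assumptions)."""
    per_ip = defaultdict(list)
    for e in events:
        if e["action"] == "auth_failure":
            per_ip[e["src_ip"]].append(e["ts"])
    hits = {}
    for ip, times in per_ip.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits[ip] = times[i]
                break
    return hits


def correlate(events, threshold=3, window_seconds=300):
    """Cross-source rule: SSH brute force from an IP, then web traffic from the same IP."""
    findings = []
    for ip, first_ts in brute_force_sources(events, threshold, window_seconds).items():
        later_web = [e["path"] for e in events
                     if e["source"] == "nginx" and e["src_ip"] == ip and e["ts"] >= first_ts]
        findings.append({"src_ip": ip, "first_ssh_failure": first_ts,
                         "later_web_paths": later_web})
    return findings


if __name__ == "__main__":
    for f in correlate(load_events()):
        print(f"{f['src_ip']}: SSH failures from {f['first_ssh_failure']}, "
              f"then web requests to {f['later_web_paths']}")
```

The two parsers are the part a real deployment spends most of its effort on (Splunk's add-ons and Logstash's filters exist largely to do this normalization); the rule at the end is short precisely because the events already share one schema.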

The Splunk UI. Source: splunk.com.

Splunk also features over 1000 apps and add-ons for extending the platform's capabilities to accommodate various data sources.

ELK/Elastic Stack

Short for Elasticsearch, Logstash, and Kibana, ELK is a consolidated data analytics platform from open source software developer Elastic. The company is most widely known for Elasticsearch, its scalable search platform based on Apache Lucene. As with many open source offerings targeting the enterprise, paid-for commercial support and consulting are its bread and butter. ELK's software stack consists of Elasticsearch (distributed RESTful search/analytics engine), Logstash (data processing pipeline), and Kibana (data visualization). More recently, Beats made its way into the stack, offering agent-based, single-purpose data shipping. This conglomerate is now marketed by Elastic as the open source Elastic Stack.

The ELK interface. Source: elastic.co.

In addition to the ELK/Elastic stack, each of these technologies is available as a discrete offering from Elastic.

Side-by-Side Scoring: Splunk vs. ELK/Elastic Stack

1. Capability Set

Splunk and ELK/Elastic Stack are powerful, comprehensive log management and analysis platforms that excel in fulfilling the requirements of the most demanding enterprise use cases. Both are highly customizable and offer the range of features you'd expect from a competent solution in this category: advanced reporting, robust search capabilities, alerting/notifications, data visualizations, and more.

Splunk: 5/5
ELK/Elastic Stack: 5/5

2. Ease of Use

Both solutions are relatively easy to deploy and use, especially considering each respective platform's breadth of features and capabilities. That said, Splunk's dashboards offer more accessible features and its configuration options are a bit more refined and intuitive than ELK/Elastic Stack's. Additionally, ELK/Elastic Stack's user management features are more challenging to use than Splunk's.

Splunk: 4/5
ELK/Elastic Stack: 4/5

3. Community Support

Both are market leaders in their respective categories with a large community of users and supporters. Open source has its advantages, however, and ELK/Elastic Stack boasts a highly active and responsive developer/user community, as well as an abundance of resources available online. Check out Elastic's library of community-contributed clients for various programming languages.

Splunk: 4/5
ELK/Elastic Stack: 5/5

4. Release Rate

Both solutions have seen regular releases over the years: Splunk's enterprise offering is currently at version 6.5, while ELK/Elastic Stack releases—as a composite platform—are stratified per component. Currently, Elastic Stack (as well as its core components: Kibana, Elasticsearch, Beats, and Logstash) is at version 5.0. Full release histories for Elastic and Splunk are available on the vendors' websites.

Splunk: 5/5
ELK/Elastic Stack: 5/5

5. Pricing and Support

Splunk is a proprietary enterprise offering with a high-end price tag, while ELK/Elastic Stack is a free, open source platform. Despite this, ELK/Elastic Stack's total cost of ownership can be quite substantial as well for expansive infrastructures: hardware costs, price of storage, and professional services can quickly add up. Both Splunk and ELK/Elastic Stack now offer cloud-based, hosted versions for more price-conscious organizations. In terms of support, both ELK/Elastic Stack and Splunk's support offerings are exceptional.

Splunk: 4/5
ELK/Elastic Stack: 4/5

6. API and Extensibility

Splunk offers a well-documented RESTful API with over 200 endpoints for accessing every feature in the product, as well as SDKs for popular languages. ELK/Elastic Stack's Elasticsearch was designed from the ground up as a distributed search and analytics engine using standard RESTful APIs and JSON. It also offers pre-built clients for building custom apps in languages such as Java, Python, .NET, and more.

Splunk: 5/5
ELK/Elastic Stack: 5/5

7. 3rd Party Integrations

Splunk features over 1000 add-ons and apps in its Splunkbase app portal organized into 6 categories: DevOps, IT operations, security/fraud/compliance, business analytics, IoT/industrial data, and utilities. Not to be outdone, ELK/Elastic Stack also offers a plethora of plugins and integrations, both from the community and supplied by third-party vendors.

Splunk: 5/5
ELK/Elastic Stack: 4/5

8. Companies that Use It

Splunk boasts over 12,000 customers and 80 of the Fortune 100 under its belt: Adobe, BlackRock, Coca-Cola, ING, Tesco, AAA, Staples, among others. Elastic's customer list is equally impressive, consisting of eBay, Verizon, Netflix, Cisco, Salesforce, FICO, Facebook, and Thomson Reuters, to name a few.

Splunk: 5/5
ELK/Elastic Stack: 5/5

9. Learning Curve

ELK/Elastic Stack's learning curve is surprisingly flat for what it does; Splunk has a moderate learning curve, especially when it comes to building expertise for carrying out more specialized analyses.

Splunk: 3/5
ELK/Elastic Stack: 4/5

10. CSTAR

Splunk has a 694 CSTAR score—high marks for good website perimeter security and a strong resilience posture. That said, shortcomings like the lack of SPF, HTTP Strict Transport Security, and DNSSEC make it less than optimal. Elastic scores higher in this department with its 836 CSTAR score, despite possessing flaws of its own, like server information leakage and the lack of DNSSEC/HTTP Strict Transport Security.
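The three perimeter findings named above (missing SPF, missing HTTP Strict Transport Security, server information leakage) are all things a defender can verify from an HTTP response and a DNS TXT lookup. The added example below is not UpGuard's CSTAR logic; it is a small, standalone checker written for this page that evaluates those three controls over constructed inputs. The header sets, TXT records, and the 180-day max-age threshold are assumptions; a live check would feed it the headers from an HTTPS request to the site and the TXT records of its domain.

```python
import re

# Constructed inputs (not real responses from splunk.com or elastic.co):
# site A lacks HSTS and SPF; site B has both but leaks its server version.
SITE_A_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
SITE_A_TXT = ["google-site-verification=EXAMPLE-TOKEN"]
SITE_B_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SITE_B_TXT = ["v=spf1 include:_spf.example.com -all"]

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed policy floor; RFC 6797 sets no minimum


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers):
    """Flag a missing header, a short max-age, or a policy not covering subdomains."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", 0))
    except ValueError:
        max_age = 0
    issues = []
    if max_age < MIN_HSTS_MAX_AGE:
        issues.append(f"HSTS max-age too short ({max_age}s)")
    if "includesubdomains" not in d:
        issues.append("HSTS lacks includeSubDomains")
    return issues


def check_spf(txt_records):
    """Exactly one v=spf1 record is valid (RFC 7208); it should end in a fail or softfail."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (permanent error per RFC 7208)"]
    rec = spf[0].lower().strip()
    if not (rec.endswith("-all") or rec.endswith("~all")):
        return ["SPF record does not end in -all or ~all"]
    return []


def check_server_leakage(headers):
    """Treat a version number in Server, or any X-Powered-By, as information leakage."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        issues.append(f"Server header discloses version: {server}")
    if "x-powered-by" in h:
        issues.append(f"X-Powered-By discloses stack: {h['x-powered-by']}")
    return issues


def assess(headers, txt_records):
    """Run all three checks; an empty list per key means that control looked fine."""
    return {"hsts": check_hsts(headers),
            "spf": check_spf(txt_records),
            "leakage": check_server_leakage(headers)}


if __name__ == "__main__":
    for name, hdrs, txt in (("site A", SITE_A_HEADERS, SITE_A_TXT),
                            ("site B", SITE_B_HEADERS, SITE_B_TXT)):
        print(name, assess(hdrs, txt))
```

DNSSEC is deliberately left out: confirming it needs a validating resolver (checking the AD bit or fetching RRSIG records), which does not reduce to a string check over captured data the way the other three do.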


Scoreboard and Summary

                        Splunk          ELK/Elastic Stack
Capability Set          5/5             5/5
Ease of Use             4/5             4/5
Community Support       4/5             5/5
Release Rate            5/5             5/5
Pricing and Support     4/5             4/5
API and Extensibility   5/5             5/5
3rd Party Integrations  5/5             4/5
Companies that Use It   5/5             5/5
Learning Curve          3/5             4/5
CSTAR                   694             836

Total                   4.4 out of 5    4.6 out of 5

In short, both Splunk and ELK/Elastic Stack are competent, enterprise-grade log management and analysis platforms trusted by the world's leading organizations. Total cost of ownership can be significant for both solutions; in response to demand from more budget-minded firms, Splunk and Elastic have recently started to offer hosted versions of their products.

Log analytics and SIEM only account for one piece of the continuous security puzzle. For achieving enterprise resilience, UpGuard's platform gives organizations the ability to validate that all IT assets in their environments are configured optimally and free from vulnerabilities. Our platform integrates with Splunk out of the box to correlate detected configuration item changes with events, resulting in more accurate insights and timely response/remediation. Try UpGuard today; it's free for the first 10 nodes.


Topics: vulnerabilities, continuous security
