Log analysis and security information and event management (SIEM) tools have become staples of enterprise cyber resilience programs. For vigilant organizations, visibility into the transactions occurring behind the scenes of their infrastructure is instrumental to maintaining a strong security posture. Splunk and Sumo Logic are two leading platforms that serve this critical purpose—let’s revisit them to see how their current offerings stack up.
Cybersecurity these days is a multi-faceted beast, with most firms relying on a layered security framework to continuously protect their environments against attacks. And while no prescriptive set of measures exists for effectively stopping all threats, the proper set of continuous security solutions combined with traditional measures can certainly help eliminate common attack vectors—the lowest-hanging fruit for cyber attackers. For example, solutions like firewalls and IDPS platforms detect and block malicious actors at the perimeter and endpoint level but are minimally effective against insider threats and advanced persistent threats (APTs). SIEMs analyze the data surrounding an attack—stored in log files and other data stores—and correlate events across sources to identify threats that other security mechanisms will potentially miss.
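To make the correlation point concrete, here is an added example (not code from the article, from Splunk, or from Sumo Logic) of the kind of rule a SIEM evaluates over collected logs. It is plain Python rather than a vendor query language, and every log line, hostname, username and IP address in it is a constructed sample. A single failed login is noise to a firewall or IDS; correlating a burst of failures followed by a success from the same source, or a successful login at an unusual hour, is what turns that noise into a finding.

```python
"""
Added example, not part of the original article: a miniature SIEM-style
correlation over constructed sshd-like authentication log lines.
Rule 1 flags a burst of failed logins followed by a success for the same
source/user pair (credential guessing that eventually worked).
Rule 2 flags successful logins outside business hours, a simple proxy for
the insider-style activity that perimeter controls do not see.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (hosts, users and IPs are made up), in arrival order.
SAMPLE_LOG = """\
2024-03-04 02:13:01 host-a sshd[1201]: Failed password for alice from 203.0.113.7 port 50122
2024-03-04 02:13:04 host-a sshd[1201]: Failed password for alice from 203.0.113.7 port 50123
2024-03-04 02:13:07 host-a sshd[1201]: Failed password for alice from 203.0.113.7 port 50124
2024-03-04 02:13:09 host-a sshd[1201]: Failed password for alice from 203.0.113.7 port 50125
2024-03-04 02:13:12 host-a sshd[1201]: Failed password for alice from 203.0.113.7 port 50126
2024-03-04 02:13:20 host-a sshd[1201]: Accepted password for alice from 203.0.113.7 port 50127
2024-03-04 09:05:44 host-b sshd[2210]: Failed password for bob from 198.51.100.9 port 40011
2024-03-04 09:06:01 host-b sshd[2210]: Accepted password for bob from 198.51.100.9 port 40012
2024-03-04 23:41:10 host-c sshd[3300]: Accepted publickey for svc-backup from 192.0.2.44 port 33001
"""

# Field extraction: timestamp, host, outcome, auth method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: at least `threshold` failures from one (source, user) pair within
    `window`, followed by an accepted login for that pair. Returns the pairs hit."""
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "Failed":
            failures[key].append(e["ts"])
        elif e["outcome"] == "Accepted":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append(key)
            failures[key].clear()  # a success ends the current guessing episode
    return hits


def detect_offhours_success(events, start_hour=8, end_hour=18):
    """Rule 2: successful logins outside [start_hour, end_hour).
    Returns (user, host, hour) tuples."""
    return [
        (e["user"], e["host"], e["ts"].hour)
        for e in events
        if e["outcome"] == "Accepted" and not (start_hour <= e["ts"].hour < end_hour)
    ]


def run_rules(text):
    """Parse the log once and evaluate every rule over it."""
    events = parse_events(text)
    return {
        "bruteforce_then_success": detect_bruteforce_then_success(events),
        "offhours_success": detect_offhours_success(events),
    }


if __name__ == "__main__":
    for rule, findings in run_rules(SAMPLE_LOG).items():
        print(rule, findings)
```

Run against the embedded sample, Rule 1 reports the `203.0.113.7`/`alice` pair and Rule 2 reports the 02:00 and 23:00 logins; Bob's single typo-then-success at 09:06 triggers neither. The thresholds and the business-hours window are tuning knobs, which is exactly where a real SIEM deployment spends its effort: too tight and analysts drown in alerts, too loose and the APT-style slow activity the paragraph above describes slips through. Real sshd lines also carry variants such as "invalid user" that this deliberately narrow pattern does not handle.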
The more senior and enterprise-focused of the two, Splunk has well over a decade of experience collecting and analyzing high volumes of machine-generated data for business intelligence and security/compliance use cases.
Splunk Enterprise is available as an on-premise or SaaS-based solution (Splunk Cloud), with much of the event data and analyses presented visually in the form of graphs, charts, reports, and other visualizations.
Sumo Logic is a cloud-based log management and analytics platform that enables enterprises to make sense of their log data for security, IT operations, compliance, and a myriad of other use cases.
Like Splunk, Sumo Logic takes an organization's machine-generated data feeds and transforms them into actionable insights in the form of easy-to-understand charts, tables, and other visual elements.
Side-by-Side Scoring: Splunk vs. Sumo Logic
1. Capability Set
Both platforms are feature-rich with a focus on the enterprise; that said, Splunk—with a decade's head start on Sumo Logic—possesses a more comprehensive, expansive feature set. Both platforms do, however, offer an abundance of add-on content in the form of applications.
2. Ease of use
Both offer intuitive web interfaces that make getting up to speed with the respective platform a trivial affair. Splunk in particular was developed with non-technical users in mind, and that design objective shows in the platform's ease of use. That said, its more advanced features and customization options are less intuitive than the commonly used ones.
The two platforms present information visually in the form of customizable panels and dashboards, but Splunk offers both an XML and drag-and-drop based customization option for its visualization platform. In terms of installation, Sumo Logic's SaaS-based platform can be easier to get up-and-running when compared to Splunk's on-premise solution. However, Splunk does offer a SaaS version of its platform called Splunk Cloud, geared mostly towards Amazon AWS users.
3. Community Support
Splunk enjoys some clear first-mover advantages when compared with Sumo Logic, including a larger community base and corpus of public support resources. Its vendor-provided community forum is presented in a lively question/answer format, and documentation for all versions of the platform is available on its website. As a relatively young offering, Sumo Logic has less to offer would-be users in this category.
4. Release Rate
Splunk is currently at version 6.4, offering in its latest release a library of interactive visualizations, reduced on-premise storage TCO, new management features, and more. As a SaaS-based solution, Sumo Logic is continually updated, but its release history is somewhat opaque when compared with Splunk.
5. Pricing and Support
Distinctions between the two offerings are a bit clearer in this category, as Splunk is clearly the more enterprise-oriented of the two. This is certainly reflected in its pricing: at $4,500 for a 1 gigabyte-per-day perpetual license, plus annual support fees, Splunk Enterprise is not exactly a drop in the bucket, to say the least. In contrast, Sumo Logic can be had for $115/month, which includes 1GB/day of data volume for 3-20 users. This makes the platform a more viable option for smaller organizations on a budget.
Splunk dominates Sumo Logic in the documentation and support department, however. The latter's online support options leave much to be desired; in contrast, the veteran platform's web support resources are well thought out and easy to navigate and search.
6. API and Extensibility
Both platforms feature rich, RESTful APIs for customizing data presentations and building specialized applications. However, Splunk's API is more comprehensive and provides a method for every feature of the platform.
7. 3rd Party Integrations
Splunk wins hands-down in this category, as this is where the platform arguably shines the brightest. The platform has over 600 plugins for supporting a plethora of IT operations, security, and compliance use cases, among others. Sumo Logic also features plugins for popular 3rd party software platforms like Jenkins and New Relic, but again—its selection pales in comparison to Splunk's plugin library.
8. Companies that Use It
Both platforms are widely used by many of the world's largest enterprises. Splunk purportedly has over 11,000 customers ranging from the likes of Adobe and Autodesk to Tesco to Vodafone. Sumo Logic's customer list is no less impressive and includes The BBC, Scholastic, Akamai, and Kaiser Permanente, among others.
9. Learning Curve
As mentioned previously, both platforms offer intuitive web-based UIs that streamline getting up-to-speed with the products. That said, Splunk can be difficult to build deep expertise in for more robust analysis purposes. For example, the platform's Search Processing Language (SPL) is both powerful and complex and takes some time to master.
Scoreboard and Summary
In short, both platforms are competent log analysis and SIEM solutions for rounding out your layered, continuous security efforts. Splunk is geared towards large enterprises with a need for a vast integration/plugin library. These options, however, come at a premium. In contrast, Sumo Logic is a cost-effective solution for organizations in need of a SaaS-based platform that's extensible and easy to get acquainted with.