We performed a comparison between Elastic Security and Splunk based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Splunk comes out on top in this comparison. It is easier to use and has better support than Elastic Security. Splunk users also report a significant ROI. Elastic Security does come out on top in the pricing and ease of deployment categories, however.
"The querying and the log-retention capabilities are pretty powerful. Those provide some of the biggest value-add for us."
"Devo provides a multi-tenant, cloud-native architecture. This is critical for managed service provider environments or multinational organizations who may have subsidiaries globally. It gives organizations a way to consolidate their data in a single accessible location, yet keep the data separate. This allows for global views and/or isolated views restricted by access controls by company or business unit."
"The most valuable feature is definitely the ability that Devo has to ingest data. From the previous SIEM that I came from and helped my company administer, it really was the type of system where data was parsed on ingest. This meant that if you didn't build the parser efficiently or correctly, sometimes that would bring the system to its knees. You'd have a backlog of processing the logs as it was ingesting them."
"One of the biggest features of the UI is that you see the actual code of what you're doing in the graphical user interface, in a little window on the side. Whatever you're doing, you see the code, what's happening. And you can really quickly switch between using the GUI and using the code. That's really useful."
"The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored."
"The strength of Devo is not only in that it is pretty intuitive, but it gives you the flexibility and creativity to merge feeds. The prime examples would be using the synthesis or union tables that give you phenomenal capabilities... The ability to use a synthesis or union table to combine all those feeds and make heads or tails of what's going on, and link it to go down a thread, is functionality that I hadn't seen before."
"The user interface is really modern. As an end-user, there are a lot of possibilities to tailor the platform to your needs, and that can be done without needing much support from Devo. It's really flexible and modular. The UI is very clean."
"It's very, very versatile."
"The indexes allow you to get your results quickly. The filtering and log passing is the advantage of Logstash."
"Elastic has a lot of beats, such as Winlogbeat and Filebeat. Beats are the agents that have to be installed on the terminals to send the data. When we install beats or Elastic agents on every terminal, they don't overload the terminals. In other SIEM solutions such as Splunk or QRadar, when beats or agents are installed on endpoints, they are very heavy for the terminals. They consume a lot of power of the terminals, whereas Elastic agents hardly consume any power and don't overload the terminals."
"ELK is open-source, and it will give you the framework you need to build everything from scratch."
"The solution is quite stable. The performance has been good."
"It's not very complicated to install Elastic."
"It is very quick to react. I can set it to check anomalies or suspicious behavior every 30 seconds. It is very fast."
"The most valuable features of the solution are the prevention methods and the incident alerts."
"I like the indexing of the logs."
"Easy to deploy and simple to use."
"The additional vendors we've brought on board, particularly the elastic, have been quite beneficial."
"The SIEM is the most valuable feature of the product."
"The ability to ingest different log types from many different products in our environment is most valuable."
"It has quite extensive support in terms of integration. If you want to do anything, there are tools for that."
"It's better than IBM, in my opinion, because it's an independent entity."
"We have found all the features useful. However, the dashboarding and logging have been very helpful. Additionally, the log analysis does a great job."
"What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis."
"There is room for improvement in the ability to parse different log types. I would go as far as to say the product is deficient in its ability to parse multiple, different log types, including logs from major vendors that are supported by competitors. Additionally, the time that it takes to turn around a supported parser for customers and common log source types, which are generally accepted standards in the industry, is not acceptable. This has impacted customer onboarding and customer relationships for us on multiple fronts."
"I would like to have the ability to create more complex dashboards."
"Some basic reporting mechanisms have room for improvement. Customers can do analysis by building Activeboards, Devo’s name for interactive dashboards. This capability is quite nice, but it is not a reporting engine. Devo does provide mechanisms to allow third-party tools to query data via their API, which is great. However, a lot of folks like or want a reporting engine, per se, and Devo simply doesn't have that. This may or may not be by design."
"There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness."
"Some of the documentation could be improved a little bit. A lot of times it doesn't go as deep into some of the critical issues you might run into. They've been really good to shore us up with support, but some of the documentation could be a little bit better."
"An admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that."
"One major area for improvement for Devo... is to provide more capabilities around pre-built monitoring. They're working on integrations with different types of systems, but that integration needs to go beyond just onboarding to the platform. It needs to include applications, out-of-the-box, that immediately help people to start monitoring their systems. Such applications would include dashboards and alerts, and then people could customize them for their own needs so that they aren't starting from a blank slate."
"From our experience, the Devo agent needs some work. They built it on top of OS Query's open-source framework. It seems like it wasn't tuned properly to handle a large volume of Windows event logs. In our experience, there would definitely be some room for improvement. A lot of SIEMs on the market have their own agent infrastructure. I think Devo's working towards that, but I think that it needs some improvement as far as keeping up with high-volume environments."
"The problem with ELK is it's difficult to administer. When you have a problem, it can be very, very difficult to rebuild indexes."
"The Integration module could be improved. It is a pain to build integration with any product. We have to do parking and so on. It's not like other commercial solutions that use profile integration. I would also see more detection features on the SIEM side."
"There isn't really a very good user experience. You need a lot of training."
"The price of this product could be improved, especially the additional costs. I would also like to see better-quality graphics."
"It is difficult to anticipate and understand the space utilization, so more clarity there would be great."
"Its documentation should be a bit better. I have to spend at least a couple of hours to find the solution for a simple thing. When we buy Elastic, training is not included for free with Elastic. We have to pay extra for the training. They should include training in the price."
"We're using the open-source edition, for now, I think maybe they can allow their OLED plugin to be open source, as at the moment it is commercialised."
"Better integration with third-party APMs would be really good."
"An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times."
"The solution could improve by giving more email details."
"If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide."
"It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics."
"It needs integration with a configuration management solution."
"In the next releases, I would like to see more pricing flexibility."
"Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue."
"Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for."
See how Devo allows you to free yourself from data management, and make machine data and insights accessible.
Elastic Security is ranked 8th in Log Management with 18 reviews while Splunk is ranked 1st in Log Management with 61 reviews. Elastic Security is rated 7.4, while Splunk is rated 8.2. The top reviewer of Elastic Security writes "It is quite comprehensive and you're able to do a lot of tasks". On the other hand, the top reviewer of Splunk writes "Very versatile for many use cases". Elastic Security is most compared with Wazuh, Graylog, Datadog, Microsoft Sentinel and Fortinet FortiSIEM, whereas Splunk is most compared with Microsoft Sentinel, Wazuh, Azure Monitor, Dynatrace and AppDynamics. See our Elastic Security vs. Splunk report.
See our list of best Log Management vendors and best Security Information and Event Management (SIEM) vendors.
We monitor all Log Management reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Generally Elastic is very strong in datasearch, and Splunk has a strong security solution. However Elastic has partnered with SIEM provider empow and together this integration provides a very strong platform both in datasearch and next generation SIEM.
Here's a thorough article on ELK vs. Splunk and here's a description from Elastic on what's included in the different versions.
Splunk: hard to use, expensive with predatory pricing, few OOTB rules, SOAR is a premium, good luck training analyst on their platform in under six months. SPLUNK SEARCH.
ELK Stack: easy to use, open-source, no predatory pricing, more robust use cases OOTB, loved and used by millions all over the globe, open ecosystem that can integrate with almost any major IT stack out of the box. LUCENE.
We use ELK or other freeware stacks in isolated small scenarios.
Think of a small or medium company with a „midsized“ webshop. You can easily do your Log management with an ELK-Stack, let's say size 5 up to 10 GB, no Problem. Please keep in mind to order Hardware. The best thing on ELK is that you can start immediately you don't have to wait for licensing and it's easy to build the first small things.
Another Example:
Your Marketing Dep. wants to do some singular evaluations and very specialized marketing stuff. It is temporary and they don't have the budget for licensing. The results are not for permanent use. Just use ELK.
In my opinion, ELK is only cost-effective if you don't need to buy their professional service. You must leave the cases small.
If you are looking for bigger scenarios or you want to build-up a SIEM, SOC or even doing elevated things like SOAR it is a very different kind of thing.
There can be account issues that a developer usually won't mind at the first glance but a Controller will.
You have to look at the Total Cost of Ownership, Scalability, Time to Market, Secureness of future development, maintenance e.g.
If you want to build up a complex scenario with the secureness of scalability you should go with SPLUNK. If tomorrow there is a better tool with lower costs and less need for input of manpower I will refer to this.