Pros and cons of Splunk vs. Solarwinds

ron_brown
Explorer

Hi folks, I'm looking for some thoughts on Splunk vs. Solarwinds. We currently have all of our servers pointing to Solarwinds, mainly just for monitoring health of systems. We also have a very small deployment of Splunk (currently at 10GB per day, bumping up to 60GB per day in the next month or so). I am aware that Solarwinds also has a SIEM, but haven't looked at it. One of my server team counterparts is trying to encourage more use of Solarwinds to keep things on a single pane of glass, including things like file integrity monitoring, SIEM, system monitoring, and application/server correlation and keeping track of where servers are located in the data centers and what not, basically a server inventory and tracking. Are these all things that we can get out of Splunk? Is it advisable to use Splunk for that kind of thing? Would the Solarwinds Splunk app make it possible to do everything from a single pane of glass in Splunk, and just have Solarwinds continue collecting the data? Any advice on this would be appreciated. Thanks.

DalJeanis
SplunkTrust

Mostly upvoting the question because of the awesome and thoughtful answer by @rich7177, which, when given to a wide-open question like this, deserves to be acknowledged.

0 Karma

Richfez
SplunkTrust

So there's a lot here.

We use Splunk Enterprise Security (similar sized license to where you are going) and have every tool SolarWinds makes, all tuned up and running smoothly. I lied - we have and use every tool that SW makes except one: we don't have SW's LEM because when we were testing that particular product we found it wasn't very good at the time.

For staffing, we have a Certified Splunk Admin II and SplunkTrust member on staff and also have a SolarWinds Thwack MVP as well. The two of us get along very well. I think I am more busy with Splunk than he is with SW, but we don't do the same things in each product so it's not really an apples to apples comparison. Still, I think SW has the edge here, though then again so many places have a terrible SW setup full of nasty red icons and alerts they ignore. Maybe it's because they're not tending ANY of their gardens?

Anyway. Let's take a step back and answer a question that will have a lot to do with the answer to this whole post: Why do I and my SW guy get along together so well? Mostly because each product does a few certain things very well.

Splunk is very strong in ingesting and making sense of random logs. Of searching for all sorts of things in that data. Of correlating all those things together - completely different, relatively arbitrary stuff like DNS requests compared with Cisco AMP information and lateral network movement based off local endpoint FW data. Making discoverable interfaces. Ingesting gobs of data. Machine learning algorithms. You know, stuff. Especially stuff where you don't even know what it is you need to ask until you start asking. That sort of ad hoc searching is nearly impossible in SW.

Solarwinds is great at keeping track of the status of our servers and systems. Snagging performance metrics for our SQL servers and VMware guests. Keeping track of our IP addresses and the configuration of our switches. Lots more stuff here too, but this is the Splunk Answers, not SolarWinds Answers. 🙂

The point is, the areas each product excels at don't really overlap much. The overlap is on those things each product can sort of kind of do OK but not exceptionally. (NOTE, this area is narrowing, more on that later).

If you concentrate on the things each product does really well, you'll find there's nearly no conflict. LEM doesn't hold a candle to Splunk for the security type correlation searches. Splunk, on the other hand, doesn't do a lot of other things SW does nearly as well.
So that's left us using SW for the things SW does well - the list is above - and using Splunk for the things Splunk does well.

Where does this leave us?

First, their comment of "a single pane of glass" can go both ways: you have just as valid an argument that Splunk should be the single pane of glass - Splunk can ingest or read most of the data from SW easily enough. We have also found that a single pane of glass isn't necessarily the goal, or at least not a good one. Keeping the panes of glass to as few as you can IS, but that's not necessarily only one.

Look at it this way - no matter what vehicle you buy it's not going to excel at everything. Maybe you buy a pickup truck which hauls things well but which has deficiencies when it comes to hauling groups of people around, or in going fast. Maybe you buy a Ferrari but obviously you STILL can't haul 7 kids around in it well, though now you have "fast" solved. Or maybe you buy an old minivan, eschewing "fast" for "can take a whole soccer team for pizza after practice" with moderate hauling capacity. The point is there are tradeoffs in your vehicle, just like there are tradeoffs in SW vs. Splunk.

Second, your actual needs are different from mine, and those are different from nearly anyone else's needs. In the end only people in your environment can decide which fits your needs best, or if both are required to meet your business needs.

In the end, you're going to need to make some comparisons between the two. The problem with doing this is that Splunk Enterprise Security has no real "trial" mode - it takes actual work to get it working properly, and until a certain level of "working properly" is crossed it's going to be half useless as a SIEM. Trying to spin up your own Splunk ES to "test" with ... that's perhaps not really recommended. Maybe you can get with your Splunk rep and see if he has a customer you can take a deep look at ES with? If nothing else he can certainly spin up a demo for you, I think they have that available.

I'd sit down with your management and some interested parties and outline your absolute needs. From that, determine via actual use or at least demos (e.g. NOT the promise of your salespeople) which does what and how well. And try very, very hard to look past fluff and pretty and see functionality. Obviously, pretty is good, but in various areas either SW or Splunk may make you sit back and say "WOW". But just be careful that it's WOW because of the deeper picture and that usability isn't thrown away to make it pretty.

Additional Notes:

Metrics in SW are way cool. Metrics in Splunk are way behind SW's yet, but in a year or so this might be something to revisit again. Again, SW is building off something they were strong in, whereas Splunk was sort of building from scratch. It makes sense SW has the advantage for now.

We also share information, too - Splunk ingests alerts and node information (for inventory) from SW, and there are a handful of our NOC screens that use a Splunk dashboard behind them mixed right in there with the mostly SW screens because there's just some information SW can't do well, like pulling in Cisco AMP information from the cloud and making sense of that information in the larger context of security, firewalls, anti-virus, threat indicators and so on.

One of the things that SW doesn't do well that isn't apparent from a quick look is that in SW you either seem to be seeing it at a 40,000 foot level "Big Red X" or you are DEEP in the weeds looking at every single VMware host statistic or staring at Page Life Expectancy. There's little in between those two. In Splunk it's far easier to get that sort of mid-level, some-but-not-too-much-detail views.

Also, for what it's worth, we constantly struggle to keep SW performing well and there's no clear path (according to SW) to making this better. Conversely, adding performance to Splunk is usually very simple hardware additions.

Anyway, I hope this helps though I understand it's not really an answer. 😞

Happy Splunking,
Rich

ron_brown
Explorer

Thanks Rich, that's actually very helpful. I'll check to see if I can get some demos set up of the two and see what each one can do to fulfill our needs, both from an operational as well as security perspective. I think they could probably both, as you said, do all of the things we need, but do they do them well enough to make it worthwhile pulling everything into a single point vs. having each one do what it's really good at. Thanks for your comments.

0 Karma