Splunk Enterprise

How to convince my boss to switch from McAfee ESM to Splunk?

tazzvon
Engager

Trying to convince my boss to switch to Splunk but the biggest issue is ESM's ease of use. Everything is pretty much plug n play on ESM where Splunk takes a lot of work to get the same results. Here are a couple of examples:

1. ESM he can go in and easily create a watchlist with all the server IPs and add that to an alert to tell it not to alert if these IPs are in the src or dest.

1. Splunk I have to create a lookup, then create a lookup definition, then create the macro, and if I want to add an IP to the file I have to go into the CLI and add the new IP.

2. ESM has an alert page where you can look at all the alerts that have popped and check a box when you have decided that you have done enough investigation on that alert, which allows other analysts to know that alert has already been investigated.

2. I have not seen anything like this in Splunk without spending more money.

3. ESM really has no easy way to query on the fly, so Splunk does win this one.

4. He wants a solution that a new analyst can sit down with minimal training and use. I don't like the idea of button pushers, but we don't have months or years to train a new analyst (or the money).

If I could resolve issues 1 and 2 so anyone could do that stuff without having to be a programmer and do it all in the GUI, I think I could convince him.

Licensing cost is not an issue, both are already licensed.

Any ideas?
