Log Management Forum

Ad84c32d 0949 42fe 8748 9a7444b3a48b avatar
Content Specialist
IT Central Station
Mar 13 2018
One of the most popular comparisons on IT Central Station is IBM QRadar vs Splunk. People like you are trying to decide which one is best for their company. Can you help them out? Which of these two solutions would you recommend for Log Management? Why? Thanks for helping your peers make the best decision! --Rhea
Anonymous avatar x30
Darius RadfordAs all consultants say...it depends. The elements I would factor in are: 1) How they are staffed? 2) What groups outside of security will use this tool? 3) Is this for SIEM or log management? 4) Size of environment For" how are they staffed" question I think if you have developers and scripting expertise in house then this makes for a strong case for Splunk. If not then Q-Radar may be a better fit. The next question..."what groups outside the security group with use this tool?". Splunk does a lot of items that are really nice to haves, but don't necessarily fall into the security space. So if folks outside of security team will use the tool and subsequently help fund the endeavor this makes a strong case for Splunk. If this is a pure play security need, then out of the box, I feel this is a strong case for Q-Radar Is this for SIEM or log management? By default Splunk is not a SIEM, once you buy the SIEM/Security license then it becomes a SIEM. That being said, it does log management and analytics very well. Out of the box Q-Radar is a very effective SIEM with tons of pre-set rules. So obviously if this is a pure play log management move, then Splunk becomes a strong choice here. Size of environment. Because the Splunk licensing model is based on the number of events being produced in your environment, then this is a factor that must be considered. Q-Radar on the other hand is one of most straight-forward SIEM installations, and shortest time to value out there. As such, they have often been associated with small to mid sized organizations. There are other factors out there to consider...this is in no means an all encompassing list, however, I feel if you ask yourself these questions, at a minimum , then your answers becomes a lot clearer.
Anonymous avatar x30
Loren BuhleIt depends on the intended purpose of the tool and the type of people implementing it. Q-Radar tends to focus its out-of-the-box reports on compliance reporting, as well as tracking behavior-based tracking that is arduous for the DIY script writer. Having used both, they are both great platforms that take quite a bit of training to fully understand and wring the most value. Once you are at a steady state of log analysis, Q-Radar tends to be more useful on exploring "what we don't know" while Splunk tends to focus on confirming what I suspected, but didn't have the evidence. If you love scripting and going after known deviations, there are alot of Splunk consultants and expertise for hire. This makes Splunk slightly better for small organizations. If known deviations are "table stakes" and you focus is on exploring risks currently unknown to you...then Q-Radar is the better option, in my opinion. Q-Radar's learning curve used to be slightly steeper than Splunk...but I've heard there is more automation and better training on the Q-Radar in the past few years.
Anonymous avatar x30
Tim WittenburgThe answer of course is, it depends. They are both great tools. In my experience, Splunk would be viewed favorably by teams that prefer scripting and building their own capabilities. Splunk does also has an add-on ES module that is pre-configured to address many common security/compliance reporting needs. I have less experience with Q-Radar relative to Splunk however I did recommend Q-Radar to a company who wanted something they could deploy rapidly to satisfy a HIPAA reporting requirement. My observation is that Q-Radar may have more compliance-related reporting out of the box relative to Splunk.
Anonymous avatar x80
User at a tech services company with 1,001-5,000 employees
Nov 01 2017
From a few reviews I saw that Elastic Stack, which is an open source stack solution is gaining popularity.  Splunk has been in the market for quite some time but is commercial product.  Is it possible to replace Splunk with Elastic Stack?  If so, what are all the benefits we may be losing in this decision?  Does Elastic Stack also have a retention policy?  Is Kibana a form of equivalent to what Splunk provides?  Is it advisable to set Elastic Stack for an enterprise application?  What may be the challenges if we want to setup Elastic Stack for application which runs on two nodes and with a load balancer?
A5223938 eed9 42af 9f16 9a9bd1568f21 avatar
Content and Community Manager
IT Central Station
Recently, our user activity has shown that Splunk is the most commonly searched solution on our site.  3,643 of our community members follow Splunk, and it's listed in five of our product categories: Log Management, Data Visualization, IT Operations Analytics, and Security Information and Event Management (SIEM). What are some of the best features and use-cases of Splunk, and why are people explicitly searching for it to learn more?
Bdd785d9 4156 4288 b5a3 6ffdeb848ca9 avatar
Randall HindsI agree with Aaron & Tom on their points. Along their use cases, I have been able to show more than Log data in Splunk views. We tested several plug-ins during a small pilot, and we were able to bring O/S (Win/Unix/Linux) & APM data metrics into the same views as Logged data. I've seen others use it to visualize a wider range of data types, too. That said, Tom's point resonates with me. Their are better tools for visualization (ZoomData & Kibana come to mind), but as an aggregator Splunk has the most plug-in types out there. IF (big if) you have the $$ to support ingesting everything, you could theoretically pull data that lives in 40 or 400 source tools and thousands of hosts/systems into a single set of enterprise views. I am not fortunate enough to have that kind of budget though... After proving the concept in pilot, we had to dismantle our 'unified views' due to lack of funding.
Jean luc labbe li?1414333227
Jean-Luc LabbéGood log management solution you can use if you know what you ae looking for. Not a SIEM solution though even though customer should be aiming for solutions that go beyond what a SIEM does, that is, a Security Intelligence platform.
Anonymous avatar x30
Julio JimenezThe flexibility that it offers, One of the most powerful features of Splunk is its ability to extract fields from events when you search, creating structure out of unstructured data. It takes a small amount of “learning time” to start creating or getting searches that are meaningful to you. You can start “splunking” for free, which allows you to see the benefit. There is a ton of resources on the web, uses cases, and step by step instructions.

Sign Up with Email