What is our primary use case?
Primarily, my team leverages this product where we are unable to find a path to a preferred Log Analysis solution, which is much more costly.
Another use case exists where a fast (24-48 hrs) turnaround is required for ad hoc alerting or log analysis for our service delivery. We can have logs sent to a Syslog collector, which is indexed without the usual agent deploy work required to ingest data.
How has it helped my organization?
The IBM monitoring software products (Tivoli) are not easy to instrument and require many separate pieces of the total framework to be operationally functional and usable. That said, adding LA on top of a well-deployed and working Tivoli Framework opens up a flood of natively logged data points for unstructured search and query.
My team had a special need to implement custom alerting on tens of thousands of MQ channels in a short amount of time, and the traditional approach (also with a Tivoli product) would have been very costly (labor) and time consuming (requiring individual app review). As an alternative, we had a new event stream created to track all MQ channels to generate logs, and then used LA to visualize the behavior trends for review, reporting and eventually alerting. The effort took longer than I hoped (~6 months), but the traditional approach would have taken 2+ yrs to review and implement app by app.
What is most valuable?
Log Analytics (LA) allows a user to see patterns of behavior and isolate issues quickly, without the need to manually access individual systems and parse logs by hand. Similar to other Log Analysis engines, Tivoli's LA tool also allows for custom dashboarding for audience-specific visualization and alerting for early detection of identified issues.
What needs improvement?
The visual presentation layer of LA is less than cutting edge, but we are lucky to have early access to a Kibana add-on that will give us some more attractive and flexible views.
The indexing engine (a proprietary build of LogStash) is, well... very LogStash-ish... It requires more work to normalize the log feeds than competing products.
For how long have I used the solution?
Three to five years.
Which solution did I use previously and why did I switch?
Yes, we used and still use Splunk. SCALA is more affordable, and for the purpose an adequate solution. If I could afford it, I would be a full Splunk shop.