By Tony Lee
In the first part of our series (http://securitysynapse.blogspot.com/2019/02/splunk-and-elk-impartial-comparison-part-i.html), we discussed the similarities between Splunk and the ELK stack.

Part II will discuss some of the differences in terms of limitations. Not all of these are deal breakers and they cannot necessarily be scored one for one in terms of importance. But it is good for folks to know the differences before implementing one platform vs. the other. We welcome the reader to chime in with their own limitations (or corrections) as well.

We will start off with the Splunk limitations and then follow up with the ELK limitations. Remember, these are not necessarily weighted equally in terms of importance (as that is determined by the end user), so we are not declaring a winner.
Splunk Limitations

- ELK can easily create dynamically named indexes and keys; Splunk cannot.
- ELK can search on a wildcarded key. For example: search host.*=foo
- ELK provides DevTools -> Console: a useful method for running commands against the ELK instance from the Kibana GUI.
- Splunk does not provide relevance weighting such as ELK's _score field.
ELK Limitations

- ELK does not allow piping of search commands to create more complex commands. This is one of the most difficult differences to overcome when transitioning from Splunk to ELK.
- Splunk is considered "schema on read", which means you can throw pretty much anything at it and it may autoparse or can be parsed later. ELK requires more upfront parsing to make use of the data.
- There is no central manager for Beats agents; Splunk includes a deployment server for free which manages Universal Forwarders.
- discuss.elastic.co closes threads after 60 days of inactivity. Splunk Answers never closes a thread and thus users can contribute at any time; this helps prevent duplicate entries and stale, worthless data.
- Installation of Splunk can be completed in minutes; ELK takes much more time and is more dependent upon the versions of each component since there is no unified installer.
- Kibana can only sort on numeric fields and not alphabetical fields.
- It appears that Splunk has more mathematical/statistical functions out of the box.
- ELK has a separate Beat for collecting different sources/components of a system. Splunk has a single Universal Forwarder that can collect different data sources by using a flexible configuration file.
- The ELK time range selector is missing a range for: Quick -> All time.
- ELK may introduce significant "breaking changes" on new version releases, which can cause some customers to become stuck on a certain version of the platform. Splunk seems to be very careful not to do this; it is rare and often not as limiting if it does occur.
Conclusion

This should serve as an initial list of limitations for both platforms. Again, we will not declare a winner because some of those limitations may not matter to the end user; however, it is good to get the list out in the open for discussion.

Both platforms are always looking for ways to innovate and improve the customer experience. These lists are often a good start for that purpose, and competition is definitely a good thing. If you have a correction, please keep it constructive and it will get posted in the comments section below. Thanks for reading. 😉