We are considering Splunk, ELK or Apache Metron (Hadoop) for SIEM.

Q1:
I've encountered nightmares with a top-end SIEM in the past when querying/retrieving data: it takes days and even crashes. Which of the above has excellent, super-fast log management and querying?
Q2:
I was told by an ex-colleague that ArcSight/Splunk require CEF (Common Event Format) or syslog format to be piped to them, as they can't accept any other format. A vendor using QRadar told me QRadar requires syslog/CEF format inputs too.
I have SNMP traps/MIB events (e.g. from Cisco and proprietary devices) that my ex-colleague told me can't be accepted by Splunk/ArcSight, so I would like to know if any of the 3 tools above are more readily able to accept SNMP or other event formats.
Q3:
I heard that ELK lacks policies, which in the long run will be costlier if we get consultants to customize it. Do the other 2 products have this concern?
Also, Splunk Enterprise is priced by the amount of logs, and we're concerned that too many logs (can be 500MB/month) will make the cost high. Weighing customization/set-up PS efforts against licensing costs based on the amount of logs (which I guess we can reduce by archiving off older logs), which of the 3 is more cost-effective?