Mike Zakrzewsk

Director, Cyber Technologies

Elastic and Splunk are competitors, right? Sure. But the two tools can actually complement each other. Elastic, whose core search and indexing features are free to use, can substantially reduce your ever-growing Splunk costs, increase performance, and extend how long you can afford to retain data.

Cost – To understand how Elastic provides cost savings, it helps to understand some pricing basics. Splunk's classic licensing is based on the volume of data ingested per day, which can become cost-prohibitive if your organization brings in lots of data. Elastic, by contrast, offers a mix of free and paid features: basic Elastic security features are free, while additions like document-level access control require a paid subscription tier. Crucially, Elastic does not license by ingest volume, so the licensing bill does not climb as the data grows. You still pay for the infrastructure that stores and searches that data (nodes and disk for a self-managed cluster, or resource-based pricing for a hosted deployment), so the savings are largest when the cluster is right-sized and older indices are moved to cheaper storage tiers. This is especially important for large organizations.

Performance – When data is ingested, Elastic parses it into fields and stores it as structured documents, which are quicker to search than raw, unstructured text. This approach is known as schema on write: the field structure is fixed at index time. Splunk, on the other hand, stores the raw events and uses schema on read, applying field extractions when the data is searched. Users pay a performance tax with Splunk because every time you run a search, the extractions must be applied again before the results can be evaluated (Splunk mitigates this with indexed fields and accelerated data models, but only for fields you define in advance). The trade-off is that schema on write requires you to define mappings and parsing up front, and a document that conflicts with the mapping can be rejected at ingest rather than silently stored.

Data Retention – When it comes to querying large datasets, Elastic makes it feasible to mine months or years of data because the fields are already indexed at write time. At ľ¹ÏAV, we optimize Splunk by sending Splunk only the critical events you know you want to investigate there. Elastic handles the rest, including the datasets you don't know are important… until they are. This reduces the volume Splunk has to index, which speeds up searches and lowers license cost.

The flowchart below demonstrates the process of using Elastic as a cost-savings tool alongside Splunk:

01

Use Elasticsearch to ingest large security datasets, such as authentication logs, audit events, NetFlow records and DNS traffic.

02

Use Elasticsearch to remove the 'noise' by deduplicating and filtering down to only significant events.

03

Index the condensed, highly relevant dataset into Splunk.

04

Save money and increase the performance of your Splunk investment.
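Steps 02 and 03 in practice, as an added example that is not part of the original post: the script below takes documents shaped like the _source of hits from an Elasticsearch authentication index (the records here are constructed samples), drops exact duplicates, keeps only the events an analyst would want in Splunk (bursts of failed logins from one source address, the success that follows such a burst, and anything touching a privileged account), and wraps the survivors in the JSON envelope Splunk's HTTP Event Collector accepts. The privileged-account list, the failure threshold, the sourcetype name, and the URL and token passed to send_to_hec are assumptions for illustration; the Elasticsearch query that would produce the hits is left out so the script runs offline.

```python
import hashlib
import json
import urllib.request
from collections import Counter
from datetime import datetime

# Accounts whose every authentication event is worth forwarding (assumed list).
PRIVILEGED_ACCOUNTS = {"root", "administrator"}

# Constructed sample documents, shaped like the _source of hits returned by an
# Elasticsearch search over an authentication index (ECS-style field names).
SAMPLE_HITS = [
    {"@timestamp": "2023-05-01T10:00:01Z", "event.outcome": "failure",
     "user.name": "alice", "source.ip": "203.0.113.5", "host.name": "web1"},
    {"@timestamp": "2023-05-01T10:00:02Z", "event.outcome": "failure",
     "user.name": "alice", "source.ip": "203.0.113.5", "host.name": "web1"},
    # Same event shipped twice after an agent restart: a duplicate to drop.
    {"@timestamp": "2023-05-01T10:00:02Z", "event.outcome": "failure",
     "user.name": "alice", "source.ip": "203.0.113.5", "host.name": "web1"},
    {"@timestamp": "2023-05-01T10:00:03Z", "event.outcome": "failure",
     "user.name": "alice", "source.ip": "203.0.113.5", "host.name": "web1"},
    # Success right after the failures: the event an analyst wants in Splunk.
    {"@timestamp": "2023-05-01T10:00:04Z", "event.outcome": "success",
     "user.name": "alice", "source.ip": "203.0.113.5", "host.name": "web1"},
    # A routine success and a lone mistyped password: noise that stays in Elastic.
    {"@timestamp": "2023-05-01T10:05:00Z", "event.outcome": "success",
     "user.name": "bob", "source.ip": "198.51.100.7", "host.name": "web2"},
    {"@timestamp": "2023-05-01T10:06:00Z", "event.outcome": "failure",
     "user.name": "carol", "source.ip": "198.51.100.9", "host.name": "web2"},
    # Privileged account: always forwarded regardless of outcome.
    {"@timestamp": "2023-05-01T10:07:00Z", "event.outcome": "success",
     "user.name": "root", "source.ip": "192.0.2.10", "host.name": "db1"},
]

KEY_FIELDS = ("@timestamp", "event.outcome", "user.name", "source.ip", "host.name")


def event_key(doc):
    """Stable fingerprint of the fields that identify one auth event."""
    material = "|".join(str(doc.get(f, "")) for f in KEY_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()


def dedupe(docs):
    """Drop exact re-deliveries of the same event, keeping the first copy."""
    seen = set()
    unique = []
    for doc in docs:
        k = event_key(doc)
        if k not in seen:
            seen.add(k)
            unique.append(doc)
    return unique


def select_significant(docs, failure_threshold=3):
    """Keep only what an analyst would actually search for in Splunk:
    every event (failure or the success that follows) from a source IP with
    at least failure_threshold failures, plus every privileged-account event."""
    failures_by_ip = Counter(
        d["source.ip"] for d in docs if d["event.outcome"] == "failure")
    noisy_ips = {ip for ip, n in failures_by_ip.items() if n >= failure_threshold}
    return [d for d in docs
            if d["user.name"] in PRIVILEGED_ACCOUNTS or d["source.ip"] in noisy_ips]


def to_hec(docs, sourcetype="auth:condensed"):
    """Wrap each document in the JSON envelope Splunk's HTTP Event Collector
    accepts at /services/collector/event (sourcetype name is an assumption)."""
    payloads = []
    for d in docs:
        ts = datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00"))
        payloads.append({"time": ts.timestamp(), "host": d["host.name"],
                         "source": "elasticsearch", "sourcetype": sourcetype,
                         "event": d})
    return payloads


def condense(hits, failure_threshold=3):
    """Steps 02 and 03 of the funnel: dedupe, filter, then shape for Splunk."""
    return to_hec(select_significant(dedupe(hits), failure_threshold))


def send_to_hec(payloads, hec_url, token):
    """POST the condensed events to Splunk HEC. hec_url and token are the
    operator's own values; this performs a network call, so the sample run
    below does not invoke it."""
    body = "\n".join(json.dumps(p) for p in payloads).encode()
    req = urllib.request.Request(hec_url, data=body, headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    out = condense(SAMPLE_HITS)
    print(f"{len(SAMPLE_HITS)} hits -> {len(dedupe(SAMPLE_HITS))} unique -> {len(out)} for Splunk")
    for p in out:
        print(json.dumps(p))
```

Run as-is, the eight sample hits shrink to five HEC payloads. In production you would replace SAMPLE_HITS with the results of a scheduled Elasticsearch search over a date range and call send_to_hec with your collector endpoint and token. The selection rules are deliberately simple; the point is that the filtering logic runs on the Elastic side, so Splunk only ever indexes the condensed set.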

At ľ¹ÏAV, we have cybersecurity and data management solutions like this at our fingertips, and we can put them in your hands, helping your organization stay secure, on budget, and on task. Reach out to our experts today to learn more about ľ¹ÏAV' approach and capabilities.


© 2023 ľ¹ÏAV. All Rights Reserved.