Splunk vs. SolarWinds: SIEM, DM Head-to-Head

eWEEK PRODUCT COMPARISON: Splunk and SolarWinds deliver two of the best SIEM and data management solutions in the business, but each product offers distinct benefits to potential buyers.





It’s becoming a trend that companies that started out producing SIEM solutions are now branching out to provide full data management platforms. This is indeed the case with both Splunk and SolarWinds.

SIEM, the modern tools of which have been in existence for about a dozen years, is an approach to security management that combines the SIM (security information management) and SEM (security event management) functions into one security management system. SIM collects, analyzes and reports on log data; SEM analyzes log and event data in real time to provide threat monitoring, event correlation and incident response. Due to its 24/7, real-time nature, SIEM is now a required technology for large enterprises.

Both SIM and SEM functions provide on-demand analysis of security alerts generated by applications and network hardware. Security providers that can combine these two functions are in the inside lane for new business.

Key features for enterprise SIEM include ingestion of data from multiple sources, interpretation of data, incorporation of threat intelligence feeds, alert correlation, analytics, profiling, automation and summation of potential threats.

SolarWinds vs. Splunk: Two of the Best in Both SIEM, DM

SolarWinds and Splunk, both of which have been in the market Top 10 for the better part of a decade, are two of the finest security information and event management (SIEM) solutions now available. They also have blossomed out to become top-notch data management platforms. However, each vendor offers distinct benefits to potential buyers. Both offer strong core SIEM products, but they differ in use of intelligence and integration with third-party and other security tools.

Both companies make a point of playing nicely with most other supporting products, knowing that most—if not all—IT shops already have a number of different SIEM and data management products at work on a daily basis.  

What follows are some key features and analysis of each solution. Here is a face-to-face compilation of pros and cons for two of the best in the SIEM and DM tools business: SolarWinds and Splunk.

SolarWinds

Austin, Texas

What SolarWinds brings to the IT table:  SolarWinds now considers itself a full-fledged data management platform, not only a SIEM provider. Since its founding in 1999, it has been able to provide purpose-built products that are designed to make jobs easier for IT professionals, MSPs and DevOps pros. The company offers value-driven products and tools that solve a broad range of IT management challenges—whether those challenges are related to networks, servers, applications, storage, virtualization, cloud or development operations.

Whether an IT manager is an army of one managing a small environment, a managed service provider responsible for multiple customers, part of an IT team managing an enterprise, or someone who has already migrated to the cloud, SolarWinds claims to have powerful, easy-to-use and affordable products to help manage IT performance.

SolarWinds claims to have more than 300,000 customers worldwide. The company enables free test usage of any product for up to 30 days.

Key products:

  • Network Monitoring Software
  • Network Configuration Management
  • NetFlow Analyzer
  • Log Management Software
  • Server Monitoring Software
  • Virtual Machine Monitor
  • Storage Management Software
  • Database Management Software

Reasons to consider SolarWinds:

  • Users report that this vendor is great to work with and has great support. The best part, they say, is the Thwack community behind the product, in which developers are able to easily engage with other users and product managers.
  • SolarWinds eliminates the complexity found in traditional enterprise software and services and makes it easy to find, buy, deploy and maintain solutions, regardless of an organization’s size.
  • Users interact daily with SolarWinds’ large, global user community to guide product development and strategy and foster an environment where users with even the most complex IT challenges quickly connect with experts who love to help.
  • SolarWinds constantly evolves its products. It ensures that the software is on point to meet the most important problems that IT pros, MSPs, and DevOps engineers face, and it continues to deliver increasing value over the lifetime of ownership.
  • SolarWinds was built by IT administrators and senior systems engineers who know what it takes to manage dynamic IT environments. They combine this expertise with a deep connection to the IT community to create IT management products that are effective, accessible and easy to use.

What Professionals Say About SolarWinds:

From a 2019 peer review on IT Central Station:

How has it helped my organization? “If we need to plan the network, or measure our network utilization, SolarWinds enables us to do so.”

What is most valuable? “One of the best features is the reports feature. We can get an editor's report for the last five minutes, fifteen minutes, hour, month, or more. And, the correlation data that we can get from the different resources of data from routing, routers, switches and samples is really a benefit.”

What needs improvement? “It would be nice to manage all network devices from just one single platform, instead of going to different platforms.”

For how long have you used the solution? “Three to five years.”

What do you think about the stability of the solution? “The solution is very stable.”

What do you think about the scalability of the solution? “It is very scalable. For years we have not had a problem with scalability.”

From a 2019 Gartner Peer Reviews report: “Let me tell you that SolarWinds Log and Event Manager has proven to be a valuable tool for our proactive and reactive response on troubleshooting or security audits. LEM is really easy to use and implement, and if you have other products from SolarWinds, the integration is also really easy to do. I like the fact that you can correlate a lot of events and logs from the different network devices, and within a single pane of glass you can search and analyze without complex user interfaces. We now can troubleshoot rapidly and do the audit reports more efficiently. I can tell you that it is easy to use and learn.”

From a 2019 G2 Crowd peer review: “The ease of use in submitting to the helpdesk has improved communication of issues and requests to/from our customer. Entering an issue or request via the portal is simple and streamlined. From the back office perspective, adding additional detail (category, status, etc.) is very simple and a time saver for the helpdesk. We are quickly able to assess where we are for the day using the dashboard functionality, which includes a quick glance into how customers feel about the service they have been provided.

“We are excited to move into the next phase of SolarWinds’ Samanage which includes Asset Management, building out / adding additional elements to the Service Catalogue, and implementing Problem and Change Management. As a result, we look forward to the time savings and transparency we will provide to our customers.”

How SolarWinds is Deployed:

  • SolarWinds offers multiple deployment options: software on-premises, in IaaS and as a hybrid model.

How SolarWinds Pricing Works:

  • SolarWinds Security Event Manager is licensed by the number of nodes sending log and event information. Call the company for more detail.

Who uses it: midrange to large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK aggregate score: 4.9/5.0


--------------------------------------

Splunk 

What Splunk Brings to the IT Table: Not only does Splunk have one of the more colorful names in the IT business, but its SIEM system is also highly rated and popular. Organizations seeking SIEM solutions that can share architecture and vendor management across SIEM and other IT use cases, and those seeking a scalable solution with a full range of options from basic log management through advanced analytics and response, should consider Splunk.

Its Security Operations Suite comprises Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases. The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities.

Splunk’s security portfolio has been ranked as a leading technology for six consecutive years by Gartner Research—not a trivial accomplishment. The platform helps customers optimize their security nerve centers and address a wide range of security monitoring and threat-detection use cases. Customers use Splunk Enterprise Security and Splunk User Behavior Analytics together as an Analytics-Driven SIEM to build their Security Operations Centers to detect, investigate and respond to threats. Splunk Phantom, a leading security orchestration, automation and response (SOAR) solution, helps customers investigate and accelerate their response to incidents.


Key Reasons to Consider Splunk:

  • Splunk’s Security Operations Suite is centrally run and has an intuitive user interface. The platform is composed of Splunk Enterprise and three solutions: Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA) and Splunk Phantom. Splunk Enterprise provides event and data collection, search, and visualizations for various uses in IT operations and some security use cases.
  • The premium ES solution delivers most of the security-monitoring-specific capabilities, including security-specific queries, visualizations and dashboards, and some case management, workflow and incident response capabilities. UBA adds machine learning (ML)-driven, advanced analytics. Phantom provides SOAR capabilities. Additional apps for security use cases are available through Splunkbase.
  • Splunk’s most important enhancements over the past 12 months are support for guided investigation via the Investigation Workbench UI in Splunk ES, rapid content updates for ES and UBA, and speed improvements.
  • Splunk’s offerings provide organizations with multiple entry points into security monitoring with a path that can start with basic event collection and simple use cases with Splunk Enterprise through to richer SIEM functionality with ES, more advanced analytics with UBA and SOAR capabilities with Phantom.
  • The vendor has a strong ecosystem of technology integrations available in the Splunk application marketplace, although users of other technologies that compete with Splunk (for example, in the user analytics space) should validate the depth of integration.
  • PII protection features are strong; obfuscation and PII masking are supported down to the field level and can be applied based on user identities, locations and other characteristics.

How Splunk Is Deployed:

  • Splunk offers multiple deployment options: software on-premises, in IaaS and as a hybrid model. Splunk Cloud is a Splunk-hosted and -operated SaaS solution using AWS infrastructure. Splunk Enterprise and Splunk Cloud components consist of Universal Forwarders, Indexers and Search Heads supporting n-tier architectures.

How Splunk’s Pricing Works:

  • Splunk is licensed based on the amount of data ingested into the platform, with pricing discounts for DNS and NetFlow data. ES is also licensed by gigabytes per day, whereas UBA is licensed by the number of user accounts in an organization, and all these are available either as perpetual or term licenses, with various options for enterprisewide pricing and true-ups. Phantom is priced by the number of events on which users take action.

To Take Under Advisement:

  • In another example of “You generally get what you pay for,” Splunk is generally more expensive than its competitors. Customers and prospective buyers tend to express concerns about pricing models and total cost. The addition of Phantom and the introduction of the “nerve center” concept (separate SIEM, UBA and SOAR products) result in three pricing models with different measurement approaches.
  • Splunk UBA is an on-premises or customer cloud-only solution at this point, which can create friction with Splunk Cloud customers wishing to remain in a SaaS model.
  • Splunk has no native agent support for FIM or EDR, although there are integrations with numerous third-party solutions.
  • Splunk support for OT/IoT is largely dependent on the capabilities of third-party apps, rather than on Splunk support for OT protocols.

Who uses it: midrange to large enterprises
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK aggregate score: 4.9/5.0


Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...