[olug] Splunk Alternative

Christopher Cashell topher-olug at zyp.org
Fri Mar 27 09:48:13 CDT 2015

On Tue, Mar 24, 2015 at 11:06 PM, Aric Aasgaard <aric at omahax.com> wrote:

> What is the best alternative to Splunk?  I like Splunk, but its licensing
> model is worse than the terrible deals offered by Kevin O'Leary on the
> Shark Tank.  Do any of you have good experience with fluentd?

What use cases are you trying to fill?  There are a few main functions that
I've typically seen Splunk used for:

   - Log Search
   - Log/Event Alerting and Notification
   - Log Reporting and Summarization
   - Log Archiving
   - Non-Log Reporting (Splunk as a general report engine)

There are few alternatives that match every function as well as Splunk, but
if you only need certain parts, there may be better options.  For example,
I think personally long term log archiving is better handled outside of

Most people don't tend to use all of the listed functions.  If you don't
need all of them, it may be easier to find alternatives.

Another option for reducing the cost of Splunk is to do some heavy
prefiltering (I like Syslog-NG for this, but rsyslog and others can work,
too) to reduce as much of the log volume as possible before it hits
Splunk.  Unless your devices are tuned incredibly well (which almost no one
does), there is probably a significant volume of logs that don't have a
strong or urgent operational or security impact.  Archiving everything to
compressed files and only sending logs from your most important devices,
after filtering high-volume low-importance logs.
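The archive-everything, forward-only-what-matters split described above, as an added syslog-ng configuration example that is not part of the original post. The hostnames, the Splunk TCP input port, the host-name patterns and the noise filters are assumptions for illustration; compression of the archived files is left to logrotate, since syslog-ng's file() destination writes plain text.

```conf
@version: 3.5

# Receive syslog from the network (assumed listener on UDP/514).
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# 1. Archive everything, one file per host and day.
#    Rotate and gzip these with logrotate; syslog-ng does not compress.
destination d_archive {
    file("/var/log/archive/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes));
};

# 2. Only the devices whose logs carry operational/security weight
#    (assumed naming: firewalls and domain controllers).
filter f_important_hosts {
    host("^(fw|dc)-");
};

# 3. Drop high-volume, low-importance messages before they reach Splunk.
#    Patterns are placeholders; tune them against your own top talkers.
filter f_not_noise {
    not (
        facility(cron)
        or (program("sshd") and message("Connection closed by"))
        or (level(info..debug) and not facility(auth, authpriv))
    );
};

# Splunk TCP syslog input (assumed host and port; not the 9997 forwarder port).
destination d_splunk {
    network("splunk.example.com" port(1514) transport("tcp"));
};

# Unfiltered copy to the archive.
log { source(s_net); destination(d_archive); };

# Costly "before" state, for comparison: every message is indexed.
# log { source(s_net); destination(d_splunk); };

# Filtered "after" state: filters in one log path are ANDed together.
log {
    source(s_net);
    filter(f_important_hosts);
    filter(f_not_noise);
    destination(d_splunk);
};
```

Check what actually gets dropped before deploying: compare line counts of the archive files against what Splunk indexes for a day so a filter that is too broad is caught early.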
