Sc4s is the way to go!!

Use ELK. It’s basically the same but open source and unlimited for free. Also splunk sucks. Have to use it at work and it really isn’t great. (My personal opinion)

As a splunk architect- I really enjoy it.

For home use, its ok. But, without the enterprise features, it limits a lot of the capabilities.

You CAN use cribl.io with it, to replace a lot of the missing features… and to reduce the amount of data being stored. It has an extremely generous 1T/day free plan.

You can also use the universal forwarders, as they do not have a license attached.

Data is only licensed when it is written by an indexer.

There, are also ways of using the enterprise plan… by selectively not storing certain files under /etc… and restarting the container every few days.

so if you’re happy why change?

perhaps take a screenshot next Time?..

Splunk architect for about 7 years here. 500MB logs a day is a lot for a home lab log ingest. Your biggest issue will probably be the lack of a login prompt if you expose it to the internet. I also think you lose the ability to do a deployment server role to centrally push log collection configs to universal forwarders.

We had to move to Elastic because the higher ups saw a slight savings of money. I’m paying the price in engineering time because of it. Splunk SPL (search language) and sheer amount of premade integrations for add-ons (parsing logs into extracted fields for example) and premade apps (Splunk knowledge objects like dashboards, reports, alerts) far and exceed the Elastic stack.

Though if you’re looking for turnkey solutions without learning how to search, the power of Splunk will be mostly missed. Same for Elastic I suppose. I find Splunk’s approach to be more intuitive. Elastic is like Google and AWS (if you’re familiar with their design decisions): powerful but completely asinine and unintuitive until you get past the learning curve