Deployed Splunk on Portainer and set up all my docker containers to stream logs to Splunk.

Seems to be free as long as Splunk doesn’t ingest over 500MB a day.

Opinions?
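For anyone wanting to reproduce the setup the post describes, here is an added docker-compose fragment (example code, not from the original poster) that ships one container's stdout/stderr to Splunk's HTTP Event Collector with Docker's built-in `splunk` logging driver. It assumes Splunk is reachable at `https://splunk.lan:8088` (the default HEC port), that the HEC token is passed in through an `HEC_TOKEN` environment variable, and that an index called `docker` exists; the host name, index name and token are placeholders.

```yaml
# Added example, not the original poster's configuration.
# Assumptions: HEC listening on https://splunk.lan:8088, token in $HEC_TOKEN,
# index "docker" already created. All three are placeholders.
services:
  web:
    image: nginx:1.27
    logging:
      driver: splunk
      options:
        splunk-url: "https://splunk.lan:8088"
        splunk-token: "${HEC_TOKEN}"
        splunk-index: "docker"
        splunk-sourcetype: "docker:nginx"
        splunk-source: "${COMPOSE_PROJECT_NAME:-homelab}"
        # "json" keeps the container line as a JSON field alongside metadata
        splunk-format: "json"
        # Leave TLS verification on; only switch to "true" in a throwaway lab
        splunk-insecureskipverify: "false"
        # Tag events with container metadata so searches can pivot per container
        tag: "{{.Name}}/{{.ImageName}}/{{.ID}}"
        labels: "com.docker.compose.service"
```

Two things worth knowing before copying this to every container: by default the driver verifies it can reach HEC at container start (`splunk-verify-connection`), so a down Splunk instance will stop containers from starting until you set that option to `false`, and buffered events are held in memory rather than on disk, so an outage can drop log lines. To see how close you are to the daily ingest limit, the license usage log on the Splunk side can be searched with `index=_internal source=*license_usage.log* type=Usage | eval MB=b/1024/1024 | timechart span=1d sum(MB)`.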

  • the4thaggieB · ↑1 · 1 year ago

    Splunk architect for about 7 years here. 500MB logs a day is a lot for a home lab log ingest. Your biggest issue will probably be the lack of a login prompt if you expose it to the internet. I also think you lose the ability to do a deployment server role to centrally push log collection configs to universal forwarders.

    We had to move to Elastic because the higher ups saw a slight savings of money. I’m paying the price in engineering time because of it. Splunk SPL (search language) and the sheer amount of premade integrations for add-ons (parsing logs into extracted fields, for example) and premade apps (Splunk knowledge objects like dashboards, reports, alerts) far exceed the Elastic stack.

    Though if you’re looking for turnkey solutions without learning how to search, the power of Splunk will be mostly missed. Same for Elastic, I suppose. I find Splunk’s approach to be more intuitive. Elastic is like Google and AWS (if you’re familiar with their design decisions): powerful but completely asinine and unintuitive until you get past the learning curve.