So you’ve decided that searching log files with your code editor and grep stinks, and you need a log management tool to corral the data and make it useful. There are open-source and closed-source options, and an array of complex pricing options out there. No doubt Splunk might be on your shortlist. Let’s take a look at their offering and how it compares with Lumberjack, our lean, affordable centralized log management tool that we’re excited to offer.

Splunk vs. Lumberjack: Which has Predictive Alerting?

Splunk’s alerting system has what they call “scheduled” and “real-time” alerts—alerts which only trigger when “search results meet specific conditions.” These basic alerts fire when previously known and specified criteria are met, such as when your server refuses 10 or more connections within 5 minutes, or when it has intermittent disk errors.

But these types of alerts are reactive; they won’t help you prevent downtime if your server has already begun to spiral downwards in health. Don’t get us wrong: Scheduled and real-time alerts have their place in log management. Without them, you might as well throw your log files into your editor or grep it up like you were doing before.

But this means that Splunk’s alerts are only useful when you—and your frustrated customers—have already encountered a particular root cause before.

In other words, how do you set up your alerting from Splunk? You wait for bad things to happen, create new alerts, and hope that you catch it earlier the next time.

Lumberjack has a better solution so you don’t have to experience a downtime scenario first to have helpful alerting later. We use artificial intelligence to determine patterns in your log files, look for the leading indicators of outages, and create proactive alerts to predict downtime issues your server is going to experience before they happen. These proactive alerts advise you of problems with your servers’ health before you even know they existed.

Lumberjack’s predictive alerts aren’t just searching for anomalies—that’s what immediate alerts are for—predictive alerts are for preemptively warning your team that your servers are behaving poorly before you, your support team, your managers, or your customers start seeing the resultant errors.

Here’s another problem with Splunk’s alerts. Splunk polls all your log file data in increments, creating delays of up to 5 minutes before an alert is triggered. Lumberjack on the other hand tracks the data as it comes in, triggering an alert that’s actually immediate. Downtime can’t be proactively prevented if your centralized log management tool has delays built into its architecture.
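To make the difference concrete, here is an added example (not code from Lumberjack or Splunk) that implements the rule from above, 10 or more refused connections within 5 minutes, two ways: evaluated on every line as it streams in, and evaluated only at a 5-minute poll boundary. It assumes a simple "ISO-timestamp message" log format and a constructed sample log.

```python
from collections import deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample (not from the post): 10 refused connections from
    10:01:00, 15 s apart, interleaved with normal accepted connections."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{base.isoformat()} app: accepted connection from 10.0.0.5"]
    for i in range(10):
        ts = base + timedelta(seconds=60 + 15 * i)
        lines.append(f"{ts.isoformat()} app: refused connection: too many open files")
        lines.append(f"{(ts + timedelta(seconds=5)).isoformat()} app: accepted connection from 10.0.0.7")
    return lines

def parse_line(line):
    """Split 'ISO-timestamp message' (assumed format) into (datetime, message)."""
    ts, _, msg = line.partition(" ")
    return datetime.fromisoformat(ts), msg

def streaming_alert(lines, threshold=10, window=timedelta(minutes=5)):
    """Rule evaluated on every line as it arrives (sliding window); returns fire time or None."""
    recent = deque()
    for ts, msg in map(parse_line, lines):
        if "refused connection" not in msg:
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # discard events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return ts.isoformat()
    return None

def scheduled_alert(lines, threshold=10, window=timedelta(minutes=5),
                    poll=timedelta(minutes=5)):
    """Same rule, evaluated only at poll boundaries; returns the first poll time that trips it."""
    events = [parse_line(l) for l in lines]
    t, last = events[0][0] + poll, events[-1][0] + poll
    while t <= last:
        hits = sum(1 for ts, msg in events
                   if "refused connection" in msg and t - window < ts <= t)
        if hits >= threshold:
            return t.isoformat()
        t += poll
    return None

def alert_delay_seconds(lines):
    """How long the scheduled alert lags the streaming one on the same data."""
    s, p = streaming_alert(lines), scheduled_alert(lines)
    return (datetime.fromisoformat(p) - datetime.fromisoformat(s)).total_seconds()
```

On the sample data the streaming evaluation fires at the tenth refusal (10:03:15) while the polled one waits for the 10:05:00 boundary, a lag of 105 seconds that grows to the full poll interval in the worst case.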

Splunk vs. Lumberjack: Which has the Smarter Server Agent?

Using Lumberjack’s smart agent is like when you upgraded from a feature phone to a smartphone in 2008. Our smart agent does all the things normal agents do in centralized log management: collecting log files, sending them to the cloud, making them searchable, etc.

Unlike Splunk’s however, Lumberjack’s requires no config, is auto-updating, and only requires a single bash command line to install on Linux or a single msi package on Windows (no restart required).

Our favorite feature of Lumberjack’s smart agent is its discovery abilities. Our smart agent detects running programs, log files, and their formats already on your system, and then helps you configure them automatically. It’s kind of like Lumberjack says, “Hey, we noticed you have a MySQL slow log on your system. Would you like us to help you configure it? Take some downtime from downtime. Go enjoy a quick game of while we do that for you.”

Another feature is that Lumberjack can be configured from a web-based UI instead of hard-to-read, hard-to-access XML files like *ahem* Splunk requires. This is important because the end-user of your log management suite may not just be your seasoned developers. Instead, developers who aren’t experienced in server config, your cybersecurity team, and even your more tech savvy marketers may use your log management tool to mine for data and gain useful business insights. Do you want to be the one to teach your marketing team how to edit XML files? We don’t think that’s a useful way to spend a site reliability engineer’s time.

Splunk’s onboarding process is lengthy and expensive. But the internal complexity doesn’t end with the install. The number of levers and the plethora of config files make it difficult for any CTO or engineer to get started with the suite.

It takes a lot of time to configure and customize it to your company’s needs, even if you’re a small company with only a few GB of log files to monitor. And if you operate a high-scale environment, setting up a cluster is a must. And, you know what they say:

One does not simply set up a Splunk cluster.

So let’s say you have a blank Splunk setup. A few years ago, one Splunk advocate wrote:

“Getting data into Splunk is much more of your typical open source experience, with a confusing maze of pointers, wikis, product tech notes and documentation. …Plan on spending more than a few moments getting started.”

And that was an advocate who wrote that. Recent Splunk users/survivors we’ve talked to say they spent more time tinkering in the config than they did solving uptime issues for their servers.

Our single command-line install gets you up and running in minutes so you can focus on what matters: solving and preventing issues before they happen.

Splunk vs. Lumberjack: Which Costs More?

Ex-Splunk users say that the product’s pricing model is just as confusing as its documentation. Let’s talk about cloud pricing. There are two types: an annual license, which costs $1,620 for 5GB per month (that’s a cool $8,100 per year); and then there’s the monthly license, which costs $162/GB per month. That’s $9,720, or an extra $1,620 for the privilege of paying monthly instead of being locked into a contract.

Lumberjack’s pricing model encourages you to pay for only what you use. In fact, you can specify different retention schemes for different types of logs you need to monitor, such as making your MySQL logs searchable for 3 days, but your Apache logs searchable for 30 days. If you ever find you’re not getting the value you want out of Lumberjack, it doesn’t take a call with our support team to reduce your bill—everything can be done right from our web console.

While we’re talking search, you’re probably aware that most log management products can’t search 90 days or more—the further back you go, the slower the search queries become, Splunk’s included. Lumberjack takes a different approach to search. We can go as far back as you have the data. Our queries won’t get bogged down by excess data. Our proprietary storage mechanism and plentiful experience in horizontally scaling enterprise systems makes Lumberjack blazing fast.

Back to pricing. Here’s the real catch with Splunk: You can’t sign up for ingesting more than 20 GB per day in its monthly cloud pricing. Instead, you’re relegated to their enterprise pricing, which costs between $50 and $150 per GB per month. But guess what? You can’t even pay monthly with those quoted prices on enterprise. Yep, that’s $1,800 to $60,000 per year in contract pricing. And that kind of sets you up for future pricing problems from the outset. Because who knows exactly how much log file data they’ll need to ingest a year from now? A month from now even?

How about Lumberjack? Simple, pay-as-you-go, price per GB ingested, stored in memory, and archived. We have no contracts, no cancellation fees, and no hassles. Plus, your monthly cost is easy to calculate using the cost estimator right on our website.

With Splunk, assuming your usage doesn’t change—since you know exactly what your log traffic will be like 11 months from now—there’s also a perpetual license option. But their perpetual license at $2,700 per GB sounds a little bit like insanity if you ask us.

Lumberjack is Blue Matador’s centralized log management tool with predictive alerts and an industry-leading smart agent that makes getting started a snap and preventing downtime a breeze. Why not request a beta invite or subscribe to our newsletter while you’re here?

Blue Matador Staff

Author Bio

Blue Matador is the AI-powered DevOps monitoring platform that solves the "Franken-monitor" effect, enabling organizations to have all their monitoring tools in one place.