Splunk is one of the most popular data analytics/monitoring tools. For years, organizations hosted everything themselves and bought licenses for software and support, but now every enterprise wants to purchase hosted software as a service (which is honestly how it should be in most cases). Splunk Cloud is the hosted counterpart to Splunk's Enterprise license, and while the two are mostly the same, there are many differences that set them apart.
In this post, I would like to talk about the pros and cons of using Splunk Cloud instead of hosting Splunk Enterprise yourself, and about things you may not know regarding the limitations of Splunk Cloud.
This only applies to smaller, hosted deployments of Splunk Cloud, and not the self-managed Splunk Cloud deployments.
Things that you don't have to worry about
Moving to the cloud has a lot of advantages (and that's why SaaS is conquering the world). Splunk Cloud has many advantages compared to its enterprise version.
No worrying about Infrastructure
Probably the biggest advantage of getting Splunk Cloud over Enterprise is the fact that you don't have to manage the complex infrastructure. For a typical big Splunk installation, you have to manage indexers, search heads, license masters, and more. On top of that, you have to cluster them properly and integrate them, adding further administrative overhead. With Splunk Cloud, most of these things are taken care of, so you can focus on getting the most out of the system.
No worrying about pricing
While Splunk is expensive in general, with Splunk Cloud you do not have to worry about extreme costs related to resource and storage usage. In a bigger installation, you may need multiple servers, which can lead to significant hardware costs. Sure, you can move it all to AWS and host it there, but you will still have to pay for compute, memory, storage, network transfer, and other charges on top of Splunk licensing costs.
With Splunk Cloud you just pay for the GB/day capacity you want, and pricing becomes significantly more predictable and easy to manage.
Almost all the same functionality of Splunk Enterprise
Splunk Cloud is essentially a slightly modified Enterprise instance. There are some constraints that you have to deal with, but in terms of functionality, it is effectively the same.
Splunk Cloud is fast, like really fast. It is optimized to deliver insights at lightning speed. I am pretty sure you can achieve the same (or faster) performance with enough internal effort, but this performance comes right out of the box without you having to do the work.
One of Splunk's biggest advantages is its rich and diverse app ecosystem. Splunk Cloud supports most of these apps, and comes with a few handy apps preinstalled, including the Lookup Editor and the Cloud Monitoring Console.
Things that they don't tell you/things that suck
Going to the cloud comes with its disadvantages too, and these are the major ones that come with moving to Splunk Cloud.
No CLI access
Splunk was initially built to be administered largely from the CLI. Splunk Web can perform most of the same functions, but with a SaaS offering you have no CLI access to the server components. If you want to edit an app by changing its configuration files directly, or use btool to troubleshoot issues, that's not possible.
Simple tasks = Contacting support
Simple tasks like installing apps and add-ons on Splunk Cloud can result in having to open support tickets and waiting multiple days for a maintenance window in which the app gets installed. Want to enable the REST API? Contact support. Want to remove certain files that can only be accessed via the CLI? Contact support. This gets tiring when you are just trying to get things done.
You still have some things you have to host
While the majority of the product is hosted in the cloud, you will still have to host the deployment server yourself, and you may have to host local collectors for syslog/netflow which then forward logs to your cloud indexers. You may have to configure inputs on a heavy forwarder hosted on your own infrastructure so that you can ship certain data to the cloud. Overall, don't assume that moving to the cloud means not having to do work on your infrastructure.
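To make the self-hosted part concrete, here is what the configuration on such a locally hosted heavy forwarder looks like. This is an added example, not configuration from the original post or from Splunk's documentation; the listening port, index name, and the inputs1/inputs2 hostnames of the Cloud stack are placeholders you would replace with your own values.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the self-hosted heavy forwarder
# (added example; port 514 and the index name are assumptions)

# Local syslog collector: network devices send to this box, not to the cloud.
[udp://514]
sourcetype = syslog
# Record the sender's IP as the host field instead of doing a reverse lookup.
connection_host = ip
# This index must already exist on the Splunk Cloud stack (create it via
# Settings > Indexes in the Cloud UI first); events for a missing index are dropped.
index = network_syslog

# $SPLUNK_HOME/etc/system/local/outputs.conf on the same heavy forwarder
# (added example; the Cloud input hostnames are placeholders)

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
# Cloud-side receiving endpoints; Splunk Cloud gives you these with your stack.
server = inputs1.STACKNAME.splunkcloud.com:9997, inputs2.STACKNAME.splunkcloud.com:9997
# Wait for the indexer to acknowledge data so nothing is lost if the WAN link drops.
useACK = true
# Compress the stream over the internet link.
compressed = true
# TLS settings (sslRootCAPath, sslCertPath, sslPassword, sslVerifyServerCert) are
# normally supplied by the forwarder credentials app downloaded from your
# Splunk Cloud instance; install that app rather than hand-writing them here.
```

Because this forwarder is your own box, the CLI that Splunk Cloud takes away is still available on it: `splunk btool outputs list tcpout --debug` shows which file each setting was merged from, and `splunk list forward-server` confirms whether the Cloud endpoints are reachable. Running those two before opening a support ticket separates a local configuration mistake from a problem on the Cloud side.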
Initial deployment can be painful
You may be limited in what you can do initially on Splunk Cloud, and you may have to work around its limitations as you do the initial setup. You'll realize that some one-time initial tasks like enabling the API can take longer than expected because you have to contact support for them (and figuring out Splunk support is a process of its own).
Cloud architecture has a learning curve
The cloud architecture is slightly different from a normal Enterprise architecture, and you may have to rethink how you deploy and use Splunk in your environment. Additionally, most resources on Splunk's website are geared towards the Enterprise version, and it is sometimes a process of trial and error to figure out the equivalent cloud procedures.
Overall, Splunk Cloud is an excellent alternative to the on-prem version of the software. It is fast, managed, scalable, and provides most of the same functionality. If this is your first time deploying Splunk or if you're looking for quick ROI, the cloud version is absolutely the way to go. And as Splunk continues building out its cloud product, it'll likely become the better option even for big deployments.
Deploying new software is never easy, but Splunk Cloud makes it easier. And now you know what to expect on the journey of onboarding Splunk Cloud.