    ArcSight vs. Splunk: SIEM Tool Comparison 2022

    Both Splunk and Micro Focus ArcSight are well-regarded vendors in the Security Information and Event Management (SIEM) sector. But which platform is best for your business?

    By
    Drew Robb
    -
    July 14, 2022

      Micro Focus ArcSight and Splunk both operate in the Security Information and Event Management (SIEM) space. Both offer broad monitoring and analytics of security incidents and potential threats, as well as log analysis.

      Buyers looking for a general SIEM platform are likely to find both solutions on their list of strong candidates. Overall, though, there are plenty of differences that will likely appeal to buyers with different goals in mind. Here’s a look at both platforms, and how they compare.

      ArcSight vs. Splunk: Key Feature Comparison

      The Splunk platform encompasses searching, monitoring, and analyzing vast amounts of IT data to identify patterns, provide metrics, diagnose problems, and aid in business and IT decision making.

      To give an idea of the scope of Splunk, SIEM can be considered just one small part of its feature arsenal. Beyond security, Splunk takes in Application Performance Monitoring (APM), compliance, automation, orchestration, forensics, as well as plenty of features related to IT service management (ITSM) and IT operations management (ITOM).

      Splunk’s wide range of products and features is aggregated within the Splunk Observability Suite. The platform can be used to ingest, analyze, and store data for later use, as well as to detect issues impacting customers. Overall, it offers a great breadth of management. Those wishing to manage SIEM, ITOM and ITSM in an integrated fashion will find Splunk a fine tool for the job. It offers a wealth of real-time visualization and analysis features, as well as management and monitoring.

      ArcSight ESM (Enterprise Security Manager) is a SIEM platform that can track and analyze security issues and manage security policy. It detects and resolves cybersecurity threats quickly. Features include event collection, real-time event management, log management, automatic response, and compliance management.

      ArcSight brings native SOAR technology to the security operations team. It uses SmartConnectors to convert device event data from the network for correlation. It does a good job of monitoring events, running reports, generating resources, and investigating issues. More recently, ArcSight has been making improvements to its storage and cloud capabilities. It offers a lot more log storage options for the vast log repositories it collects. It has launched a SIEM as a service option too, which runs in the cloud. And it has augmented its security capabilities with access to more threat research resources and threat intelligence feeds.

      Splunk represents itself as a complete platform to handle everything related to SIEM, security and ITOM. It ventures far beyond SIEM. ArcSight is more tightly focused on SIEM. The existing stack of security and management tools, therefore, should be considered before deciding between Splunk and Micro Focus.

      Those companies with outdated tools that are in need of a complete overhaul should probably gravitate to Splunk due to its much wider feature set. Why buy five different management tools when you can buy one from Splunk and have them all integrated? However, those already well supplied with existing APM, ITOM, ITSM and other tools and that only need SIEM and some analytics, should favor ArcSight and upgrade other toolsets in parallel.

      For overall functionality, Splunk wins. But for those that don’t need everything that Splunk provides, ArcSight is a definite alternative.


      ArcSight vs. Splunk: Support and Implementation Comparison

      ArcSight support is rated well overall, but this depends on the level of support in the contract. Some say ArcSight, due to its product depth, requires a dedicated person to operate and can be quite complex. Vendor help is often required to get the system up and running. There is so much that can be done in ArcSight that some users get lost. Querying is great once you know it, but if queries are not specific enough, a lot of time can be lost ingesting and analyzing irrelevant data.

      Splunk is viewed as a little easier to implement. Initial deployment can be accomplished via the cloud. Due to the size and complexity of Splunk, it requires a higher level of skilled internal resources as well as vendor support to deploy and operate. Users report that Splunk’s sophistication is reflected in its ease of use: those very familiar with the platform will find it easy, while everyone else faces a steep learning curve. There is no clear winner in this category.

      ArcSight vs. Splunk: Comparing Cloud and On-Premises

      Splunk was born and raised in the cloud. It does not offer on-premises appliances but provides software for on-site deployment if desired. But most use it in the cloud. ArcSight has options for the cloud, or on-premises (appliance or software).

      In this category, Splunk wins in the cloud and ArcSight wins for on-premises. Splunk can be installed directly through the cloud onto a public, private, or hybrid cloud setting. That said, ArcSight recently updated its platform to add features to its cloud offerings, which comes closer to catching up with Splunk.

      ArcSight vs. Splunk: Integration Comparison

      A big strength of Splunk and a key differentiator is its ability to integrate data streams from a huge number of sources. Some users ingest several PB per day. It supports a wide range of data formats like .xml, .csv and .json files. Those with needs that require such data stream integration from multiple data formats should opt for Splunk, as it offers over 1,000 applications as add-ons available in its app store. It also heads a coalition of 30 partners on security collaboration.

      ArcSight can deal with hundreds of data sources and tens of thousands of events per second. It integrates with machine learning and AI tools. As it is an open platform, it can integrate deeply with SOC environments. SmartConnectors convert device event data from the network for correlation. Splunk wins here, but not by much.


      ArcSight vs. Splunk: Analytics and Search Comparison

      Splunk is all about monitoring and analyzing data generated by various machines. It is great for analyzing the huge number of log files generated by enterprise systems. It eliminates the need for IT to spend hours trawling through all the logs looking for that performance needle in the IT haystack. It uses its Search Processing Language (SPL) to find terms present in log files. Splunk also offers a wealth of real-time visualization and analysis features. If real-time management and monitoring are vital, then this one is no contest. But it does come at a price.

      ArcSight enriches data in real time to improve analytics accuracy. Users comment that search and analytics performance are very good. Queries are easy and graphs are created automatically. It can handle hundreds of thousands of servers if required and ingest data from all of them.

      Splunk wins on analytics by a whisker, and ArcSight wins on search.

      ArcSight vs. Splunk: Price Comparison

      Neither Splunk nor ArcSight come cheap. The various modules within Splunk have a reputation for being expensive. Further, upselling can send the budget much higher. For instance, you need the SIEM module, then you ask about performance monitoring – that adds in an APM module, and slowly other modules creep in and the price tag rises. This is normal enough in IT. But when you are already dealing with a pricey platform, it is important to determine what you really need and what you can dispense with.

      ArcSight is also expensive. Its pricing is based on data ingested and events per second. Splunk prefers to price based on the maximum daily data volume. Thus, the most economic platform will vary from enterprise to enterprise based on how the workloads run and performance/data patterns.


      ArcSight vs. Splunk: Conclusion 

      Splunk and ArcSight are both excellent tools designed to solve a great many challenges related to security and performance monitoring. You can’t go too far wrong with either one. Both are strong in SIEM. User ratings overall from a variety of IT review sites place Splunk slightly ahead of ArcSight. Splunk is regarded as a leader in the latest Gartner SIEM Magic Quadrant. Micro Focus was listed in the Niche Solution category, but of course that means it’s strong in that niche.

      Splunk is a much broader platform and toolset that proves invaluable in rapidly analyzing log files and making sense of mountains of data so IT knows what is going on. Whether it’s a performance slowdown or a security incursion, Splunk is a good way to stay one step ahead of trouble. ArcSight can rival Splunk on many features directly related to SIEM.

      In the end the choice between these two comes down to needs. Those wanting an all-encompassing security and IT management platform will find Splunk closer to their needs. Additionally, those with aging applications that are ready for a major management makeover will find Splunk a good fit. It covers a large amount of ground. But if it is only SIEM that is needed, the equation shifts. ArcSight begins to rival Splunk on many fronts.

      Drew Robb
      Drew Robb is a Contributing Writer for eWeek. He has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including eSecurity Planet, ServerWatch, and CIO Insight. He is also the editor-in-chief of an international engineering magazine.
