Introduction: Visibility Begins with the Right Foundation
Everyone is at a different stage of maturity in their Splunk journey, but really, we are all driving toward the same goal: data visibility. Whether the use case is compliance or security, or operational monitoring or business analytics, or anything else, once data becomes visible, it can become actionable, and this state of being “actionable” is what every business wants from its Splunk investment.
If your Splunk environment does not have a stable indexing/ingestion tier, reliable search performance, and consistent access to the platform, then previously visible data can be rendered invisible.
Choosing between Splunk Enterprise and Splunk Cloud should be driven by the resources and needs of the customer/business, and only after those things are understood should other factors, such as financial constraints, be considered.
Overview of Splunk Deployment Models
Splunk Cloud
Splunk Cloud is a fully managed, scalable solution hosted by Splunk. Splunk takes on the responsibility of managing the infrastructure and much of the Splunk platform administration, allowing the customer to focus on data ingestion, dashboards, and analytics. With that said, from the user’s perspective, there is little to no difference between Splunk Cloud and Splunk Enterprise.
Splunk Enterprise (aka “On Prem”)
Splunk Enterprise requires the customer to install and configure Splunk (and the host OS, and the networking, and the storage, etc.) to a baseline level before sending any data to the platform. Administration of this supporting infrastructure and its configuration must be handled by the customer. From the perspective of the Splunk administrator, it is exactly this overhead that is the major difference between Splunk Enterprise and Splunk Cloud.
For certain organizations, especially more regulated ones, who require complete control over their data, Splunk Enterprise may be the best choice.
Core Differences to Consider
| Category | Splunk Cloud | Splunk Enterprise |
|---|---|---|
| Scalability (indexing and search) | Managed and well automated by Splunk | Entirely managed by customer |
| Data Ingestion | Single URL for configuring API calls, app installation, and search | Different hosts/URLs |
| Data Freezing and Thawing | Point and click interface is available (for a cost) for both actions | Relatively complex process, managed by the customer |
| Storage | Searchable retention beyond 90 days will incur additional cost beyond the standard SVC/Volume | Clustered Indexers can greatly increase storage requirements (and therefore cost) |
| Search Performance | Uses SmartStore, therefore search hygiene is of even higher importance than usual | Can use SmartStore, but non SmartStore is more forgiving of poor search hygiene, and scaling of hardware can mitigate this impact |
| App Installation | While a few Splunkbase apps must be installed by Splunk Support, for the vast majority, this process is greatly simplified and is done through the Web UI. Splunk Cloud’s automation puts the app configs on the appropriate layers for you. Apps must be vetted. | CLI or Splunk Web, and often multiple layers of the environment must be administered, or even restarted, just to install a single app |
| Environment Tuning | App configuration maintenance is made more complex due to lack of access to Splunk backend. Some limitations exist, but many important and powerful configurations are exposed in Splunk Cloud’s Web UI. | No limitations beyond what the software and the customer’s infrastructure can support, and CLI commands may be required to make changes |
| REST API | ACS is slightly different and comes with limitations compared to the REST API for Splunk Enterprise | Allows programmatic access to all layers of a Splunk environment |
| Splunk Upgrades | Handled by Splunk | Handled by the customer |
These differences should be considered prior to any licensing concerns.
How to Choose the Right Deployment Model
Choose Splunk Cloud if:
- You need to scale quickly and avoid infrastructure overhead
- You don’t want to administer the OS, Network, and Storage layers
- You want faster time to value with limited internal admin work
Choose Splunk Enterprise if:
- You are required to maintain full control over your data
- You have the resources required to maintain the infrastructure and update the software
- You want unlimited access to Splunk app configurations
If you need some combination of both, a hybrid deployment might be for you!
Always align your deployment model to your business needs, IT resources, and long-term roadmap.
Why Deployment Model Choice is So Important for Early-Stage Data Visibility
Whether you choose to host your own Splunk Enterprise On Prem or pay Splunk for their Splunk Cloud offering, at the most basic level, this choice determines your responsibilities in terms of creating a mature data visibility environment. The initial lift required to install Splunk with the correct sizing should not be underestimated, and choosing Splunk Cloud offloads most of that weight from the customer to Splunk.
Visibility is not just about having a dashboard populated with data. It is about ingesting the right data consistently and extensibly, with consistent access, into a platform that can scale as your needs grow.
Pros and Cons of Each Model
| Model | Pros | Cons |
|---|---|---|
| Splunk Cloud | Scales fast | Long-term cost may be higher (license) |
| | Freezing and thawing of data is done at the click of some buttons | No access to file system (must open a ticket with Splunk support) |
| | Managed infrastructure and software upgrades | Additional cost for searchable data older than 90 days |
| | Low maintenance | |
| | Simplified app installation and upgrades | |
| | Guaranteed level of availability and performance | |
| Splunk Enterprise | Full control of data and underlying infrastructure | Upfront cost may be higher (infrastructure and engineering hours) |
| | Direct access to the file system | Customer is completely responsible for availability and performance |
| | Maintaining older (90 days+) searchable data is cheaper | Freezing and thawing of data requires engineering work |
Common Challenges and How to Address Them
Here are some common challenges and how to address them:
- Slow Search after moving to Splunk Cloud: SmartStore is screaming fast in terms of search performance, but you must ensure that your searches follow best practices. You cannot throw compute resources at this issue like you could in an On Prem environment.
- Data Migration between Splunk Cloud and Splunk Enterprise: Generally speaking, if you can leave the data where it is and simply allow it to age out, this is the recommended approach. If you absolutely must migrate indexed data from one to the other, you should leverage certified resources. In the case of moving data to Splunk Cloud, you must work with Splunk’s engineers.
- Migration complexity: Migrating knowledge objects is tedious and can be complex. Organizations migrating to Splunk Cloud should expect some issues to arise due to the complexity, from short-term data outages to initial misconfiguration, and should plan accordingly.
- Cost surprises: Monitor ingest volume, retention policies, and compute usage to stay within budget. Don’t ingest data that you don’t search for. A tool like Presidio’s Atlas can identify data you don’t need, and compute cycles/SVCs you shouldn’t be spending.
Real World Example
Splunk Cloud
An organization decides to purchase Splunk Cloud. A few days or weeks later (the sales and sizing process can take a bit of time), Splunk provides the URL and password, and the organization has data on dashboards. As the ingestion grows and exceeds the license, Splunk sizes the infrastructure accordingly, but the Splunk clients may need to rightsize their license.
Splunk Enterprise
An organization decides to manage and host Splunk Enterprise on prem. After determining the sizing and provisioning the hardware, the installation process can be expected to take up to a week or more, depending on the scope and any automation tools available. Fortunately, the hardware sizing was accurate.
As ingestion grows beyond the capacity of the initial hardware, scaling to meet the new and future needs becomes a new challenge.
Review Your Requirements and Get Expert Guidance
Choosing the right Splunk deployment model sets the tone for your entire Splunk maturity journey. Get it right, and everything becomes easier.




