Friday, September 25, 2009

Comparing log management products

In the last few weeks, I've been looking into SIEMs and log management products. Yes, you know it already, I've blogged extensively on how I was upset that I had to go through a sales channel to get a bit of info, but promised I would give out details on what I preferred between ArcSight and Splunk.

It turns out that doing a public comparison of these products won't be easy as ArcSight gives out technical info only under NDA. While I can probably announce loudly that "their appliances log stuff", I can probably say no more. So technical details will remain sealed to my business documents. Sorry. One thing I can say, however, is that their range of products seems to be the Cadillac of log management, and everything I could possibly think of needing to better score at our next audit will be in it.

Concerning Splunk, I inquired about ESS using the "contact sales" button as I didn't find many details on that application. They left me a VM some 4 business days after my initial request for info although I said in it I preferred e-mail, and that didn't rub me the right way (I hate voicemail but that subject is more fitting for a future blog post). No follow-up e-mail. I'll try to call them back when I'm near a phone when it's California time, and with all these governance'n'compliance-related meetings I'm attending these days, it might turn out to be never.

Q1 Labs read my blog, knew I was looking for log management products, and gave themselves the trouble to track me down and find me at my workplace. I normally would have turned them away, but they showed some good will by having someone call me up in French, and their products being designed in Fredericton N.B., I just had to give them a chance. I saw what they make and it's similar in spirit to what ArcSight does, and their selling point is that their technology is simpler and quicker to deploy than ArcSight's. It sure looks interesting.

I'll see what political pressures I'll face internally but compared to some other cost centers in our company, for us IT is an expense, not a revenue. What will determine whoever wins might come down to be strictly business... as long as the tool does the job and has the feature set we're looking for, the financial aspect might end up having the most weight.

I'm all new to pleasing this IT Governance gestapo that came out of nowhere to bully our small, under-the-radar-IT dream team. But from what I understand until now, I first need to submit a "business opportunity" document to them to justify my funding, giving ball park figures and a few vendors, THEN I can make another "business case" document to explain which one I've chosen. Such a process takes time, and when I cannot give any clear timeframe, it's no wonder that these sales people get their hopes down.

Want to know why I prefer Open Source software? Because since it costs nothing, I've been able to pull it off for years without having to go through this shit. Now I'm knee-deep in it.



Michael Wilde said...


You have compelled me to comment on your blog (again). Being a long time Splunk employee, I'll share with you our general approach--user empowerment and self service. We have provided software (free for less than 500MB/day) directly to anyone who wants to download and use and evaluate it. We openly provide all of our documentation online. Our product roadmap is online for everyone to see. We provide forums, a community wiki and other ways for those interested in, or using Splunk to communicate with each other. Our employees publicly blog, enthusiastically create videos, post messages on Twitter and have a vast following of experts around the world on Splunk. Why the other vendors don't have this level of openness--I will never know.

Honestly, we think you can probably make your own evaluation of our software without our sales team needing to guide you through the process. In fact, most people appreciate this approach, allowing unfettered access to the product universe.

Having been in pre-sales engineering since 1997, I can offer this advice. Any company that sells a product has sales people that have a yearly, quarterly, and sometimes monthly quota--discreetly measured. Their motivation is to figure out whether their products are a fit for your challenges--and they prioritize based on your timeline and decision criteria. A little known secret by "buyers"... Sales people actually love to hear you say "no, I am not interested, or no, not this year"--that's why they will all ask you a reasonable set of qualifying questions. If you don't want to buy, they generally will pass. Show this blog post to your sales team at your employer and I'm sure they'll say... "yes... he's got us pegged..." Use this to your advantage. Be upfront with all the sales teams you engage with (there's plenty of time in the negotiation phase to pressure them for discounts). Let them know what your intent is and you may find you get the resources you need, when you need them.

As I said earlier, at Splunk--unless it's a quote--you almost shouldn't need us to figure out if Splunk is right for you.

There are times when prospective customers don't have the time to do their own evaluation and need help from vendors. I'll bet if you ask Q1 Labs, ArcSight, or even our sales team for help with an onsite evaluation--you will get it--provided resources are available. I know for a fact that my friends at both ArcSight and Q1 Labs are very busy--so on behalf of all of us--we're sorry for not getting back to you in a timeframe that's acceptable.

In the past I have left my email address on your blog, but I am going to go one further. Please feel free to contact me 24 hours a day, 7 days a week. I am the Splunk Ninja and there are zero questions I cannot have answered for you. I live in Austin, Texas and am only 1 hour in time difference from you.

Michael Wilde
Splunk Ninja
twitter: @michaelwilde

Olivier S. Masse said...

Thanks Michael. I have not been clear in my post by using the term "Splunk" rather than "Splunk ESS", and will correct this right away. Yes it is true your flagship product doesn't have any secrets. I tried it six months ago.