
Devo Drives Out Splunk and Datadog for Security Needs of Large Fleet Management Firm

November 6, 2020


About the Large Fleet Management Firm

This large fleet management software firm grew unhappy with Splunk as the company migrated to the cloud. Poor query performance, dissatisfaction with ease-of-use, and high cloud costs convinced the IT group to bring in Datadog and Azure Sentinel as potential Splunk replacements.


However, there was a major problem with both solutions—the inability to ingest data from key sources such as Palo Alto Networks and Amazon Web Services. This led the company to evaluate alternatives.


Wanted: A Solution To Handle Diverse Data Types, With High-Performance Query And Ingest Capabilities

A large fleet management firm was dissatisfied with its Splunk installation for many reasons. Performance was a primary problem, as ad hoc queries took an average of 24 hours to return results, negatively impacting analysis activities.

The team was also not enamored with the requirement to learn and use Splunk’s Search Processing Language (SPL), which was difficult to use and would have forced their analysts to become proficient in a proprietary language.

Another major issue was a threefold Splunk price increase due to the move to the cloud. This was unacceptable, especially since they were already unhappy with Splunk’s support and account management churn (five reps in five years). They tried to fix these issues by bringing in Datadog, but both Splunk and Datadog failed the critical technical test of ingesting Palo Alto Networks log data. Datadog, in particular, fell short on both handling the data volume and parsing performance.


Why Devo

Several critical capabilities made Devo attractive to the customer, including:

  • The ability to ingest machine data in raw format from any source—including AWS log files, Palo Alto Networks firewalls, Crowdstrike, and Okta—and combine it with other on-premises sources into a single, centrally managed set of data sources
  • High performance; because Devo does not index or parse upon ingest, all data is available immediately for querying
  • Devo combines at least 400 days of hot data with the most recent data; ad hoc query results across the entire data set are virtually instantaneous, compared to taking more than 24 hours for Splunk
  • Devo queries are conducted via an easy-to-use graphical user interface which appeals to casual users; more advanced users can use the Microsoft LINQ language, which is more widely known and easier to use than SPL
  • The ability to easily analyze data, using the built-in Activeboards to bring machine data to life with rich visuals, intuitive dashboards, and interactive capabilities suitable for both advanced and novice security professionals
  • The ability to easily scale and smoothly ingest large volumes of data (e.g., multiple terabytes) and query as needed. This was an especially important requirement as this firm is going to be expanding into the IoT space which will increase their data collection volume immensely
  • The ability to send event data and analysis files via secure API to other applications was a bonus


Next Steps

Based on Devo’s strong performance compared to Datadog, the customer’s IT operations team will evaluate Devo for use in its organization, as well.
