[lusis]

Please don't call logstash "an open source splunk". It's no such thing. Splunk still has features that logstash doesn't have (yet). Logstash has quite a few features that Splunk doesn't have.

Jordan had never seen (or to my knowledge has yet to see) splunk at all. I don't know about Pete. Myself, I haven't used Splunk since trying a very early release once in the very first days of it.

Point being, Logstash doesn't call itself an "open source splunk". In fact I've considered adding an output to SplunkStorm to Logstash.

Do I think Logstash is better? Yep. Do I know people who swear by Splunk? Yep. Competition is healthy.

[drone]

I agree, "an open-source X" implies it re-implements X.

LogStash is a log management system, which is one application of Splunk. (There are a lot of players in this space.) And, much like Splunk, it seems to be well-fit for users who prefer to get down to the nuts and bolts. I haven't tried it yet, but I don't have a need for real LM or IT search these days, when I do - it'll be in my list of things to set up and try. I like what I've seen, but I don't see much IT search or automation here.

Disclaimer: I was the architect of a closed-source competitor to Splunk in the log management space.

[meritt]

Speaking as someone who has only casually heard of these products, they are exactly the same thing to the uninitiated. That's not being negative. Just saying both products provide a way to bring sanity through search, indexing and analysis to tons of logs.

[klerk]

Does anyone know how many events/sec Logstash can handle? I've only seen people talking about 250 events/sec on the Google Group, but we're a couple orders of magnitude greater than that.

[kordless]

The commonality is they both ingest logs and provide fulltext search for said logs. That's enough to loosely comare the two for purposes of promotion here on HN, or even getting good mentions on ServerFault: http://serverfault.com/questions/62687/alternatives-to-splun...

I'm certainly not the first to make this comparison.

[adient]

Although logstash does have a built in elasticsearch, I wouldn't really say anyone uses logstash itself to provide search for the logs. Logstash itself just provides a way to move events from one place to another, that's all.

[sciurus]

"I wouldn't really say anyone uses logstash itself to provide search for the logs"

Huh? The front page of http://logstash.net/ suggests that one of the primary uses!

"logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs.

All your logs from all over your infrastructure in one place - with searching and graphing. Since we can easily parse text-based logs, you can query for more precise things like, all 404 http errors, nagios critical alerts in hard state, or mail server faults - all without accidentally finding logs with the word ‘404’ or ‘critical’ in the wrong place."

[adient]

Elasticsearch, the recommended backend for making your logs searchable, is a separate project from logstash. Logstash does come with a built in elasticsearch, designed to get people up and running very quickly, but if you are considering any serious use of elasticsearch you would set it up yourself as a standalone service.

Logstash does come with a simple web interface, and kibana is a slightly better but still simple interface being ported into logstash. Again this is geared towards getting people up and running quickly, and at the end of the day it's just a pretty curl wrapper for elasticsearch.

You can also use logstash without elasticsearch/kibana, which we do for a good bit of our logs. I think logstash intentionally blurs the lines of what it is or isn't so people don't get caught up in trying to figure out how to get it running. Give it a try and see for yourself exactly what it is or isn't.

[kordless]

Right! Speaking of that, have you looked at Grok (field extractor)? It's pretty awesome.

[adient]

Grok, grep, multiline, date, etc. Logstash changes my events prior to reaching their destination, but logstash itself is not the end destination.