Splunk is a commercial log management and SIEM platform. You install forwarders (lightweight agents) on servers, they ship data to Splunk indexers, which store and index logs. Kibana shows dashboards; Splunk has its own SPL query language which is more SQL-like and powerful for ad-hoc analysis. Key differences from ELK: Splunk is fully managed (no Elasticsearch cluster tuning, no shard management). SPL is generally considered more expressive than KQL for complex queries. Splunk has built-in alerting, machine learning, and SIEM capabilities. Cost: Splunk charges by data ingestion volume (GB/day) — expensive at scale. ELK is open-source but requires significant operational expertise. In my experience: ELK is the right choice for teams comfortable with Kubernetes operations and wanting cost control. Splunk is the right choice when you need enterprise SIEM, compliance reporting, or have a team without ELK expertise. At Vodafone-scale telco environments, Splunk is common because of compliance requirements — regulators want auditable log trails and Splunk's audit capabilities are mature.

During an incident, Splunk is your fastest path from symptom to root cause. Scenario: payment errors spiking at 14:23. First search: index=production sourcetype=payment log_level=ERROR earliest=-15m to see what errors appeared in the last 15 minutes. The errors show database connection timeout. Second search: index=production sourcetype=database host=db-01 earliest=-30m to correlate. Found: database logs show disk I/O saturation starting at 14:21 — two minutes before payment errors. Third search: find what caused the I/O spike. index=production sourcetype=batch host=db-01 to find batch jobs. Found: a batch job that runs quarterly started at 14:18 and triggered a full table scan. Root cause identified in 8 minutes. Resolution: kill the batch job, database I/O normalises, payment errors stop. Post-incident: create a Splunk alert that fires when batch jobs run during business hours to prevent recurrence. This is the real value of Splunk — correlating events across multiple systems quickly during high-pressure incidents.

Splunk pricing is based on daily ingestion volume — at enterprise scale this can be hundreds of thousands of dollars per year. Cost control strategy: First, filter at the forwarder level. Universal Forwarder has nullQueue routing — send noisy logs (health checks, debug logs, verbose framework output) to null instead of Splunk. This reduces volume by 20-40% with no loss of useful data. Second, use summary indexing — pre-compute common expensive searches and store results in summary indexes. The expensive raw search runs once, the dashboard reads the tiny summary. Third, data model acceleration — pre-build knowledge objects so complex SPL runs in seconds instead of minutes. Fourth, tiered retention — hot/warm/cold buckets. Last 30 days on fast SSD (hot, fast searches), older data on cheaper storage (cold, slower but available). Delete compliance-irrelevant data after retention period. Fifth, SmartStore — keep only recent data locally, archive older data to S3 or Azure Blob (95% cheaper storage). In practice: a 500GB/day Splunk deployment reduced to 280GB/day with forwarder filtering, saving approximately 40% of licence cost with no reduction in operational visibility.