Elastic Search Reviews

I'm involved in architecting and implementing Elasticsearch-based solutions, catering to various use cases including IIoT, cybersecurity, IT Ops, and general logging and monitoring.

The intention of this article is not to compare AWS Elasticsearch with Elastic ELK Elasticsearch and at the end declare the winner. Elasticsearch by itself is one of the coolest and versatile Big Data stacks out there. If you are planning to use it in your organization or trying to evaluate if it is the right stack for your product/ solution, this article offers some insights from an architect's perspective.

I'm not the right person to answer this question as I'm the service provider. My clients are the right people to answer.

The Spaces feature in Kibana is really useful. I can ingest all data and then offer multi-tenancy on a single stack to various departments (internal) or customers (external). This feature isn't available in AWS Elasticsearch, and Machine Learning isn't available either.

Other useful features such as Canvas (used to create live infographics) and Lens (used to explore and create visualisations using a drag-and-drop feature) are available only in Elastic's ELK Elasticsearch.

In the last 18 months Elastic has really caught up and also gone way beyond AWS by putting together all the missing components that make ELK Elasticsearch the most comprehensive stack in the entire Big Data ecosystem. Comprehensive because one stack addresses all of the three essential technical components of an end-to-end system: collect, store and visualise terabytes (and even petabytes) of structured or semi-structured data at ease.

Enhance the Spaces feature to make it fully multi-tenant by enabling role-based access control (RBAC) at a Space level rather than overall Kibana or stack level like it is currently.

Elastic needs to work on their Machine Learning offering because currently they have been trying to make it a black box which doesn't work for a serious user (a Data Scientist) as it doesn't give any control over the underlying algorithm. It's like a point-and-click camera vs a DSLR. The offering started with a single/ univariate anomaly detection on time-series data. Now, they have a multivariate which is good, but beyond this, we cannot build any other Machine Learning models, like traditional supervised models. Anomaly detection uses mostly unsupervised algorithms and also it is a very broad problem space for a black box to solve it fully.

Make index’s metadata searchable (or referenceable in search queries).

5 years

Elastic ELK Elasticsearch is one of the most stable Big Data engines and the simplest to maintain and scale. Redundancy is built into the design so there is no single point of failure. We can configure a DR easily and if something goes wrong, we can restore the system into a brand new cluster in hours.

Elasticsearch by itself is 100% scalable as scalability is built into the design like any Big Data system. We just have to add more nodes, and it scales horizontally and then redistributes the data into the new nodes, and the cluster becomes faster and agile automatically. Cross-cluster replication comes with a Platinum license. But this feature is highly exceptional and not a common need.

I have worked with all the flavours of Elasticsearch viz. Elastic.co's ELK which is popularly known as the ELK stack (pronounced as 'yelk'), AWS Elasticsearch and Open Distro plugins for Elasticsearch.

All (including Solr that comes with Hadoop) are built on a common underlying technology, Apache Lucene. The difference is the added features that I call 'batteries included'. To be precise, Elastic's ELK Elasticsearch, unlike others, comes with free enterprise-grade apps (called plugins in Kibana) and a bunch of cool and useful Kibana features. It also features a good deal of engineering automation conveniences built into the stack.

Did you know that the original founders of Elasticsearch are the folks at Elastic.co, the company that has recently transitioned to an open-core philosophy by design. But since AWS took the initial lead and started offering the stack as AWS Elasticsearch service it became more popular and a preferred option for the uninformed. Elastic, on the other hand, was busy innovating and adding more muscle to the stack that it is no more limited to being just the fastest search engine on the planet. In fact, the keyword ‘search’ in Elasticsearch is not relevant anymore and, moreover, it is misleading.

Initial setup is indeed straightforward and fast because it will mostly be a single-node cluster. But as the data volume grows and we start seeing a performance lag, the stack requires scaling (by adding more nodes) and a professional intervention for doing the right capacity design and configuration fine tuning.

It is always a good idea to engage a professional vendor to implement it right the first time and save yourself a lot of time in experimenting and trying to figure out the optimisation hacks and how-to’s all by yourself.

A stack like Elasticsearch that enables heavy lifting of the data effortlessly comes with its intrinsic yet obvious ROI. If one is not able to realise the ROI it means either the data is bad (garbage in, garbage out) or the stack is not implemented properly.

The basic license is free, and it comes with a lot of features that aren't supposed to be free! With a Gold license, we get Alerting (called Watcher) and some modest enterprise features. Note that if alerting is a must feature for you, you can install open-source alerting plugins like Open Distro Alerting or ElastAlert and avoid the Gold license cost. Active Directory integration, SAML, SSO, Machine Learning etc. come with Platinum license. The licensing is per-node and per-annum basis for an on-premise installation and for Cloud Elastic-managed service the cost is baked into the hourly pay-as-you-go fee. Kibana does not have a license, so it's free.

If you don't want alerting, Active Directory or LDAP integration and are good with native authentication, the basic license will suffice. The basic license also comes with many internal stack features, which are free. For example, data segregation into hot and warm storage, automatic configuration, and rolling over the index after achieving a certain size limit. 

SIEM (Security Information and Event Management) app is free. Also is another cool app called Uptime that helps us monitor the uptime of servers and web services. We can do this without any third-party licensing cost. Just turn on the apps, ingest data using Beats and the apps will start thriving. Over time they become mission critical to your business.

For example, the SIEM app will automatically populate the dashboards and allow us to monitor network traffic, successful logins, unsuccessful login attempts, and anomalous security events. All that comes off the shelf and is free. You'll pay a lot, on the other hand, for a traditional SIEM like ArcSight or LogRhythm.

Another free app called Infrastructure (formerly known as Metrics) helps monitor the server infrastructure by configuring light-weight data collectors called MetricBeats (for Windows systems) and AuditBeats (for Linux systems). The Beats will start pumping in all the system performance metrics into the stack and help monitor the memory, CPU and disk utilization.

I have worked with all the flavours of Elasticsearch viz. Elastic.co's ELK which is popularly known as the ELK stack (pronounced as 'yelk'), AWS Elasticsearch and Open Distro plugins for Elasticsearch.

All (including Solr that comes with Hadoop) are built on a common underlying technology- Apache Lucene. The difference is the added features that I call 'batteries included'. To be precise, Elastic's ELK, unlike the others, comes with free enterprise-grade apps (called plugins in Kibana), a bunch of cool and useful Kibana features, and a good deal of engineering automation built into the stack.

Moreover, the original founders of Elasticsearch are the folks at Elastic.co, the company that's built on open-core philosophy. But AWS took the initial lead and offered the stack as AWS Elasticsearch service catering mostly to search-engine use cases. But ELK, with all its goodness, is much more than a search engine! In fact, the keyword search in Elasticsearch is very misleading.

You can spin up Elastic ELK Elasticsearch fully-managed service either on AWS, GCP, or Azure, or have your own on-premises installation and dockerize it. Whereas the AWS Elasticsearch is available only on AWS. That's the hosting difference.

Elastic ELK Elasticsearch comes with a support-only subscription, and there are a lot of updates happening. Kibana is constantly improved and there’s a new release every two weeks.

Our primary use case of this solution is for monitoring our logs and infrastructure. We are customers of ELK and I'm a system administrator. 

A positive feature of ELK is that it directly interacts with Elasticsearch. The UI is very nice, and performance wise it's quite good too. A key feature is that this is a reasonably priced monitoring solution.

We run this solution on multiple servers. ELK has three lanes which comprise a single package made up of Elasticsearch, Logstash, and Kibana. To my mind, this is not efficient because we have to individually deploy the different applications. In contrast, we're able to deploy Splunk with a singe application. Implementing the dashboards is also quite difficult. With Splunk and Nagios it's much easier to directly interact with Elasticsearch. I'd like to see some additional features in the front end which currently make it a bit difficult to implement and it should be simplified.

I've been using this solution for six months. 

This solution is stable. 

This is a scalable solution, we have eight to 10 users. We had initially planned to expand use of ELK because of its cheap price and the services that are included, but given the difficulty with implementation we've decided to go with Nagios instead. 

The technical support people are very knowledgeable but the response time is quite slow which is not very good. 

The initial setup of ELK is more difficult than the setup of other monitoring applications. I was able to carry out the deployment alone. 

For anyone looking to implement a monitoring product with almost no cost or at a cheaper price, I would suggest the ELK stack. However, it does require a high skill set because of the difficulty with implementation. 

I would rate this solution a six out of 10. 

I run the function to review the usage for the team and for the organization itself.

We use this product internally and then some of our business relationships with the other businesses that we have, they get their data from our data. It's more for collaborative data reporting that we have with them.

The most valuable feature is the out of the box Kibana. You plug it in and start the basic analysis on the data out of the box. This also gives a quick way to check the data and the models to figure out what fits the needs.

There are a few things that did not work for us. 

When doing a search in a bigger setup, with a huge amount of data where there are several things coming in, it has to be on top of the index that we search. 

There could be a way to do a more distributed kind of search. For example, if I have multiple indexes across my applications and if I want to do a correlation between the searches, it is very difficult. From a usage perspective, this is the primary challenge.

I would like to be able to do correlations between multiple indexes. There is a limit on the number of indexes that I can query or do. I can do an all-index search, but it's not theoretically okay on practical terms we cannot do that.

In the next release, I would like to have a correlation between multiple indexes and to be able to save the memory to the disk once we have built the index and it's running.

Once the system is up, it will start building that in memory.

We need to be able to distribute it across or save it to have a faster load time.

We don't make many changes to the data that we are creating, but we would like archived reports and to be able to retrieve those reports to see what is going on. That would be helpful.

Also, if you provide a customer with a report or some archived queries, that the customer is looking at when they are creating, at first it will be slow while putting up their data or subsequently doing it. I want it to be up and running efficiently. 

If the memory could be saved and put back into memory as it is, then starts working it would reduce the load time then it will be more efficient from a cost perspective and it will optimize resource usage.

I have been familiar with this product for approximately four years.

ELK Elasticsearch is stable.

It's scalable, but there are some limitations.

If you are scaling a bit too quickly, you tend to break the applications into different indexes. 

The limitations come in when getting the correlation between the applications or the logs.

It is difficult to get the correlations once the indexes have been split.

We are using the open-source version, that is installed on-premises.

We have not worried about technical support, but the community is good.

Before ELK, we used another solution for internal usage, and also, we used Splunk for different use cases in a different organization altogether.

It wasn't a switch per se, it was a different organization with a different use case.

The initial setup is simple, not too difficult. 

Getting the index, doing your models, and putting the data in, correctly, is done more on a trial and error basis. You have to start early and plan it well to get it right.

We are using the open-source version. 

We are not looking into the subscription because it's on-premises in-house.

For anyone who is looking into implementing this solution, the only tip is to get your models for the type of actual use that you are looking at upfront in order to have a good run.

I would rate ELK Elasticsearch a seven out of ten.

We use Elasticsearch as an alternative to Splunk. It is basically for log monitoring.

It's probably a cost-efficient alternative to Splunk. The search interface is nearly the same. When it comes to visualizations, Elastic is a bit better than Splunk.

Elastic Search needs better guides for developers. Better guides for development.

I have been using it for a year.

I would rate the stability an eight out of ten. 

It's fairly scalable. I would rate the scalability of this solution a ten out of ten. 

There are around five end users using it in my team. 

Till date, we did not have any issues with  customer service and support. Like, initially, we had issues in accessing the portal. But that was the only issue, but it was resolved pretty quick.

The initial setup is fairly simple. Initially, it was on-prem, but right now, it's on the cloud.

It is pretty easy to integrate as well.

It's like, when someone is buidling products for scale, it reduces the time to market.

I would rate the pricing a seven out of ten, with one being high price and ten being low price. It could be cheaper for certain use cases, but since it gets the job done, no complaints for the pricing. 

Overall, I would rate it a nine out of ten. I would definitely recommend it to other users. 

The tool's stability and performance are good. 

Elastic Search needs to improve its technical support. It should be customer-friendly and have good support. 

I have been using the product for a year. 

The tool is stable; I rate it an eight to nine out of ten. 

The product is scalable, and I rate it a ten out of ten. My company has three users. We use it regularly. 

You need three resources to handle the deployment. 

The tool is not expensive. Its licensing costs are yearly. 

I rate Elastic Search an eight out of ten. You can use the product if you are looking for value for money. 

We use the product for log analytics and metrics features. 

We can easily collect all the data and view historical trends using the product. We can view the applications and identify the issues effectively.

They could improve some of the platform's infrastructure management capabilities. There should be better visualization and insights about the cost of the SaaS services, which are not effective. Additionally, there needs to be more native integrations to merge the data.

We have been using Elastic Search for about a year.

I rate the stability a ten out of ten.

It is a highly scalable application. We have 15 users in our management team. I rate the scalability an eight out of ten.

I have experience working with Splunk in the past.

The initial setup for the SaaS platform is quite easy. We took assistance from an engineer for the onboarding. Thus, it was straightforward for us. However, there could be a better integration with AWS.

I rate the process a seven out of ten.

I rate Elastic Search's pricing an eight out of ten.

By integrating Deepgram insights with the product, we've gained visibility into logging, service behavior, and cost optimization.

I rate Elastic Search a nine out of ten.

We use the solution for search engines and indexing. 

The solution is valuable for log analytics. 

The solution's integration and configuration are not easy. Not many people know exactly what to do.  

I have been working with the product for five years. 

The product's deployment took a couple of days to complete. 

The product's deployment was done in-house by myself. 

I would rate the product a nine out of ten. 

We are internal integrators. We are in the bigger group as of now, but other groups, our clients, are affiliates from our group. They are our internal clients. 

The solution is currently on-premises.

I was mostly responsible for the SOC team, and I helped them create the detection rules for the production. I wanted to know how it could be implemented in different kinds of products, like Sentinel.

The most valuable features are the detection and correlation features.

Something that could be improved is better integrations with Cortex and QRadar, for example. 

I have been using this solution for no more than one year. 

Not really, because I'm not the engineer and so most problems appear during the installations or maintenance and I'm not in developing infrastructure operations.

The price of Elasticsearch is fair. It is a more expensive solution, like QRadar. The price for Elasticsearch is not much more than other solutions we have.

I would say that Elasticsearch is better than all the other solutions. QRadar is getting better, but it is still behind Elasticsearch in my opinion.

I would rate this solution 8 out of 10.

I would recommend Elasticsearch if you don't have bigger budget limitations to use other enterprise solutions or if you want to avoid the vendor lock-in.