I haven't used Splunk in a number of years due to its cost. Splunk seems like a good pairing for Cisco - it's complementary to its other offerings to less price sensitive orgs, like Meraki.
I've used several Splunk competitors (Sumo Logic, Datadog, etc.) that all have various strengths but suffer from a lesser version of Splunk's problem (once you're locked in and up for renewal, watch out). I also tried some ELK-based stuff, which just plain sucked.
The one thing that hasn't sucked is AWS CloudWatch Logs, after they added Insights (a log query engine). It has reasonable pricing and works really well if you're on AWS.
We’ve got some logs in CloudWatch, but I barely use it because the query interface is unfathomably slow (in terms of query throughput). Do you use the web interface to query, or some other way?
For some applications, it also makes sense to use the built in Logs API that exports logs to S3 (the export process is very fast) then use any of a variety of tools geared toward searching through data on S3.
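An added example, not from any commenter, of the second half of that workflow: a stdlib-only Python reader for the gzip objects a CloudWatch Logs export task writes to S3 (assumed format: one event per line as "<ISO-8601 UTC timestamp> <message>"), run over a constructed sample to count failed console logins per source address inside a time window.

```python
import gzip
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of an exported object: gzip text, one event per line.
# Messages are made up; the IPs are RFC 5737 documentation addresses.
SAMPLE_EXPORT = gzip.compress(b"\n".join([
    b'2024-03-01T10:00:00.000Z {"eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"203.0.113.5"}',
    b'2024-03-01T10:00:05.000Z {"eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7"}',
    b'2024-03-01T10:01:00.000Z {"eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"203.0.113.5"}',
    b'2024-03-01T11:00:00.000Z {"eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"203.0.113.5"}',
]) + b"\n")

# Timestamp prefix the export writes before each message (assumption).
TS_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z) (.*)$")

def utc(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_export(blob: bytes) -> list[tuple[datetime, str]]:
    """Decompress one exported object into (timestamp, message) pairs.
    A line with no timestamp prefix is appended to the previous message
    (assumption: this covers multi-line events such as stack traces)."""
    events: list[tuple[datetime, str]] = []
    for line in gzip.decompress(blob).decode("utf-8").splitlines():
        m = TS_PREFIX.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            events.append((ts, m.group(2)))
        elif events and line:
            ts, msg = events[-1]
            events[-1] = (ts, msg + "\n" + line)
    return events

def search(events, pattern: str, start: datetime, end: datetime):
    """Events in [start, end) whose message matches the regex."""
    rx = re.compile(pattern)
    return [(ts, msg) for ts, msg in events if start <= ts < end and rx.search(msg)]

def failed_logins_by_source(blob: bytes, start: datetime, end: datetime) -> Counter:
    """Count 'Failed authentication' events per sourceIPAddress in the window."""
    ip_rx = re.compile(r'"sourceIPAddress":"([^"]+)"')
    hits = search(parse_export(blob), r"Failed authentication", start, end)
    return Counter(m.group(1) for _, msg in hits if (m := ip_rx.search(msg)))

if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_EXPORT, utc("2024-03-01T10:00:00Z"), utc("2024-03-01T10:30:00Z")))
```

The same functions apply unchanged to a real exported object fetched from S3 in place of SAMPLE_EXPORT.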