the technical differences between Elasticsearch, Apache Metron, and Apache Spot with reference to Cyber Security?


As mentioned, I did some comparisons between Spot and Metron somewhat recently. Note that this was done in March 2018, so there are likely changes since then, but this should give you a good idea of what the differences are likely to be.

Note also that Metron is supported mainly by Hortonworks, while Spot is supported by Cloudera, so if you are using one of those two distributions, that should inform your opinion on which one to use.

Metron Pros:

  • Much more stable at this point
  • Supports Kerberized clusters
  • Installable through an MPack
  • More flexible as far as what you can track and what you want to alert on

Spot Pros:

  • More Machine Learning algorithms baked in and easier to use
  • Once built, it seems to be more of a straightforward solution out of the box (i.e. it knows what it's looking for, so you don't have to)

Differences That May Matter When Deciding:

  • Spot requires Impala, while Metron requires Elasticsearch and Kibana
    • I've seen some documentation discussing using Solr instead of ES, but I'm not sure how solid this is yet.

My current guidance personally would be to use Metron if you are in HDP. If you are on another distribution, Metron still might be the right choice at the moment, but personally that would change once they get around to supporting kerberized environments and fleshing out their installation steps more. FWIW, the client ended up going with Metron, since they were on a secured HDP cluster anyways.