# Dynatrace vs Splunk: A Complete Comparison for 2026

Ask what Splunk is, and even longtime users often answer with a list rather than a sentence: log search, then SignalFx for infrastructure, then VictorOps for on-call, then AppDynamics after the Cisco acquisition, then Enterprise Security bolted alongside all of it. Ask what Dynatrace is, and the answer is one sentence: OneAgent instruments everything, Smartscape maps everything, Davis explains everything, all built together from the start. Neither company set out to build the platform they ended up with. **Splunk grew by acquisition into a conglomerate of genuinely deep products that don't share a query language. Dynatrace grew by design into one integrated system that doesn't have that problem, and doesn't have Splunk's security depth either.**

That's the actual axis of this comparison, and it's a different one than most Dynatrace matchups run on. Dynatrace's usual competitive story is "integrated but expensive versus disjointed but open." Against Splunk, the disjointedness is real but the depth behind each piece is not a weakness, it's Splunk's entire value proposition. **Splunk Enterprise Security is an 11-time Gartner Magic Quadrant Leader for SIEM.** ITSI does AIOps-driven service health modeling that neither Dynatrace nor most observability tools attempt. If your evaluation includes security operations, Dynatrace's Application Security suite is real but **it isn't in Splunk's category, full stop.**

Where Dynatrace wins back ground is exactly where you'd expect: one interface, one topology model, one AI reasoning over both, and an instrumentation story (OneAgent, zero configuration) that Splunk's multi-agent, multi-product reality can't match for speed to value. This comparison works through both, treating Splunk's security and ITSI depth honestly rather than dismissing it as scope creep.

## Quick comparison at a glance

| Feature | Dynatrace | Splunk |
|---|---|---|
| **Primary purpose** | Enterprise observability + security platform | Multi-product data platform (observability + security + ITSM) |
| **Deployment** | SaaS (managed on-prem retired) | SaaS (Cloud), self-hosted (Enterprise), hybrid, air-gapped |
| **Free tier** | 15-day trial only | No (free trial available) |
| **Pricing model** | Consumption rate card (many dimensions) | Workload (SVC), entity (per host), ingest (GB/day), or activity-based |
| **Minimum commitment** | ~$24,000/year reported | Custom (no published minimum) |
| **Instrumentation** | OneAgent (auto-inject) or OTel (metered) | Language-specific agents or OTel (first-class, no surcharge) |
| **Query language** | DQL | SPL (Platform), separate UI (Observability Cloud) |
| **Query fees** | Yes ($0.0035/GiB scanned) | No (SPL and O11y Cloud query included) |
| **Topology mapping** | Smartscape (automatic, real-time) | Via O11y Cloud service map (configured) |
| **APM / tracing** | Yes (PurePath, method-level) | Yes (NoSample, AlwaysOn Profiling) |
| **Code-level profiling** | Yes (PurePath) | Yes (AlwaysOn: Java, .NET, Node.js) |
| **Log management** | Yes ($0.20/GiB + retention + query fees) | Yes (~$150-225/GB/day at base tiers) |
| **Infrastructure monitoring** | Yes (deep, incl. mainframe, SAP, VMware) | Yes (entity-based, ~$15/host/month) |
| **AI / GPU infrastructure monitoring** | Limited | Yes (AI Infrastructure Monitoring, GA) |
| **Session replay** | Yes ($4.50/1K sessions) | Yes |
| **Synthetic monitoring** | Yes (per-action pricing) | Yes |
| **Application security** | Yes (runtime protection + posture) | Yes, but as Enterprise Security (separate SIEM product) |
| **Cloud SIEM** | No | Yes (Enterprise Security, 11-time Gartner MQ Leader) |
| **IT Service Intelligence / AIOps** | No | Yes (ITSI, separate product) |
| **AI root cause analysis** | Davis AI (deterministic, since 2017) | AI Troubleshooting Agent (O11y Cloud) |
| **MCP server** | Yes (GA, query costs apply) | Yes (O11y Cloud GA; Platform beta) |
| **On-call scheduling** | No (external tools) | Via Splunk On-Call (separate SKU) |
| **Status pages** | No | No |
| **Self-hosted / air-gapped** | No | Yes (Splunk Enterprise) |
| **SOC 2 Type II** | Yes | Yes |
| **FedRAMP** | Yes (Moderate) | Yes |
| **ISO 27001** | Yes | Yes |

---

## Platform architecture and philosophy

Neither company built its architecture on a blank page, but only one of them built it as a single design. That difference explains almost everything else in this comparison.

### Dynatrace: OneAgent, Smartscape, Grail, Davis, one system

![SCREENSHOT: Dynatrace Smartscape topology view](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/e374c122-699a-48e9-f35c-3b8722b9e400/md2x =3982x1828)

OneAgent installs on a host and auto-discovers every process, injecting monitoring code without configuration. Smartscape turns that discovery into a real-time topology graph. Grail stores logs, traces, metrics, and events with schema-on-read DQL querying. Davis reasons over the topology graph to produce deterministic root cause analysis. Four pieces, one design, one team building all of them to work together from the start.

The bill follows the same "everything automatic, everything metered" pattern: Full-Stack Monitoring at $0.01 per memory-GiB-hour, logs at $0.20/GiB with either metered queries ($0.0035/GiB scanned) or 28x-priced bundled retention, Kubernetes pods at $0.002/pod-hour. It's transparent line by line and genuinely hard to forecast in aggregate, and the pay-per-query logs model means a thorough investigation costs more than a shallow one.

### Splunk: four products, four histories, one Cisco parent

![SCREENSHOT: Splunk Observability Cloud product overview page](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/9c11d0de-cc08-431f-38bd-8d5986152500/public =2048x1485)

Splunk's portfolio reflects its history rather than a single design: the Cloud Platform (SPL-based log search, Splunk's original product), Observability Cloud (infrastructure, APM, RUM, built on the SignalFx acquisition), ITSI (AIOps and service health), On-Call (incident notification, from the VictorOps acquisition), and Enterprise Security (SIEM). Each is genuinely deep in its domain. None of them shares a data model or query language with the others by default; Log Observer Connect bridges Cloud Platform logs into Observability Cloud, but it's a configured integration between two products, not one database.

The pricing mirrors the product sprawl: workload-based SVC units for the Cloud Platform, entity-based per-host rates for Observability Cloud, ingest-based pricing (roughly $150-225/GB/day at base tiers) for log management, and activity-based billing for specific Observability Cloud features. Four models, and getting the model choice wrong for your data pattern can mean paying significantly more than your initial estimate suggested.

| Architectural factor | Dynatrace | Splunk |
|---|---|---|
| Design origin | Built as one system | Assembled via acquisition (SignalFx, VictorOps, AppDynamics) |
| Data storage | Grail (proprietary lakehouse) | Separate per product |
| Query language | DQL | SPL (Platform), separate UI (O11y Cloud) |
| Query fees | Yes (pay-per-query) | No |
| Product count | One | Four+ (Platform, O11y Cloud, ITSI, On-Call, ES) |
| Self-hosted / air-gapped | No | Yes |
| SIEM / ITSI | No | Yes (both, genuinely deep) |

[summary]
### Neither platform gets you to a paged human

Dynatrace explains problems automatically and Splunk's products, deep as each is, still require a bridge to reach on-call. Better Stack connects observability directly to incident response in one platform.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/l2eLPEdvRDw" title="Incident management overview | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**From heartbeat monitoring to incident timelines to status pages, one platform for the whole reliability lifecycle.** [Start free.](https://betterstack.com)
[/summary]

---

## APM and distributed tracing

Both companies are genuinely OTel-native here and neither surcharges for it, which is worth noting since it's not universal in this comparison series. The real difference is what sits behind the trace once you've got it.

### Dynatrace: PurePath, method-level, entirely automatic

![screenshot of PurePath](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/94df4112-2877-4428-b323-e59fc70f6d00/lg2x =1312x738)

OneAgent auto-instruments and PurePath traces follow every transaction from browser through service calls and database queries down to the specific method responsible for latency, with flame graphs and thread contention analysis for JVM and .NET estates. Here's how trace analysis works in practice:

<iframe width="100%" height="315" src="https://www.youtube.com/embed/O4zWlwJ4hsA" title="Analyze and filter trace data with Dynatrace | Dynatrace App Spotlights" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

The trade: trace queries on pay-per-query bill per GiB scanned, and your data lives in Grail's proprietary format.

### Splunk: NoSample fidelity and code-level profiling across three languages

![SCREENSHOT: Splunk APM service map showing distributed traces](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/5ecab8d2-e2c8-43ea-fec1-82c886fbd100/md1x =750x367)

Splunk APM in Observability Cloud runs NoSample end-to-end tracing, full-fidelity retention across all connected services with no sampling decisions to manage. AlwaysOn Profiling adds continuous CPU and memory profiling for Java, .NET, and Node.js at the code level, running in production without a separate triggered session, real depth that goes toe-to-toe with PurePath for the languages it covers.

The honest limitation is architectural, not technical: APM lives in Observability Cloud, a separate product from the Cloud Platform where logs live. Log Observer Connect bridges the two, but it's a bridge, not a shared backend, and pivoting from a trace to its surrounding logs takes a configured integration where Dynatrace's Grail does it by default.

| APM / tracing | Dynatrace | Splunk |
|---|---|---|
| Instrumentation | OneAgent (automatic) or OTel | Language-specific agents or OTel |
| Full trace retention | Yes (all traces, metered queries) | Yes (NoSample) |
| Code-level profiling | Yes (PurePath) | Yes (AlwaysOn: Java, .NET, Node.js) |
| Trace query fees | Yes (pay-per-query) | No |
| Log-to-trace correlation | Native (same Grail store) | Via Log Observer Connect (bridged) |
| APM pricing | $0.01/memory-GiB-hour | ~$60/host/month (entity) |

[summary]
### Tracing without the meter or the product-bridging

Dynatrace charges to query your own traces and Splunk asks you to bridge two separate products to correlate them with logs. Better Stack's eBPF tracing captures HTTP, gRPC, and database traffic with zero code changes in one warehouse, priced by volume with no query fees.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/7tQ7haFmSXI" title="Explore traces | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**Full-fidelity distributed tracing from every service, priced by volume with no surprises.** [Explore Better Stack tracing.](https://betterstack.com/tracing)
[/summary]

---

## Log management

This is where Splunk's DNA actually shows. It was a log search company before it was anything else, and that history is either a decisive advantage or an expensive one, depending entirely on your scale.

### Dynatrace: topology-enriched, a pricing model you have to commit to upfront

![Screenshot of Dynatrace log analytics](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/6f4e9898-a601-4ed3-49b7-3acff2896a00/public =1920x1080)

Dynatrace logs land in Grail at $0.20/GiB, with Smartscape context, service, host, dependency chain, attached automatically. Here's the Logs app:

<iframe width="100%" height="315" src="https://www.youtube.com/embed/cwF-Md_oFHM" title="Logs App | Dynatrace App Spotlights" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

Then the plan decision: pay-per-query (cheap retention, metered queries) or bundled (queries free, retention 28x higher). Guess wrong and pay for it monthly.

### Splunk: SPL, the deepest log query language in this entire series, at a price to match

Splunk's SPL is genuinely the most expressive query language covered anywhere in this comparison series: multi-step transformations, statistical aggregations, subsearch, external lookups, time-series charting, backed by 2,000+ Splunkbase apps encoding years of community detection logic. Organizations with years of saved SPL searches and dashboards have a real, non-trivial investment that transfers to nothing else.

That expressiveness costs accordingly: roughly $150-225/GB/day at base list tiers, meaning 100GB/day of logs runs $15,000-22,500/month for the platform alone, before observability or security. Against Dynatrace's $0.20/GiB, that's not a close comparison at equivalent volume; it's a different pricing universe entirely, reflecting petabyte-scale enterprise log analytics rather than application observability logs.

| Log management | Dynatrace | Splunk |
|---|---|---|
| Query language | DQL | SPL |
| Ingest pricing | $0.20/GiB + retention + query fees | ~$150-225/GB/day at base tiers |
| Query fees | Yes (pay-per-query) or 28x retention | No (included) |
| Ecosystem | Dynatrace Hub | 2,000+ Splunkbase apps |
| Topology enrichment | Yes (Smartscape) | Via O11y Cloud correlation |
| Petabyte-scale strength | Enterprise-capable | Category-defining |

[summary]
### Log search with no plan to commit to in advance

Dynatrace asks you to bet on a pricing model and Splunk charges enterprise log-analytics rates for application logs. Better Stack stores everything in one SQL-queryable warehouse at $0.10/GB with no query fees and no upfront tier decision.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/XJv7ON314k4" title="Live tail | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**Unified log management with SQL search, live tail, and no indexing surprises.** [See how it works.](https://betterstack.com/logs)
[/summary]

---

## Infrastructure monitoring

### Dynatrace: broadest legacy and enterprise coverage in this whole series

![Screenshot of Dynatrace infrastructure obsevability](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/7f329c71-71ec-4e46-1ca7-32f3dd3d1800/md1x =1356x762)

Dynatrace covers cloud hosts and Kubernetes, then keeps going: mainframes, SAP, VMware Tanzu, hybrid data centers, automatically mapped by Smartscape. Tiered pricing ($7-~$58/month per host by depth and memory) scales coverage to criticality. The familiar catch: memory-based pricing penalizes dense hosts, and default-enabled cloud metrics bill as custom consumption.

### Splunk: entity pricing, plus a category Dynatrace hasn't caught up to yet

![SCREENSHOT: Splunk Infrastructure Monitoring dashboard](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/ed8f089c-e1a8-4c74-9c53-c9865e0c6d00/lg1x =1520x1000)

Splunk Infrastructure Monitoring, built on the SignalFx acquisition, runs entity-based pricing around $15/host/month, cheaper than Dynatrace's memory-scaled model at the low end but with its own cardinality problem: custom metrics beyond the per-host allotment count against entitlements with overage charges. What's genuinely notable is **AI Infrastructure Monitoring**, GA coverage of GPU performance, LLM token costs, model latency, and vector database performance. For teams running production AI workloads, Splunk has native visibility here that Dynatrace's AI Observability doesn't match at the GPU-infrastructure layer.

| Infrastructure monitoring | Dynatrace | Splunk |
|---|---|---|
| Mainframe / SAP / VMware | Yes | No |
| Base host pricing | Memory-GiB-hours (~$7-58/month) | Entity-based (~$15/month) |
| Custom metric cardinality | Counted toward consumption | Yes (MTS-based overages) |
| GPU / AI infrastructure monitoring | Limited | Yes (AI Infrastructure Monitoring, GA) |
| Topology mapping | Smartscape (automatic) | Via O11y Cloud correlation |

---

## Digital experience monitoring

Both platforms are complete here, so this section is short. Dynatrace's DEM suite (web and mobile RUM with crash analysis, session replay at $4.50/1K sessions, synthetics) correlates automatically to backend PurePaths.

![Screenshot of dynatrace RUM](https://imagedelivery.net/xZXo0QFi-1_4Zimer-T0XQ/904bdea3-c34a-454a-cc74-d2307f5eec00/public =1312x738)

Splunk's Digital Experience Analytics (GA March 2026) combines behavioral data with RUM and APM, and its native mobile SDK support (iOS, Android, React Native, Flutter) is broader than Dynatrace's mobile story. The correlation tradeoff repeats: Splunk's RUM-to-APM-to-logs path crosses Observability Cloud into the Cloud Platform via Log Observer Connect, while Dynatrace's equivalent stays inside one product.

| Digital experience | Dynatrace | Splunk |
|---|---|---|
| Session replay | Yes | Yes |
| Synthetic monitoring | Yes | Yes |
| Mobile RUM | Yes (crash analysis) | Yes (broader native SDK support) |
| Digital Experience Analytics | No | Yes (GA March 2026) |
| Frontend-to-backend correlation | Native (one product) | Via bridged products |

---

## AI capabilities

Davis has an eight-year head start on deterministic reasoning. Splunk's AI story is younger but arguably more comprehensive on the infrastructure side, thanks to its own hosted models.

### Dynatrace: Davis, still the most proven engine in this series

<iframe width="100%" height="315" src="https://www.youtube.com/embed/Tud2K3zyync" title="Analyze Incidents with Davis® AI | Dynatrace App Spotlights" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

Davis runs fault-tree analysis over the Smartscape topology graph, collapsing alert storms into one problem with a traced causal chain, in production since 2017. The agentic layer (Dynatrace Assist, SRE Agent, AutomationEngine) builds on that foundation, and the MCP server is GA with the now-familiar caveat that MCP queries bill per GiB scanned against Grail.

### Splunk: AI Troubleshooting Agent, hosted models, and the deepest AI infrastructure story anywhere in this series

Splunk's AI Troubleshooting Agent in Observability Cloud provides root cause summaries in context, and Splunk hosted AI models went GA in February 2026, bringing foundation models (including a security-specific model) directly into the platform without external AI provider dependency. The MCP server for Observability Cloud is GA, supporting Claude Desktop, VS Code, and Cursor. On the security side, AI-powered triage using those hosted models reduces manual alert review overhead in Enterprise Security. And Splunk's AI Agent Monitoring, covering GPU performance, LLM token economics, and vector databases, has no real equivalent in Dynatrace's current offering.

The honest split: Davis wins on maturity and deterministic reasoning quality. Splunk wins on breadth, particularly anywhere AI workloads intersect with infrastructure, and on owning its own model hosting rather than depending on a third party.

| AI capability | Dynatrace | Splunk |
|---|---|---|
| Root cause engine | Davis (deterministic, since 2017) | AI Troubleshooting Agent |
| Hosted AI models | No (external LLM dependency) | Yes (GA Feb 2026) |
| MCP server | GA (queries metered) | GA (O11y Cloud) |
| GPU / AI infrastructure monitoring | Limited | Yes (GA) |
| AI-powered security triage | No | Yes (Attack Analyzer, Detection Studio) |
| Automated remediation | AutomationEngine | Via SOAR (Enterprise Security) |

[summary]
### AI investigation connected to the response, either way

Davis explains what broke and Splunk's agent summarizes root cause across bridged products, but neither pages the on-call engineer directly. Better Stack's AI SRE investigates autonomously and delivers its hypothesis into a live incident, responder already paged.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/3bw21kiNAuM" title="AI SRE and MCP server overview | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**Autonomous root cause investigation connected to on-call, incidents, and status pages.** [See the AI SRE.](https://betterstack.com)
[/summary]

---

## Security and IT Service Intelligence

This is the section where the comparison stops being close, and it's worth being direct about which direction it tilts.

Dynatrace Application Security is real: runtime vulnerability detection using OneAgent's process visibility to see which vulnerable libraries are actually loaded and reachable, runtime application protection, security posture management against CIS, NIST, DORA, and HIPAA. It is a genuine security product.

It is not a SIEM. **Splunk Enterprise Security is an 11-time Gartner Magic Quadrant Leader for SIEM**, with SOAR, UEBA, Detection Studio for custom detection development, and Attack Analyzer for automated forensic analysis, detection rules that are MITRE ATT&CK-aligned and inspectable on GitHub. For organizations evaluating security operations as part of this decision, Dynatrace simply is not in that conversation, and pretending otherwise would be dishonest.

Splunk ITSI adds a second category Dynatrace has no equivalent for: service health modeling with KPI-based entities, predictive degradation scoring, and episode-based alert correlation for IT operations teams managing hundreds of interdependent services. Dynatrace's Applied-Intelligence-equivalent (Davis's alert correlation) solves noise reduction; it doesn't do KPI-based service modeling the way ITSI does.

| Security / AIOps | Dynatrace | Splunk |
|---|---|---|
| Runtime vulnerability detection | Yes | Via Enterprise Security |
| SIEM | No | Yes (11-time Gartner Leader) |
| SOAR | No | Yes |
| UEBA | No | Yes |
| ITSI / service health modeling | No | Yes (separate product) |
| Self-hosted / air-gapped | No | Yes |

---

## Pricing comparison

The gap here isn't a percentage, it's a different unit of measurement, and which platform "wins" depends entirely on your scale and which products you'd actually enable.

**Scenario: 100 hosts (8 GiB average), moderate log volume (50GB/day), full observability stack**

| Cost component | Dynatrace (DPS, list) | Splunk (entity + ingest) |
|---|---|---|
| Host/APM monitoring | ~$5,840/month | ~$6,000/month ($60/host entity) |
| Logs (50GB/day ≈ 1.5TB/month) | ~$300-400/month (ingest + retention/queries) | ~$7,500-11,250/month (log ingest alone) |
| On-call (external, both) | ~$245-415/month (PagerDuty-equivalent) | Splunk On-Call, separate SKU, similar range |
| Security (SIEM/ITSI, if enabled) | N/A (not offered) | Separately priced, substantial add |
| **Estimated monthly total (observability only)** | **~$6,385-6,655/month** | **~$13,500-17,250/month+** |

At this log volume, Splunk's ingest pricing dominates the comparison; Dynatrace's consumption model, expensive as it is per host, doesn't punish log volume nearly as hard. The math flips at lower log volumes or when Splunk's negotiated enterprise rates (often 30-50% off list) come into play, and it flips entirely if security or ITSI enter the equation, since Dynatrace has nothing to offer there at any price.

| Pricing factor | Dynatrace | Splunk |
|---|---|---|
| Free tier | 15-day trial | No (trial only) |
| Log ingest rate | $0.20/GiB | ~$150-225/GB/day (base list tiers) |
| Query fees | Yes (logs, traces) | No |
| Pricing models | One (consumption rate card) | Four (workload, entity, ingest, activity) |
| Security/SIEM available | No | Yes (separate, substantial cost) |
| Enterprise discount norms | Standard negotiation | Often 30-50% off list |

[summary]
### Predictable neither way, and the response layer missing from both

Splunk's log pricing and Dynatrace's consumption meters both require real modeling before signing. Better Stack combines volume-priced logs, metrics, and traces with on-call scheduling, incident management, and status pages, one bill, no separate SIEM negotiation required for basic reliability work.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/E8JQPRVR20E" title="On-call and escalations overview | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**Fewer vendors, fewer context switches, and a single place for the full reliability workflow.** [Talk to us.](https://betterstack.com)
[/summary]

---

## What each platform genuinely lacks

**Dynatrace gaps worth knowing:**

1. No SIEM, no SOAR, no UEBA, no threat detection at Splunk's scale, this isn't close.
2. No ITSI-equivalent for KPI-based service health modeling.
3. No self-hosted or air-gapped deployment option at any tier.
4. Query fees mean thorough investigation, including its own MCP-connected AI, carries a metered cost.
5. No free tier beyond a 15-day trial, and a reported minimum commitment that excludes smaller teams.
6. No hosted AI models; depends on external LLM providers.
7. No status pages, no native on-call.

**Splunk gaps worth knowing:**

1. Log ingest at list rates ($150-225/GB/day) is dramatically more expensive than Dynatrace's $0.20/GiB at equivalent volume.
2. Multi-product architecture creates genuine investigation friction: pivoting from logs to APM to on-call means navigating three separate interfaces.
3. No unified query language; SPL for the Platform, a different UI for Observability Cloud.
4. Pricing complexity across four models requires careful planning to avoid surprises.
5. No free tier at all, evaluation requires a sales-mediated trial.
6. Self-managed Splunk Enterprise adds real operational overhead if you go that route.
7. No status pages, and on-call requires a separate SKU (Splunk On-Call) even after everything else is bought.

---

## Final thoughts

The question that actually decides this comparison isn't "which platform is better," it's **whether your evaluation includes security operations or IT service health modeling as first-class requirements, or is it strictly application and infrastructure observability for engineering teams.**

If the answer is strictly observability, **Dynatrace's single-system design wins on almost every axis that matters day to day**: one topology model, one AI reasoning over it, zero-configuration instrumentation, and an investigation flow that never requires a bridge between products. You pay for that in a consumption model that takes real discipline to forecast, but you're not assembling four products into a coherent incident workflow either.

If security or ITSI belong in the conversation, **this stops being close.** Dynatrace has nothing resembling Splunk Enterprise Security's SIEM depth or ITSI's service health modeling, and no amount of Davis's deterministic elegance changes that. Organizations that need both serious observability and serious security operations will often end up running Splunk for exactly that reason, accepting the multi-product friction as the cost of getting SIEM and observability under one roof, or Cisco umbrella, at least.

The uncomfortable middle case is the one worth naming honestly: a team that wants Dynatrace's integrated observability experience but also needs Splunk-grade security will end up running both, or running Splunk alone and accepting a less unified observability workflow than Dynatrace would have given them. **Neither platform was built to be the other**, and pretending the gap doesn't exist wastes a procurement cycle finding out the hard way.

[summary]
### The layer neither one owns, security or not

Neither Dynatrace nor Splunk includes uptime monitoring, incident management with unlimited phone and SMS, and customer-facing status pages as a unified, simply-priced product. Better Stack brings all of that together with logs, metrics, and traces, usage-based pricing, and no per-host or per-GB-day surcharges.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/ddfuZrT7RCg" title="MCP Server | Better Stack" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

**The full reliability lifecycle in one place. Start free, no credit card required.** [Try Better Stack.](https://betterstack.com)
[/summary]

