Ask what Splunk is, and even longtime users often answer with a list rather than a sentence: log search, then SignalFx for infrastructure, then VictorOps for on-call, then AppDynamics after the Cisco acquisition, then Enterprise Security bolted alongside all of it. Ask what Dynatrace is, and the answer is one sentence: OneAgent instruments everything, Smartscape maps everything, Davis explains everything, all built together from the start. Neither company set out to build the platform they ended up with. Splunk grew by acquisition into a conglomerate of genuinely deep products that don't share a query language. Dynatrace grew by design into one integrated system that doesn't have that problem, and doesn't have Splunk's security depth either.
That's the actual axis of this comparison, and it's a different one than most Dynatrace matchups run on. Dynatrace's usual competitive story is "integrated but expensive versus disjointed but open." Against Splunk, the disjointedness is real but the depth behind each piece is not a weakness, it's Splunk's entire value proposition. Splunk Enterprise Security is an 11-time Gartner Magic Quadrant Leader for SIEM. ITSI does AIOps-driven service health modeling that neither Dynatrace nor most observability tools attempt. If your evaluation includes security operations, Dynatrace's Application Security suite is real but it isn't in Splunk's category, full stop.
Where Dynatrace wins back ground is exactly where you'd expect: one interface, one topology model, one AI reasoning over both, and an instrumentation story (OneAgent, zero configuration) that Splunk's multi-agent, multi-product reality can't match for speed to value. This comparison works through both, treating Splunk's security and ITSI depth honestly rather than dismissing it as scope creep.
Quick comparison at a glance
Feature
Dynatrace
Splunk
Primary purpose
Enterprise observability + security platform
Multi-product data platform (observability + security + ITSM)
Neither company built its architecture on a blank page, but only one of them built it as a single design. That difference explains almost everything else in this comparison.
Dynatrace: OneAgent, Smartscape, Grail, Davis, one system
OneAgent installs on a host and auto-discovers every process, injecting monitoring code without configuration. Smartscape turns that discovery into a real-time topology graph. Grail stores logs, traces, metrics, and events with schema-on-read DQL querying. Davis reasons over the topology graph to produce deterministic root cause analysis. Four pieces, one design, one team building all of them to work together from the start.
The bill follows the same "everything automatic, everything metered" pattern: Full-Stack Monitoring at $0.01 per memory-GiB-hour, logs at $0.20/GiB with either metered queries ($0.0035/GiB scanned) or 28x-priced bundled retention, Kubernetes pods at $0.002/pod-hour. It's transparent line by line and genuinely hard to forecast in aggregate, and the pay-per-query logs model means a thorough investigation costs more than a shallow one.
Splunk: four products, four histories, one Cisco parent
Splunk's portfolio reflects its history rather than a single design: the Cloud Platform (SPL-based log search, Splunk's original product), Observability Cloud (infrastructure, APM, RUM, built on the SignalFx acquisition), ITSI (AIOps and service health), On-Call (incident notification, from the VictorOps acquisition), and Enterprise Security (SIEM). Each is genuinely deep in its domain. None of them shares a data model or query language with the others by default; Log Observer Connect bridges Cloud Platform logs into Observability Cloud, but it's a configured integration between two products, not one database.
The pricing mirrors the product sprawl: workload-based SVC units for the Cloud Platform, entity-based per-host rates for Observability Cloud, ingest-based pricing (roughly $150-225/GB/day at base tiers) for log management, and activity-based billing for specific Observability Cloud features. Four models, and getting the model choice wrong for your data pattern can mean paying significantly more than your initial estimate suggested.
Architectural factor
Dynatrace
Splunk
Design origin
Built as one system
Assembled via acquisition (SignalFx, VictorOps, AppDynamics)
Data storage
Grail (proprietary lakehouse)
Separate per product
Query language
DQL
SPL (Platform), separate UI (O11y Cloud)
Query fees
Yes (pay-per-query)
No
Product count
One
Four+ (Platform, O11y Cloud, ITSI, On-Call, ES)
Self-hosted / air-gapped
No
Yes
SIEM / ITSI
No
Yes (both, genuinely deep)
Neither platform gets you to a paged human
Dynatrace explains problems automatically and Splunk's products, deep as each is, still require a bridge to reach on-call. Better Stack connects observability directly to incident response in one platform.
From heartbeat monitoring to incident timelines to status pages, one platform for the whole reliability lifecycle.Start free.
APM and distributed tracing
Both companies are genuinely OTel-native here and neither surcharges for it, which is worth noting since it's not universal in this comparison series. The real difference is what sits behind the trace once you've got it.
OneAgent auto-instruments and PurePath traces follow every transaction from browser through service calls and database queries down to the specific method responsible for latency, with flame graphs and thread contention analysis for JVM and .NET estates. Here's how trace analysis works in practice:
The trade: trace queries on pay-per-query bill per GiB scanned, and your data lives in Grail's proprietary format.
Splunk: NoSample fidelity and code-level profiling across three languages
Splunk APM in Observability Cloud runs NoSample end-to-end tracing, full-fidelity retention across all connected services with no sampling decisions to manage. AlwaysOn Profiling adds continuous CPU and memory profiling for Java, .NET, and Node.js at the code level, running in production without a separate triggered session, real depth that goes toe-to-toe with PurePath for the languages it covers.
The honest limitation is architectural, not technical: APM lives in Observability Cloud, a separate product from the Cloud Platform where logs live. Log Observer Connect bridges the two, but it's a bridge, not a shared backend, and pivoting from a trace to its surrounding logs takes a configured integration where Dynatrace's Grail does it by default.
APM / tracing
Dynatrace
Splunk
Instrumentation
OneAgent (automatic) or OTel
Language-specific agents or OTel
Full trace retention
Yes (all traces, metered queries)
Yes (NoSample)
Code-level profiling
Yes (PurePath)
Yes (AlwaysOn: Java, .NET, Node.js)
Trace query fees
Yes (pay-per-query)
No
Log-to-trace correlation
Native (same Grail store)
Via Log Observer Connect (bridged)
APM pricing
$0.01/memory-GiB-hour
~$60/host/month (entity)
Tracing without the meter or the product-bridging
Dynatrace charges to query your own traces and Splunk asks you to bridge two separate products to correlate them with logs. Better Stack's eBPF tracing captures HTTP, gRPC, and database traffic with zero code changes in one warehouse, priced by volume with no query fees.
Full-fidelity distributed tracing from every service, priced by volume with no surprises.Explore Better Stack tracing.
Log management
This is where Splunk's DNA actually shows. It was a log search company before it was anything else, and that history is either a decisive advantage or an expensive one, depending entirely on your scale.
Dynatrace: topology-enriched, a pricing model you have to commit to upfront
Dynatrace logs land in Grail at $0.20/GiB, with Smartscape context, service, host, dependency chain, attached automatically. Here's the Logs app:
Then the plan decision: pay-per-query (cheap retention, metered queries) or bundled (queries free, retention 28x higher). Guess wrong and pay for it monthly.
Splunk: SPL, the deepest log query language in this entire series, at a price to match
Splunk's SPL is genuinely the most expressive query language covered anywhere in this comparison series: multi-step transformations, statistical aggregations, subsearch, external lookups, time-series charting, backed by 2,000+ Splunkbase apps encoding years of community detection logic. Organizations with years of saved SPL searches and dashboards have a real, non-trivial investment that transfers to nothing else.
That expressiveness costs accordingly: roughly $150-225/GB/day at base list tiers, meaning 100GB/day of logs runs $15,000-22,500/month for the platform alone, before observability or security. Against Dynatrace's $0.20/GiB, that's not a close comparison at equivalent volume; it's a different pricing universe entirely, reflecting petabyte-scale enterprise log analytics rather than application observability logs.
Log management
Dynatrace
Splunk
Query language
DQL
SPL
Ingest pricing
$0.20/GiB + retention + query fees
~$150-225/GB/day at base tiers
Query fees
Yes (pay-per-query) or 28x retention
No (included)
Ecosystem
Dynatrace Hub
2,000+ Splunkbase apps
Topology enrichment
Yes (Smartscape)
Via O11y Cloud correlation
Petabyte-scale strength
Enterprise-capable
Category-defining
Log search with no plan to commit to in advance
Dynatrace asks you to bet on a pricing model and Splunk charges enterprise log-analytics rates for application logs. Better Stack stores everything in one SQL-queryable warehouse at $0.10/GB with no query fees and no upfront tier decision.
Unified log management with SQL search, live tail, and no indexing surprises.See how it works.
Infrastructure monitoring
Dynatrace: broadest legacy and enterprise coverage in this whole series
Dynatrace covers cloud hosts and Kubernetes, then keeps going: mainframes, SAP, VMware Tanzu, hybrid data centers, automatically mapped by Smartscape. Tiered pricing ($7-~$58/month per host by depth and memory) scales coverage to criticality. The familiar catch: memory-based pricing penalizes dense hosts, and default-enabled cloud metrics bill as custom consumption.
Splunk: entity pricing, plus a category Dynatrace hasn't caught up to yet
Splunk Infrastructure Monitoring, built on the SignalFx acquisition, runs entity-based pricing around $15/host/month, cheaper than Dynatrace's memory-scaled model at the low end but with its own cardinality problem: custom metrics beyond the per-host allotment count against entitlements with overage charges. What's genuinely notable is AI Infrastructure Monitoring, GA coverage of GPU performance, LLM token costs, model latency, and vector database performance. For teams running production AI workloads, Splunk has native visibility here that Dynatrace's AI Observability doesn't match at the GPU-infrastructure layer.
Infrastructure monitoring
Dynatrace
Splunk
Mainframe / SAP / VMware
Yes
No
Base host pricing
Memory-GiB-hours (~$7-58/month)
Entity-based (~$15/month)
Custom metric cardinality
Counted toward consumption
Yes (MTS-based overages)
GPU / AI infrastructure monitoring
Limited
Yes (AI Infrastructure Monitoring, GA)
Topology mapping
Smartscape (automatic)
Via O11y Cloud correlation
Digital experience monitoring
Both platforms are complete here, so this section is short. Dynatrace's DEM suite (web and mobile RUM with crash analysis, session replay at $4.50/1K sessions, synthetics) correlates automatically to backend PurePaths.
Splunk's Digital Experience Analytics (GA March 2026) combines behavioral data with RUM and APM, and its native mobile SDK support (iOS, Android, React Native, Flutter) is broader than Dynatrace's mobile story. The correlation tradeoff repeats: Splunk's RUM-to-APM-to-logs path crosses Observability Cloud into the Cloud Platform via Log Observer Connect, while Dynatrace's equivalent stays inside one product.
Digital experience
Dynatrace
Splunk
Session replay
Yes
Yes
Synthetic monitoring
Yes
Yes
Mobile RUM
Yes (crash analysis)
Yes (broader native SDK support)
Digital Experience Analytics
No
Yes (GA March 2026)
Frontend-to-backend correlation
Native (one product)
Via bridged products
AI capabilities
Davis has an eight-year head start on deterministic reasoning. Splunk's AI story is younger but arguably more comprehensive on the infrastructure side, thanks to its own hosted models.
Dynatrace: Davis, still the most proven engine in this series
Davis runs fault-tree analysis over the Smartscape topology graph, collapsing alert storms into one problem with a traced causal chain, in production since 2017. The agentic layer (Dynatrace Assist, SRE Agent, AutomationEngine) builds on that foundation, and the MCP server is GA with the now-familiar caveat that MCP queries bill per GiB scanned against Grail.
Splunk: AI Troubleshooting Agent, hosted models, and the deepest AI infrastructure story anywhere in this series
Splunk's AI Troubleshooting Agent in Observability Cloud provides root cause summaries in context, and Splunk hosted AI models went GA in February 2026, bringing foundation models (including a security-specific model) directly into the platform without external AI provider dependency. The MCP server for Observability Cloud is GA, supporting Claude Desktop, VS Code, and Cursor. On the security side, AI-powered triage using those hosted models reduces manual alert review overhead in Enterprise Security. And Splunk's AI Agent Monitoring, covering GPU performance, LLM token economics, and vector databases, has no real equivalent in Dynatrace's current offering.
The honest split: Davis wins on maturity and deterministic reasoning quality. Splunk wins on breadth, particularly anywhere AI workloads intersect with infrastructure, and on owning its own model hosting rather than depending on a third party.
AI capability
Dynatrace
Splunk
Root cause engine
Davis (deterministic, since 2017)
AI Troubleshooting Agent
Hosted AI models
No (external LLM dependency)
Yes (GA Feb 2026)
MCP server
GA (queries metered)
GA (O11y Cloud)
GPU / AI infrastructure monitoring
Limited
Yes (GA)
AI-powered security triage
No
Yes (Attack Analyzer, Detection Studio)
Automated remediation
AutomationEngine
Via SOAR (Enterprise Security)
AI investigation connected to the response, either way
Davis explains what broke and Splunk's agent summarizes root cause across bridged products, but neither pages the on-call engineer directly. Better Stack's AI SRE investigates autonomously and delivers its hypothesis into a live incident, responder already paged.
Autonomous root cause investigation connected to on-call, incidents, and status pages.See the AI SRE.
Security and IT Service Intelligence
This is the section where the comparison stops being close, and it's worth being direct about which direction it tilts.
Dynatrace Application Security is real: runtime vulnerability detection using OneAgent's process visibility to see which vulnerable libraries are actually loaded and reachable, runtime application protection, security posture management against CIS, NIST, DORA, and HIPAA. It is a genuine security product.
It is not a SIEM. Splunk Enterprise Security is an 11-time Gartner Magic Quadrant Leader for SIEM, with SOAR, UEBA, Detection Studio for custom detection development, and Attack Analyzer for automated forensic analysis, detection rules that are MITRE ATT&CK-aligned and inspectable on GitHub. For organizations evaluating security operations as part of this decision, Dynatrace simply is not in that conversation, and pretending otherwise would be dishonest.
Splunk ITSI adds a second category Dynatrace has no equivalent for: service health modeling with KPI-based entities, predictive degradation scoring, and episode-based alert correlation for IT operations teams managing hundreds of interdependent services. Dynatrace's Applied-Intelligence-equivalent (Davis's alert correlation) solves noise reduction; it doesn't do KPI-based service modeling the way ITSI does.
Security / AIOps
Dynatrace
Splunk
Runtime vulnerability detection
Yes
Via Enterprise Security
SIEM
No
Yes (11-time Gartner Leader)
SOAR
No
Yes
UEBA
No
Yes
ITSI / service health modeling
No
Yes (separate product)
Self-hosted / air-gapped
No
Yes
Pricing comparison
The gap here isn't a percentage, it's a different unit of measurement, and which platform "wins" depends entirely on your scale and which products you'd actually enable.
At this log volume, Splunk's ingest pricing dominates the comparison; Dynatrace's consumption model, expensive as it is per host, doesn't punish log volume nearly as hard. The math flips at lower log volumes or when Splunk's negotiated enterprise rates (often 30-50% off list) come into play, and it flips entirely if security or ITSI enter the equation, since Dynatrace has nothing to offer there at any price.
Pricing factor
Dynatrace
Splunk
Free tier
15-day trial
No (trial only)
Log ingest rate
$0.20/GiB
~$150-225/GB/day (base list tiers)
Query fees
Yes (logs, traces)
No
Pricing models
One (consumption rate card)
Four (workload, entity, ingest, activity)
Security/SIEM available
No
Yes (separate, substantial cost)
Enterprise discount norms
Standard negotiation
Often 30-50% off list
Predictable neither way, and the response layer missing from both
Splunk's log pricing and Dynatrace's consumption meters both require real modeling before signing. Better Stack combines volume-priced logs, metrics, and traces with on-call scheduling, incident management, and status pages, one bill, no separate SIEM negotiation required for basic reliability work.
Fewer vendors, fewer context switches, and a single place for the full reliability workflow.Talk to us.
What each platform genuinely lacks
Dynatrace gaps worth knowing:
No SIEM, no SOAR, no UEBA, no threat detection at Splunk's scale, this isn't close.
No ITSI-equivalent for KPI-based service health modeling.
No self-hosted or air-gapped deployment option at any tier.
Query fees mean thorough investigation, including its own MCP-connected AI, carries a metered cost.
No free tier beyond a 15-day trial, and a reported minimum commitment that excludes smaller teams.
No hosted AI models; depends on external LLM providers.
No status pages, no native on-call.
Splunk gaps worth knowing:
Log ingest at list rates ($150-225/GB/day) is dramatically more expensive than Dynatrace's $0.20/GiB at equivalent volume.
Multi-product architecture creates genuine investigation friction: pivoting from logs to APM to on-call means navigating three separate interfaces.
No unified query language; SPL for the Platform, a different UI for Observability Cloud.
Pricing complexity across four models requires careful planning to avoid surprises.
No free tier at all, evaluation requires a sales-mediated trial.
Self-managed Splunk Enterprise adds real operational overhead if you go that route.
No status pages, and on-call requires a separate SKU (Splunk On-Call) even after everything else is bought.
Final thoughts
The question that actually decides this comparison isn't "which platform is better," it's whether your evaluation includes security operations or IT service health modeling as first-class requirements, or is it strictly application and infrastructure observability for engineering teams.
If the answer is strictly observability, Dynatrace's single-system design wins on almost every axis that matters day to day: one topology model, one AI reasoning over it, zero-configuration instrumentation, and an investigation flow that never requires a bridge between products. You pay for that in a consumption model that takes real discipline to forecast, but you're not assembling four products into a coherent incident workflow either.
If security or ITSI belong in the conversation, this stops being close. Dynatrace has nothing resembling Splunk Enterprise Security's SIEM depth or ITSI's service health modeling, and no amount of Davis's deterministic elegance changes that. Organizations that need both serious observability and serious security operations will often end up running Splunk for exactly that reason, accepting the multi-product friction as the cost of getting SIEM and observability under one roof, or Cisco umbrella, at least.
The uncomfortable middle case is the one worth naming honestly: a team that wants Dynatrace's integrated observability experience but also needs Splunk-grade security will end up running both, or running Splunk alone and accepting a less unified observability workflow than Dynatrace would have given them. Neither platform was built to be the other, and pretending the gap doesn't exist wastes a procurement cycle finding out the hard way.
The layer neither one owns, security or not
Neither Dynatrace nor Splunk includes uptime monitoring, incident management with unlimited phone and SMS, and customer-facing status pages as a unified, simply-priced product. Better Stack brings all of that together with logs, metrics, and traces, usage-based pricing, and no per-host or per-GB-day surcharges.
The full reliability lifecycle in one place. Start free, no credit card required.Try Better Stack.