Log Aggregation solutions

We are currently evaluating log aggregation solutions at my company. I understand that Splunk is one of the best solutions, but what are some of the "negatives" with using Splunk? Is there anything else out there that maybe does a better job of log aggregation?


We use Splunk (the free version), and have found it to work very well. To answer your question best I would need to know what kind of logs you want to parse. You can count on being able to parse syslog and many other types of log files. However, for Windows event logs, you can still aggregate but you'll need to install Splunk on a Windows machine. Not necessarily a negative, but something to consider. The free version will let you gather from as many sources as you want, but you're limited in the amount of data per day (I think it's 500MB/day). I don't know exactly what the enterprise edition offers, but I think I remember it having an unlimited amount of data to index, multiple user accounts, and the ability to have multiple servers for indexing and searching.

Some of the downsides I've seen with our free edition are with the saved searches and notification. Using it to search is very powerful, and it does notification based on saved searches, but this is a manual process for each search. It can e-mail results automatically, but this displays the raw format of the log. In order to have nicer e-mail notifications, I've had to create scripts for each saved search in order to send the e-mail the way I would like. I'm sure I'm probably using it differently than how it was designed to be used, but it's something to watch out for if you have the same uses in mind.
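One way to do the per-search formatting the answer describes, as an added example and not the answerer's own script: a Python alert script that reads the results file Splunk hands to a scripted alert and turns it into a readable e-mail instead of the raw event dump. The argument positions follow Splunk's documented scripted-alert convention; the recipient address, search name, link and CSV rows are constructed placeholders.

```python
"""Build a readable e-mail from a Splunk scripted-alert result file.
Splunk passes positional arguments; used here: argv[1] event count, argv[4]
saved search name, argv[5] trigger reason, argv[6] link, argv[8] gzipped CSV."""
import csv, gzip, io, sys
from email.message import EmailMessage

MAX_ROWS = 20  # cap the table so a noisy alert does not become a huge mail
MAIL_TO = "soc@example.invalid"  # placeholder recipient (assumption)

def parse_results(csv_text):
    """Parse the CSV Splunk writes for an alert into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def render_table(rows, columns):
    """Render the chosen columns as a fixed-width text table, cut at MAX_ROWS."""
    widths = {c: max([len(c)] + [len(str(r.get(c, ""))) for r in rows]) for c in columns}
    lines = ["  ".join(c.ljust(widths[c]) for c in columns),
             "  ".join("-" * widths[c] for c in columns)]
    for r in rows[:MAX_ROWS]:
        lines.append("  ".join(str(r.get(c, "")).ljust(widths[c]) for c in columns))
    if len(rows) > MAX_ROWS:
        lines.append("... %d more rows omitted" % (len(rows) - MAX_ROWS))
    return "\n".join(lines)

def build_message(search_name, count, reason, url, rows, columns):
    """Assemble the alert e-mail; the caller hands it to the MTA."""
    msg = EmailMessage()
    msg["To"] = MAIL_TO
    msg["Subject"] = "[Splunk] %s: %s result(s)" % (search_name, count)
    msg.set_content("Saved search: %s\nTrigger reason: %s\nLink: %s\n\n%s\n"
                    % (search_name, reason, url, render_table(rows, columns)))
    return msg

# Constructed sample of the CSV Splunk would write; not real log data.
SAMPLE_CSV = """_time,host,user,count
2024-01-01T10:00:00,web01,alice,12
2024-01-01T10:05:00,web02,bob,7
"""

if __name__ == "__main__":
    if len(sys.argv) > 8:  # invoked by Splunk: read the gzipped results file
        with gzip.open(sys.argv[8], "rt", newline="") as fh:
            rows = parse_results(fh.read())
        msg = build_message(sys.argv[4], sys.argv[1], sys.argv[5], sys.argv[6],
                            rows, ["_time", "host", "user", "count"])
    else:  # offline demo with the constructed sample
        msg = build_message("Failed logins", "2", "demo", "http://splunk.invalid",
                            parse_results(SAMPLE_CSV), ["host", "user", "count"])
    print(msg.as_string())  # pipe into "sendmail -t" or hand to smtplib
```

Point the saved search's alert action at this script and it replaces the raw-log e-mail with a short header plus a bounded table, which is also what keeps a runaway search from mailing thousands of lines.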