Have you researched any ROI documents from these solutions?  This may give some hard facts as well.  Also, you may want to ask a third-party vendor(s) for this information as well since they probably have a vast amount of customers that have bast information with them.

Hi there,
to really go beyond, start thinking about create rules that can say something to your company. Something like: If you could generate incidents from diferent logs and prove a fraud by combining them, you are in the right path. But always keep in mind to be focused where your company does the money or loose the money.
From there you can attract managers and directors attention. I've done this way and now everytime we detect an incident we are heard.
And no matter wich tool you choose to be your SIEM, the response quality is the object to be achieved.
As an example: If you get hit by a DDOS, your SIEM will not be able to handle so much trafic logs from the firewall and the same will happen to your IPS/IDS. But if you can say: we are loosing money, because I got multiple logins to our sales portal using the same userid/password and the responsible for this userid was fired 3 months ago.
This will attract their attention for sure!

I'm a big fan of OSSIM which uses a slew of open source tools, Snort, Nagios, OpenVAS, etc., and one of the main reasons why I like it is that you could easily program slash tailor it to do what you need it do it unlike other closed source (Windows) applications. With that said, SIEM for incident response means little if your staff isn't vigilant on monitoring what is going on. For example, let's imagine a new 0day on the market. Most SIEM's, IDS' (which are the core of SIEM anyway), IPS, etc., won't have the proper signatures to detect what is going on. An event will solely be an anomaly. Is your staff vigilant enough to investigate further?

With OSSIM, SIEM goes a little further in my opinion. Not only are you capable of the typical "assessments" you can use it to alert yourself and tailor responses. E.g.: If EventA then Perform ActionB it's all a matter of know how and this could be said for most SIEM's to a degree. I so happen to like OSSIM because of its *nix based root. This allows me to do things like create ssh session keys, create rules on the fly and have those rules pushed to other machines.

I've actually looked at a couple of solutions including ArcSight and RSA.  They both have similar capabilities, but the downside to both of these is the cost.  I'm currently testing out a vendor named HAWK Security Network Defense which has the same, if not more custom/correlating capabilities.  One of my friends referred me to them.  So far I've been pleased with their proof of concept, and price wise, they're not event half of what the others cost.  Hope this helps. 

Splunk is great!

I use Splunk daily. It is very intuitive once you get it installed and running. I am still running version 3 b/c you don't get alerts with the free version of 4.*, so what I am about to say may not be the case with the most up to date version, but it can be a little slow depending on your configuration. I have Splunk reading roughly 1200-2000 files worth of syslog data, and it takes anywhere from 5 mintues to 20 minutes for an event to show up in the interface. So, its not "real-time" and it doesn't do correlation like ArcSight, but its a great option if you don't have the money that ArcSight costs...