We use the product mostly just to pull out the reports, medical investigations, et cetera. As a security analyst, we can look at and pull data. You can make a central hub for a lot of different sources, including servers and endpoints. It makes it easy to check logs for every device connected.
Analyst, TSG Information Security Cyber Operations at a consultancy with 5,001-10,000 employees
Lots of learning materials, responsive support, and good visualization capabilities
Pros and Cons
- "There are lots of free learning materials on their website."
- "The level of scalability depends on the license you have. You can expand or reduce it based on the environment. It does cost more money to scale, however."
What is our primary use case?
How has it helped my organization?
If you are a data analyst, security analyst, or anyone who basically requires a set of data in your database job, and you have to have normalized data represented or, just to check for any patterns, this is quite helpful. With Splunk, you can pull in the data, you can transform it, and represent the data via graphs or pull the data and export it into Excel and perform further investigations. The use cases are quite deep.
What is most valuable?
With this product, you can go for an in-depth search or just perform a surface-level search. There are different modes in which you can perform searches, and that basically defines the speed of how fast you can get the data. If you are going for a more detailed version offered, it'll take a bit of time. However, they'll give you more and more data. There's also a fast mode in it.
The data which you can pull, you can basically visualize it, you can normalize the data, evaluate it, and convert the data into tables. It's much easier to pull the data, organize it, and normalize it as you are performing the searches. That's quite helpful.
I prefer working with cloud infrastructure like this as you can increase the storage capacity or the license at any time and search for a number of different endpoints. If you want to ingest more and more data, having something like Splunk available on the cloud is preferable.
I take advantage of the incident response part of the solution. If anything happens at the endpoint, if anything happens at the user system, servers, or something like that, my role is to look into the logs, go through other investigations, perform a time scan, and create a timeline of all the events. This helps do that job.
I'm also aware they have a Mission Control. I have actually attended a few surveys on that, however, I haven't really implemented it due to the fact that we are in the middle of a few of the projects, and things are at higher priority as of now. So we haven't really focused on that.
Using Splunk, we can check out what server versions we have. If we just cross-check with the database, we can see if we have any availability and then we can pull in the files. If you have a database, you can perform a query to check for any particular problems in the entire environment. For the threat notifications, it's quite helpful.
Indirectly, it's helped us reduce our alert volume. If you have a list of files, you can run it through the environment and, based on that, create rules and exceptions. This indirectly helps reduce alert amounts. You can go through false positives and sort them out as well and create a rule against them.
It's helped speed up security investigations. Being a central hub of logs, we can jump into a different log or source and jump into any investigation. You don't have to jump from one tool to another. This automatically reduces the investigation time.
There are lots of free learning materials on their website.
Overall, things are quite easy. It's a simple solution.
What needs improvement?
I haven't explored beyond the security aspect as a data analyst. I haven't noticed any shortcomings so far.
Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,054 professionals have used our research since 2012.
For how long have I used the solution?
I've been using the solution for more than a year now.
What do I think about the stability of the solution?
There are different modules, and I haven't activated all yet, however, the stability is okay. I would rate it seven out of ten. If we run into issues, there are materials they provide and online support. You can even call them.
What do I think about the scalability of the solution?
The solution is deployed to one location. It's deployed across the entire environment.
The level of scalability depends on the license you have. You can expand or reduce it based on the environment. It does cost more money to scale, however.
I would rate scalability seven out of ten.
How are customer service and support?
Support is quite responsive. They also offer 24/7 support services.
Which solution did I use previously and why did I switch?
I previously used Palo Alto XDR.
I also used an email solution whose name I can't recall. You could check emails flowing into or out of your environment.
How was the initial setup?
I wasn't involved in the deployment; the solution was set up when I arrived.
That said, I did go through some setup videos, and the process does not look difficult. They provide the steps for every aspect. There's also always support you can reach out to if you have questions.
There may be some maintenance required in terms of upgrading. When you upgrade the version, you may need to upgrade your sensors on the endpoints. However, Splunk is quite compatible with other devices, so it's not difficult. In our company, the administrators handle maintenance.
What was our ROI?
I haven't witnessed an ROI in terms of how I'm using the tool.
What's my experience with pricing, setup cost, and licensing?
It's mostly for EDR. You can cover servers as well; however, that requires additional licenses. Pricing is based on usage. As an EDR specialist, I interact with the tools and perform investigations. I don't deal with licensing directly.
This is quite new to me. I've only recently started working with Splunk. I used to work in EDR. It took me two to three months to understand the internal architecture of the organization, and based on that, I can use Splunk for all kinds of searches. So, how long it takes to realize the benefits of Splunk depends on the person and the complexity of the environment.
Which other solutions did I evaluate?
I did not evaluate other options. I adopted this tool when I joined my current organization.
What other advice do I have?
We're a Splunk customer.
To those considering just going with the cheapest solution, it depends on your level of comfort with support. If you have a cheaper tool, the support would be addressed. With Splunk, that's the difference - their support response. If you have a tool with a good license, you will be able to get immediate help if there's any vulnerability.
I'd rate the solution eight out of ten.
I'd advise others to take time to learn the solution and develop skills. It's all about DSL queries. If you are off on queries, it won't give you any results. You need to be accurate with your SQL commands.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IS Engineer at a hospitality company with 10,001+ employees
Enables us to drive down the alert count and the alert fatigue for analysts to make the alerts they see more valuable and actionable
Pros and Cons
- "The UI of Splunk makes it easier for our analysts to move around and see what they need to see."
- "Features related to content management must be improved."
What is our primary use case?
Our SOC uses the solution to monitor our corporate and franchise environments.
What is most valuable?
Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.
What needs improvement?
There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.
When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.
For how long have I used the solution?
I have been using the solution for approximately four years.
What do I think about the stability of the solution?
I haven't seen any issues with stability. Most of the stability issues I've seen have actually been on the on-prem hardware.
What do I think about the scalability of the solution?
We have no issues at all with scalability. The tool has high scalability and usability. The size of our environment is relatively large since it is an enterprise solution. We have around 5000 users and a franchise base.
How are customer service and support?
I have never had an issue with Splunk’s support team. Every time I ask a question, I usually receive really quick responses. We are in the middle of a migration, and the engineers helping us migrate to Splunk Cloud have been fantastic every step of the way. They provide really rapid and complete answers when we ask questions.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.
What was our ROI?
We have definitely seen an ROI on the solution. Any security tool has a fantastic ROI. A lot of companies don't like to budget for security until there's an incident or something goes terribly, terribly wrong. Just having that SIEM and having eyes on potential security issues is an ROI.
What other advice do I have?
We are behind a few versions. So I hope that as we upgrade, I get more ideas for what I'd like to improve. We're still in the process of moving to the cloud.
The product has improved our organization's business resilience. The right tools are available to our analysts within the product, and we use them daily. It has drastically driven down our time to remediate, which is huge for us. It's huge for any company. We don't want four hours to find out that something has gone terribly, terribly wrong. Finding such issues before they turn into full-blown security incidents has been our biggest impact.
Splunk Enterprise Security empowers our staff. It is so user-friendly. It allows our analysts at every level to learn the tool and learn more about security through the tool. I progressed from level one. Now, I'm a content developer for enterprise security. The usability of Splunk is the best on the market. The solution has helped reduce our mean time to resolve.
As we add new features and applications into Splunk, time to value is pretty quick on most things. As long as we have someone that's willing to go through the effort to configure, the time to value is rapid. Adding applications to Splunk is a seamless experience. The UI of Splunk makes life so much easier. Some of my experience is based on technical debt in the organizations I worked with. I would probably rate the tool a ten if we didn't have so much technical debt.
By attending Splunk conferences, I get to learn about all the new tools and how to implement them. I use it for RBA and Machine Learning Toolkit. I develop content for our company. I am here to learn how to implement RBA and Machine Learning Toolkit better to reduce alert fatigue for my analysts.
Overall, I rate the product an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,054 professionals have used our research since 2012.
IT Consultant at a tech services company with 51-200 employees
We can script advanced queries with limited knowledge, uncover unknown threats, and identify anonymous user behavior
Pros and Cons
- "The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge."
- "The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex."
What is our primary use case?
Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.
How has it helped my organization?
Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.
MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.
Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.
Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients.
In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.
When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.
Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.
What is most valuable?
The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.
What needs improvement?
The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.
I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six years.
What do I think about the stability of the solution?
I rate the stability of Splunk Enterprise Security an eight out of ten.
What do I think about the scalability of the solution?
Splunk Enterprise Security can be easily scaled once it has been installed and deployed.
Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.
Which solution did I use previously and why did I switch?
I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.
The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.
How was the initial setup?
The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.
In addition to the licensing fee, there is also a support and maintenance charge.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment.
Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.
Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Delivery Manager at a tech services company with 1,001-5,000 employees
Provides more versatile dashboard than other solutions and very fast search functionality
Pros and Cons
- "Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great."
- "Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported."
What is our primary use case?
The primary use case is security and data analytics. In general, we manage and maintain it for our customers.
What is most valuable?
Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.
What needs improvement?
I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.
For how long have I used the solution?
I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.
What do I think about the stability of the solution?
The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.
What do I think about the scalability of the solution?
It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.
How are customer service and support?
The technical support is good.
However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.
Still, the people I have worked with there are all an eight-plus out of 10.
How would you rate customer service and support?
Positive
How was the initial setup?
It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud.
The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.
The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing, or designing and handing it over to them.
If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.
Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.
What about the implementation team?
We do it ourselves.
What's my experience with pricing, setup cost, and licensing?
The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.
IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.
Which other solutions did I evaluate?
I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm.
If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.
Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search.
If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in.
Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head Senior Manager, Security Operations Center at a financial services firm with 10,001+ employees
Helps us normalize our data because it comes with predefined dashboards
Pros and Cons
- "The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know for a fact that they're using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself."
- "I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud."
What is our primary use case?
We use Splunk Enterprise Security for a lot of use cases. We use the predefined use cases and dashboards for AWS, notable events, endpoint detection network, and audit notable events.
What is most valuable?
The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself.
The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.
It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.
Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.
When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.
What needs improvement?
I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud.
There's already a fraud offering from Splunk for fraud use cases but it's different. I need to get professional services for me to get that feature. It would be much more cost-efficient for customers if all those dashboards could be readily available within ES.
For how long have I used the solution?
I have been using Splunk Enterprise Security since I joined my company in 2019, so it's been roughly five years.
What do I think about the stability of the solution?
Cisco just acquired Splunk so I expect the stability to still be the same since Cisco is established.
How are customer service and support?
I would rate support a nine out of ten because there's always room for improvement.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten. To make it a perfect ten, I would like to see them implement the fraud detection features.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Security Specialist at a financial services firm with 10,001+ employees
Helped improve our organization's ability to ingest and normalize data but the incident response dashboard could be more user-friendly
Pros and Cons
- "The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits."
- "The incident response dashboard could be more user-friendly."
What is our primary use case?
Our use cases are for creating security analytics for our SOC team.
How has it helped my organization?
Splunk Enterprise Security is one of the Splunk tools we use to mature our security posture. We use it to be on top of potential threats to the organization.
The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits.
Apart from the legal and compliance requirements for the bank, it's important that the bank is ahead of bad actors to be able to proactively detect and prevent threats to the organization. At the end of the day, the goal is to protect the organization, the stakeholders, shareholders, the bank's reputation, and the users and customers of the bank.
What is most valuable?
The Splunk incident response dashboard is pretty useful because it helps first responders triage incidents and properly escalate when necessary.
We find Splunk very useful on the enterprise level to detect and prevent security threats.
Splunk Enterprise Security has definitely helped improve our organization's ability to ingest and normalize data. We have many log sources and over ninety thousand staff. We have endpoints, servers, Syslog Data, and BYOT data. Splunk has been instrumental in maturing the security posture of the organization.
Splunk does a pretty good job at identifying threats in real-time.
It provides us with the relevant context to help guide our investigations. During onboarding, once the log sources are properly onboarded based on Splunk's recommendation for SIEM compliance, we found real value in being able to aggregate different types of data and load them properly so that we can then pass on and access them very easily.
It has improved my organization's business resilience. We've been able to mature our security program and posture over the years.
The ability to see everything from a single tool is very helpful. From the context of communication with our executives, being able to show them a unified dashboard to see the security posture has been very useful. For example, our executives can see the security posture or position of all of the branches of the bank from a single dashboard. Dashboards like that give them peace of mind to have that kind of visibility to know the state of things. Splunk is very instrumental in that.
What needs improvement?
The incident response dashboard could be more user-friendly.
In the next release, I would like to see the integration of Splunk Enterprise Security with Splunk UEBA. That's a big one. We've spoken with the engineers working on a new UEBA integration with Splunk but right now Splunk UEBA is a separate setup entirely.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years.
What do I think about the stability of the solution?
Splunk Cloud has its advantages. The company might be moving in that direction because you don't worry about infrastructure. But being on-prem part of what we worry about is the underlying infrastructure of Splunk, which is directly relevant to the stability. The resources used for search and load are tied to the infrastructure behind it. It's been stable.
What do I think about the scalability of the solution?
We've been able to scale rapidly to meet our needs. Splunk Cloud could be advantageous because it's a platform and it will cut out the worry and the need to manage infrastructure on your own.
How are customer service and support?
I work more with Splunk UBA. My experience with my rep has been good.
I would rate support an eight out of ten only because everything has room for improvement.
How would you rate customer service and support?
Positive
How was the initial setup?
It's an on-prem deployment. I have more experience setting Splunk up in a Linux environment. It's been a good experience.
What other advice do I have?
I would rate Splunk Enterprise Security a seven out of ten because there's room for improvement. Splunk always positions itself as a market leader. This would involve understanding your competition, seeing their products, and seeing how you can improve to meet their customers' needs.
From my experience, Splunk has done a good job at that because we have customer success reps who are concerned about how Splunk is meeting our needs. Splunk can definitely do better which is why I'm giving it a seven.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Engineer at a government with 10,001+ employees
Provides a single pane of glass platform, but it needs a better and solid configuration guide
Pros and Cons
- "Splunk Enterprise Security gives us a single pane of glass so that we can use just one tool instead of having to use different tools."
- "It'd be really nice if Splunk Enterprise Security had a better and solid configuration guide."
What is our primary use case?
We wanted the solution to enhance the SOC ability. We were having trouble with some of our data being SIEM-compliant.
How has it helped my organization?
We hope the solution meets some SOC-like abilities.
What is most valuable?
Splunk Enterprise Security gives us a single pane of glass so that we can use just one tool instead of having to use different solutions.
It is pretty important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment, and it gets more important every year.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.
It has helped us reduce our alert volume.
Splunk's unified platform helps consolidate networking, security, and IT observability tools. It gives us a single pane of glass, so instead of having to go to different tools, we just go to one tool.
It is deployed as an app on its own server.
What needs improvement?
It'd be really nice if Splunk Enterprise Security had a better and solid configuration guide.
For how long have I used the solution?
I have been using Splunk Enterprise Security for roughly one year.
What do I think about the stability of the solution?
Splunk Enterprise Security is a very stable solution, and we haven't had many issues in five years.
How are customer service and support?
The solution’s technical support team is very knowledgeable.
How would you rate customer service and support?
Positive
How was the initial setup?
It was a little difficult for us to set up the solution mainly because some of our data sources were not SIEM-compliant.
What about the implementation team?
We did engage with Splunk professional services, but it still didn't work. Although our experience with them was good, the tool was still not set up correctly.
What was our ROI?
We have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
My experience with the solution's setup cost, pricing, and licensing was really good.
What other advice do I have?
Overall, I rate the solution a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Director of Detection and Response at a consultancy with 10,001+ employees
Integrates easily with other solutions and fastens investigation and response
Pros and Cons
- "The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that."
- "Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction."
What is our primary use case?
There are a lot of use cases for Splunk Enterprise Security. The main one is when you are trying to detect an authentication attack. There are lots of people trying to get access to a system, so they are constantly trying to authenticate. Splunk Enterprise Security can quickly detect that through its correlation engine. If there is a specific attack of the anomalous amount of users trying to log into a system, it generates an alert. Our SOC is then able to analyze that alert and determine whether it is a false positive or a true event. If it is a true event, they can work towards containing that attack. If anything is a success, they can quickly provide that information to our incident response team.
How has it helped my organization?
The benefits that we have seen from using Splunk Enterprise Security have been faster response time and faster enrichment of information so that the analyst can act and respond in a more timely and efficient manner, which then provides more information to leadership, such as myself. We are then able to respond. We know how to present risks and how efficiently our SOC is doing to our senior leaders. There is a 30% to 40% improvement because, with the system we had before, the capability of figuring out what was going on to analyze the event was cumbersome. Splunk Enterprise Security has driven and given analysts the ability to analyze a lot more efficiently.
Splunk Enterprise Security provides end-to-end visibility into our environment. It is very critical for us.
Splunk Enterprise Security helps us find any security event across multi-cloud, on-premises, or hybrid environments. It helps in all of this. We have multi-cloud environments. We have all four main cloud environments. We also have our on-prem environments. We have also set up a hybrid environment. It has improved our ability to detect and find needles in the haystack that we were not able to see before. There are lots of things they have been able to detect. People were installing things and misusing AUP violations that we were not able to see before.
Splunk Enterprise Security helped reduce our alert volume with the implementation of risk-based learning. When you are doing risk-based learning, you can definitely reduce the volume, but initially, when you move from one SIEM to Splunk Enterprise Security, you do not really reduce volume. You are generating more. Because you are getting better visibility, you are generating more information for the analysts to look at, and then over time, as Splunk Enterprise Security and the team learn the environment, you are able to tune down and then use the risk-based alerting to help reduce a lot of false positives.
Splunk Enterprise Security provides us with the relevant context to help guide our investigation. There are limitations, which is where Splunk SOAR helps with the enrichment of the information, but it definitely provides good context. In the notable alerts, it provides a lot of key information that you need, and then there is the ability to drill in to see what the actual events were, so it really helps.
Splunk Enterprise Security is efficient at predicting, identifying, and solving problems in real time. With the correlation rules, the ability to have adaptive responses, and the ability to tie in even machine learning into that, we are able to do real-time analysis and quickly gather and detect.
Splunk's unified platform helps consolidate networking and security tools, but sadly, our organization does not use IT observability tools. We are purely from a security perspective.
What is most valuable?
It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.
What needs improvement?
I am looking forward to seeing what is coming out in the new release that was announced, but case management is an important thing. Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction.
For how long have I used the solution?
I have one environment that has been using Splunk Enterprise Security for two years in the Splunk Cloud. I am currently in the process of migrating my on-premise corporate environment to Splunk.
What do I think about the stability of the solution?
At this point, Splunk Enterprise Security is very stable.
What do I think about the scalability of the solution?
It is very scalable. Particularly, when you do search and clustering, you are able to scale rapidly to be able to meet the demands of what is needed for your SOC. The data model setup helps to quickly drive and get rules created without having to need a new data source or a new rule. You just send that new data source to one of the data models, and you already have the rules there, and it automatically starts generating alerts based on those existing rules.
How are customer service and support?
I would rate their support a seven out of ten. Sometimes, you get some solid people, but other times, it takes a bit of effort to get across what the actual issue or situation is. This is a challenge for any help desk organization particularly when you have lots of customers calling in and all of them with unique situations.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We were using another tool previously. There were many reasons for switching. One big reason was the ease of integration of data into the tool. With the previous tool, to integrate a normal log source, such as an identity access tool, into the SIEM, we had to pay for PS engagement in order to even get the information in. Splunk has native integration with all these different apps. It is natively tied to all the different IDAM and ID tools out there. It is very easy for the team to implement it themselves. They do not have to go and get extra help to do it. They can install the app, get the keys and authentication set up between the two new tools, and then it just works.
How was the initial setup?
Our deployment experience was just fine. I deployed Splunk at other companies before, so it was not new to me to do it with this company. The pricing and everything else went smoothly. The Splunk team was super helpful. They were very engaging. They helped to build it. We were able to get access to Splunk engineers who worked for Splunk, and they helped define the sizing. They went through and evaluated what our current solution was and helped us build out what we needed in order to meet and exceed that capability. Splunk has been super helpful.
For one environment, I am using the public cloud, and then for my other environment, I am using an on-premise setup. We have the AWS cloud.
What about the implementation team?
We did use professional services to help with this. At my previous company, I would not have used professional services because I had a team of Splunk architects who knew what they were doing and knew how to do it. In this company, we were moving from a different technology to Splunk. My teams were not as familiar with Splunk, so I needed the extra help. We had the help of Splunk professional services and third-party professional services. We used Verizon.
What was our ROI?
The environment that we had set up has been running for two years. I had planned that initially for a certain amount of growth, but within the first year, we had already doubled the size of the data. It was able to handle the information so much more efficiently that a lot of the groups that were not integrated into the SIEM before started saying that they needed their data monitored as well, so we started growing quite quickly. It has helped us exponentially.
Which other solutions did I evaluate?
I evaluated several SIEM solutions before choosing Splunk. With Splunk, we had the ease of integration of data because getting the data in as quickly as possible and making use of it is important. Another area is that in certain tools, you have to generate one rule per data source, whereas Splunk has the data modeling capability where you have all the data sources going into the data model, and then you create one rule per data model instead of per data source. It helps reduce the workload for the system, so there was that aspect of more performance than any other solution.
What other advice do I have?
I would rate Splunk Enterprise Security a nine out of ten. It is a market leader from an SIEM perspective. It has bells and whistles, but it does not let you get lost in those bells and whistles. It helps drive the analyst into what is the most important thing that they need to focus on, and that is protecting the company. They are able to be more efficient. They are able to help do what the mission of the company is, and that has enabled the company to not worry about the security part. Without a risk, they are able to do their business and help their customers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
MSP ENGINEER at bitsIO Inc.
Helps streamline incident responses, provide visibility into our environment, and reduce alert volume
Pros and Cons
- "Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring."
- "Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve."
What is our primary use case?
Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.
How has it helped my organization?
Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.
The customizable dashboards offer great visualization and extra add-ons.
Splunk Enterprise Security helps us to easily monitor multiple cloud environments.
Mission Control lets us monitor and manage our security from a single panel.
Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.
Splunk Enterprise Security helps reduce our alert volume.
Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.
What is most valuable?
Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.
What needs improvement?
Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.
Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.
The licensing cost could be more competitive, as some of our competitors offer lower prices.
For how long have I used the solution?
I have been using Splunk Enterprise Security for one year.
What do I think about the stability of the solution?
We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.
How are customer service and support?
The technical support team is always supportive but their response time and knowledge can be improved.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment was straightforward.
What's my experience with pricing, setup cost, and licensing?
The license for Splunk Enterprise Security is expensive.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
We have Splunk Enterprise Security deployed across multiple locations.
The resilience Splunk offers is good.
I recommend Splunk Enterprise Security to others.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk developer at Maveric Systems Limited
Helps us monitor multiple cloud environments, offers strong capabilities for detecting insider threats, and reduces our alert volume
Pros and Cons
- "Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily."
- "When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise."
What is our primary use case?
Splunk Enterprise Security serves as our primary tool for endpoint detection.
How has it helped my organization?
Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.
Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.
It does a good job of analyzing malicious activity and helps us detect threats faster.
Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.
In our financial institution client environment, The insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.
We have improved our incident response time with Splunk.
Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.
Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.
What is most valuable?
Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.
What needs improvement?
Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.
For how long have I used the solution?
I have been using Splunk Enterprise Security for many years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
How was the initial setup?
The initial deployment is straightforward.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.
I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Product Categories
Security Information and Event Management (SIEM) Log Management IT Operations AnalyticsPopular Comparisons
CrowdStrike Falcon
IBM Security QRadar
Splunk AppDynamics
Microsoft Sentinel
Elastic Security
IBM Turbonomic
Palantir Foundry
WhatsUp Gold
Elastic Observability
LogRhythm SIEM
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which would you recommend to your boss, IBM QRadar or Splunk?
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack




















