The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.
Owner with 1-10 employees
The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.
Pros and Cons
- "To get visibility from your network devices, servers, and security devices is a great feature."
- "Better directions on search head clusters."
How has it helped my organization?
What is most valuable?
Splunk's capability to receive any types of logs and index them is a very good feature. To get visibility from your network devices, servers, and security devices is a great feature.
What needs improvement?
Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.
What do I think about the stability of the solution?
Not at all.
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.
What do I think about the scalability of the solution?
None.
How are customer service and support?
Customer Service:
Excellent. I didn't call often however, when I did they pretty much solved my problem.
Technical Support:
Excellent. I didn't call often however, when I did they pretty much solved my problem.
Which solution did I use previously and why did I switch?
No solution was available at the time.
How was the initial setup?
No the initial setup was fairly basic.
What about the implementation team?
In-house. We had professional services however, we did the install prior to the consultant arriving. So, his workload was light considering we had already installed and configured the Splunk servers.
What was our ROI?
We purchased and paid for it as an annual subscription for three years and working on purchasing the Perpetual edition.
What's my experience with pricing, setup cost, and licensing?
Pricing is pretty fair. However, I would suggest you trial for at least 90 days if you can get the sales person to offer you the option to renew your 30 day trial a couple of more times to evaluate. The 30 day trial is not enough.
Which other solutions did I evaluate?
The other SIEM solution providers we looked at were ArcSight, QRadar and SolarWinds LEM.
What other advice do I have?
Splunk is a good product. Pricing is a bit high however, after it's installed you can understand why and get caught up in reading the logs that are available.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTA\Owner at UCSolutions
Easy to use and simple to set up with reasonable pricing
Pros and Cons
- "The SIEM is the most valuable feature of the product."
- "The documentation is in definite need of improvement."
What is our primary use case?
I need the product for SIEM, Security Identity Event Management. I also need it for security operations, automated response, as well as mapping adjusting of security components as well. It helps us with how best to look at various events, and orchestrate between various different hyper-scalers.
How has it helped my organization?
The solution has made us more secure and has allowed for more definable mapping.
What is most valuable?
The SIEM is the most valuable feature of the product.
Having a better integration method and then ingesting and mapping the information have been somewhat easier than some of the other tools that I've used previously (other than QRadar and Rapid7).
The initial setup is pretty simple.
The solution is scalable.
Stability has been quite good.
The pricing is pretty decent.
What needs improvement?
The documentation is in definite need of improvement.
There are pieces of it that are somewhat just daunting and there should be better orchestration and automation.
I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.
I'd like to have it so that Splunk integrates better with Terraform and Python.
For how long have I used the solution?
I've used the solution for eight years. I've used it for quite a while.
What do I think about the stability of the solution?
Splunk is probably the best brand in terms of stability. I'd rate its reliability at a four out of five. There aren't bugs or glitches. It doesn't crash or freeze.
What do I think about the scalability of the solution?
The scalability is great. I'd give it a score of four out of five. If a company needs to expand, it can do so.
We have 450 people in our organization that use the product. We've also done this for clients that needed access for over 200,000 people.
We use the solution extensively and likely will increase usage.
How are customer service and support?
The support is okay, however, there are a couple of things that they couldn't figure out and they couldn't help me with automation or stuff like that. It could have been better from there, however, it's not that bad.
Which solution did I use previously and why did I switch?
I've previously used QRadar and it wasn't ideal.
There were certain times I integrated with other solutions too.
How was the initial setup?
The initial implementation is pretty simple and straightforward. It's not too complex. I'd rate the experience at an eight out of ten.
The initial deployment took us about two weeks or so.
The amount of personnel you need for deployment and maintenance tasks depends on the size of the deployment. Typically, it's just one or two people. That said, it needs to be proportionate to certain sizes. Usually, the staff is from procurement or provisioning.
What about the implementation team?
I handled the implementation myself. I didn't need any outside assistance from any integrators. I'm a consultant myself.
What was our ROI?
We've seen quite extensive ROI, however, it's more of a qualitative assessment and I don't have numbers to share. It works well and customers are happy. That's what counts.
What's my experience with pricing, setup cost, and licensing?
It's a little bit more expensive than some of the other tools. It's not as expensive as QRadar. That said, it's more expensive than LogRhythm or Sentinel.
There aren't really other fees beyond the standard costs of licensing.
Which other solutions did I evaluate?
I evaluated other things. I also integrated with other solutions too. I decided to go with Splunk due to the fact that it worked well.
What other advice do I have?
I'm a consultant. I'm also a customer and use it myself.
We use multiple deployment models, including public and private clouds.
We typically use the latest version of the solution.
I'd advise potential new users to get a proper plan. They should have a good partner or someone that can help them and quickly map and orchestrate.
I'd rate the solution at a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.
Good visualization, reliable, scales well, and has good support
Pros and Cons
- "The additional vendors we've brought on board, particularly the elastic, have been quite beneficial."
- "The configuration had a bit of a learning curve."
What is our primary use case?
We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.
Splunk is primarily used for security, incident response, and security analytics.
How has it helped my organization?
Using Splunk, give us the visualization we need, we can easily observe things such as user behavior analytics, irregular traffic, frequency, and any spikes in unusual activity inside the network.
What is most valuable?
The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.
It's a solid platform.
What needs improvement?
Other than the pricing modules, I have no issues with the product itself.
The configuration had a bit of a learning curve.
I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.
If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.
For how long have I used the solution?
I did a POC, but we have recently procured it. We did a rudimentary setup to get an understanding of how it works. We are into our sixth month of using it now.
What do I think about the stability of the solution?
Splunk is a very stable solution.
What do I think about the scalability of the solution?
This solution is quite scalable.
In our organization, we have 10 users, who use this solution but we have plans to increase our usage.
How are customer service and support?
The technical support has been quite helpful.
Which solution did I use previously and why did I switch?
The previous solution was limited in its functionality.
We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.
Splunk offered us more visibility.
How was the initial setup?
The initial setup was complex.
We had some assistance with the actual deployment, but while I was doing the POC, I was working with a vendor. There were things I had to do myself, such as the configuration, which was a bit challenging for me, it was a big learning curve.
What about the implementation team?
For the installation, we received some assistance from the vendor.
What was our ROI?
It's too early to know if there will be a return on investment.
What's my experience with pricing, setup cost, and licensing?
The pricing modules could be improved.
The licensing fees are paid on a yearly basis.
There is a standard license with provisions for more. As we are still exploring the functionality, there may be other departments that want to use it.
What other advice do I have?
Those who are interested in implementing this solution should be prepared to dig deep into their pockets.
I would rate Splunk a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Systems Engineer at Aricent
A complete solution that satisfies the needs of our clients, but it is complex to set up and use
Pros and Cons
- "It's the completeness of the solution that we like the most."
- "Our two main complaints are about the difficulty of the initial setup and the licensing model."
What is our primary use case?
We are a software development company and Splunk is one of the products that we have implemented for our clients. It is used for log analytics as well as the mobile SDK for checking the stability of mobile applications.
What is most valuable?
It's the completeness of the solution that we like the most. It has a solution for backend log analytics, but also one for mobile applications.
What needs improvement?
Our two main complaints are about the difficulty of the initial setup and the licensing model.
The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.
For how long have I used the solution?
I have been working with Splunk for more than five years.
What do I think about the stability of the solution?
There have been no issues in particular. What we are using has not been that heavy.
What do I think about the scalability of the solution?
We have not had any problems with respect to scalability.
How are customer service and technical support?
Based on when we have been in contact with them, I think that technical support was fine.
I'm not sure if they have different support models but I think it took a long time for them to respond. It may be a consequence of the support contract our client had with them.
How was the initial setup?
This is a complicated product to use and you need constant help to set it up. I really wish that it was easier to set up and use.
What about the implementation team?
We do not have any dedicated people who are working on Splunk, but we have a team of approximately 100 people that are responsible for the development of mobile applications, backend systems, DevOps, etc.
What's my experience with pricing, setup cost, and licensing?
I think that most of the log analytics solutions are expensive and I'm not sure if it's worth it. However, I wish that they were less expensive. I am not talking about a single product but rather, all of the ones that are in the domain of log analytics.
What other advice do I have?
Splunk is a good product but I would definitely tell people to analyze their requirements to see if Splunk fits their use case, or not. The licensing model is very complicated, so if there is a product that has a better licensing model then it would probably be good to start with that. Then, later on, if the product is not working well enough, then they can switch to Splunk. At that point, they will have knowledge of the data they are using and will understand the costs that they might incur while using it.
The only way that I would suggest somebody use this as their first solution is if they already had all of the data that is required to get a cost estimate.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Systems Engineer at Aricent
A reliable and complete solution, but the pricing model is complex and it's expensive
Pros and Cons
- "The completeness of the solution is what we like the most."
- "It's difficult to set up initially, and their billing model is also a bit complicated."
What is our primary use case?
We are using the mobile SDK to check the stability of mobile applications.
What is most valuable?
The completeness of the solution is what we like the most.
What needs improvement?
It's difficult to set up initially, and their billing model is also a bit complicated.
We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers.
In order to know how much it will cost, you need those numbers.
I really wish that it was an application that was easier to use.
For how long have I used the solution?
I have been working with Splunk for more than five years.
What do I think about the stability of the solution?
We have not experienced any issues.
What do I think about the scalability of the solution?
For our use cases, we have not required any scaling.
How are customer service and technical support?
The technical support is fine. At times, they take time to respond back but it may have been the support contract that our client had.
I would assume that they are not as responsive as we want them to be.
How was the initial setup?
We have a team of approximately 100 people who are responsible for the development of mobile applications, DevOps, and application development.
What's my experience with pricing, setup cost, and licensing?
The licensing cost model is complicated.
I think that most of the monitoring solutions are expensive. I wish they were less expensive, for all types of products for monitoring.
Which other solutions did I evaluate?
We work with Splunk, but we are looking for some LOG Kinetics solutions for our clients.
What other advice do I have?
I would definitely suggest sending people to analyze or evaluate Splunk.
Because the licensing model is very complicated to understand, it would be better to start with another product that provides a better licensing model. Later, if the product is not working well, they can consider using Splunk and may have a better understanding of the cost.
For me, I would not recommend Splunk as their first solution unless they have all of the data that is required.
I would rate Splunk a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Consultant at Securian Financial Group
Low barrier to start searching with the ability to normalize data on the fly
Pros and Cons
- "Low barrier to start searching with the ability to normalize data on the fly."
- "I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs."
- "The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files."
- "Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss."
What is our primary use case?
Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and applications logs to provide security insights.
How has it helped my organization?
Before we analyzed required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible, is now unbelievably fast.
What is most valuable?
Low barrier to start searching with the ability to normalize data on the fly.
I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.
What needs improvement?
I would like to see Splunk improve its posture as a production operations tool. This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.
I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.
Efficiency of Security Team
It has absolutely improved the efficiency of my security team.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No stability concerns.
What do I think about the scalability of the solution?
We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads that it was originally done on. For example, the history of search runs are stored locally, so I needed to logon to each search head to try and find it.
How are customer service and technical support?
Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss.
Which solution did I use previously and why did I switch?
I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.
How was the initial setup?
The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.
Which other solutions did I evaluate?
We evaluated our existing tool, LogRhythm.
What other advice do I have?
Growth in data ingested will be much larger that you anticipated. If you need to prove this first, consider using an ELK Stack Logstash type of solution before using Splunk.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Specialist Master, Cyber Risk at a tech vendor with 10,001+ employees
My clients have visibility into systems and activities that they never had before.
Pros and Cons
- "Splunk gives my clients the ability to bring multiple, disparate types of data together, then correlate and report on them."
- "The GUI can be improved. Splunk has always suffered from having a kind of goofy UI, it needs some updating."
How has it helped my organization?
Some of my clients had rudimentary home-grown security solutions that Splunk ES has completely replaced.
In these cases, the improvement was dramatic; they had visibility into systems and activities that they never had before.
In the case of clients who already had a SIEM solution, the change was more incremental. However, in my opinion, the Splunk ES solution is superior because it is so flexible. It can consolidate data from almost anything.
What is most valuable?
Splunk Enterprise Security is most valuable, my clients use it as a SIEM solution. Splunk gives them the ability to bring multiple, disparate types of data together, then correlate and report on them.
What needs improvement?
The GUI can be improved. Splunk has always suffered from having a kind of goofy UI, it needs some updating.
What do I think about the stability of the solution?
There were no stability issues. It is one of the most stable systems that I have worked with.
What do I think about the scalability of the solution?
As of now, no scalability issues were experienced. Splunk is highly scalable, so don’t anticipate that. However, scaling can get very expensive with their pricing model.
How are customer service and technical support?
Technical support is excellent! It is of top notch level. The customer support folks really know their stuff, the turnaround is fast.
Which solution did I use previously and why did I switch?
Previously, we were using HPE ArcSight.
How was the initial setup?
That’s a hard one. The initial setup is easy but making it actually work is complex. However, the complexity is something that just comes with all top SIEM tools. Very few companies have exactly the same data and issues, so a great deal of data onboarding and normalization are always required.
Which other solutions did I evaluate?
We evaluated HPE ArcSight.
What other advice do I have?
Plan your implementation carefully. Be sure you have someone to implement it, someone who knows what he is doing. Splunk’s inherent flexibility is a great thing, but it also provides an opportunity to really mess things up.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are an alliance partner.
Lead Splunk Architect at a financial services firm with 10,001+ employees
Enables Centralization And Correlation Of Data That Was Unattainable With Other Solutions
Pros and Cons
- "It allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar."
- "Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources."
How has it helped my organization?
Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.
A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.
What is most valuable?
Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allow schema on the fly and therefore simplifies all the data onboarding process. All that leads to flexibility when it comes to defining the metadata since it is not necessary to have all the fields defined and extracted to be able to use Splunk.
Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.
Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.
What needs improvement?
Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.
What do I think about the stability of the solution?
Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.
What do I think about the scalability of the solution?
Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a splunk index can be done without affecting any of the existing members of the infrastructure.
How are customer service and technical support?
In my opinion Splunk has three levels of support. First level is their forum (Splunk Answers). The Forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team that replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.
Which solution did I use previously and why did I switch?
Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.
How was the initial setup?
We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.
What's my experience with pricing, setup cost, and licensing?
Splunk licensing model might seem expensive but with all the gain in functionalities you will have compared to traditional SIEM solutions I think it’s worth the price. Also, when you have small volumes of data to index daily (which might account for high EPS) you will be gaining the full advantage of using Splunk for a very low price.
Which other solutions did I evaluate?
Yes, Graylog and QRadar.
What other advice do I have?
You're in for a nice surprise, Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis, you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Alireza GhahroodConsultant & Instructor -Cyber Security,GovernanceRIskCompliance (CISO as a Services) at Independent
Top 10Real User
According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:
Federal Information Security Management Act (FISMA) of 2014
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
North American Electric Reliability Corporation Critical Infrastructure Protection
Payment Card Industry Data Security Standard
Sarbanes-Oxley Act
At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Security Information and Event Management (SIEM) Log Management IT Operations AnalyticsPopular Comparisons
CrowdStrike Falcon
Microsoft Sentinel
IBM Security QRadar
Elastic Security
LogRhythm SIEM
Sumo Logic Security
Rapid7 InsightIDR
Fortinet FortiSIEM
AlienVault OSSIM
Cortex XSIAM
Securonix Next-Gen SIEM
USM Anywhere
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack
- What is a better choice, Splunk or Azure Sentinel?
splunk is user friendly-Better than other similar products