Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees
Real User
Ingests machine data and helps to analyze and visualize it.
Pros and Cons
  • "The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data."
  • "It requires a significant amount of relatively complex architecture once you push past the single server instance."

How has it helped my organization?

Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was the use case for just our team, not to mention the hundreds of other application teams.

What is most valuable?

Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.

What needs improvement?

Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?

Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.

What do I think about the stability of the solution?

Out-of-the-box functions are nearly flawless, but when you push at the edges, then things start to get a little flexible in their eloquence. There is a robust community of support to help through most issues and the documentation is exceptional.

Buyer's Guide
Splunk Enterprise Security
November 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
823,875 professionals have used our research since 2012.

What do I think about the scalability of the solution?

There were no issues with scalability, but we invested some serious time and resources to design a scalable infrastructure up front.

How are customer service and support?

Customer Service:

Customer service is excellent both during the purchase and ownership lifecycle.

Technical Support:

Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience. Their senior engineers are very talented, but those folks are in short supply and many of the most experienced engineers are making hundreds of dollars an hour as consultants not answering your support issues.

Which solution did I use previously and why did I switch?

No enterprise solution was in place.

How was the initial setup?

The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours. Setup at scale and scalability took months of effort.

What about the implementation team?

We hired a contractor with significant experience with Splunk, Elastic.io, AWS, and custom development. They were expensive, but worth every penny.

What was our ROI?

TBD.

What's my experience with pricing, setup cost, and licensing?

You will eat up whatever you purchase quickly. The level of insights that Splunk empowers is addictive.

Which other solutions did I evaluate?

We evaluated Graylog, Elastic.io, etc.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MS Alam, System Administrator at Abdullah Al-Othaim Markets
Real User

I agree with you, Mr. Joshua Biggley. Nowadays Splunk has more demand.

Spelunking Consultant at BlueVoyant
Consultant
Top 20
Provides a centralized place to consolidate everything and start investigations
Pros and Cons
  • "The solution's most valuable feature is its data modeling."
  • "It would be good if the solution had some kind of copilot to automate or help write correlation searches."

What is our primary use case?

My customers subscribe to many different tools, like CrowdStrike. They ingest all that into Splunk and use it as an aggregator to launch their investigations into any threats detected.

How has it helped my organization?

The solution has improved our organization by providing a centralized place to start investigations. It allows us to consolidate everything into one place that kicks everything off so we can map it back to at least that Splunk instance.

What is most valuable?

The solution's most valuable feature is its data modeling. Splunk has data from so many different vendors. Moving all that or normalizing that to the data models allows us to look at one place holistically across all the different inputs.

What needs improvement?

The one problem Splunk has is writing correlation searches. My analysts are intimidated to write queries to create correlation searches. It would be good if the solution had some kind of copilot to automate or help write correlation searches. Splunk Enterprise Security should include more automation, AI, and machine learning capabilities.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three to four months.

What do I think about the stability of the solution?

We haven’t faced any issues with the solution’s stability.

What do I think about the scalability of the solution?

We haven’t faced any scalability issues with Splunk Enterprise Security.

What other advice do I have?

The end-to-end visibility the tool provides is not that big of a deal. They have so many tools that can do that kind of part. Splunk doesn't have to be the one place for total visibility, but at least for visibility when it consolidates on threats.

Splunk has helped improve our organization's ability to ingest and normalize data. The tool pretty much consumes everything that we have. Everything from dozens of different vendor products gets ingested into Splunk. Splunk Enterprise Security is just that one central place where everything goes.

Splunk Enterprise Security has helped speed up our security investigations. Something that requires someone to work on it at the beginning of the day would not take more than 15 minutes with Splunk Enterprise Security.

Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
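One concrete correlation search of the kind this reviewer's analysts found intimidating, added here as an illustration. It is not the reviewer's content and not one of the searches that ship with Enterprise Security. It leans on exactly the data-model normalization the review praises: because every vendor's login events land in the CIM Authentication data model, a single `tstats` over `Authentication.action`, `Authentication.src` and `Authentication.dest` covers all of them. It assumes the Authentication data model is accelerated and populated, and the thresholds (20 failures followed by at least one success from the same source to the same destination within the search window) are starting values to tune, not recommendations from the page.

```spl
| tstats summariesonly=true count
    min(_time) as first_seen max(_time) as last_seen
    values(Authentication.user) as users
    from datamodel=Authentication.Authentication
    where (Authentication.action="failure" OR Authentication.action="success")
    by Authentication.src Authentication.dest Authentication.action
| rename Authentication.* as *
| eval failures=if(action="failure", count, 0),
       successes=if(action="success", count, 0)
| stats sum(failures) as failures, sum(successes) as successes,
        min(first_seen) as first_seen, max(last_seen) as last_seen,
        values(users) as users
        by src dest
| where failures >= 20 AND successes >= 1
| eval user_count=mvcount(users),
       first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S"),
       risk_message="Brute force or password spray from ".src." against ".dest.": ".failures." failures then ".successes." success(es) across ".user_count." account(s)"
| table first_seen last_seen src dest failures successes user_count users risk_message
```

Save it in Enterprise Security as a correlation search (Content Management), schedule it every 15 minutes over the previous 60 minutes with a few minutes of lag for late-arriving events, and attach the Notable or Risk Analysis adaptive response action. `summariesonly=true` searches only the accelerated summaries, which is what keeps it cheap; the flip side is that any source whose add-on does not map cleanly onto the CIM never appears in the results at all. Check coverage before trusting the rule: `| tstats count from datamodel=Authentication.Authentication by sourcetype` should list every authentication source you expect to see.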
Salma Shahin - PeerSpot reviewer
Senior Engineer at Sony India Software Centre
Consultant
Well-organized, user-friendly, and suitable for complex and large environments
Pros and Cons
  • "It is the best tool if you have a complex environment or if data ingestion is too huge."
  • "The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues."

What is most valuable?

It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.

It is the best tool if you have a complex environment or if data ingestion is too huge.

What needs improvement?

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

For how long have I used the solution?

We have been using Splunk for more than four years.

What do I think about the scalability of the solution?

Its scalability is very good. Companies nowadays are totally dependent on tools like Splunk. It is widely used in our organization. We have a huge team that uses it on a daily basis. For onboarding, we have another team, and we also have a team for Splunk monitoring. We have a large amount of data ingestion per day, so our team has more than 25 people in it.

How are customer service and support?

In my current company, I have seen the tickets getting resolved soon. In my previous company, which was a startup, a P1 ticket generally took 24 hours or less. They called us back and resolved it as soon as possible, but if it was a P2 or P3, I have seen them taking a month or more.

Which solution did I use previously and why did I switch?

We worked with QRadar for some time, but after that, we just came to Splunk.

How was the initial setup?

It is straightforward. The deployment duration totally depends on how you are working.

We have it on-premises as well as on the cloud.

What's my experience with pricing, setup cost, and licensing?

We have an unlimited one, and we pay yearly, but I don't know how much it costs. Previously, I worked for a startup, and when they started building it up, it was complicated for them because they didn't have the budget for that many licenses. It was very costly for them. So, startups might find it a little bit problematic because of the licensing, but for bigger companies, there is no issue.

What other advice do I have?

If it is a complex environment and data ingestion is huge, where you want to ingest syslog or networking device logs, you should go with Splunk. It is better than QRadar. Nowadays, the usage of AWS is growing, and that should be taken into consideration when deciding about on-premises or cloud deployment.

I would rate it a nine out of 10. I find it great. I'm very eager to do the Splunk certifications as well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer718113 - PeerSpot reviewer
IT Analyst at a energy/utilities company with 1,001-5,000 employees
Real User
Reduced our time to log
Pros and Cons
  • "In the past, we used a different application to collect logs. We used SurfWatch and VMware to do so, but we found that Splunk has more capacity to do more in less time. They provide a faster speed to index all the events, and this is a huge asset."
  • "Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market."

What is our primary use case?

In the beginning, we just wanted to collect the logs from the different devices, like the nano storage, Linux, Windows, and VMware. We tried to get a uniform solution to collect and analyze all of the system logs.

How has it helped my organization?

Our current company needs this solution. We need it to highlight the old logging events. Across the different devices and systems, we have Splunk, and we can clearly explain the everyday field logging of events in the different IT environments.

In the past, we used a different application to collect logs. We used SurfWatch and VMware to do so but we found that the Splunk has more capacity to do more in less time. They provide a faster speed to index all the events which is a huge asset.

What is most valuable?

The user can apply it to all kinds of device systems, no matter whether he/she is using Windows or Linux. It can easily collect the logs. In addition, the user can have an index which can help us collect and analyze all kinds of logs and find the outstanding issues.

What needs improvement?

Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

Scalability could be improved.

Which solution did I use previously and why did I switch?

We used SurfWatch and VMware in the past.

How was the initial setup?

I was not involved with the initial setup. 

What's my experience with pricing, setup cost, and licensing?

I am not personally involved with the pricing of the solution.

Which other solutions did I evaluate?

We also looked at Selopene SIEM. It is a premier logging site.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CTO at IHS Markit
Real User
We were able to create a catalog of dashboards and have a holistic view at all levels, understanding our business better
Pros and Cons
  • "The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports."
  • "We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before, now surface on dashboards."
  • "We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved."
  • "I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions."

What is our primary use case?

We use it for logging and troubleshooting.

How has it helped my organization?

Every team immediately created their own Splunk dashboard, and all the product owners were ecstatic about this. We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before, now surface on dashboards. Even our executives could understand this, and it changed the way teams thought about alerting and reporting. It allowed us to send out real-time notifications to integrate with Opsgenie, and it changed the way IT works.

What is most valuable?

The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports. The dashboards are very intuitive and similar to SQL. They are easy to set up and get running.

What needs improvement?

The query language is pretty slick and easy, but it is not consistent in parts. Some of it feels a little esoteric. Personally, some of my engineers are coming from SQL or other languages. Some things are a little bit surprising in Splunk and a little bit inconsistent in their querying, but once you get used to it and once you get used to the field names and function names, you can get the hang of it. However, if it was a bit more standardized, it might be quicker to get it up and running.

I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions. I would also like a better UI tool for enhancements of advanced visual query editors.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is pretty stable, though it has gone down from our usage. We do need to keep an eye on our query volumes. Right now, it is too easy for a user to write a query, run it, make it available in polling mode (real-time mode), and bring down the server. Some more safety alerting would help and be beneficial.

We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved. Overall, once you have people who know what they are doing, it is very stable.

What do I think about the scalability of the solution?

Our environment is on-premise, and it is big. We have a couple hundred users. However, it was slow and unavailable at times before we trained all the engineers on how not to write a long, constantly polling query.

How are customer service and technical support?

Our internal tools team did work with the Splunk support team extensively. I was not directly involved, but from my point of view, they were able to fix and resolve issues within a day or less, so they have been okay.

How was the initial setup?

It is early days right now to evaluate the integration and configuration of Splunk in our AWS environment. We are just starting to integrate it with regular stuff. While I think it is okay so far, I really do not have enough information.

What was our ROI?

Most of our return on investment has been through faster error resolution. Our mean time to recovery has dropped for issues. We can often fix things before the customer notices them. Whereas, when logging was done custom by each team in non-standard ways, it would take days to resolve issues that are now sometimes resolved in minutes.

Which other solutions did I evaluate?

We knew we were going to go with Splunk. It was the leader and the one we liked. We didn't consider any others since Splunk met our needs.

We chose Splunk because of the ease of the UI, querying, and creating dashboards. It has a standardized query language, which a lot of the IT staff were already familiar with. It was the market leader from our perspective for our needs.

What other advice do I have?

Go with Splunk. A lot of people know how to use it because they have experience with it. It works well. While it has some pain points, it provides reports and data visibility.

It integrates great with Opsgenie, PagerDuty, and Slack. We love the Slack integration, as it works great with the Slack alerts.

We use the on-premise version in our data centers and we use the AWS version. We are just starting to migrate to the AWS hosted version, and I have not seen a difference.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
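What the "safety alerting" this reviewer asks for can look like today, added here as an illustration rather than anything from the review: a scheduled search over the search head's own job list that flags the real-time and long-running ad-hoc searches the review describes. It assumes it runs under an admin-equivalent role (the `search/jobs` REST endpoint only returns the jobs the caller is allowed to see) and that the thresholds (10 minutes of runtime, 500 MB of dispatch disk) fit the environment; both are assumptions, not values from the page.

```spl
| rest /services/search/jobs splunk_server=local
| search isDone=0
| eval isRealTimeSearch=tonumber(coalesce(isRealTimeSearch, 0)),
       runDuration=tonumber(coalesce(runDuration, 0)),
       diskUsage=tonumber(coalesce(diskUsage, 0))
| eval reason=case(isRealTimeSearch=1, "real-time search",
                   runDuration > 600, "running longer than 10 min",
                   diskUsage > 524288000, "dispatch directory over 500 MB",
                   true(), null())
| where isnotnull(reason)
| eval minutes=round(runDuration/60, 1),
       origin=if(match(sid, "^scheduler__"), "scheduled", "ad hoc")
| table sid author origin reason minutes scanCount diskUsage title
| sort - minutes
```

Schedule it every five minutes and alert on any result. The durable fix is to take the capability away rather than watch for it: in `authorize.conf`, the role that developers hold can carry `rtSrchJobsQuota = 0` (no real-time searches at all), a `srchMaxTime` limit, and a `srchDiskQuota`, so a runaway query fails for its author instead of for everyone on the search head.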
Principal Engineer at Publix Super Markets
Real User
A more secure, robust environment, which keeps out harmful software
Pros and Cons
  • "Visualizations are the best way to understand deviation techniques from the norm."
  • "We have a more secure, robust environment, which keeps the harmful software out of the zone required."
  • "More training on PetaData using artificial intelligence techniques to identify the events which are not normal, and exceptions, would help the organization identify threats and malware on the go, with results."

What is our primary use case?

Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.

How has it helped my organization?

We have a more secure, robust environment, which keeps the harmful software out of the zone required.

What is most valuable?

The most valuable features are:

  • Risk analysis
  • Machine Learning Toolkit
  • dbConnect
  • Cisco products
  • eStreamer
  • SIEM

Visualizations are the best way to understand deviation techniques from the norm.

What needs improvement?

More training on PetaData using artificial intelligence techniques to identify the events which are not normal, and exceptions, would help the organization identify threats and malware on the go, with results.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints
Real User
Helped us consolidate all our solutions into an easy tool to use for various employees
Pros and Cons
  • "It helped us consolidate all our solutions into an easy tool to use for various employees."
  • "More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it."

What is our primary use case?

We use Splunk for operations, application monitoring, and security. We are both cloud and on-premise based, so it has been very versatile for us. 

How has it helped my organization?

It helped us consolidate all our solutions into an easy tool to use for various employees.

What is most valuable?

  • Unstructured data
  • Linking things together
  • Building out stuff which is actionable.

Once you learn SPL and what data you need to obtain and merge together, it is really useful. 

What needs improvement?

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

Which solution did I use previously and why did I switch?

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

What was our ROI?

We are a nonprofit, so it is hard to quantify. 

What's my experience with pricing, setup cost, and licensing?

Be upfront about your needs and expectations. Splunk is one of the top SIEM solutions to work with. 

Which other solutions did I evaluate?

No.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2499678 - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 11-50 employees
Real User
We watch all the information in just one place and it provides end-to-end visibility
Pros and Cons
  • "The risk-based alerting (RBA) is one of the valuable features."
  • "I would like to see the asset and identity lookups be more automatic and less manual."

What is our primary use case?

We use it alongside some endpoints to detect logins outside of scheduled work hours. If someone logs in outside of that range, we generate an alert for the security team to review.

How has it helped my organization?

I can use the MITRE ATT&CK framework. With the data that I ingest into ES, the MITRE app gives me visibility into what I'm covering from the techniques and tactics in the framework, which is pretty cool and convenient.

At the end of the day, it's the platform receiving the logs from all the other apps. You're watching all the information in just one place, so it's basically the core tool in the company. So, it is really important that Splunk Enterprise Security provides end-to-end visibility into our environment. 

In a way, Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. However, there are a few tools that are hard to normalize or use data models. And some of the add-ons don't work properly sometimes. Not all of them, but a few.

Splunk Enterprise Security helped us reduce our alert volume by 30%.

Moreover, Splunk Enterprise Security provides us with the relevant context to help guide our investigations. And it's important because we need to set up the basis of the context of what we want to see.

Splunk Enterprise Security helped improve my organization's business resilience. It's a pretty powerful tool. We can monitor and ingest all the data, only if it's not encrypted.

Splunk platform helps consolidate networking, security, and IT observability tools. We watch all that information on just one platform, so that's pretty cool. 

What is most valuable?

The risk-based alerting (RBA) is one of the valuable features. It's a really cool concept to explain and see the impact that you're having on the company.

Splunk Enterprise Security's ability to find security events across different environments, whether in the cloud, on-premise, or hybrid, is really good. Because it gives me a lot of content out of the box, the only thing I need to do is ingest the data, and I'm good to go.

What needs improvement?

I would like to see the asset and identity lookups be more automatic and less manual. I have to search everything and type it. So it should be more user-friendly.

For how long have I used the solution?

I have been using it for six months. 

What do I think about the stability of the solution?

The stability is really good. It's very accessible.

How are customer service and support?

Most of the time, some docs are not available. When you see the documents, they add a link; we go to the link, but it's not available.

Also, the customer service and support have a lot of old questions that are not updated.

How would you rate customer service and support?

Neutral

How was the initial setup?

It's pretty easy. The first thing you need to do is the onboarding phase. After that, you need to review that the logs that you're receiving are good. And after that, you need to start working with the correlation searches and setting up everything.

What about the implementation team?

The deployment was done internally. 

What was our ROI?

We have definitely seen an ROI. It is worth it!

What's my experience with pricing, setup cost, and licensing?

The pricing is always going to be different because it depends on the project you are working on and how much data you are going to ingest. But it's definitely worth it.

Which other solutions did I evaluate?

We directly chose Splunk to begin with.

What other advice do I have?

Overall, I would rate it a nine out of ten. There are a few things that need to be more automatic because there's still a lot of manual work to use it.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
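A worked version of this reviewer's use case, detecting successful logins outside a user's scheduled hours and feeding the result into risk-based alerting, added as an illustration; it is not the reviewer's search. The first search is the detection; the second is the risk-incident rule that raises a notable only once an entity has accumulated enough risk from more than one source. Assumptions: the Authentication data model is accelerated; a CSV lookup named `user_work_hours` (columns `user`, `work_start`, `work_end`, `tz_offset_hours`, the last being each user's offset in hours from the time zone the search head renders `_time` in) is created and maintained by you; the `svc_*` service-account prefix is an assumed naming convention; and the `risk_*` field names and `All_Risk.calculated_risk_score` follow the Enterprise Security risk-index conventions, which you should confirm against the Risk Analysis action documentation for your ES version.

```spl
| tstats summariesonly=true count
    min(_time) as first_seen max(_time) as last_seen
    values(Authentication.src) as src dc(Authentication.src) as src_count
    from datamodel=Authentication.Authentication
    where Authentication.action="success"
      NOT Authentication.user="*$" NOT Authentication.user="svc_*"
    by _time span=1h Authentication.user Authentication.dest
| rename Authentication.* as *
| lookup user_work_hours user OUTPUTNEW work_start work_end tz_offset_hours
| eval work_start=coalesce(work_start, 8),
       work_end=coalesce(work_end, 18),
       tz_offset_hours=coalesce(tz_offset_hours, 0),
       local_time=_time + tz_offset_hours * 3600,
       local_hour=tonumber(strftime(local_time, "%H")),
       local_dow=strftime(local_time, "%a")
| where local_hour < work_start OR local_hour >= work_end
      OR local_dow="Sat" OR local_dow="Sun"
| eval risk_object=user, risk_object_type="user",
       risk_score=case(local_dow="Sat" OR local_dow="Sun", 30,
                       local_hour < 6 OR local_hour >= 22, 40,
                       true(), 20),
       risk_message="Off-hours login by ".user." to ".dest." from ".mvjoin(src, ",")." at ".strftime(local_time, "%Y-%m-%d %H:%M")." (".local_dow.", local offset ".tz_offset_hours."h)"
| table _time user dest src src_count local_hour local_dow risk_object risk_object_type risk_score risk_message

| tstats summariesonly=true
    sum(All_Risk.calculated_risk_score) as risk_score
    count as risk_event_count
    dc(source) as source_count values(source) as sources
    min(_time) as first_seen max(_time) as last_seen
    from datamodel=Risk.All_Risk
    by All_Risk.risk_object All_Risk.risk_object_type
| rename All_Risk.* as *
| where risk_score >= 100 AND source_count >= 2
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| table risk_object risk_object_type risk_score risk_event_count source_count sources first_seen last_seen
```

Schedule the detection hourly with a one-hour lookback and the Risk Analysis adaptive response action attached; schedule the second search over the previous 24 hours with the Notable action. The split is where the alert-volume reduction the reviewer mentions comes from: a single off-hours login writes 20 to 40 points of risk and produces no notable on its own, and an analyst only sees the user once a second, independent rule has also fired on them. The exclusions on `*$` (Windows machine accounts) and `svc_*` matter, because scheduled jobs and service logons are the commonest source of "off-hours" noise; the per-user time zone offset matters because `strftime` renders in the search head's configured zone, so a global workforce scored against one fixed 08:00 to 18:00 window produces false positives for everyone outside that zone.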