Splunk Enterprise Security Reviews

The project we are working on with Splunk is short as the customer has given us two months to implement. My company is a Splunk partner.

Splunk is quite flexible for our customers. Splunk does not filter from a specific lock, you can define it later.

I would like Splunk to add more integration. QRadar has many indications with more products than Splunk.

I have been working with Splunk for three months.

Splunk is quite good if you want to scale it.

My client has some pain points with QRadar and does not feel the kilogram function is accurate. Other features do not match with the customer behavior as well. They want to replace QRadar with Splunk because they are familiar with this solution.

The initial setup of Splunk is complex. It requires a lot of equipment and uploads.

My company provides the implementation and maintenance services to our customers.

Splunk licensing requires you to purchase licenses for any feature per user. For example, if you need UEBA, it is difficult to propose in the project. QRadar has a free upcharge for UEBA. Customers cannot calculate the additional costs based on gigabytes per day because they can not forecast the future.

Due to the cost of Splunk, I recommend it for larger companies. Splunk is powerful when sorting huge amounts of data. 

Implementation of Splunk takes preparation. It requires a lot of resources and needs the infrastructure to support the project.

I would rate the solution an 8 out of 10.

We primarily use the solution for monitoring and security.

We can use the solution to try to find some correlational data. For example, in banks, there is usually a protocol whereby users cannot withdraw more than a certain amount of money from an ATM. However, we find that, when people are on holiday, they are trying to withdraw more than the allowed amount. It's a use case we can deploy in our country. You can set certain rules and watch the data in order to gain insights.

I cannot speak to a specific example of how the solution has assisted our organization.

The solution's capability is its most valuable aspect.

The initial setup is very straightforward.

The solution has proven to be quite stable.

We've found the solution to be very mature.

The integration capabilities are excellent. They have apps that integrate quite well with Palo Alto and Cisco, for example.

Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality.

The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding.

The product is relatively expensive. 

I haven't been using the solution for very long just yet.

The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

We do not plan to increase usage at this time.

We've used technical support in the past. We've found them to be very helpful and responsive. We're satisfied with the level of support that we receive when we reach out for help.

I've previously used LogRhythm, among other solutions. We sell a few different solutions.

The initial setup is not too difficult. It's not overly complex. It's straightforward. The code is very easy.

The deployment took two or three months or so.

We used an integrator to assist us in the initial setup.

The problem with the product is that the price of Splunk is very high. It is an industry leader and therefore it's high in terms of price. That is the issue in our country. Sometimes people want to buy Splunk, however, due to the budget, they are not able to.

We are resellers.

We use a variety of deployment models, including private cloud and hybrid.

This solution is the best security solution. If a company is looking for the best, they have to buy Splunk. It is a very good and very mature solution. It is very easy to integrate with some other service or security solutions. If they have specific solutions that need to be integrated for monitoring purposes, it should be a problem. For example, it integrates very well with Cisco.

I'd rate the solution at a ten out of ten. We are quite happy with its capabilities.

We are using Splunk as a SIEM tool. We're using it for monitoring.

The ease of log connection has been great. 

Its compatibility with other SIEMS is very useful. 

They have many basic use cases that we like. 

The cloud version of the solution is especially scalable.

The product has been quite stable so far.

The initial setup is very easy.

Technical support is lacking post-sale.

The modification of firmware could be improved.

We find that the maintenance process could be a lot better. 

The solution is more expensive than other options on the market.

We haven't been using the solution for too long at this point. It's been about four months or so.

The stability has been good. It offers good performance and doesn't seem to be buggy. There aren't glitches. It doesn't crash or freeze. It's reliable.

The solution is scalable. This is especially true for the cloud deployment model. There really isn't anything holding you back if you use that version.

We have around 100 people on the solution currently. 60 to 70 of those are technical users.

We do plan to keep using Splunk. 

Technical support services are lacking, especially after you buy the product. They aren't as helpful or responsive as we need them to be. However, when we do reach them, they are good and they help.

I have used McAfee Nitro in the past and IBM QRadar as well.

The initial setup is not complex. It's very straightforward. In fact, it's far easier to install than other log tools on the market. A company shouldn't have any issues with the process.

That said, I did not work on the installation myself. Other people at the company handled that aspect of the process.

The maintenance process could be better. It's a bit difficult once the deployment is done. We need about five people for maintenance tasks.

When you compare the services and features, the pricing is reasonable. That said, if you compare Splunk to other options on the market, it is more expensive.

As we recently purchased the solution, we are using the latest version right now.

I would recommend the solution to other users. 

I would rate the solution at an eight out of ten. If the solution offered a better price and better support services, I would likely rate it higher. However, for the most part, we have been satisfied with the product and its capabilities.

In the beginning, we just wanted to collect the logs from the different devices, like the nano storage, Linux, Windows, and VMware. We tried to get the uniform solution to collect and analyze all of the system logs.

Our current companies need this solution. We need it to highlight the old logging events. Based on the different device and systems, we have Splunk and we can clearly explain the everyday field logging of events in the different IT environments.

In the past, we used a different application to collect logs. We used SurfWatch and VMware to do so but we found that the Splunk has more capacity to do more in less time. They provide a faster speed to index all the events which is a huge asset.

The user can apply for all kinds of device systems, no matter whether he/she is using Windows or Linux. It can easily collect the logs. In addition, the user can have an index which can help us to collect and analyze all kinds of logs and find the outstanding issues.

Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.

It is stable.

Scalability could be improved.

We used SurfWatch and VMware in the past.

I was not involved with the initial setup. 

I am not personally involved with the pricing of the solution.

We also looked at Selopene SIEM. It is a premier logging site.

We use it for log aggregation. 

If you have a large number of devices, you need to aggregate log data to make more sense of it for parsing, troubleshooting, and metrics. This is all we use it for.

If I need to track logs for certain application, I will push all of those logs to Splunk so I can run reports on those logs. It is more about what you are trying to do with it and what you need from it.

We use it primarily for troubleshooting. We had an issue with SaltStack recently and were able to look for the same log entry on a thousand servers simultaneously, making the process easy.

The ability to create dashboards.

You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.

I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

It's been very stable for us. Most of our stress in not from Splunk, but from disk I/O, like input and output for the disk that you are writing logs to. We have had more issue with our own hardware than Splunk. 

You have to make sure if you're writing an enormous amount of data that you have your I/O sorted out beforehand. 

It scales fine. We haven't had any issues scaling it. Our current environment is about 30,000 devices. 

The integration of this product in our AWS environment was very simple. We just forwarded our logs to it, and that was about it. 

It has agent-base log forwarding, so it is very simple, not complicated at all. This process is the same from on-premise and AWS.

If you have a large number of servers, even a few hundred servers, then you need to track specific data and log information from a lot of servers. You can either go to each server individually or set up jobs to ship those logs somewhere with rsync or Syslog. The other option is use Splunk and push them all to Splunk, then from Splunk you can just create alerts and run reports against all that data in one place with a single query rather than having to do all that work repeatedly. It saves us a lot of time, just in man-hours, and being able to look at hundreds or thousands of servers simultaneously.

Splunk has no real competition. It is just Splunk, and that is it.

Build your environment a lot bigger than you think you will need it, because you fill it up quickly. We log somewhere in the neighborhood of two to four terabytes a day per data center.

We use both AWS and SaaS versions. With the SaaS version, you don't have as much control, but it functions the same, so there is no real difference. Though, the AWS version is probably easier to scale, because it is AWS. 

We typically use it for centralized log management and SIEM functionality.

I am using the most recent version of it.

As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.

The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.

It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.

To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.

I have been using Splunk for about seven years.

It has been very stable. It is pretty rock solid.

It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.

Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.

We've had a few calls, and they're very responsive.

We were using an assist log backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.

It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.

It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.

We used packaged professional services from a partner of Splunk. Our experience with them was very good.

In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.

It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.

They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.

I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.

I would rate Splunk a seven out of 10. 

The primary use case is to analyse and monitor big data, creating various dashboards, alerts, etc.

• We can do things in minutes instead of days.
• We solve issues that we previously could not since we now have the data.
• We can quickly search for almost anything across many log sources in seconds.
• Teams have the dashboards or alerts that they need.

There are too many features to list, but here are a few:

• Schema on the fly

• Ease of onboarding data

• Machine learning

• Apps or Splunkbase.
• Great list of apps to use and build upon once you learn more about how Splunk works.
• Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.

• Data Models Acceleration for super fast searches across tens of millions of events.

• Common Information Model

• Security Essentials App

• Enterprise Security

• Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities.

• Log storage or compression is great and retention is not an issue.

• Dashboards are simple to create and has input options, like time range and text.
• Drop-downs are simple to create.

• The integration with cloud solutions is great and keeps getting better.

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.

Also, AngularJS/ReactJS inclusion could be made easier in GUI.

Personnel costs are saved by not having to involve domain developers from multiple teams when tracing a problem that spans multiple platforms.

We build many of our own apps by leveraging the logic in others.

• Monitoring IT and other processes for a large university.
• Leveraging alerts and dashboards to detect and predict security breaches and other events.

Splunk has enabled us to detect, even predict potential security issues, before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.

The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data. 

• Certain sections of the developer documentation could use some updating and clarification.
• Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
• Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

Support is quick and competent.