Splunk Enterprise Security Reviews

100%. VMware needs log information to troubleshoot; it's not easy finding problems.

Downloading and uploading logs have become an issue.

• In-depth logs
• Add-ons 
• The ability to ingest data from other tools
• The detailed log view
• It's easy to read

• The amount of time it takes to troubleshoot not-easily-available data
• Also, hours on the phone with VMware techs.

It is mostly centralized logging, a whole bunch of BI metrics, and an aggregation point, which we have adulterated for some PCI data.

It does meet our use case for the most part.

We like the dashboard creation and the ease with which we can harness the APIs to create custom BI dashboards on the fly. This adds most value for us. The nature of some of our microservices that I have run on the cloud are mixed workloads, wherein with the flow of data, it can change over time. In order to adjust for this, and cater to the needs of some of our internal customers, BI dashboards need to be created, tweaked, and modified. Also, doing this by hand is next to impossible. Therefore, we have strung all of this through a programmatic pipeline, which s something which we like because it is easier for us to harness it utilizing the API.

For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster.

With the AWS hosted version, we have not hit this bottleneck yet, simply because we are not yet at the multiple terabyte scale. We have hit with the on-premise enterprise version. This is a problem that we run into every so often. We don't run into this problem day in and day out. Only during the month of August through October do we contend with this issue. Also, there is a fair bit of lag. We have our ways to work around it. Between those few months, we are pumping in a lot of data. It is between 8 to 10 terabytes of data easily, so it is at a massive scale. There are also limitations from the hardware perspective, which is why it is an optimizing problem.

On the cloud, we are pushing through less than half a petabyte of data. So far, it has been fairly stable because it runs on all the underlying AWS infrastructures. Therefore, we have had no issues at all. In terms of availability or outages that we've experienced, there haven't been any. We've been fairly happy with the overall landscape of how it works on AWS.

On cloud, we absolutely like it. Splunk AMIs make it easy for us to spin up a Splunk cluster or add a new node to it. For our rapid development and scale of deployments in terms of microservices and the number of microservices that we run, we have had no problems here.

On-premise requires a lot of planning, which happens on a yearly basis. We have Splunk dedicated staff onsite for on-premise to help us through this. 

We have 450 people making use of Splunk in our organization, and there was a bit of knowledge transfer needed on how to write a Splunk query. So, there is a bit of a learning curve. Once you get over it, it is fairly simple to use. We also have ready-made Splunk queries to help people get started.

We do deal with technical support on an ongoing basis. They can definitely do better from a technical point of view. Their only purpose working onsite is to make sure that our massive set of Splunk clusters are online, and the clusters are tuned well enough to work well.

We would expect the technical support people onsite to be subject-matter experts of Splunk. We have seen in a few areas where we have been left wanting more, wherein some of our engineers happen to know more than them in terms of some of the query optimizations, etc. This is where we think there is a fair amount of improvement that can be done. 

We wrote the automation to bootstrap everything onto AWS, which was fairly easy. As long as we had all the hooks going into AWS, and we had the SDK. So, we did not have too much trouble getting the bootstrap up and running.

Some of the insights that we have obtained as a part of using Splunk have greatly helped us in increasing our revenue in terms of selling our products.

We have seen a decent ROI. For the month of October 2018, when we had a product launch, we were able to query and generate BI dashboards on the fly. This was huge, and not possible two and a half to three years back because it was more of a manual process. Now, with APIs being available, it is very simple to tweak or write a small piece of glue code to go ahead and create a new dashboard for a business unit to make near real-time decisions to focus more on other geographies when launching the product.

I wasn't there when the evaluation was done. When I came on board, this product was handed down to me, and we have not evaluated any other solutions or products since then.

Make sure it fits your use case. Be clear about what you want to achieve, get out of the product, and how you want to integrate it. Once you tie the solution into your systems, it is not trivial or easy to walk away from. Therefore, due diligence needs to be made to understand what your requirements are before choosing a product. Some companies may not even want to host, and prefer to go the managed services route.

We have it integrated with every product that I can think of.

We use both the AWS and on-premise versions. The AWS hosted version typically caters to all the microservices that we run on AWS, so there is a clear segregation between on-premise and cloud. In terms of usability and experience, both of them have been similar. We have seen a few bottlenecks on the cloud, but that can probably be attributed more on the user side of the house in terms of the way we write our applications and the type of payloads that we sent this month. This is an optimization which is ongoing from our end. Other that, we have been fairly happy with Splunk and what we get out of it.

We primarily use it for SIEM.

It has a big user base, so the community is useful.

The community surrounding the product is okay, but I would like more material supplied by Splunk around some more common integration stuff. I wish there was a bigger library, because we are building stuff. Where I often feel like other people have done things before, we are reinventing the wheel. While it is not a core piece of our organization and it is not a priority, it does inform our SIEM platform. It would be nice if there was a little more cookie cutter solutioning inside of it, and that they would take a little more time to shake it out.

The first year and a half was a little wacky with its usefulness, but now it is a solid piece of our infrastructure.

We don't have any issues with it now. We had some issues in the past, but we chalked those up to user error. We didn't know what we were doing at first.

We haven't had any issues with it.

I haven't heard any complaints about the technical support.

The integration with all our tool sets felt like we were reinventing the wheel, which was a pain point for us.

It would be nice if the pricing were cheaper. However, we did purchase it.

We evaluated Alert Logic and Splunk. We still use both products heavily. 

We have different use cases for the products. At first, Splunk was free, so we started to take more advantage of it.

Do your homework and make sure it fits your needs.

The product is pretty good. We are pretty satisfied with it. It does what it does.

We host the product on AWS, but we did not purchase it on the AWS Marketplace.

Splunk provided me a platform to analyze both infrastructure loads and application performance for quick troubleshooting saving a load of time. Versatile apps at Splunkbase helped me to better configure and enhance visualization of the KPIs in my application.

• Splunk has reduced application downtime by helping identify the point of failure.
• It has helped in identifying information streaming bottlenecks. 
• Its machine learning capabilities along with custom script implementation has helped the organization a lot.
• Visualizations helped the organisation have a better understanding of its KPIs. 

Its huge, versatile AppBase helped me to configure and bring data from different sources to a unified platform. 

• Custom visualizations are real hard. While the default visualizations are good, creating enhanced visualizations are complex.
• Configuring a few apps is complex, not straightforward.

No stability issues.

No scalability issues.

Splunk setup is easy and straightforward. 

Splunk is a bit pricier, but the benefits and ROI are huge.

We also evaluated ELK, Dynatrace, and New Relic, but Splunk provided a comprehensive solution to fit our all around needs.

It is deployed to investigate, detect, respond, and prevent security incidents and threats by providing valuable context and visual insights to make faster and smarter security decisions.

• Splunk delivers a holistic view of an application (the big picture).
• Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value.
• Significant reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.
• Splunk visualization capabilities help pinpoint problem areas, spikes, and anomalies easier and faster.
• Ability to monitor and resolve integration problems before they impact the business user area.
• Splunk is being used as part of the development life cycle, resulting in better quality and more efficient applications.
• Provides additional insights into a 360 degree view of the customer.

We usually have to follow up with technical support on our open cases. Otherwise, Splunk listens to customers and is constantly incorporating their feedback in future releases.

There are no software stability issues. The issues so far have been internal.

There are no scalability issues. If you are planning on using Splunk for security use cases, I would recommend you go with Linux for your OS.

We have the enterprise level of support. This is one area Splunk could improve upon, since we usually have to follow up with them on our open cases.

We did not have a previous solution.

There were no issues with the initial setup. We utilized Splunk’s partner zones for the initial setup. In retrospect, we should have utilized Splunk Professional Services.

Although Splunk is an expensive product, it is designed to be utilized across your organization in order to maximize your ROI and lower your TCO.

We contacted Gartner and other business associates to determine what others are paying for Splunk.

We started researching ELK (Elastic, Logstash, Kibana). But management was so impressed with Splunk that we ended this research.

Ensure you have an executive sponsors to fully deploy Splunk across your organization to maximize your ROI and lower your TCO.

Make use of Splunk Professional Services.

The project we are working on with Splunk is short as the customer has given us two months to implement. My company is a Splunk partner.

Splunk is quite flexible for our customers. Splunk does not filter from a specific lock, you can define it later.

I would like Splunk to add more integration. QRadar has many indications with more products than Splunk.

I have been working with Splunk for three months.

Splunk is quite good if you want to scale it.

My client has some pain points with QRadar and does not feel the kilogram function is accurate. Other features do not match with the customer behavior as well. They want to replace QRadar with Splunk because they are familiar with this solution.

The initial setup of Splunk is complex. It requires a lot of equipment and uploads.

My company provides the implementation and maintenance services to our customers.

Splunk licensing requires you to purchase licenses for any feature per user. For example, if you need UEBA, it is difficult to propose in the project. QRadar has a free upcharge for UEBA. Customers cannot calculate the additional costs based on gigabytes per day because they can not forecast the future.

Due to the cost of Splunk, I recommend it for larger companies. Splunk is powerful when sorting huge amounts of data. 

Implementation of Splunk takes preparation. It requires a lot of resources and needs the infrastructure to support the project.

I would rate the solution an 8 out of 10.

We are a solution provider and Splunk is something that we provide as a service to our customers.

The most valuable feature is the reporting and the information that is provided by the tool.

It is very easy to implement a PoC using Splunk, which will show the value of the reporting and data that it provides.

The integration is seamless with many devices and operating systems.

It is flexible enough that you can choose what kind of deployment model you want.

They have a large solution toolkit that supports IoT, wherein businesses can get a lot of help with the centralized management functionality. There are also tools to assist from the security and SIEM perspective, and there is a centralized dashboard.

Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards.

When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.

We have been working with Splunk for approximately three years.

This product is very stable.

Splunk is a very scalable solution. Being a Japanese product, they will ensure that all of the features work in any environment. It is very heterogeneous. It can integrate with Windows, Linux, AIX, HP-UX, and Solaris. It also supports IoT devices, mobile phones, and more.

We have more than 150,000 people using our services.

The Splunk team has good, proactive support. Also in terms of assisting with the installation, they are quite good.

Splunk is similar to IBM QRadar, which we also have experience with. However, Splunk has advanced SIEM features included with it, so we often use it to satisfy this requirement. Whenever an organization is looking to implement SIEM, they have the flexibility to choose Splunk, QRadar, or the ArcSight Logger solution.

One of the major differences that I see between Splunk and QRadar is that Splunk gives the users fewer devices, so they can do things quicker. 

The installation for Splunk is easier than competing products QRadar and ArcSight.

We have Splunk deployed on the cloud so that we can provide the service, but some of our customers have it installed on-premises.

All the user has to do is download the Splunk server agent, install it on the laptop or endpoint, integrate 50 or 100 devices, then see what kind of reporting is available.

We have an in-house team for deployment in maintenance. Splunk is a tool that does not require much staff to maintain. The users can start with a PoC, simply learn it, and deploy it for themselves. They don't require subject experts to be hired for the installation and configuration.

Price-wise, if you compare QRadar to Splunk for SIEM functionality then they are in the same range but when you integrate SOAR with these solutions, Splunk takes the lead and is more competitive.

This is a product that I recommend for anybody who wants and advanced SIEM solutions. Of the three that I have used including QRadar and ArcSight, Splunk is the one that I prefer.

I would rate this solution a nine out of ten.

We are using Splunk as a SIEM tool. We're using it for monitoring.

The ease of log connection has been great. 

Its compatibility with other SIEMS is very useful. 

They have many basic use cases that we like. 

The cloud version of the solution is especially scalable.

The product has been quite stable so far.

The initial setup is very easy.

Technical support is lacking post-sale.

The modification of firmware could be improved.

We find that the maintenance process could be a lot better. 

The solution is more expensive than other options on the market.

We haven't been using the solution for too long at this point. It's been about four months or so.

The stability has been good. It offers good performance and doesn't seem to be buggy. There aren't glitches. It doesn't crash or freeze. It's reliable.

The solution is scalable. This is especially true for the cloud deployment model. There really isn't anything holding you back if you use that version.

We have around 100 people on the solution currently. 60 to 70 of those are technical users.

We do plan to keep using Splunk. 

Technical support services are lacking, especially after you buy the product. They aren't as helpful or responsive as we need them to be. However, when we do reach them, they are good and they help.

I have used McAfee Nitro in the past and IBM QRadar as well.

The initial setup is not complex. It's very straightforward. In fact, it's far easier to install than other log tools on the market. A company shouldn't have any issues with the process.

That said, I did not work on the installation myself. Other people at the company handled that aspect of the process.

The maintenance process could be better. It's a bit difficult once the deployment is done. We need about five people for maintenance tasks.

When you compare the services and features, the pricing is reasonable. That said, if you compare Splunk to other options on the market, it is more expensive.

As we recently purchased the solution, we are using the latest version right now.

I would recommend the solution to other users. 

I would rate the solution at an eight out of ten. If the solution offered a better price and better support services, I would likely rate it higher. However, for the most part, we have been satisfied with the product and its capabilities.