Splunk Enterprise Security Reviews

We use Splunk primarily to provide our security and ops groups with important insights to more efficiently make decisions and take action.

My favorite example of improving of organization is saving a $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports.

Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.

While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

• Monitoring IT and other processes for a large university.
• Leveraging alerts and dashboards to detect and predict security breaches and other events.

Splunk has enabled us to detect, even predict potential security issues, before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.

The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data. 

• Certain sections of the developer documentation could use some updating and clarification.
• Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
• Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

Support is quick and competent.

IT service analytics: 

• Server machine data
• Monitoring data
• Alerting data
• ITSI KPIs
• Real-time reporting
• Month-over-month reporting.

It allows for transparency into IT metrics for insightful business analytics.

It brings together all sorts of data. It has the ability to correlate data, analyze and review it. This makes weekly ops reviews and monthly executive management reporting much easier by saving hours of collecting data. Report automation has been a life saver.

• Free-floating panels in the dashboards are like a glass table. 
• It needs more formatting control without having to be an admin.

Previously, only the service owner could see the data and he might have gone to several places to obtain it. Now, it is all in one place and easy to access. 

Central repository for log collection and analysis in a complex environment. We have used it for a variety of use cases involving SIEM and operational support.

Speeds up root cause analysis and can help identify issues that your organization never realized were occurring. It helps streamline troubleshooting and log analysis.

It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms. 

On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security.

Pricing can be a limiting factor. You have to continuously tune what you are bringing in and make sure what you bring in is of value. 

The connections to the database are very good and updating the data files is simple to do. The dashboards are useful and user-friendly.

We had some connections issues with the solution at the beginning.

I have used Splunk within the last 12 months.

Splunk is a highly stable solution.

The scalability is good.

We have approximately 50 users using this solution in my organization.

I am satisfied with the support from Splunk.

We were previously using Excel.

We used a consultant for the implementation of the solution. The full process took approximately one week.

We had a big problem with communication sometimes during the implementation. Some files in our network were a little difficult to receive. This was our fault because of some of our firewall configurations.

We have a five-person maintenance team that works on this solution.

I rate Splunk an eight out of ten.

We use it for log aggregation. 

If you have a large number of devices, you need to aggregate log data to make more sense of it for parsing, troubleshooting, and metrics. This is all we use it for.

If I need to track logs for certain application, I will push all of those logs to Splunk so I can run reports on those logs. It is more about what you are trying to do with it and what you need from it.

We use it primarily for troubleshooting. We had an issue with SaltStack recently and were able to look for the same log entry on a thousand servers simultaneously, making the process easy.

The ability to create dashboards.

You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.

I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

It's been very stable for us. Most of our stress in not from Splunk, but from disk I/O, like input and output for the disk that you are writing logs to. We have had more issue with our own hardware than Splunk. 

You have to make sure if you're writing an enormous amount of data that you have your I/O sorted out beforehand. 

It scales fine. We haven't had any issues scaling it. Our current environment is about 30,000 devices. 

The integration of this product in our AWS environment was very simple. We just forwarded our logs to it, and that was about it. 

It has agent-base log forwarding, so it is very simple, not complicated at all. This process is the same from on-premise and AWS.

If you have a large number of servers, even a few hundred servers, then you need to track specific data and log information from a lot of servers. You can either go to each server individually or set up jobs to ship those logs somewhere with rsync or Syslog. The other option is use Splunk and push them all to Splunk, then from Splunk you can just create alerts and run reports against all that data in one place with a single query rather than having to do all that work repeatedly. It saves us a lot of time, just in man-hours, and being able to look at hundreds or thousands of servers simultaneously.

Splunk has no real competition. It is just Splunk, and that is it.

Build your environment a lot bigger than you think you will need it, because you fill it up quickly. We log somewhere in the neighborhood of two to four terabytes a day per data center.

We use both AWS and SaaS versions. With the SaaS version, you don't have as much control, but it functions the same, so there is no real difference. Though, the AWS version is probably easier to scale, because it is AWS. 

The primary use case is to analyse and monitor big data, creating various dashboards, alerts, etc.

• We can do things in minutes instead of days.
• We solve issues that we previously could not since we now have the data.
• We can quickly search for almost anything across many log sources in seconds.
• Teams have the dashboards or alerts that they need.

There are too many features to list, but here are a few:

• Schema on the fly

• Ease of onboarding data

• Machine learning

• Apps or Splunkbase.
• Great list of apps to use and build upon once you learn more about how Splunk works.
• Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.

• Data Models Acceleration for super fast searches across tens of millions of events.

• Common Information Model

• Security Essentials App

• Enterprise Security

• Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities.

• Log storage or compression is great and retention is not an issue.

• Dashboards are simple to create and has input options, like time range and text.
• Drop-downs are simple to create.

• The integration with cloud solutions is great and keeps getting better.

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.

Also, AngularJS/ReactJS inclusion could be made easier in GUI.

Personnel costs are saved by not having to involve domain developers from multiple teams when tracing a problem that spans multiple platforms.

We build many of our own apps by leveraging the logic in others.