Splunk Enterprise Security Reviews

I'm the CSSP manager and we are customers of Splunk. 

Splunk is good at log collection and log management.

I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

I've been using this solution for three years. 

Once you set up the solution, you don't really have to worry about it. It's very stable. I like the fact that you can pretty much just patch the OS, and it doesn't really affect how Splunk runs. With a lot of products, you almost have to wait for that company to implement a new patch or version of the product before you can upgrade the server it's on, or anything like that. Or you can't upgrade, you just have to go with whatever they give you, because they're giving you an appliance or something. I like the fact that Splunk allows you to integrate and still run as Splunk and still be compliant with most vulnerabilities out there without affecting functionality.

The solution is extremely scalable. We probably have about five or six users, so all our system administrators use it, they're the ones that implement it. Right now, just the CIO, the CTO, and there's a ISSM who has access. There are plans to add more people once we fully implement the Enterprise Security solution. We have admins responsible for maintenance.

The initial setup is kind of complex but I think it's an issue we have and not connected to the solution. We're still deploying. The company didn't have an implementation strategy, they're kind of just flying by the seat of their pants which wasn't a great plan. We're doing it ourselves, we didn't use an integrator. 

We have a 100 gig annual license. I'm not sure of the cost. Their licensing is based on the amount of data you collect. There is an additional cost for Enterprise Security. If there are any other kind of applications, the APIs that we created that we want to add, there are costs for most of those as well. Their pricing structure really could use a revamp. They really need to review and look at that and see if there's a better way that they can do it. Elasticsearch is a little cheaper and a better product in my view. 

It's important to prepare. You can't just get a solution and start to implement it. A big part of that needs to be preparation, and in IT, we're not great at that. I would go with Elastic, a similar product but better. The licensing is a little different but it gives you a little more freedom to do things. It's really flexible with what you can do and versatile in how you can use it. Splunk is still top when it comes to log collection. If you wanted anything more than that, you should probably look into using several different products. There isn't really one product that you're going to find that's going to give you that coverage and I just like the versatility of using several different products. There are some other things you can use that actually do a better job at the correlation part. 

I would rate this solution a seven out of 10. 

Log collection and search.

The search and query feature is very fast but due to the log size limit (in trial version), we did not get the full benefit.

Selecting the relevant events and records.

Due to the size limit, we could not see the full product.

We use it mostly for log monitoring, and also for trying to raise alarms.

It has helped with troubleshooting, making it easier. Now, we have one place where we can find logs and errors. There is no need to go to the actual server to search for the log file. 

It provides logs in one place, so they are easy to find. It collects the logs from multiple places, then you have just one place where you see the whole flow from the front-end to the back-end. This is the best thing.

The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, then maintaining those long search queries is a quite challenging.

I have not had any issues with it, and we have the whole banking infrastructure running on it.

The scalability is okay as far as I have seen and used it. We have dozens of different environment environments using the same Splunk instruments, and it has been able to scale.

I have not used technical support.

Splunk's website is quite useful. You can find a lot of information on it. I would recommend to use it and try to figure out the product's features and what you can actually do with Splunk. You can do a lot of things with Splunk, but you need to know what to do first.

I have used both the AWS and on-premise versions, but in two different environment, so I am unable to compare the versions.

Although my company uses Splunk extensively, my use case is primarily the Enterprise Security add-on.

Splunk has enabled us to utilize many different data sources and is easy-to-use. It has a rapid response search environment in the event of an incident.

The correlation searches (properly configured) populate the Incident Management dashboard and provide me a quick birds-eye view of my most important concerns.

ES is very powerful, but it requires a mature security posture at the company to take advantage of it currently. The use cases provided by Splunk are a good starting point, but could cover many additional topics to ensure that a smaller or less experienced shop might maximize the value of an ES deployment.

We were using a different SIEM, which was old-fashioned and very structured.

• Flexibility when creating dashboards
• Automated cron searches
• Real-time and scheduled searches with alternate functionalities
• User-base integration with LDAP

It alerted many situations before other monitoring systems identified that there is a critical issue.

VMware and security device integration looks a bit complex.

I have used Splunk for almost three years.

As of now, we have had no issues with stability. It is running like a charm.

From a nodes perspective, there have been no scalability issues.

I can say that support is good.

We never used other solutions.

We used the Splunk Cluster setup. It was a bit complex to set up, but management-wise and stability-wise, it was awesome.

License costs fall under the NDA, but Splunk license costs are public, I believe.

We evaluated Logstash and others, but Splunk plays a pivotal role.

I would strongly recommend this product, as it would be very beneficial for service operations and management.

My primary use case is for log management. It's mostly deployed on-premises, but it can be cloud-based as well. 

The most valuable features are how stable and easy to use Splunk is. 

This solution could be improved by better pricing in general and by easier installation. 

I have been a partner of Splunk for three years. 

This solution is stable. 

Technical support is customer-friendly. 

The initial installation is not straightforward. It needs two or three days, depending on the size of the company. But it can be done with one senior engineer. 

I implemented through an in-house team. 

Splunk has a subscription and a perpetual license. 

This product could use better pricing. 

I would rate Splunk a nine out of ten. I recommend this product to others who are considering implementing it. 

We typically use Splunk to collect and check all the logs and events around the diverse network environment which includes, firewall, switches, and routers. For example, we have traffic that needs to go from one part of the network to another and if we think there is a firewall blocking it along the path, rather than log in to all the firewalls to see what is happening, we simply go into Splunk and the check traffic going across the parts of the network to see where it is being dropped and what is the likely reason it has been dropped.

Splunk has saved our organization time by resolving problems in a quicker timeframe. Before if we had networking issues we would have to log into every single device, check the firewall to see why the traffic is not going across to solve the problem. With Splunk, you only have a single pane of glass to check what is likely happening. This has enabled us to easily go to the right environment and write the necessary security policy to permit such traffic. It brings about faster resolution of problems reduced with visibility.

The most valuable features in Splunk are the search function and the ability to run selected session reports. The session reports are important because I can use them to see what is going on in our environment weekly. Additionally, we can use the graph to see how often that particular event is happening.

Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster.

I have been using Splunk for approximately six months.

We have been satisfied with the stability of the solution.

Slunk scale very well.

We have approximately 50 people in our infrastructure and applications teams using this solution in my organization.

We plan to increase usage in the future.

I have not needed to open a ticket up with technical support. 

Previously to using Splunk we only had some Syslog servers that we sent logs to. However, Syslog servers, do not analyze your logs, they only capturing them. Whereas, in Splunk, you can assess the logs and you can do other things with the log.

I do not think the implementation is difficult.

We have an internal team that does the maintenance of the solution.

I have evaluated DataDog.

Splunk is easy to use and not having the need to log into every single network device for management is helpful.

I rate Splunk a seven out of ten.

I am just a user, and from a user's perspective, it does the job.

It has quite extensive support in terms of integration. If you want to do anything, there are tools for that.

Its reporting can be improved. That's the only complaint I have heard. I don't need the reporting part, but I know that other people in the organization need it.

In terms of new features, I got everything that I needed from the tool. If they want to expand the capabilities to different things, they can cover topics besides log aggregation, etc.

I have been using this solution for two years. I am not using it on a daily basis.

It is stable. We don't seem to have any problems related to bugs. We are very happy with it.

We have our own internal team for its maintenance.

I would recommend this solution. If you are a technical person, it does what you need. If you are not a technical person and you require graphs, that's a different story.

I would rate Splunk a ten out of ten because I have no problems with it.