Splunk Enterprise Security Reviews

We use Splunk on-premise. We mostly use it for log analysis and fraud detection. We are also testing using it in machine learning and other solutions. We have 10 people managing Splunk and we have approximately 150 people using the product in total.

With Splunk, we got more insights out of our data as it includes machine and secure data. It also has a logging attendance system and this helps to protect our resources from any  attackers hacking system information at a granular level

The logging features are useful as are the dashboards and alerts in addition to the organization of data. It has options for creating dashboards and alerts. You can also create queries in the SQL language. Splunk is a user-friendly solution.

Index performance is a bit slow but this is partly due to the huge volumes of data for our industry within our environment This makes the index very large and inefficient in terms of performance. Performance could be improved to cater to this, however. We have also had problems with the compatibility between Splunk and other systems. We have previously been on 5.3 and migrated to 5.5. We are now planning to migrate to version 7.7. It has been difficult to find documentation about the compatibility with Linux. In terms of the interface, it could include some improvements for the look and feel.

We have been using Splunk for one year in our infrastructure environment.

The users access the native cloud solution. So we are taking advantage of the native cloud solution provided, and by using the gentle scaling approach this has helped stability.

We scaled up gradually from three processes up to five, and the performance is okay. So we used gentle scaling  but this also helped stability.

We have used Splunk tech support often. If we have a critical issue such as server down or frequently occurring issues they are always reliable and provide us with solutions to our problems. Technical support for Splunk is good.

Setup is complex. We tried to cluster five indexes. This helped us migrate our data into the Splunk environment. We are using 20 applications which make use of this indexed data. The actual deployment took us about two to three weeks because of some problems getting the data into the system.

We worked with a Splunk consultant who shadowed us to help ensure we performed the process correctly. 

Licencing occurs yearly. We now have a three-yearly support contract as of now.  Licensing is a yearly, one-time cost.

We considered a few alternative products because the logging was faster. In the end, we decided to go to Splunk.

I would definitely recommend Splunk. We will review performance within two years of our three-year contract and then decide at that point what other aspects we need to consider. I would rate Splunk 8 out of 10.

I use Splunk on-and-off — I started with in-house projects, then moved up to commercial projects. 

Splunk can extract all kinds of data. There's no limitation on what kind of structured and unstructured data one needs to extract — it can access any kind of data, including machine-generated data. 

The ease of deploying the agent is great in Splunk. One can easily deploy the Universal Forwarder which can extract any amount of information and put it into an indexer. The flexibility of ingesting any kind of data is good with Splunk.

In regards to action-oriented tasks, If an alert is triggered where I have to perform a certain action in the form of executing a Python script or invigorating a PowerShell script — this is easy to do with Splunk. 

The Splunkbase is great. There are thousands of apps that are already available, I can install those apps with full-connectivity and use them to extract any form of data. The community in the Splunkbase is also really strong. 

The ease of integration with third-party tools is great. In the Splunkbase, there are so many apps that are easy to integrate with. 

The user interface is really good. There is a machine learning toolkit — I like it a lot. They have use cases in place so that people with little experience in machine learning can go through these examples of use cases and gain a better understanding. 

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain.

When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands. 

Our customers often complain that the price of Splunk is too high.

When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings. 

When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.

I started using Splunk in 2018.

The scalability is good. If you have the money, you can expand — it's volume-based, not instance-based. 

I'd say I am happy with the technical support, not elated. They provide great support, but sometimes they don't have the answers that I need. I've only ever raised two big support issues, and both times they haven't been about to fully resolve the issue. In the end, I had to figure it out myself.

We have one or two engineers that take care of all maintenance-related issues. It really depends on the scale of your project. One of our projects required a huge deployment — we needed a huge team to match. If it's a small deployment, then two people are enough.

Its cost model is dependent upon the amount of data used — how many GBs we extract in a day determines our price. The price is not dependent upon how many instances we installed in Splunk. I can install thousands of instances, but it will only charge me according to how many GBs I extract per day. 

Overall, our customers complain that the price is too high.

I would definitely recommend using Splunk. They have free learning models available. There are models available on their learning page where you can gain a better understanding of how to use Splunk. Within one month alone, you can at least understand how to operate Splunk, whereas, with other tools, it can take a lot of time to understand.

On a scale from one to ten, I would give Splunk a rating of nine. The only downside is the cost. Price is the only factor; sometimes, companies shy away from Splunk because of the price.

We are a software development company and Splunk is one of the products that we have implemented for our clients. It is used for log analytics as well as the mobile SDK for checking the stability of mobile applications.

It's the completeness of the solution that we like the most. It has a solution for backend log analytics, but also one for mobile applications.

Our two main complaints are about the difficulty of the initial setup and the licensing model.

The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.

I have been working with Splunk for more than five years.

There have been no issues in particular. What we are using has not been that heavy.

We have not had any problems with respect to scalability.

Based on when we have been in contact with them, I think that technical support was fine.

I'm not sure if they have different support models but I think it took a long time for them to respond. It may be a consequence of the support contract our client had with them.

This is a complicated product to use and you need constant help to set it up. I really wish that it was easier to set up and use.

We do not have any dedicated people who are working on Splunk, but we have a team of approximately 100 people that are responsible for the development of mobile applications, backend systems, DevOps, etc.

I think that most of the log analytics solutions are expensive and I'm not sure if it's worth it. However, I wish that they were less expensive. I am not talking about a single product but rather, all of the ones that are in the domain of log analytics.

Splunk is a good product but I would definitely tell people to analyze their requirements to see if Splunk fits their use case, or not. The licensing model is very complicated, so if there is a product that has a better licensing model then it would probably be good to start with that. Then, later on, if the product is not working well enough, then they can switch to Splunk. At that point, they will have knowledge of the data they are using and will understand the costs that they might incur while using it. 

The only way that I would suggest somebody use this as their first solution is if they already had all of the data that is required to get a cost estimate.

I would rate this solution a seven out of ten.

Since we have an IT services company, we have been using Splunk for the deployment to the customer locations as well. Sometimes the customer will come back to us and say that we need to have a SIEM tool, and when we do the benchmarking, we'll do a couple of deployments on the Splunk side and at the customer's locations as well.

As an example use case, we deployed Splunk to a banking institution a few years ago. There the use case was basically this: the customer wanted to set up a security operation center, and they wanted to have a pretty large deployment in terms of the number of endpoints and number of switches and routers. There were many regional branch offices and they have data centers and therefore, many assets in terms of endpoints. They had 30% of their assets are running on the cloud and they needed a complete solution from an incident monitoring and management perspective. That's why we deployed Splunk. 

They wanted to reduce the MTTR, and meantime resolution, and maintain detection. They didn't want to add more SOC analysts into their SOC as the organization scaled up. They have a plan to scale from 5,000 endpoints into 15-20,000 endpoints. They're very particular about deploying the SOC operation center.

Splunk has since acquired Phantom as a SOAR platform. Therefore, we have tried to manage the security automation using Phantom with the help of Splunk deployments. It helps us meet the customer's requirements.

In terms of support, we're able to get the right support at the right time. If there's a break or an appliance issue, they're are on top of it.

This is very important during large-scale deployments. It's not easy to address product-related issues or appliance-related issues, and the number of collectors or number of logs that come into the collector, and managing the collectors across the branch offices, across the corporate offices, etc. It is a cumbersome process for us. That's why it's integral that we get the right support at the right time - and they make this happen.

The most valuable aspect of the solution is the dashboard. It's very intuitive. 

The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools. 

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.

The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.

The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.

In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

In terms of Splunk, I've been working on it for more than three years in the current company. Prior to that, I worked with it at another company as well. In total, I have been using Splunk for close to six or seven years.

The solution is stable, however, sometimes in some of the collectors, we are facing a lot of issues. That said, overall, if you rate it from one to five, I would say in terms of stability, it will stand at a three. 

The scalability is perfectly fine. It's very awesome compared to all the other tools, as easily we can integrate with the log forwarding modules and the collector management appliances or modules. That aspect won't be a problem. 

If you look at the SIEM as a market today, Splunk is expensive compared to other competitive products. I'm also into the SIEM evaluation in my current role. I've seen that there are many tools are coming up in the last one and half years. I have also seen many other mature tools that are available now. If you compare next-gen SIEM tools compared to the Splunk, it's expensive. Therefore, it's possible we may not use this in the future or expand on current usage.

In terms of technical support, we don't have any issues, as the professional services which they have extended to us are very, very good. We're able to manage many of the critical issues with their support. I'd say we are definitely satisfied with the level of service provided.

In terms of deployment, it's not so complex compared to the competitive products, however, we will be able to manage that deployment. We don't feel there's any problem on the deployment side. In that sense, I don't think deployment is a complex one when somebody going for Splunk as a tool.

How long it takes to deploy the solution depends on the size of the deployment, basically. Even a large deployment won't take more than a week. When I say deployment, I'm considering all the log collection, log management, and the curation of the incidents, and how incidents are created and routed properly according to prioritization. 

In terms of ROI, for example, if you look at one of our customers today, they are managing close to 100 million events per day. If you look at a traditional SIEM with 100 million events, they need to manage this environment with at least 25 to 30 people. That's 30 security analysts that have to be there. However, when Splunk was deployed, a lot of automation was added on top of it, and today we are managing the same environment with Splunk with close to 15 people. In that sense, if you look at it that way, the ROI is between 30-40%.

In terms of a comparison with the rest of the competition, the licensing cost would be, I would say, 30% higher than most.

Before choosing Splunk, we have evaluated QRadar and LogRhythm. QRadar is much more expensive. LogRhythm lacked reporting.

We ended up choosing Splunk due to the pricing and the reporting features. It also had the kind of scalability that was required. We felt it would help us in terms of positioning from both a cost perspective and an incident alert perspective.

We're partners. We have a business relationship with Splunk.

We're using the latest version of the solution.

Overall, I would rate the solution at a seven out of ten.

I'd advise potential new users to ensure they do proper sizing before deploying the product. If it's a very large deployment, the number of endpoints will be quite sizeable. You need to figure out the correct number of endpoints as well as endpoint devices, switches, routers, etc.

It's also a good idea to look at use cases. Splunk is very strong in some use cases. It's important to look into deployment scenarios and check out the use cases before deploying anything.

My biggest takeaway after working with the solution is that the environment is very important. You need to be clear about the problem you are addressing and it takes a lot of planning at the outset.

We are using the mobile SDK to check the stability of mobile applications.

The completeness of the solution is what we like the most.

It's difficult to set up initially, and their billing model is also a bit complicated. 

We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers.

In order to know how much it will cost, you need those numbers.

I really wish that it was an application that was easier to use.

I have been working with Splunk for more than five years.

We have not experienced any issues.

For our use cases, we have not required any scaling.

The technical support is fine. At times, they take time to respond back but it may have been the support contract that our client had.

I would assume that they are not as responsive as we want them to be.

We have a team of approximately 100 people who are responsible for the development of mobile applications, DevOps, and application development.

The licensing cost model is complicated.

I think that most of the monitoring solutions are expensive. I wish they were less expensive, for all types of products for monitoring.

We work with Splunk, but we are looking for some LOG Kinetics solutions for our clients.

I would definitely suggest sending people to analyze or evaluate Splunk.

Because the licensing model is very complicated to understand, it would be better to start with another product that provides a better licensing model. Later, if the product is not working well, they can consider using Splunk and may have a better understanding of the cost.

For me, I would not recommend Splunk as their first solution unless they have all of the data that is required.

I would rate Splunk a seven out of ten.

We are using it for logging and monitoring.

Splunk Enterprise Security helps with application events. It provides end-to-end visibility into our environment which is most important for us. It reduces the time to react to an event.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. It can help identify and solve problems in real-time, but we have mainly utilized it for post-identification correction.

It provides us with the relevant context to help guide our investigations. It is easier for developers to take action once an anomaly is detected. We have been leveraging Splunk dashboards for that.

Splunk Enterprise Security has helped speed up our security investigations, but I do not have the metrics.

They are a good partner for Google Cloud. It provides great visibility, threat detection, and proactive mitigation of risks for our mutual consumers.

We have been selling Splunk Enterprise Security along with Google Cloud for about two years.

We had a very bespoke solution. It was a shared model. The scalability was good.

Their technical support has been good. I would rate them an eight out of ten.

Positive

We have not used any other solution previously.

Our customers have seen an ROI, but I do not have the metrics.

The variables and the flexibility that Splunk provides are helpful, especially in a hybrid and multi-cloud environment.

I would advise others to start early.

Overall, I would rate Splunk Enterprise Security a ten out of ten.

We use Splunk Enterprise Security for our enterprise security.

Adding more use cases to Splunk can improve our threat detection speed.

It has helped normalize our data.

Splunk Enterprise Security has helped reduce our alert volume and speed up our security investigations.

The graph visualization is the most valuable feature.

Splunk Enterprise Security needs to improve its stability.

The UI can be difficult to understand for non-technical people.

I have been using Splunk Enterprise Security for four months.

I would rate the stability of Splunk Enterprise Security a four out of ten. Some bugs cause downtime.

I would rate the scalability a six out of ten.

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security's robust framework enables it to support a wider range of use cases, making it more adaptable and versatile for tackling diverse security challenges.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security's visualizations are detailed and help users normalize data, making it extremely useful.

The vast array of use cases enabled by Splunk Enterprise Security empowers security teams to address diverse threats and enhance overall security posture.

I used it in the SOC environment to get logs, create dashboards, and filter out data.

The indexing and data collection are valuable. 

Its search or filtering capability is nice, but it can be improved. It is currently a bit complicated, and it should be simplified. If we can write the search filter in a more simplified way, it would be better.

Their sales support and tech support need improvement. Their support is really bad.

I used it for nearly one year in my previous organization. I last used it about seven months ago.

It is stable.

Its scalability is good.

Their sales support and tech support are really bad. They take really long to respond.

We were using AlienVault. We switched because we weren't really happy with it. So, we looked into different solutions, such as Splunk.

Its initial setup was okay.

We did it ourselves. We had around two people for deployment and maintenance, but we had around 15 users. They all were SOC people.

We had a yearly subscription.

I can recommend this solution to others. It is a great product. 

I would rate it an eight out of 10.