Splunk Enterprise Security Reviews

Its performance, scalability and most importantly the innovative way of collecting and presenting data.

Fast search! Imagine a scenario with an application environment where a couple of modules are based at a different servers. There is a system issue and a check needs to be completed in a timely manner. Traditionally engineers would have to login to the servers, navigate to different folders and load the log files to check for errors. Splunk can give this at a glance for all of the systems at once! Furthermore a “trap” of known errors could be saved and a real time alert setup to send an email in a meaningful way with relevant details (e.g. priority, affected systems) and instructions what needs to be done next.

Helpful for systems support, monitoring of the operations and deliveries, analysing trends and performance. Great for making sense of the application log’s events for business needs - e.g. requests per day, completed tasks per user, exceptions, KPI etc.

It can be easier to setup and adding new sources which Splunk are improving with every new version.

I have used it for two years.

No issues encountered.

It's running great given the information it processes.

Really scalable solution. Could be split into soft/hard forwarders if needed and even completed in an HA setup.

Splunk have dedicated staff trying to change the world for the better.

Splunk have introduced their own certification path which guarantees that the technical support will have the needed expertise.

I am familiar that there are other solutions out there but I haven't used them. Started with Splunk.

The initial setup requires some good analysis - what would be collected, from where, how to group the incoming data in virtual folders and indexes so it make sense and ease/scope the search later on. Apart from that the initial application setup is straightforward.

Implemented in house with the support of the vendor with high level of expertise.

I'm not sure about the money but in saved time and a new kind of visibility for the system/business process this product has been revolutionary in the working environment. The demand for deeper integration and more details hasn't stopped since the initial implementation and we have moved on from just technical and business reports, KPI reports from other systems and we keep building new alerts, dashboards and reports as per new requirements.

Not sure about the cost but I have heard it can get pretty costly for an Enterprise grade scale as the environment I work in. For home it is free up to 500Mb a day. Day-to-day cost for the product itself is costing just system resources, however the development work that needs to be completed for new requests and keeping the old one up-to-date can raise the budget according to the expertise needed.

Go for it and be brave. Experiment, add, remove, modify. Keep what is not working until it is working how you want and then delete the rest. Make a library of useful search queries and a diagram of systems and related files included in the indexes. Do not allow access for everyone to run DB queries as per the other forms of DB access. Install 3rd party modules and play with them. Collect system events for the OS and relate it to application performance. Trap the errors you have identified, create alerts and follow name convention for email subject (e.g. priority, type, system, description).

The solution is primarily used to monitor the operating system for threats, specifically related to login threats. If someone trying to log-in, or somebody trying to break into the system, the idea is it will check that and catch things. It's mainly for external threats to the operating system.

The solution has improved our organization by providing a comprehensive picture of any external threats to the operating system. It improves asset control.

The logs on the solution are excellent. Mostly I see just the reports or the outcome, however, with the log portion, where you could actually take log entries and pass them through the system in order to create events or conditions, and get reports. You can set up your conditions to the logs that you invested into Splunk, and get the reports or the output that you want. 

We're still going through it at this time. However, there are a few changes that could be made.

It could be more user friendly, in terms of the end-user experience. The end-user aspect of it could be more enhanced, whereby you could probably have a lot more people that could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert.

Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible. 

There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.

We've been using the solution for three years.

I can't really speak to the solution's stability beyond how I use it, which is for training. However, I've never experienced bugs or glitches on it and therefore believe it to be very reliable.

The solution seems to be very adaptable, and if not, we'll figure it out what to do in the next couple of years when the program has developed more, and the general capabilities become apparent. 

It is a log parsing tool, so if you take any type of log, operational or financial or security logs, and you put it in there, hopefully, we will find out that a log is a log, and you just create your events and you get the output that you want. Therefore, I don't foresee an issue with scalability per se.

The technical support is pretty good. I would rate it at a seven out of ten. We're mostly happy with the level of service we receive from them.

What they probably need to do is help make the reports more manageable for the end-user or to help the end-user understand them more easily.

We didn't previously use a different solution. We've only ever really used Splunk.

The initial setup was not complex. It was pretty straightforward. It was already loaded on the environment. It's managed by a third party or service provider, therefore we just kind-of fell into the rhythm of using it pretty quickly.

We're just a customer. We don't have a business relationship with Splunk.

We're using the latest version of the solution.

I'd advise those considering the solution to do some basic training before jumping into using the solution. It will help you understand how everything is supposed to work.

I'd rate the solution at an eight out of ten, due to the fact that it's more flexible than other solutions. I like the idea of taking a log, any log, and putting it into a tool and creating your events and your conditions in order to get the output that you're looking for. It's more scalable and flexible than other options on the market.

Log collection and search.

The search and query feature is very fast but due to the log size limit (in trial version), we did not get the full benefit.

Selecting the relevant events and records.

Due to the size limit, we could not see the full product.

We use Splunk for infrastructure monitoring, application monitoring and in the security space for our organization as well as for our customers.

Since Splunk is a platform for data, we can ingest and correlate data from virtually any type of system.

It has a fast turnaround time for setting up monitoring/alerting and forecasting of trends as per our customers' requirements.

The following are top three features that I find quite valuable:

1. Capability to expand the functionality through custom code for data inputs, commands, visualization, alerts, and machine learning.
2. Quick turnaround time for setting up monitoring and alerting with built-in capabilities, plenty of enterprise grade apps available on Splunkbase, and custom coding based on Splunk development skill level.
3. Free Splunk license for PoCs on personal machines and the ability to scale the PoC to an enterprise level app.

• Scheduled PDF generation does not work well for all visualizations, and it does not work for custom visualizations.
• While scheduled reports can be embedded, Splunk dashboard can not be embedded directly without enabling cross origin.
• Missing capability for audio/video and image processing.

The analytics and querying the indices is super easy.

The data representation options in the dashboards are excellent.

Multiple datasource/filetypes are supported and each can be customized in a few clicks.

Security administration and user access control is pretty basic. This can be improved.

The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc.

If this is improved, with a mapping against LDAP roles, it would be excellent.

We had no stability issues.

We had no scalability issues.

Technical support and the online community are some of the best for any product.

We did not have a previous solution.

The setup was quite easy and there is lot of technical documentation for handholding you through the process.

Pricing and licensing is quite expensive. But for the value the product provides, it seems at par in the market.

We looked at IBM SmartCloud Analytics and Log Analytics.

Please watch out for the licensing agreement. There are a lot of IP specific clauses that Splunk has included in their license agreement. Per my understanding, any plugin available in the community cannot be used OOB, due to licensing restrictions. (This might be specific to our organization.)

• Flexibility when creating dashboards
• Automated cron searches
• Real-time and scheduled searches with alternate functionalities
• User-base integration with LDAP

It alerted many situations before other monitoring systems identified that there is a critical issue.

VMware and security device integration looks a bit complex.

I have used Splunk for almost three years.

As of now, we have had no issues with stability. It is running like a charm.

From a nodes perspective, there have been no scalability issues.

I can say that support is good.

We never used other solutions.

We used the Splunk Cluster setup. It was a bit complex to set up, but management-wise and stability-wise, it was awesome.

License costs fall under the NDA, but Splunk license costs are public, I believe.

We evaluated Logstash and others, but Splunk plays a pivotal role.

I would strongly recommend this product, as it would be very beneficial for service operations and management.

Our company is an IT service provider. We are resellers of Splunk. One of our clients that we monitor is a laboratory that uses this solution.

Splunk is a change management solution. We use the solution as a log collector, and to analyze and provide alerts from the IT instructor.

The product is good, it satisfies our customers.

The price of Splunk is too high for our market.

Our company has been a reseller of Splunk for less than six months.

Splunk is stable.

This is a scalable solution.

We have had no concerns with customer service.

The initial setup of Splunk is somewhat difficult because it was our first time implementing the solution. It was a similar situation to implementing other CM tools like FortiSIEM.

Splunk required two engineers to implement, and we will add another one to maintain the solution.

The prices are complicated as we operate in a small third-world country.

We give support for VMware and other technologies. We purchased Splunk because our customers were asking for our services to take control of the implementation from another company.

If you are considering Splunk and you like what you are seeing; my advice would be to go for it.

I would rate Splunk an 8 out of 10.