No more typing reviews! Try our Samantha, our new voice AI agent.
Vaibhav Mahendra Kolhe - PeerSpot reviewer
Soc Analyst at Softcell Technologies Limited
Real User
Top 5Leaderboard
May 24, 2026
AI-driven threat detection has transformed investigations and reduces false positives for analysts
Pros and Cons
  • "The AI-driven detections have improved the accuracy of my investigations significantly, reduced my mean time to detection by about 30 percent and my mean time to resolution by about 40 percent, and contributed to faster, more efficient threat detection compared to other SIEM tools I have used."
  • "I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time."

What is our primary use case?

Splunk Enterprise Security is mainly used for detecting and monitoring log analysis, threat detection, and incident investigation. It is primarily used for failed login detection where multiple login failed attempts occur from the same source IP. Brute force attacks are another common use case. Splunk Enterprise Security use cases can be extended through visualization on data dashboards, setting incident triage, and Windows event log analysis in SOC environments. I use it from a SIEM perspective in my organization.

What is most valuable?

The best features of Splunk Enterprise Security are that it is the leading platform in cybersecurity right now in SOC environments. Business resilience is very useful for real-time monitoring and investigation, which improves our business resilience.

The AI-driven detections have improved the accuracy of my investigations significantly. I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. Compared to both, Splunk AI is very good. When we mark an alert as a false alert, Splunk Enterprise Security automatically detects it as a false positive. Whenever another similar alert comes through, it automatically takes action, so we will not get that alert on our dashboard again. It automatically handles false positive alerts, preventing clutter on our dashboard.

It has reduced my mean time to detection (MTTD) by about 30 percent and my mean time to resolution (MTTR) by about 40 percent. Our SLA has reduced from fifteen minutes to ten minutes, which is very helpful because we are raising alerts within ten minutes.

Risk-based alerting provides significant value. When we raise an alert, we provide the incident classification as either true positive or false positive in Splunk and also in the ticketing tool. If an alert is a false positive, Splunk's AI takes care of this and tells us whether we want this alert to show to the SOC team or not. The decision depends on AI analysis.

The assessment of the threat topology and the MITRE ATT&CK framework in Splunk shows that Splunk already maps MITRE ATT&CK with incidents. Whenever an alert comes, the AI configures it to that framework. For investigation purposes, I check the process tree to see how the alert originates and where the malware is going to end. This is very good for threat investigation.

Splunk Enterprise Security has become at least forty to fifty percent faster at detecting threats compared to Azure Sentinel. It is very fast for detecting alerts.

It has contributed to the reduction of analyst burnout and fatigue because it reduces our alerts. If we raise an alert on Splunk, it takes care of them through AI. False positive alerts will not show up, preventing mess for our team. Our threat hunting team and forensic team handle the true positive alerts, while false positives are automatically taken care of by AI.

When comparing Splunk with other vendors, I find that Splunk use cases have more power to detect alerts. Azure Microsoft Sentinel has inbuilt over two hundred use cases analytics for their team only, and we cannot create more customized use cases. In Splunk, we can create additional customized use cases, plus there is AI for detection. If we miss some use cases for any logs or events, AI takes care of it and creates its own use case, showing alerts for us. The dashboard is also very user-friendly compared to both.

What needs improvement?

Areas that have room for improvement in Splunk Enterprise Security include user access. When we give access to a new user, it becomes difficult for them to log in and understand the interface. It would be beneficial if there is a demo for L1 users. I also see improvement needed in integration. Currently, we have to manually integrate devices, but I would like AI to take care of it, similar to how SentinelOne operates. This would make the process smoother.

For how long have I used the solution?

My experience using the solution has been two years.

Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,680 professionals have used our research since 2012.

What do I think about the stability of the solution?

Stability-wise, Splunk Enterprise Security is very good. I have not experienced any significant performance issue or downtime.

What do I think about the scalability of the solution?

I rate the scalability of Splunk Enterprise Security as an eight. It depends on how stable and scalable you manage Splunk Enterprise Security for your organization.

How are customer service and support?

I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time. Even if I call the toll-free number, tickets are pending.

Which solution did I use previously and why did I switch?

I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. The AI-driven detections have improved the accuracy of my investigations significantly compared to these solutions.

How was the initial setup?

It is very easy to deploy Splunk Enterprise Security compared to both other SIEM tools. Splunk connector is very easy to set up.

The time it takes to install depends on whether we are installing on a Windows or Linux machine or the size of the organization. For a moderate-level company, it usually takes around five days to install everywhere the connectors and endpoints.

What about the implementation team?

When it comes to upgrading Splunk Enterprise Security to version eight point zero, I have a team that handles the upgrade, and it is basically easy to upgrade the version.

What was our ROI?

Combining SIEM, SOAR, and UEBA into a single interface has improved my operational efficiency significantly. Before we integrated SOAR, we usually took fifteen minutes to raise SLA alerts. For analysis, L1 would take ten to twelve minutes to decide if they wanted to raise an alert or not. With SOAR, we have predefined playbooks, so if any inbound connection happens from a malicious IP, it automatically blocks on the firewall. We handle most alerts through SOAR now, which allows us to focus on the more significant incidents like malicious attacks, effectively reducing our response time.

What's my experience with pricing, setup cost, and licensing?

Regarding the pricing of Splunk Enterprise Security, I would say it is very expensive for our organization compared to the two others. Wazuh is open-source, and for SentinelOne, we are a partner with Microsoft, but Splunk has a high cost for setup, which is based on the EPS count and storage.

Which other solutions did I evaluate?

When comparing Splunk with other vendors, I find that Splunk use cases have more power to detect alerts. Azure Microsoft Sentinel has already inbuilt over two hundred use cases analytics for their team only, and we cannot create more customized use cases. In Splunk, we can create additional customized use cases, plus there is AI for detection. If we miss some use cases for any logs or events, AI takes care of it and creates its own use case, showing alerts for us. The dashboard is also very user-friendly compared to both.

What other advice do I have?

9

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. MSSP
Last updated: May 24, 2026
Flag as inappropriate
PeerSpot user
RajKumar27 - PeerSpot reviewer
Information Security Analyst at a hospitality company with 5,001-10,000 employees
Video Review
Real User
Top 10
Sep 13, 2025
Enables our team to automate threat detection and prioritize incidents through risk-based alerting
Pros and Cons
  • "I appreciate the Identity and Assets framework the most, as well as the threat analysis framework."
  • "To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly."

What is our primary use case?

My main use cases for Splunk Enterprise Security include finding out excessive login failures, any compromised accounts, any compromised emails using phishing tactics with Proofpoint, network anomalies, User Behavior Analysis, and detecting rogue assets.

What is most valuable?

I appreciate the Identity and Assets framework the most, as well as the threat analysis framework. Those are my two favorites in Splunk Enterprise Security, along with correlation searches and the entire incident response workflow.

The Risk-Based Alerting in Splunk Enterprise Security is a great addition to our team, as it correlates data from different sources and adds scores to users or systems, allowing us to make decisions based on risk scores assigned to assets or identities.

Splunk Enterprise Security dashboards communicate our security posture and risk score to executives, including major contributing risk factors, key performance indicators (KPIs), and key risk indicators, which help us make informed decisions about future focus areas.

Splunk Enterprise Security helps our team save time by performing correlation searches automatically, eliminating the need for manual searches. We also utilize SOAR for taking automated remediation responses.

What needs improvement?

To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly. Regarding improvements in Enterprise Security, I believe the incorporation of AI would enable Splunk users to spend less time on building correlation searches while still gaining productive ideas.

For how long have I used the solution?

I have over eight-plus years of experience working in the IT sector, with six-plus years of experience collectively working on security and Splunk-related tasks.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security at 90%.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security is impressive, as you can scale it to any size and make various types of data readable, although event types and tagging are necessary for optimal performance.

How are customer service and support?

Customer service and technical support for Splunk Enterprise Security are great; they respond quickly and handle our cases efficiently whenever we require assistance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Splunk Enterprise Security at my previous company yet have not used any different products since then, although I have some knowledge about platforms such as Elastic Search and QRadar.

How was the initial setup?

The challenges with deployment are the fine-tuning and some of the correlations, such as where the data is not normalized. And that's why the CIM module has been great so far.

What was our ROI?

The biggest return on investment with Splunk Enterprise Security lies in the time and effort it saves due to its built-in features, datasets, and pre-built dashboards, providing us with visibility across different data sources.

What other advice do I have?

My advice for other companies considering Splunk Enterprise Security is that if they're looking to enhance their security visibility or establish a security operation center, this tool is an excellent starting point, and they can scale and automate processes using SOAR effectively.

On a scale of one to ten, I rate this solution an eight.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,680 professionals have used our research since 2012.
Sheenam Singla - PeerSpot reviewer
SAP Roles and Authorization Consultant at a tech vendor with 10,001+ employees
Real User
Top 5
Sep 11, 2025
Supports faster incident response and improved threat detection through flexible customization options
Pros and Cons
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability."
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability, as it integrates disparate security solutions, offers many out-of-the-box apps through Splunkbase, enables straightforward customization, and supports efficient detection and alerting processes that improve overall business resilience."
  • "Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful."

What is our primary use case?

My main use cases for Splunk Enterprise Security are mostly for SOC, detection engineering, and incident response.

How has it helped my organization?

Splunk features benefit my organization as we can use it for any custom needs. That's the biggest benefit of getting it. It doesn't matter what team has what kind of requirements. There's a possibility through Splunk's back-end that we can customize it and make it work.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability. 

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations, as one of the biggest advantages is that Splunk Enterprise Security comes with many apps and applications out of the box through Splunkbase, and there's essentially a connector available for any log source imaginable.

I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security pretty straightforward overall. There's a lot of out-of-box content that can be leveraged and many features available to ensure all configurations are working as expected.

My organization uses risk-based alerting in Splunk Enterprise Security. It supports our SOC by significantly reducing the alert count and allowing analysts to focus on what matters most.

My SecOp team's remediation time for security incidents with Splunk Enterprise Security is definitely faster than other solutions.

I am utilizing new threat detection features in Splunk Enterprise Security, specifically the Assets and Identity Framework and risk-based alerting. These features have improved efficiency and helped reduce false positive counts.

Splunk Enterprise Security has helped improve my organization's business resilience. The flexible pricing models allow us to pick and choose, and I can easily see how different business units are consuming Splunk Enterprise Security, thereby distributing the cost within the organization.

I have recently expanded my usage, and the process was smooth.

What needs improvement?

Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful. A good out-of-box application that can help monitor if the data feeds are feeding in properly or if there is any drop will really help make life easier.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years now.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security in terms of downtime, crashes, and performance issues, as there are no issues with the availability of the platform since it's cloud-based.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization as it's highly scalable. As the organization grows, Splunk Enterprise Security can also grow.

How are customer service and support?

I would evaluate customer service and technical support as good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was mostly using Splunk Enterprise Security.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as time-consuming. It definitely needs some planning and time to ensure that everything is set up and configured properly.

What was our ROI?

I have seen return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

Im not on the licensing side. 

What other advice do I have?

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are that it takes some time to get the hang of the platform, and it has a slight learning curve associated with it. Other than that, I have no complaints.

The advice I would give to other organizations considering Splunk Enterprise Security is to try it out and see if it fits their requirements. It's highly flexible, highly customizable, and can scale according to needs.

On our rating scale, I give Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Vice President Cyber Security at Mindsprint
Real User
Top 5
Jul 13, 2026
Extensive integrations have enabled real-time threat detection and continuous security monitoring
Pros and Cons
  • "Splunk Enterprise Security's biggest advantage is the ecosystem, as the large ecosystem can detect threats from a variety of devices, including firewalls and antivirus software, and because it has many built-in rules for detection already, I do not write many playbooks from scratch, which helps me get started on threat detection faster and enables me to predict, identify, and solve problems in real time so security incidents can be prevented."
  • "From a pricing perspective, the costs have become higher, as I understand from our procurement team."

What is our primary use case?

I work with Splunk as a service provider as well as a customer because we use Splunk internally.

This is used to run the Security Operation Center to conduct 24/7 monitoring for any security alerts and incidents for our use cases and use cases for our clients.

We do use some disparate security products that integrate or import data into Splunk. We have integrated Splunk with many threat intelligence sources, including external threat intelligence sources. We have a direct Splunk integration with CrowdStrike, and we have many other integrations with Splunk itself.

We have integrated Splunk with many log sources, including firewalls and other devices. From those firewalls and log sources, we have configured alerting in our Splunk environment. This helps us in detecting and alerting any security incidents.

What is most valuable?

Splunk Enterprise Security's biggest benefit is the ecosystem itself. It has many connectors and plugins built-in, which provides all those capabilities as part of its ecosystem.

I have a very positive impression of the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security. The alerting part does support our SOC.

Splunk Enterprise Security's biggest advantage is the ecosystem. The large ecosystem can detect threats from a variety of devices, including firewalls and antivirus software. Because Splunk Enterprise Security has many built-in rules for detection already, I do not write many playbooks from scratch. Splunk Enterprise Security has many detection rules that are already provided, which helps me get started on threat detection faster. This is due to two primary reasons: the large ecosystem, by which Splunk can integrate with many varieties of devices, and Splunk Enterprise Security, which has many built-in rules that help me detect threats.

It helps me predict, identify, and solve problems in real-time, which helps me detect threats in real-time and then take action faster. Because of this, any security incidents can be prevented.

What needs improvement?

There are two parts to consider for areas of improvement. One, especially after the Cisco acquisition, is from a pricing point of view. From a pricing perspective, the costs have become higher, as I understand from our procurement team. The other area is from a support perspective. Support has declined, but it is starting to improve again, though it still could be better.

For how long have I used the solution?

I have used Splunk for eight years.

How was the initial setup?

I find the installation part quite straightforward.

What was our ROI?

There is no quantification of time-saving or money-saving benefits of Splunk because it is more focused around threat detection itself.

What's my experience with pricing, setup cost, and licensing?

It is worth buying the product, definitely, because no other vendor supports the kind of integrations that Splunk supports, even though the price is a little on the higher side.

What other advice do I have?

The biggest piece of advice I would say to people looking to use Splunk Enterprise Security in the future is to check the compatibility with the ecosystem of products they are using within the enterprise or within their own business, and see if it is supported by Splunk Enterprise Security. Because if they use a firewall which is not supported by Splunk Enterprise Security, then it will become a challenge in detecting any threats on the firewall because the logs cannot be ingested or consumed by Splunk Enterprise Security. The most important thing is to check their ecosystem and whether Splunk Enterprise Security supports logs from their ecosystem. I rate this product an 8 overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Jul 13, 2026
Flag as inappropriate
PeerSpot user
Priyanshu-Singh - PeerSpot reviewer
Soc Analyst Trainee at Softcell Technologies Limited
Real User
Top 5
Jun 30, 2026
Advanced threat detection has reduced alert fatigue and improves faster incident response
Pros and Cons
  • "Over the course of using Splunk Enterprise Security, it has helped us grow our business and attract more clients due to its low mean time to respond and various analytic engines that help us address threats daily, resulting in positive customer feedback and satisfaction."
  • "There is not much to improve in Splunk Enterprise Security, but points such as deep learning and writing complex queries can be time-consuming, and managing multiple correlation rules can become complex over time, especially with high volumes of log data that can affect performance."

What is our primary use case?

I am still working with Splunk Enterprise Security. We are a reseller of Splunk Enterprise Security, providing it to our customers.

On a daily basis, we use Splunk Enterprise Security for advanced threat and ransomware detection, providing it to our customers for threat detection and ransomware detection, as well as for detecting insider threat anomalies and for continuous monitoring and log analysis.

We provide Splunk Enterprise Security both internally as we are an MSSP, managing our customers and our internal operations.

Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue by addressing the issue of receiving thousands of alerts, with nearly half being false positives, which creates a psychological burden and desensitizes analysts to warnings.

The integration of threat intelligence directly into our TDIR workflow helps us identify false IOCs based on external data, normalizing and correlating it with our internal networks, with Splunk Enterprise Security operationalizing TI feeds through highly structured workflows that manage multiple threat feeds effectively.

Over the course of using Splunk Enterprise Security, it has helped us grow our business and attract more clients due to its low mean time to respond and various analytic engines that help us address threats daily, resulting in positive customer feedback and satisfaction.

What is most valuable?

The most useful features of Splunk Enterprise Security are the data handling, schema flexibility, correlation rules, threat detection engines, and log search capability, which makes it easy to find logs among lots of data, as well as customizable dashboards and risk-based alerting, among other features.

These features are valuable because they help us daily find logs related to our customer requirements and provide reports based on that, making it easier to find data for devices such as networks and Windows.

The most benefits from using Splunk Enterprise Security are the drastic reduction in alert fatigue, rapid incident triage, the ability to find a particular log for specific devices, unified security workflows, data flexibility, instant mapping to security frameworks, and correlation rules, along with anomaly-based rule detection and threat hunting that help us on a daily basis.

These benefits are very important for my users, as they help us and our customers secure our infrastructure from unauthorized access and detect spoofing, phishing, and all types of attacks, allowing us to identify vulnerabilities and patch them before exploitation.

What needs improvement?

There is not much to improve in Splunk Enterprise Security, but points such as deep learning and writing complex queries can be time-consuming, and managing multiple correlation rules can become complex over time, especially with high volumes of log data that can affect performance.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost three years.

What do I think about the stability of the solution?

Regarding stability, we have not faced significant challenges with Splunk Enterprise Security so far, though we have had some minor issues due to service failures, which were resolved without major threats. Its reliability is strong, especially after the visual redesign that helps prevent critical signals from getting lost.

What do I think about the scalability of the solution?

I rate the scalability of Splunk Enterprise Security as nine out of ten based on my use cases and observations.

How are customer service and support?

My experience communicating with technical support has been very good, as we quickly receive resolutions from them.

Which solution did I use previously and why did I switch?

The AI-driven detections and assistance have improved the accuracy of my investigations.

Splunk Enterprise Security is very helpful in triaging and raising alerts before they reach SLA times, which helps us reduce the mean time to respond.

I estimate that we have reduced the mean time to resolve by around 40 to 70%.

Splunk Enterprise Security has helped reduce my team's average mean time to detect by around 50 to 70%, overall for threat detection and alert detection.

Regarding risk-based alerting, it helps us identify true positives and false positives, effectively eliminating alert fatigue; we rarely get false positive alerts, as RBA assigns a risk score to user devices and alerts analysts only when an asset accumulates enough risk score from different systems, exposing advanced persistent threats that traditional SIEM rules miss.

The threat topology or MITRE ATT&CK framework features help us easily identify unauthorized persons and attackers' tactics and techniques used to gain unauthorized access to our data center, making it easy to analyze active correlation rules and identify blind spots.

Splunk Enterprise Security helps us detect threats faster due to its advanced rule-based alerting and anomaly detection, allowing us to catch threats before they impact our services and servers.

I estimate that we can detect threats about 30 to 40% faster compared to traditional SIEM services.

How was the initial setup?

I participated in the initial setup of Splunk Enterprise Security, working with numerous device installations in Wazuh and Splunk Enterprise Security, including network devices, servers, and cloud services.

To set up Splunk Enterprise Security, we need to install Splunk Enterprise Security on the server, share logs with the forwarder, and then receive logs from the forwarder.

I faced some challenges specifically with the AWS integration during the initial setup.

Which other solutions did I evaluate?

I did not participate in the decision-making process for Splunk Enterprise Security, but I highly suggested it for small businesses seeking a low-cost solution.

I did not have any other options besides Splunk Enterprise Security.

What other advice do I have?

I consider Splunk Enterprise Security to be an affordable solution given the capabilities it offers; for organizations with predictable data environments wanting certainty in cost, it is a worthwhile investment. I rate this review as a nine out of ten overall.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
Last updated: Jun 30, 2026
Flag as inappropriate
PeerSpot user
reviewer2756187 - PeerSpot reviewer
Security Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Sep 15, 2025
Risk-based alerting has improved threat visibility and reduced false positives for our analysts
Pros and Cons
  • "The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR."
  • "Splunk Enterprise Security could be improved by having better role-based access controls."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and incident response.

How has it helped my organization?

An example of how these features have benefited my organization is that risk-based alerting has transformed our ability to reduce the number of detections that we have, streamline our observability into risks and threats in our environment, and really focus our analysts on actual real problems, helping to remove the noise and false positives to a large degree. It frees us up to do actual work.

What is most valuable?

The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR.

What needs improvement?

Splunk Enterprise Security could be improved by having better role-based access controls. We need to be able to better control who can do what, which people can be allowed to take certain actions, run certain playbooks, or view specific items, and separate things between teams.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about 8 years.

How are customer service and support?

I evaluate customer service and technical support as fantastic. Technical support is some of the best that I've worked with.

I work with a lot of different vendors, and Splunk support is very responsive and capable. They have very knowledgeable people who can deep dive into the details and understand the inner workings of the platform without having to engage developers or back-end people all the time; they can just deal with it because they know what they're doing.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have also used Google Chronicle and the Google SecOps platform. The factors that led me to consider a change included the lack of maturity in the other product and the maturity of Splunk. Google SecOps doesn't have anywhere near the capabilities of the Splunk ecosystem.

The search capabilities in Splunk Enterprise Security, and Splunk in general, are far superior to the search capabilities in Google's products. Their automation platform was extraordinarily immature. It doesn't have many of the basic capabilities that you would expect in an enterprise-class platform, and Splunk does have that. The Splunk capabilities were just vastly superior.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as fairly straightforward.  We have detection engineers who know what they're doing, and so learning the detection platform in Splunk Enterprise Security was quick for them to pick up. Even those who were not familiar with Splunk Enterprise Security to begin with were able to pick that up quickly.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What other advice do I have?

I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Derek Scott - PeerSpot reviewer
Information System Security Officer at SAIC
Video Review
Real User
Top 5
Sep 11, 2025
Risk-based alerting and custom dashboards transform communications and detect threats
Pros and Cons
  • "The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use."
  • "Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have."
  • "I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training."
  • "One of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand."

What is our primary use case?

Many of my use cases for Splunk Enterprise Security involve integrating with our networks and systems to troubleshoot and streamline our capabilities.

What is most valuable?

One of the features of Splunk Enterprise Security that I really enjoy is the ability to have the scalability of the product and the moldability that's really customized to meet our specific needs. 

The flexibility of Splunk Enterprise Security is beneficial, and that feature, while a broad statement, is crucial in itself, as it allows us to design our own environments with the flexibility and malleability needed to function effectively.

Splunk Enterprise Security's Risk-Based Alerting or RBA has been really amazing. We're still new at it, however, it's definitely nice to be able to have those results at your fingertips instead of having to search what you need to.

Using Splunk Enterprise Security's dashboards to communicate security posture to executives is probably one of the nicest things that Splunk offers. Not everyone is as skilled with the inner workings of the system as we are in my industry, so being able to put a visualization on there is critical.

The ability of Splunk Enterprise Security to ingest data has been amazing for our threat detection. Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have.

The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use.

What needs improvement?

I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand.

For how long have I used the solution?

I've been using Splunk Enterprise Security for about a year to a year and a half now.

How are customer service and support?

I handle most things in-house, however, I evaluate Splunk Enterprise Security's technical support and service as outstanding based on the few times we've had to contact them.

How would you rate customer service and support?

Positive

How was the initial setup?

My experience with deploying Splunk Enterprise Security is that the deployment process is pretty straightforward, especially once you have the certifications and you understand how the process works. I'd say it goes back to the training opportunities; some people are unfamiliar with it, so a little bit of support would be appreciated sometimes.

What was our ROI?

Splunk Enterprise Security has definitely reduced the amount of time that it takes us to detect and respond. I would say the percentage lowered by using Splunk Enterprise Security is around 25 to 30%.

What's my experience with pricing, setup cost, and licensing?

I understand how the pricing, the setup costs, and the licensing of Splunk Enterprise Security work, however, I personally don't have knowledge of the numerical values.

What other advice do I have?

I'd give Splunk Enterprise Security a rating of ten out of ten. 

My advice to other companies considering Splunk Enterprise Security is to just do it. Don't look at any of the competitors; Splunk, hands down, is the product that I would recommend to other companies.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2711313 - PeerSpot reviewer
Director, Enterprise Insider Threat at a legal firm with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Unified event correlation and intelligence dashboards to strengthen business resilience
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it."
  • "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs."

What is our primary use case?

My main use cases for Splunk Enterprise Security are event correlation and risk-based alerting.

What is most valuable?

The features I appreciate most about Splunk Enterprise Security are the different domains they have and the intelligence that comes along with each of those dashboards, being that single pane of glass for analysts to go in and look at. Splunk Enterprise Security has helped improve my organization's business resilience.

We use Cribl to pull data in and get it optimized before it hits Splunk Enterprise Security as far as collection. I have not done much customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security yet; we started off with just getting data in, and now we are at the point where we are starting to look at detections.

In Splunk Enterprise Security, I do not use risk-based alerting as much as we should. That goes back to the whole time issue, as we need to teach people what to do with it and how to tune them, and we do not have enough time in the day.

What needs improvement?

As for improvements to Splunk Enterprise Security, we will see how ES 8.2 looks. It is hard to say. We just found out about a bunch of changes, so it is difficult to make specific recommendations at this point.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it. I have experienced downtime, crashes, or performance issues with Splunk Enterprise Security only once or twice when we have had to restart our Splunk instance, and it has taken three minutes and come right back, so nothing major.

What do I think about the scalability of the solution?

Splunk Enterprise Security has not hit the point yet where we need to scale; we are still at the initial ingestion phase. We are in the process of expanding usage for Splunk Enterprise Security; we have not actually done it yet, as we are still planning and trying to get other teams involved while meeting their use cases, so we are probably a month away from that.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as far better than anything else, giving it an eight out of ten, thanks to the response times they meet. When going to our account representatives, if we need something, they are always responsive and we get whatever we need.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was easy since we're cloud-based. We didn't really didn't have to do anything.

What was our ROI?

I have seen ROI with Splunk Enterprise Security. Just getting data in and being able to use the data and making sure it is compliant and mapping it to data models is far more efficient than any other SIM I have had experience with.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup costs, and licensing for Splunk Enterprise Security is straightforward and self-explanatory. We are ingest-based, so we are not compute-based, making it pretty simple to get everything in without worrying about pricing.

Which other solutions did I evaluate?

Factors that led me to consider the change include shifting to a cloud-based solution at an affordable price and moving to something that is going to help reduce time spent on alerts and maintaining the system, with maintaining the system being probably the biggest reason since shifting to the cloud.

What other advice do I have?

For the future of Splunk Enterprise Security, I would want the Edge Processor to be able to send to multiple destinations rather than just Splunk, though that is more about Observability.

The advice I would give to other organizations considering Splunk Enterprise Security is that everybody wants to drive a Ferrari, so get the Ferrari of SIMs.

I rate Splunk Enterprise Security ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2701950 - PeerSpot reviewer
Splunk System Engineer at a non-tech company with 11-50 employees
Real User
Top 20
May 10, 2025
Correlation engine and alert features significantly reduce alert volume
Pros and Cons
  • "It's great for finding anonymous threats."
  • "The stability of Splunk Enterprise Security is very impressive; it is a very stable product."
  • "Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations."

What is our primary use case?

The typical use case for Splunk Enterprise Security is to meet regulations and requirements for critical infrastructure. It is used to audit changes and authentication logs. The second purpose is for security operation center management and security management.

What is most valuable?

The most valuable features of Splunk Enterprise Security are the main component, which is the correlation engine that can specify detailed conditions such as how many events there need to be, what notification I will get, and if I get it per event or one per batch. 

There is also throttling; in basic Splunk, there is no throttling at all. In Splunk Enterprise Security, there is an additional layer of control of these alerts. I appreciate the correlations and the alerts in that product.

The asset management is particularly useful. We can enable asset lookups to show in every event. We define one, and it will translate to all events, allowing asset management to be easy. 

Splunk Enterprise Security helps to reduce alert volume because the language is similar to SQL with Google-style functionality above it. We can use these terms to specify what is in the allow list. We can specify what's in lookups, what should be there, and what's not. It definitely helps to reduce the numbers of full score.

Splunk Enterprise Security helps to speed up security investigations. When the finding is created, there are many correlations. You can quickly see what asset it is, what identity is involved, and you see the historical progress of what happened. Right from the findings, you can call VirusTotal and other resources, which is definitely helping.

I assess Splunk Enterprise Security's insider threat detection capabilities for helping to find unknown threats and anomalous user behavior as great. It regularly checks new events through the correlation search and compares them with threat intelligence. The threat intelligence is refreshed regularly, downloading new threat information. Splunk has a special research team for security content and intelligence, which distributes its own threat list to Splunk Enterprise Security.

It's great for finding anonymous threats. It checks new events and also works with the latest threat intelligence. At least once a day, it develops new threat information. In Splunk, there is a special research team. They are also distributing their own threat lists. The solution is capable of very good threat detection.

In basic SPL, with the Splunk query language, we can detect brute force without threats. It scans every event, and if it finds patterns, IOCs, it can trigger notable events, which are now called findings. The new version includes an internal Git repository, so when the SOC team makes improvements to the correlation search and makes changes, it automatically keeps a history of that correlation search, what was changed, when, by whom, and you can revert if it breaks.

The value that Splunk Enterprise Security offers in resilience is vital. It helps customers distributing gas across the Slovak Republic, ensuring that critical infrastructure, such as operational pipelines, are running. If there were an outage that delayed recovery, the economic impact could be significant. 

It's good for analyzing malicious activities and detecting breaches. The interface sometimes can be very essential.  

Splunk has helped us reduce alert volume. We can use terms to specify what is whitelisted and we can search like we would on Google. 

We've been able to speed up security investigations. We a finding is created, there are many correlations. You can quickly see the asset, the identity involved, the history, et cetera. 

What needs improvement?

Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations. When you have your data all set and the customer wants some new dashboards that would help them, it is pretty complicated to build them from the built-in visualizations. 

This is one of the blocking points in Splunk, however, they're working on a new layer called Dashboard Studio. It is still limited. An older version of Splunk allowed implementation of JavaScript to capture events when a user clicked by mouse, which enabled great features. In the improved Dashboard Studio, this is not possible. They have improved one part and have made the other part worse, so it still lacks a premium feeling. Cisco will improve it, however, it seems they are focusing on what the big companies want. They will implement it if it's usable for these big players that pay, but for small companies, it's too pricey to use this solution.

For how long have I used the solution?

I've been working with this solution for seven years.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security is very impressive; it is a very stable product. They handle these things perfectly and conduct internal testing thoroughly. 

They test it very thoroughly before release, and our customers have Splunk running for months without issues. 

When I observe how customers work with Splunk in the cloud, it is also very good. They manage maintenance windows and inform customers, resulting in little to no interruptions to workflow. In terms of stability, I would give it a full score.

What do I think about the scalability of the solution?

We work with medium to large organizations. Our typical environment has 500 servers. In volume, we're looking at 100GB in storage. From Splunk's view, we're doing rather small volumes. It's big in a Central European context, and small from a Splunk North American context. It can be pricey for small companies. 

How are customer service and support?

I would rate technical support from Splunk Enterprise Security as a six out of ten. 

It's average, considering it's a very big product, and they handle several hundred tickets a day. I have opened 20 to 30 cases, and they helped me with only three to five of them. They try to close issues as soon as possible, often just offering documentation links. 

Even when I provide them with the core problem, they do not help much. The customer often has to rely on workarounds, custom scripts, and solutions which are somewhat lacking.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, I didn't use a different solution; this was my first job, and I started working full-time with Splunk about eight years ago. 

In the beginning, when they were testing, I was shown the OP5 and Nagios operating monitoring; we used tried them out, however, they were not really security-related.

How was the initial setup?

You can quickly set up Splunk by downloading the package, unpacking it, and starting to work. It's straightforward to get a quick view of your data, and you do not have to worry about connections to databases; it will start parsing the data as soon as you hand it over. For bigger environments with several hundred servers, Splunk Enterprise Security is the best solution.

What was our ROI?

Customers see the value in investing in this solution, particularly when it helps resolve issues quickly, turning a potential 20-hour response into one hour.

What's my experience with pricing, setup cost, and licensing?

It's still pretty pricey. It's an expensive solution for smaller companies. 

That said, if someone evaluating SIEM solutions wants to go with the cheapest solution, Splunk Enterprise Security is a very good option. It has difficulties in administration and setup, however, in comparison with other products, it's still a great platform.

What other advice do I have?

My relationship with Splunk is that we are a partner and reseller partner. My organization does not monitor multiple cloud environments; we primarily monitor M365 and Azure environments from cloud products. We use the Microsoft Add-on for Splunk to read Exchange and Microsoft audit logs from the cloud. However, we still prefer on-premise solutions in our country.

We use the Mission Control feature. It's replaced another component. I don't use it too much myself. It's like a connector for SOAR. We're investigating its capabilities and have not implemented it fully.

Overall, I would rate Splunk Enterprise Security a nine out of ten. If you want to see your data quickly and in full view, it's very good - specifically for bigger environments.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Solutions Diretor at a computer software company with 51-200 employees
Real User
Top 10
Sep 13, 2025
Risk-based alerting has improved detection efficiency and supports faster remediation
Pros and Cons
  • "On average, my security ops team takes fairly quickly to remediate security incidents with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight."
  • "Splunk Enterprise Security could be cheaper."

What is our primary use case?

My main use cases for Splunk Enterprise Security are security, general security, and SIM.

What is most valuable?

The feature I appreciate the most in Splunk Enterprise Security is RBA. These features in Splunk Enterprise Security help my organization contextualize security alerts and put them in a framework that makes sense for our customers.

My organization uses risk-based alerting in Splunk Enterprise Security. Risk-based alerting in Splunk Enterprise Security supports my SOC by giving me a holistic view of what's happening and prioritizing alerts based on various risk factors that are important to me.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are zero-day events. I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by giving me a holistic view of what's happening in my environment. I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security easier than other platforms.

On average, my security ops team takes fairly quickly to remediate security incidents with Splunk Enterprise Security, depending on the use case, minutes versus hours, compared to my previous solution, which was ArcSight.

Splunk Enterprise Security has helped improve my organization's business resilience.

My impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems are good. I would say to other organizations considering Splunk Enterprise Security to solve your data challenges first and focus on data quality, and then everything else will work with your infrastructure.

What needs improvement?

Splunk Enterprise Security could be cheaper. More artificial intelligence implementation for features should be included in the next release of Splunk Enterprise Security.

For how long have I used the solution?

I have been using Splunk Enterprise Security for nine years.

What do I think about the stability of the solution?

Splunk Enterprise Security is very reliable. I have not experienced any downtime, crashes, or glitches with Splunk Enterprise Security.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales efficiently with the growing needs of my organization. I have expanded usage, and the process was very smooth.

How are customer service and support?

I would evaluate customer service and technical support as pretty good. There is a good community.

On a scale of one to ten, I would rate customer service an eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using ArcSight to address similar needs.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy. I deploy it all the time, so it's easy for me.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing, setup cost, and licensing mainly; however, everyone says it's pricey.

Which other solutions did I evaluate?

I was using ArcSight, and the factor to change was that it could not accept all the data.

What other advice do I have?

On a scale of one to ten, I would rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partnrr
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2026
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.