No more typing reviews! Try our Samantha, our new voice AI agent.
AmanThakkar - PeerSpot reviewer
Software Engineer at Titanslab Inc.
Real User
Top 5Leaderboard
Jun 19, 2026
Centralized logging has simplified root-cause analysis and improves productivity across apps
Pros and Cons
  • "Managing logs is very easy with Splunk Enterprise Security."
  • "One thing I would like to see improved in Splunk Enterprise Security is a better user manual."

What is our primary use case?

Our main use cases for Splunk Enterprise Security are to find the root cause of any applications, to see the dashboards, to see the logs, and to centralize some logging systems.

What is most valuable?

Managing logs is very easy with Splunk Enterprise Security. Earlier, we were using DataDog and before that, we were also using our own tool, 24/7, to maintain logs and everything. In that, we faced many issues maintaining logs from many applications because we are managing many applications right now. So it was very tough, and when we were introduced to Splunk Enterprise Security, we used it, and it became very easy to maintain. It is easy to have control over it.

The main benefits I have seen from using Splunk Enterprise Security are mainly two things: the pricing and the manpower. Right now, we do not have to worry about the time if we encounter any issues. Recently, one of our customers raised an issue that the application was running very slow. Earlier, we had issues like that, but at that time we had to do so much manual checking everywhere to find the issue. Right now, if we get an issue regarding this, it is very easy to understand the root cause.

What needs improvement?

One thing I would like to see improved in Splunk Enterprise Security is a better user manual. Right now, it is pretty tough for any newcomer or new user to understand everything because there are no specific areas for them to learn from.

From a features perspective, an enhancement I would like to see is a better learning aspect. The AI feature is great, but I believe enhancing the learning part for any new user would be beneficial.

For how long have I used the solution?

We have been using Splunk Enterprise Security products for the last eight to nine months, but I have been onboarded on this in the last six months.

Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,680 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability, reliability, and performance of Splunk Enterprise Security are pretty good. Now we are very stable with many production systems, and Splunk Enterprise Security is also scalable if we want to expand further.

How are customer service and support?

I would evaluate the tech support team as good.

Which solution did I use previously and why did I switch?

I previously used different products and solutions like in-house technologies and DataDog.

How was the initial setup?

The initial setup process for Splunk Enterprise Security was somewhat challenging. As I mentioned, it lacks a specific user manual, making the initial setup tough, but now we are hands-on and comfortable with it.

What was our ROI?

Regarding ROI, while I cannot speak specifically about the investment, I can say that the returns are good. We achieve one hundred percent productivity utilizing Splunk Enterprise Security to create multiple dashboards and find various issues.

What's my experience with pricing, setup cost, and licensing?

On the pricing aspect, I find the setup cost and licensing of Splunk Enterprise Security to be relatively cheaper compared to what we used earlier. I can say that what we are paying is worth it based on the value we receive.

Which other solutions did I evaluate?

We decided to switch to Splunk Enterprise Security because of the ecosystem. We are also using Splunk Cloud, and we have a good relationship with Splunk. The pricing compared to what we were using earlier is worth it.

The key differences, apart from pricing, are the visibility and observability. We did not get good visibility with the previous tools, but now we have a very clear view, which is why we switched to Splunk Enterprise Security.

What other advice do I have?

My advice for anyone considering Splunk Enterprise Security is to understand the basics of logging systems first and determine your use cases before building specific functionalities in Splunk Enterprise Security.

We have recently upgraded to Splunk Enterprise Security 8.0, and we are evolving everything now. We are evolving frameworks and many other things within it. I would rate this review an 8.5 overall.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jun 19, 2026
Flag as inappropriate
PeerSpot user
Mohan Janarthanan - PeerSpot reviewer
Associate Vice President at Novac Technology Solutions
Real User
Top 5Leaderboard
Jun 3, 2026
Unified analytics and AI-driven risk-based alerting have transformed our security operations
Pros and Cons
    • "The NLP-based thing will give risk-based alerting which will reduce more than 50%, but I could see only 30%."

    What is our primary use case?

    My use cases include continuous security monitoring on our log management, forensic activity, and threat detection piece and analytics of Splunk Enterprise Security. We are using Cisco and Splunk all-in-one console, where I can get the indexes, forwarders, and logs to consolidate my data center security and cloud portions. All logs will move to Splunk Enterprise Security.

    What is most valuable?

    They are good at the detection piece and the analytics piece. I do not want to create a customized rule. The rules which they have on the analytics piece cover part of my use cases. For example, if I want to create a manual use case in my other product, Splunk Enterprise Security, QRadar, or FortiSIEM, I have to create a manual use case. Here, I do not want to create anything. The analytics plays a major role. They have 2,000 analytics use cases where I can deploy based on my use case and environment.

    The only advantage I can communicate is that in threat detection, triaging, investigation, and response, I will get in a single platform. I do not want to go to multiple platforms. If I am using a SIEM product in one solution and a SOAR product in a different solution, I do not want to go to multiple management consoles. I want a unified console that I can use. That is Splunk all-in-one console.

    SecOps only the product does. Most of my unified governance will be taken care of by SentinelOne Enterprise Security. It has artificial intelligence, it has a SOAR, it has a SIEM. They have agentic artificial intelligence where we can integrate in SecOps platform.

    Triaging is part of risk-based solution. Risk-based alerting will reduce the alert volumes around 30% to 40%. They committed something, but at least I could see the risk-based alerting. From 30%, alert volumes are off now. Basically, it is reducing my manual L1 work.

    Normally on traditional SIEM, they will pull all the logs and send all the 100% volumes. All alerts will go to my SIEM console and manually we have to find the alerting. We have to create a use case and offense and see that. But they have an artificial intelligence piece. The NLP-based thing will give risk-based alerting which will reduce more than 50%, but I could see only 30%. They committed something. Probably it is only a matter of time. We can also leverage their threat intel platform. That is one of the major use cases and a decision factor while we are going with that product.

    What needs improvement?

    I have recently adopted the product. Six months ago I did the testing. Three months ago I started implementing the product.

    I have faced issues only while I was doing my UAT environment, not the production piece. While I was testing, I could see something.

    I have recently implemented the product. I do not want to give wrong commitment or wrong information. As of now, I have not come across any negative feedback or lack of services. I am not able to see anything. Because I am using it for last three months, if you are calling me after two months, probably I can explain better.

    For how long have I used the solution?

    I have been using the solution for three months only.

    What do I think about the stability of the solution?

    There has been no downtime so far, but I am using it for the last 90 days only. I have not faced any issues.

    How are customer service and support?

    The customer service has been excellent.

    Which solution did I use previously and why did I switch?

    We have not done Cloud Security Posture Management.

    It is a great solution for risk-based alerting. It is reducing my 30% workload currently.

    What was our ROI?

    For me, time is the most important factor. If you are saving time, definitely you are saving money also.

    What other advice do I have?

    Splunk Enterprise Security is what I am currently using. We discussed Distributed Services only, but not other products from F5. Regarding Zscaler Internet Access, I am not using that product. Regarding Unified Vulnerability Management, I told you no and I am not using that product. I am using Splunk Enterprise Security, which is a SIEM solution. SentinelOne is another product I have integrated. I integrated firewall logs, app gateway logs, and EDR logs. Threat detection capability is a unified threat detection, which is a basic one we are having. That is part of my SOAR platform. The artificial intelligence-powered security options gives a more fine-tuning alert mechanism where I can get the threat detections. I can do alerting and triaging. My whole incident response is based on that. Definitely it is a leading product. I would say analytics is the most valuable currently. I am comparing it with my Microsoft Sentinel. The proof of concept validations and concepts do take time while you are doing them. I have tested FortiCNAP, but I am not using it. I have tested the product but did not buy it. I am using FortiGate, which is a next-generation firewall. I am also using FortiRecon, FortiManager, FortiAnalyzer, and FortiSIM, and I am using FortiGate firewall on cloud. I am using eight to nine products from Fortinet. My review rating for this product is 9 out of 10.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Jun 3, 2026
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Splunk Enterprise Security
    June 2026
    Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
    904,680 professionals have used our research since 2012.
    Manager cybersecurity at Hexion Inc.
    Real User
    Top 5
    Aug 4, 2025
    Effectively monitors cybersecurity risks and improves IT landscape visibility
    Pros and Cons
    • "From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape."
    • "The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements."
    • "Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture."

    What is our primary use case?

    We use Splunk Enterprise Security for security monitoring purposes, and we have many security use cases configured to detect cybersecurity-related risks. We have 100+ use cases related to brute force attacks, ransomware, credential access attacks, et cetera.

    We use it for the extra security layer since we want to be very proactive and monitor our infrastructure fully end-to-end.

    How has it helped my organization?

    We now have a single platform where we can visualize our entire landscape. It's improved our security posture. We can see all the logs getting ingested, and if there are any anomalies, we're able to visualize that as well. The alerts help us be very proactive. We used to miss a few things happening in our organization. Now we get alerts on time. 

    What is most valuable?

    The best features I've experienced over the past six years with Splunk Enterprise Security are the ability to create use cases and the flexibility to customize searches and use cases based on our specific requirements. 

    It's user-friendly. You don't need to be an expert to create a use case. Even a basic understanding will allow you to do the work. There are lots of knowledge articles as well. 

    From a visibility perspective, the solution has significantly improved our organization by providing a single platform to visualize our entire IT landscape. This has also enhanced our security posture by enabling us to view all logs.

    We do connect with a Splunk representative on a monthly basis. They can proactively provide us with solutions. 

    What needs improvement?

    Regarding room for improvement, I expect Splunk to provide information about new features on a regular basis, such as notifications about enhancements that may improve security posture. I want these notifications to come to us quite regularly, as we always want to improve our security posture. 

    I'm interested in the notifications and alerts aspect, particularly since Splunk Enterprise Security's Mission Control feature was very proactive when it was rolled out.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for the last six years.

    What do I think about the stability of the solution?

    I would rate the stability at eight out of ten; we never had any gap in monitoring. That said, there were instances of backend issues that did not impact our monitoring.

    What do I think about the scalability of the solution?

    It is a scalable solution for our business, and I would rate it nine out of ten, as we have recently scaled it to monitor operational use cases.

    How are customer service and support?

    I would rate the technical support as nine out of ten. They are always on top of resolving issues, providing technical account manager details for further assistance. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We had tried IBM QRadar and Azure Sentinel previously.

    How was the initial setup?

    If I need to set up Splunk from scratch, I don't have to do a lot of planning. It's pretty straightforward. 

    It took about a month to deploy Splunk Enterprise Security, as we took many days to plan how to set up the architecture.

    There is some maintenance required once it is set up.

    What about the implementation team?

    The IT team exclusively uses Splunk Enterprise Security for assistance. The team is always there to assist.

    What's my experience with pricing, setup cost, and licensing?

    I don't deal with pricing. I have a fair understanding based on the market research; from what I've witnessed, the pricing is competitive.

    What other advice do I have?

    I rate Splunk Enterprise Security higher due to its user-friendliness. That is something on top of my list. 

    Splunk Enterprise Security is on top in terms of how users or administrators can manage it. Everything else looks pretty fine regarding the support we get from Splunk Enterprise Security. 

    I would rate Splunk Enterprise Security overall as eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    reviewer2755827 - PeerSpot reviewer
    Cyber Security Specialist at a financial services firm with 201-500 employees
    Real User
    Top 10
    Sep 11, 2025
    Has supported advanced security investigations and improved incident response through enriched data and valuable tools
    Pros and Cons
    • "The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit."
    • "Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area."
    • "My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution."

    What is our primary use case?

    My main use cases for Splunk Enterprise Security include cybersecurity threat, incident response, and security events.

    What is most valuable?

    The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit. 

    We are enriching data from Asset and Identity Management, and we have more data for our incident response and investigation with Splunk Enterprise Security when we need more data to investigate.

    I use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration currently supports my security operations as it's now on a POC, however, it's not in production right now. 

    I have expanded usage, and that process was very smooth. I assess the stability and reliability of Splunk Enterprise Security as very good.

    What needs improvement?

    Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area. 

    That additional features such as AI command help and more flexibility in the search should be included in the next release to make it more simple.

    The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection involve correlating data from multiple assets and networks simultaneously, as our network is very complex and we have not yet properly collected all the data from our various data centers within my environment.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for five years.

    What do I think about the stability of the solution?

    I have not experienced any downtime, crashes, or performance issues; it is very redundant.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security scales very well with the growing needs of my organization.

    How are customer service and support?

    I evaluate customer service and technical support as very good.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

    How was the initial setup?

    I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security very simple and straightforward.

    What was our ROI?

    I have yet to see an ROI.

    What's my experience with pricing, setup cost, and licensing?

    I'm not famiiar with the pricing. 

    What other advice do I have?

    My organization does not use risk-based alerting yet. My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

    The advice I would give to other organizations considering Splunk Enterprise Security is to design, design, design, and design. Expanding on what that means, you need to be very organized with what you want and what you want to achieve from the product because the deployment is very crucial; once you install it, it's very hard to change the topology and to add more tenants or search heads, which is very complex. The vendor can contact me with any questions or comments about my review. 

    On a scale of one to ten, I would rate Splunk Enterprise Security overall an eight.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    ROBERT-CHRISTIAN - PeerSpot reviewer
    CTO at a tech vendor with 10,001+ employees
    Real User
    Top 5
    Dec 22, 2024
    Has many predefined correlation rules and is brilliant for investigation and log analysis
    Pros and Cons
    • "They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good."
    • "Overall, Splunk is among the top three SIEM tools due to its capabilities and agility in bridging business analytics with security needs."
    • "It is very complicated to write your own correlation rules without the help of Splunk support."
    • "Most importantly, Splunk can be outrageously expensive. That is the problem with both Splunk and Sentinel. Their pricing literally explodes based on the amount of data you feed in."

    What is our primary use case?

    We are an MSSP, and some of our customers have Splunk Enterprise Security, and we run it for them.

    How has it helped my organization?

    Splunk Enterprise Security is very good for helping us find any security event across multi-cloud environments.

    Splunk's unified platform works very nicely to help consolidate networking, security, and IT observability tools.

    It helps speed up security investigations. There is a 25% to 30% improvement. There is also a 25% reduction in the mean time to resolve, but we are also using a SOAR tool, which reduces that by 70% to 80%. 

    What is most valuable?

    They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good.

    What needs improvement?

    It is very complicated to write your own correlation rules without the help of Splunk support.

    What Splunk could do better is to create an API to the standard SIEM tools, such as Microsoft Sentinel. The idea would be to make it less painful. In ELK Stack, Kibana is the query language with which you can search log files. I believe Splunk has also a query language in which they search their log files, but once you have identified the log file that you want to use for further security correlation, you want to very quickly transport that into your SIEM tool, such as Microsoft Sentinel. That is something that Splunk could make a little bit less painful because it is a lot of effort to find that log file and forward it. An API with Microsoft Sentinel or a similar SIEM tool would be a good idea.

    For how long have I used the solution?

    I have used the solution for about five years.

    What do I think about the stability of the solution?

    It is very stable. Sometimes it can be sluggish, especially in completely virtualized environments, but overall, it is good.

    What do I think about the scalability of the solution?

    I would rate it a nine out of ten for scalability. They struggle a bit with pure virtual environments, but in terms of how much they can handle, it is pretty good.

    How are customer service and support?

    Based on what customers tell me, it has been good. If you want to write your own correlation rules, it is very difficult to do, and you need Splunk's support to write new correlation rules for the SIEM tool.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    In our organization, we use our own tools such as Kyndryl Bridge and Elastic. We use Kyndryl Bridge which essentially has a similar function. It is based on Elastic. It indexes log files and flags log files. It helps you to very quickly search log files similar to the Splunk algorithm.

    Our clients use Splunk Enterprise Security. If somebody already has Splunk as a business intelligence tool, then very often, it makes sense to expand the Splunk subscription they have to include Enterprise Security as well. We base our decisions on customer requirements, not on anything else. If a customer comes to us looking for a SIEM solution, we advise them based on their infrastructure and objectives. If we deliver the service for them and they want us to do that, we mostly go with Microsoft Sentinel when they already do not have Splunk. Otherwise, we go with Splunk Enterprise Security. We have about 30 customers in Germany who have Splunk, and we run it for them.

    Monitoring multiple clouds with Splunk Enterprise Security is no more difficult than it is with Sentinel. I find Sentinel a bit easier. Splunk, of course, is very useful if you have AWS. Generically, because Splunk is not a cloud provider itself, it fits with anything. However, integration can be challenging at times, especially in virtualized environments. Splunk struggles a bit with speed in virtualized environments. Most importantly, Splunk can be outrageously expensive. That is the problem with both Splunk and Sentinel. Their pricing literally explodes based on the amount of data you feed in.

    I like Elastic SIEM. It is a tool that allows you to determine the price. It is based on the computing power you require and not on the amount of data you put in, so it is a lot more flexible than Splunk or Sentinel. If there is a cost concern, Elastic SIEM is a good idea. Elastic is also pretty good at creating on-premises data lakes to control the amount of information you put into the same tool. That is something that neither Splunk nor Sentinel offers. 

    In our operations, we use a separate threat intelligence vendor. To the SIEM tool, we added a SOAR tool for security orchestration, automation, and response, which is very critical these days. We get threat intelligence from a third-party provider because neither Splunk nor Microsoft gives the coverage that our customers need. Splunk does not have a SOAR capability, so we add that on top. We could add that on top of any tool, so it is not specific to Splunk, but Splunk helps because going through the log files is very fast. It does help when you do the incident analysis. Elastic also provides that, and Sentinel has that to some degree, but Splunk is still the Google for log files.

    MITRE ATT&CK framework is integrated pretty much into any SIEM tool. It is not unique to Splunk. It is there in QRadar and other solutions. MITRE ATT&CK framework is helpful when designing incident response plans or playbooks. It is nice that they have it, but that is nothing unique to Splunk.

    How was the initial setup?

    It is mostly a cloud solution.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is based on the volume of data fed into it, which can lead to substantial costs. This pricing model is complex and unpredictable, making cost management difficult.

    Many parts of the IT world price based on IP addresses, nodes, or the number of devices. Splunk, of course, prices its services based on the volume of data submitted into the Splunk system. From a security perspective, it is very hard for clients to figure out how many security events per second their SIEM tool needs to work with. With Splunk, it is not just the events per second. They also need to know how much data per event per second the Splunk SIEM tool needs to work with. That is almost impossible to indicate.

    Microsoft Sentinel is just as weird as Splunk. They also base the price on the amount of data you feed, whereas Elastic has a very interesting approach. It is not the amount of data you feed in; it is the amount of processing power you want to use. If you have a very large amount of data and want to correlate that very quickly, you need a lot more processing power. They base the pricing on processing power rather than on the amount of data. That is not a bad approach because that is scalable up and down depending on the needs of the organization, so the pricing from Splunk is a bit weird. That is what most people that I speak to are unhappy about because the cost can literally explode. I saw clients spend two million dollars a year just feeding data into the Splunk solution. You might have spent two million in feeding data into the SIEM tool a year, but the next year, it could be half of that. You find yourself frequently in an unpredictable situation of how much cost you are going to generate with your SIEM tool, so Splunk or Cisco needs to come up with a better and more scalable way of pricing their SIEM tool.

    What other advice do I have?

    Overall, Splunk is among the top three SIEM tools due to its capabilities and agility in bridging business analytics with security needs. They very much deserve where they stand on the Gartner Magic Quadrant. I like it a lot better than ArcSight, which was owned by HP at one point or another. In comparison to that, Splunk is much more agile and quick. It comes from a business analytics perspective. It is a lot easier to build the bridge between the business and security based on that platform. As far as stability and scalability are concerned, it is a brilliant solution.

    I would rate Splunk Enterprise Security a nine out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
    PeerSpot user
    reviewer2756172 - PeerSpot reviewer
    Incident Response Engineer at a international affairs institute with 1,001-5,000 employees
    Real User
    Top 20
    Sep 13, 2025
    Improves threat detection and streamlines investigations with integrated threat intelligence
    Pros and Cons
    • "I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security."
    • "Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, providing a way to test the rules in the production environment."

    What is our primary use case?

    My main use cases for Splunk Enterprise Security include insider threat hunting, supporting operations, and Threat Intel integration for security; I have a lot of use cases.

    How has it helped my organization?

    The features of Splunk Enterprise Security benefit my organization by providing a faster response and making it easier for the analyst to investigate.

    What is most valuable?

    The features I appreciate the most about Splunk Enterprise Security are the Enterprise Security features, the threat intelligence of Enterprise Security, the onboarded ones, and the versioning of the rules introduced on Enterprise Security; these are the top ones.

    My organization uses risk-based alerting in Splunk Enterprise Security. Splunk Enterprise Security has supported my SOC a lot, however, we have some challenges due to the architecture of our network, so there is some custom work to be done by Splunk engineers to help us maximize the benefits.

    I am using new threat detection features in Splunk Enterprise Security, including the onboard ones and Mandiant. These new features have highly improved our threat detection capabilities.

    Splunk Enterprise Security has helped improve my organization's business resilience.

    I'm not dealing with pricing, setup costs, or licensing for Splunk Enterprise Security; I'm focused on the technical part. What works with Splunk Enterprise Security is that it does work in general; I haven't faced any challenges; it's great.

    What needs improvement?

    Improving Splunk Enterprise Security is a challenging task; I have already reported several technical issues to the relevant teams and received solutions from them.

    One favor I ask for them is just to keep maintaining the on-prem version of Enterprise Security and not move everything to the cloud since we operate mostly in an air-gapped environment, so we only use some of the features of it.

    Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, and providing a way to test the rules in the production environment.

    For how long have I used the solution?

    I've been using the solution for 11 years.

    What do I think about the stability of the solution?

    I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security scales pretty well with the growing needs of my organization; we don't have issues. I have expanded the usage of Splunk Enterprise Security a lot. The process of expanding usage has been smooth; I have no problems so far, and it scales very easily.

    How are customer service and support?

    I would evaluate customer service and technical support for Splunk Enterprise Security as fast.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    I would describe my experience with deploying Splunk Enterprise Security as straightforward.

    What was our ROI?

    I have seen a return on investment with Splunk Enterprise Security, definitely, however, I don't have the specific metrics to back that up.

    What other advice do I have?

    The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is alert fatigue. Although there are ways to mitigate it, it remains a persistent issue, as evidenced by complaints from analysts. While alert fatigue is alleviated to some extent, it still persists.

    My advice to other organizations considering Splunk Enterprise Security is to at least give it a try; I know there are other solutions in the market, some of which may even be better than Enterprise Security, however, you have everything on a single pane of glass, so I think it's definitely something that enterprises should test.

    On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Ahmed Al-Nabhani - PeerSpot reviewer
    Systems Engineer at Dell Technologies
    Real User
    Top 20
    Aug 3, 2025
    Provides threat intelligence, good visibility, and detects threats faster
    Pros and Cons
    • "Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years."
    • "Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization, eliminating the need for siloed solutions and enhancing the capabilities of existing engineering software."
    • "I'd like a dashboard that allows me to connect elements through drag-and-drop functionality."

    What is our primary use case?

    Typically, the standard approach for Splunk sizing involves gathering data from the entire IT environment, regardless of whether it's hardware, virtualized, or application-based. This data is then collected and monitored through Splunk as a comprehensive security solution. We also work with Splunk-related platforms like Application Performance Monitoring to provide a holistic view of system performance. Recently, we implemented this solution for a bank in Jetar. Splunk excels at collecting high-volume data from networks, making it ideal for performance monitoring and scaling. During the sizing process, it's crucial to calculate the daily data ingestion rate, which determines the amount of data Splunk Enterprise needs to process and visualize for security purposes. Several factors need consideration when sizing Splunk: tier structure hot and cold buckets, customer use cases for free quota access, and storage choices based on data access frequency. Hot buckets typically utilize all-flash storage for optimal performance and low latency, while less frequently accessed data resides in cold or frozen buckets for archival purposes. In essence, the goal is to tailor the Splunk solution to meet the specific needs and usage patterns of each customer.

    One challenge that our customers face is slow data retrieval. Customers may experience delays in retrieving call data due to complex search queries within Splunk Enterprise Security. These queries can sometimes take up to an hour and a half to execute. Our architecture incorporates optimized query strategies and customization options to significantly reduce data retrieval times. This enables faster access to both hot and cold data. 

    Another challenge is scalability constraints. Traditional solutions may have limitations in scaling to accommodate increasing data volumes. This can be a significant concern for customers who anticipate future growth. Our certified architecture is designed for easy and flexible scalability. It allows customers to seamlessly scale their infrastructure based on their evolving needs, without encountering the limitations often faced with other vendors' solutions.

    The final challenge is complex sizing and management. Traditional solutions often require extensive hardware configuration and sizing expertise, which can be a challenge for many organizations. This reliance on hardware expertise can hinder scalability and adaptability. Our architecture focuses on software and application administration, minimizing the dependence on specific hardware configurations. This simplifies deployment and ongoing management, making it more accessible to organizations with varying levels of technical expertise.

    Our architecture leverages Splunk's native deployment features, including: 
    Index and bucket configuration. Data is categorized into hot, warm, and cold buckets for efficient storage and retrieval. Active/passive or active/active clustering. This ensures high availability and redundancy for critical data. Resource allocation. Data, compute, and memory resources are distributed evenly across clusters for optimal performance.

    For high-volume data ingestion exceeding 8 terabytes per day, we recommend deploying critical components on dedicated physical hardware rather than virtual machines. Virtualization can introduce overhead and latency, potentially impacting performance. Utilizing physical hardware for these components can help mitigate these bottlenecks and ensure optimal performance for large data volumes.

    How has it helped my organization?

    Splunk Enterprise Security provides visibility across multiple environments. IT leaders and management directors often seek a simplified monitoring tool that can handle everything. However, using a third-party tool or a monitoring tool for multiple environments comes with certain considerations. These may include software version upgrades, connector updates, or API integrations for collecting specific metrics beyond the usual ten. Therefore, the key factors for a customer choosing a monitoring solution are, how easily can the tool integrate with existing physical, virtual, microservices, or hyper-scaler environments, whether it can provide a centralized view of monitoring data across multiple environments, and whether it can integrate with existing data analytics tools like Cloudera, Starburst, or Teradata. Integrating a monitoring solution with data analytics is crucial for a complete picture. While a standalone monitoring solution can help with capacity planning, data analytics provides insights for code analysis and historical data. This allows management to plan budgets, reduce costs, and make informed decisions for the future. Combining a monitoring tool like Splunk Enterprise Security with a data analytics engine like Cloudera or Teradata maximizes the value of data and empowers better decision-making.

    Our monitoring tools offer various functionalities, including detection and third-party integration. For example, we have an integration with TigerGuard, a platform for threat detection. Additionally, we provide robust auditing capabilities to track changes within the environment. This helps identify potential intrusions and suspicious activity, whether from internal or external actors. To ensure the security of our monitoring tools, we implement several prevention and protection mechanisms. This includes continuous monitoring of logs and audits, even in case of tool failure. Leading enterprise monitoring solutions often connect to dedicated audit servers via SNMP traps, providing a centralized view of all infrastructure changes. This allows administrators, like Splunk users, to easily track modifications and identify potential security risks. Furthermore, individual software products within our monitoring suite have their access control lists and security measures. These may include features like certificates, user authentication, and security manager integration. Additionally, some products offer optional plugins or add-on licenses to enhance their auditing capabilities and meet specific organizational security requirements. Security is a complex and multifaceted topic, encompassing various aspects. This includes data location, user activity monitoring, intrusion prevention, and incident recovery procedures. Addressing these concerns effectively requires a comprehensive security platform assessment that evaluates the entire system, from hardware to applications, ensuring data integrity, encryption, and overall security at every layer.

    Threat intelligence management utilizes dedicated tools for both threat and incident management. These tools help organizations define their response plan in case of an event, including how to recover, what the RTO and RPO are, and how to achieve them. This ensures the organization can recover quickly and efficiently in the event of a failure, unauthorized access, or data deletion. While threat incident management strategies may vary depending on the customer, the banking sector typically undergoes rigorous threat management inspections. While I may not be a threat management expert, there are crucial security measures to consider, encompassing personnel training, hardware security, and application controls. These elements, when orchestrated harmoniously, contribute to a secure environment that minimizes the risk of breaches, facilitates successful audits, and ensures data integrity.

    The effectiveness of the threat intelligence management feature depends on how the customer responds to various threats, such as ransomware or network intrusions. While the tool provides recommendations, it requires customization to align with each organization's unique categorization criteria like high, medium, low, and specific security objectives. Ultimately, the goal is to protect data, enhance security, and ensure effective incident response procedures. Deploying the threat intelligence tool necessitates customization for each customer. Default settings may not be optimal, as human intervention might be necessary to address potential software errors or inaccurate recommendations. In such cases, manual intervention might be more effective. Therefore, the tool's usefulness depends on the specific threat, its recommendations, and the organization's response approach.

    Splunk Enterprise Security is a powerful tool for analyzing malicious activity and detecting breaches. However, its effectiveness depends heavily on proper configuration and skilled administration. They must be able to connect Splunk with the necessary parameters, collect logs daily, and analyze them effectively. They must also have the ability to query Splunk efficiently to gather relevant data, an understanding of use cases and how to integrate with other systems securely, customization of the environment to meet specific needs, including adding connectors and add-ons, and visualization of data in a way that is clear and actionable for both analysts and management. While Splunk is a valuable platform, it requires careful management and expertise to unlock its full potential. Companies deploying Splunk should invest in skilled administrators to ensure its effectiveness in securing their environment.

    Splunk helps us detect threats faster. As a Splunk administrator, I can monitor for suspicious activity, such as sudden changes in behavior, high resource utilization on specific file shares, or unusual data transfers. These events can trigger questions, like, Why is the system experiencing high utilization, is data leaking and being transferred elsewhere, why is this application consuming excessive resources, why has data suddenly disappeared from the system? Splunk Enterprise Security provides valuable insights and helps identify potential security issues. However, integrating threat intelligence management with Splunk can further automate this process. When suspicious activity is detected, the system can automatically take predefined actions. However, these actions require customization and testing before implementation. This may involve, customer review and approval of the automated response, POC testing to validate the effectiveness of the response, regular monitoring of the system's behavior and response to threat intelligence, and fine-tuning or customization of Splunk Enterprise Security settings to optimize threat detection and response.

    Splunk has been beneficial to our organization from a partnership perspective. Even after Dell's acquisition of Cisco, our strong collaboration and certified solutions continue. This partnership strengthens our position with customers seeking the best solutions on the right platform. For example, if a customer requires a Splunk solution and a competitor lacks certified solutions, it could hinder their trust and purchasing decision. In contrast, our close collaboration with Splunk and certified add-ons for Splunk Enterprise Security adds value. We possess expertise in various Splunk architectures. I've worked with over four banks in Saudi Arabia alone that utilize Splunk and Dell hardware. Globally, we cater to diverse Splunk architectures and platforms, ensuring customer satisfaction with our diverse technology expertise. While we acknowledge competition, the focus here is on how our partnership with Splunk enhances the integration experience, offering both tightly coupled and loosely coupled architectures.

    Since implementing Splunk Enterprise Security, we've observed improvements in both stability and the accuracy of data visualization. The low latency allows us to efficiently query the extensive data it provides. Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization. This unified platform eliminates the need for siloed solutions and enhances the capabilities of existing engineering software. While Splunk is a popular choice for data analysis due to its powerful features, its pricing structure based on daily data ingestion can be expensive. This pricing model, however, allows them to accurately charge based on resource usage. It's important to consider your data collection and visualization needs to determine the appropriate licensing tier. While other monitoring tools might share similar pricing models, Splunk distinguishes itself through its data segregation across various components. This simplifies communication between indexes, forwarders, and searches, allowing for efficient data processing within a single platform. Additionally, Splunk excels in data visualization and analytics, making it a leading choice for security and observability solutions. Their recent top ranking in Gartner's observability category further emphasizes their strengths. This recognition stems from their platform's compatibility with diverse hardware vendors, exceptional data visualization capabilities, and innovative data segregation strategies. Splunk's tiered access control and efficient cold/frozen data storage further enhance its value proposition. Ultimately, Splunk empowers users to interact with their data effectively. This valuable asset, when properly understood and visualized, can provide actionable insights without impacting network or application performance. Moreover, Splunk's customization and implementation potential extend beyond data analysis, offering recommendations and threat intelligence for proactive security measures. In conclusion, while Splunk's pricing might initially appear expensive, its comprehensive features and capabilities justify its cost for organizations seeking advanced data analysis and security solutions.

    Realizing the full benefits of Splunk Enterprise Security takes time. While the software itself can be deployed quickly, it requires historical data to function effectively. This means collecting data for some time before you can rely on it for accurate insights. Several factors contribute to the time it takes to see value. First, there is deployment and customization. Setting up Splunk involves hardware, software, and integration, which can be time-consuming, especially during the first year. The second is data collection. Building a historical data set takes time, and the initial period may not provide significant value. There is also customization and training. Tailoring reports and training users requires additional investment, potentially involving workshops and professional services. To expedite the process, Splunk offers various resources including, proof of concept which allows testing Splunk with a limited data set for a specific period. Splunk may offer temporary free licenses for small workloads to facilitate initial evaluation. Splunk provides educational resources to help customers understand and utilize the platform effectively. Additionally, some partners leverage their Splunk expertise to help customers. Partners can educate and guide customers through the process, streamlining their experience, and assist with customizing reports and training users, accelerating the value realization process. By understanding these factors and leveraging available resources, organizations can optimize their Splunk implementation and achieve its full potential within a reasonable timeframe.

    What is most valuable?

    Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years. This has made it a popular choice for many organizations, including those in the banking industry. Currently, only one of our banks utilizes QRadar. This may be due to the cost associated with switching from Splunk, which can be expensive. As a result, the customer might be prioritizing financial considerations over functionality at this time. It's important to note that while Splunk is recognized as a leader in platform capabilities, the decision to use a specific solution should ultimately be based on both functionality and cost considerations. This is why we have established a joint engineering team with Splunk to develop a platform that meets the needs of our customers.

    What needs improvement?

    I'd like a dashboard that allows me to connect elements through drag-and-drop functionality. Additionally, I want the ability to view the automatically generated queries behind the scenes, including recommendations for optimization. This is just a preliminary idea, but I envision the possibility of using intelligent software to further customize my queries. For example, imagine I could train my queries to be more specific through an AI-powered interface. This would allow me to perform complex searches efficiently. For instance, an initial search might take an hour and a half, but by refining the parameters through drag-and-drop and AI suggestions, I could achieve the same result in just five minutes. Overall, I'm interested in exploring ways to customize queries for faster and more efficient data retrieval. Ideally, the dashboard would provide additional guidance and suggestions to further enhance my workflow through customization and optimization.

    For how long have I used the solution?

    I have been using Splunk APM for four years.

    What do I think about the stability of the solution?

    The stability of Splunk Enterprise Security depends on how data is tiered. Splunk recommends different storage options based on data access frequency and volume. Hot and warm data: This data is accessed frequently and requires fast storage like SSD or NVMe. Cold and frozen data: This data is accessed less often and can be stored on cheaper options like Nearline, SaaS, NAS, or object storage.

    Splunk prioritizes cost-effectiveness and recommends low-tier storage for cold and frozen data, which typically makes up the majority of customer data. This reduces costs compared to expensive SAN storage. However, the decision ultimately depends on the customer's budget and specific needs. Customers with limited budgets or small use cases might choose to store all data on a single platform initially and expand to dedicated cold and frozen storage later. This approach requires manual configuration changes e.g., modifying index.conf and forwarder configurations to redirect data to the new tier.

    While Splunk recommends optimal tier configurations for hot, warm, cold, and frozen data, the final decision rests with the customer based on their budget and specific requirements.

    Changes to storage tiers can be implemented later through configuration adjustments, but this process might be more complex than using dedicated storage from the beginning.

    Overall, Splunk guides the best tier options for different data access patterns while acknowledging the customer's autonomy in making the final storage decision.

    What do I think about the scalability of the solution?

    We have ambitious expansion plans. As our customer base grows, we see significant increases in data ingestion. For example, one of our largest Splunk customers has increased its daily data ingestion from two terabytes to eight terabytes in just three years. This expansion benefits both the customer and Splunk. The customer gains valuable insights from the additional data, while Splunk increases its revenue through additional license sales. However, it's important to note that expanding data ingestion requires careful consideration of hardware limitations. Increasing data volume necessitates adding more forwarders, indexes, and searches, which can impact Splunk licensing requirements. This highlights the crucial need for comprehensive planning and resource allocation during expansion initiatives. Furthermore, we have observed instances where customers unintentionally exceed their licensed data ingestion capacity. For example, one bank was ingesting six terabytes of data per day while only holding a four-terabyte license. This underscores the importance of close monitoring and proactive license management to ensure compliance and avoid potential licensing issues.

    Which solution did I use previously and why did I switch?

    Our expertise extends beyond Splunk. We offer certified architectures for other SIEM solutions like IBM QRadar, catering to diverse customer requirements. However, IBM QRadar does not have as wide of a platform as Splunk Enterprise Security.

    What's my experience with pricing, setup cost, and licensing?

    Splunk can be expensive, as its licensing is based on the daily data ingestion volume. While we've observed numerous implementations, most are executed remotely by Splunk itself. However, if on-site assistance from a Splunk engineer is desired, it can be costly due to travel expenses from either the Dubai office or Europe. To address this, Splunk is exploring partnerships to offer implementation services at more accessible price points.

    For someone evaluating SIEM solutions and prioritizing cost, traditional marketing materials may not be the most effective approach. Customers in Saudi Arabia, like many others, often appreciate tangible demonstrations of value. Therefore, consider offering a POC to showcase Splunk's capabilities in their specific environment. Investing in the customer through various strategies can demonstrate your commitment and build trust. Granting temporary access allows them to experiment with Splunk firsthand. Provide resources and support to help them learn and utilize the platform effectively. Leverage your partner network to offer additional training and expertise. Invite key decision-makers to exclusive events or meetings with Splunk leadership, fostering a deeper connection and understanding. Remember, success often hinges on addressing specific needs. While POCs and business cases are crucial, consider potential customization requirements and existing workflows. If they've used a different tool for years, transitioning may require additional support and training due to established user familiarity. Splunk's investment in the customer journey goes beyond initial acquisition. By offering POCs, temporary licenses, training, and even exclusive experiences, you demonstrate value and commitment, ultimately fostering long-term success. Demand generation, in essence, boils down to two key aspects, Identifying their specific requirements and desired outcomes, and recognizing that different customers have varying budgets, experience levels, learning curves, expectations, and decision-making processes. While some customers may be more challenging to persuade, others readily embrace the extra mile. Enterprise clients often fall into the latter category due to their greater flexibility in resource allocation, dedicated security operations teams, and ability to invest in necessary hardware. Remember, SIEM solutions often involve hardware considerations beyond just software, so understanding these additional costs is crucial for accurate solution sizing and customer budgeting.

    Which other solutions did I evaluate?

    Several competitors to Splunk exist in the market, including IBM QRadar, AppDynamics which is used by some customers for monitoring and security, and Micro Focus used for enterprise monitoring, incident reporting, and capacity planning. While Dynatrace is a leader in the field, its presence in the banking sector, particularly in Saudi Arabia, seems limited, perhaps due to having only one certified partner acting as its distributor. In contrast, Splunk boasts a wider network of partners who actively implement and enable customers, leading to its increased market prevalence.

    What other advice do I have?

    I would rate Splunk APM a nine out of ten.

    Monitoring multiple hyperscalers with a single tool can be challenging. While some tools like VMware CloudHealth offer limited cross-platform capabilities, they often focus on specific aspects like virtual instances and storage. For comprehensive cloud monitoring across different hyperscalers like Azure and AWS, third-party solutions are typically necessary. Here at Dell, for example, we focus on monitoring tools for our own workloads and installed base, allowing integration with third-party solutions for cloud environments. This enables customers with workloads across multiple hyperscalers to leverage established enterprise monitoring tools like New Relic, AppDynamics (Cisco), Micro Focus (HP), and Splunk for unified visibility. Ultimately, choosing a solution often involves balancing operational and capital expenditures. By employing third-party tools, organizations can achieve comprehensive monitoring across various cloud environments while potentially reducing overall costs.

    We offer various deployment options for Splunk to cater to diverse customer needs and regulations. We can deploy Splunk on various infrastructures, including hyper-converged, bare-metal, two-tier, and three-tier architectures. While cloud deployment is an option, regulations from the Saudi Central Bank restrict customer data storage outside the kingdom. Therefore, most of our customers in the financial sector opt for private or local cloud solutions. While a dedicated private cloud experience for Splunk isn't currently available, customers are seeking access to features like the SmartStore, a caching tier that is now bundled with the Enterprise Security license previously offered separately from version 7X onwards. The chosen deployment approach depends on factors like budget, customer expectations, performance requirements, and compatibility with Splunk's recommended sizing solutions. We utilize both internal sizing tools and Splunk's official tools to ensure proper resource allocation for indexers, search heads, and forwarders based on specific customer needs. We have deployed our Dell servers, storage, and data protection solutions. Additionally, we have implemented a reference architecture. From a hardware perspective, we have everything in place to support Splunk as a reference architecture. This is indisputable, as it reflects our current infrastructure.

    I have one customer who uses Splunk on a single site. In contrast, other customers have deployed Splunk in an active-active cluster configuration across two sites, effectively segregating the data across the environments with two-factor authentication. For these other environments, I have observed that each customer has a unique monitoring perspective or performance requirement, reflected in their individual subscriptions.

    Splunk is responsible for software maintenance, while we handle the hardware aspects.

    Splunk Enterprise Security is one of the most mature security solutions available. While it is expensive, it offers good value by providing the necessary security measurements, monitoring, and auditing capabilities required for running an enterprise environment. 

    The combined forces of Splunk and Dell create significant resilience for us. Our joint architecture, strong alignment between the Dell account team and Splunk sales and presales, and collaborative efforts have been instrumental in addressing specific customer needs, such as sizing. This collaboration is mutually beneficial: Splunk focuses on selling licenses, while Dell prioritizes hardware sales. Unlike Cloudera, which optimizes licenses for its platform, Splunk bases licensing on the ingestion rate, demonstrating its alignment with our advanced architecture. This creates a win-win situation for both companies.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer2755854 - PeerSpot reviewer
    Senior Cyber Architect at a tech vendor with 10,001+ employees
    Real User
    Top 10
    Sep 11, 2025
    Improves threat detection through integrations and provides valuable support for meeting compliance objectives
    Pros and Cons
    • "I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security."
    • "The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment."

    What is our primary use case?

    My main use case for Splunk Enterprise Security is getting observability and insights in order to meet compliance objectives.

    What is most valuable?

    I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security. They've improved my threat detection capabilities.

    What needs improvement?

    The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment. The product is mature and continuing to mature. There could be a better opportunity to let larger groups outside of the community know about the ease of deploying the product.

    I'm finding that newer generations, including my own, don't respond well to TL; DRs that often come from third parties and are often incorrect. If there was more of a quick answer, perhaps with Splunk AI, they could start implementing that on the documentation page to let people who have trust in that get a quicker answer.

    For how long have I used the solution?

    Professionally, I have been using Splunk Enterprise Security in the last one to two years. Personally, I've used it several times as a hobby product and competitively in cyber games.

    What do I think about the stability of the solution?

    The product is mature. 

    How are customer service and support?

    I don't directly deal with technical support.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs, however, I can't go into details.

    How was the initial setup?

    I would describe my experience with deploying Splunk Enterprise Security as one that needs some more hand-holding. Some aspects of the language and understanding can be challenging for individuals unfamiliar with Splunk. There are opportunities to improve that dissemination.

    With training, I find deployment relatively easy. There's some self-service that has to be done as a user in terms of learning and understanding the product. Once you understand those workflows, it presents as a relatively easy and intuitive product to expand and grow into.

    What was our ROI?

    I have seen a return on investment with Splunk Enterprise Security. It's a useful system, and I would highly advocate it with any Splunk deployment.

    What's my experience with pricing, setup cost, and licensing?

    I'm not involved on the licensing side. 

    What other advice do I have?

    The features that have been demoed and debuted in Splunk Enterprise Security are of particular interest, and I'm interested to see where that journey continues. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security relatively easy with training.

    My advice to other organizations considering Splunk Enterprise Security is to try it. I would suggest getting a demo from Splunk as that's the worthwhile approach. It's better to see all the powers that this tool can bring in terms of those capacities rather than trying to figure it out on your own journey.

    I would rate Splunk Enterprise Security an eight out of ten. The only reason for this rating is, from an outside-in perspective, as someone who hasn't spent time either deploying it themselves or learning more of the nuances of how clustered designs work, it can be an intimidating experience and requires a lot of hand-holding. This creates a barrier to adoption.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    PeerSpot user
    Splunk Engineer at a consultancy with 11-50 employees
    Real User
    Jul 13, 2026
    Automated risk-based alerts have reduced incident response time and support faster remediation
    Pros and Cons
    • "The time it takes my SecOps team to remediate security incidents is very reduced compared to before."
    • "Currently, in my opinion, Splunk Enterprise Security is good. However, Splunk has an ingest processor that could be improved."

    What is our primary use case?

    My use case for Splunk Enterprise Security involves onboarding data and then CIM complying and normalizing fields. We are also using the data models mapping and the add-on configuration. We also have some correlation searches which are running using the data models. Using that, we have some dashboards that give us useful information and ideas of what we can do.

    How has it helped my organization?

    The time it takes my SecOps team to remediate security incidents is very reduced compared to before. Our security team gets notified very urgently and very fast, and we take action as per the alerts. This has reduced the time for us by a lot.

    It helps our customers.

    What is most valuable?

    The dashboard is the feature in Splunk Enterprise Security that I find most valuable because in the dashboard we have background searches, and the background search runs in the dashboard and gives us useful information. We also have alert automation, such as if someone is logging in to our system like a firewall. If the IP is malicious, then we get the alert at that time and we can block that IP.

    We are working with the risk-based alerting feature in Splunk Enterprise Security. We are using risk-based alerts called RBA. That assigns the risk to the user, the system, and the other entities instead of generating a notable event for every individual detection. Multiple low and medium confidence detections accumulate over time, and when the combined risk exceeds the defined threshold, a high-confidence alert is generated using that risk-based alert.

    We are working with a new threat detection feature in Splunk Enterprise Security. That helps the security teams to identify, investigate, and respond to malicious activities across the environment. We have some correlation searches that detect suspicious behavior using predefined or custom rules. We also have some notable events that run as very high-frequency alerts created by the correlation searches or the risk thresholds.

    What needs improvement?

    Currently, in my opinion, Splunk Enterprise Security is good. However, Splunk has an ingest processor that could be improved.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for two years.

    What other advice do I have?

    I am working with Splunk Enterprise Security.

    I use some third-party solutions for integration or to import data into Splunk. We are creating some custom add-ons. We are also using ServiceNow. When some alerts are triggered, then the incidents will automatically trigger and be assigned to the necessary team. That type of customization we are using for the data collection. If you have some API integration, then you can create your own add-ons using those APIs and the credentials, and you can directly pull the logs from the APIs into Splunk.

    It is easy to customize Splunk Enterprise Security for our needs. We can customize as per our requirement. If you want to create some dynamic dashboards, then you can also create them as per your use case. It is also the same for the saved search and for the extraction. We can customize things as per our use cases and ideas.

    I gave this product a rating of eight.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    Last updated: Jul 13, 2026
    Flag as inappropriate
    PeerSpot user
    reviewer2123547 - PeerSpot reviewer
    Security Analyst at a tech vendor with 10,001+ employees
    Real User
    Top 20
    Jun 16, 2026
    Unified security monitoring has improved incident response and supported flexible threat detection
    Pros and Cons
    • "Splunk Enterprise Security is a wide tool that we can use for different purposes, as it can be configured in many ways, not just as a SIEM, and we can leverage it in various ways."
    • "Whenever an upgrade happens from a lower version to the latest version, some things get complicated, particularly compatibility issues, which we usually see in Splunk Enterprise Security."

    What is our primary use case?

    During the initial two years, I was an incident response analyst who used Splunk Enterprise Security as a SIEM tool, and in the recent two years, I work as an admin who handles the integration part, content management part, and the detection response engineering.

    We use disparate security solutions with additional IDS, IPS, and EDR tools integrated into Splunk Enterprise Security for single-handled monitoring for the analyst's ease. We do not need to go to each tool separately; instead, we integrate all of them into the Splunk Enterprise Security interface, allowing us to monitor them via Splunk Enterprise Security.

    Regarding Risk-Based Alerting in Splunk Enterprise Security, we used to tag alerts while creating correlation searches in Splunk Enterprise Security.

    I work with both on-premise and cloud-based setups.

    How has it helped my organization?

    Splunk Enterprise Security really helps improve business resiliency as we frequently capture real attacks.

    What is most valuable?

    In terms of customization ability and development capability inside Splunk Enterprise Security, it is very easy. Splunk Enterprise Security is a wide tool that we can use for different purposes. Splunk Enterprise Security can be configured in many ways, not just as a SIEM, but we can leverage it in various ways. The application add-on support from Splunk is very wide, making it very easy for configuration and customization.

    The functions in Splunk Enterprise Security that I find most valuable are its ability to integrate any type of logs into the system. It is very user-friendly to read logs in any languages, which we can convert into a human-readable format in Splunk Enterprise Security, making log analysis and monitoring very useful compared to competitive SIEM tools.

    The main benefits Splunk Enterprise Security provides to end users include a wide view, allowing us to have different kinds of views for the logs, and we can search according to the retention period we set in Splunk Enterprise Security. This capability and storage are good enough to retrieve older data for evaluation and analysis.

    I find that threat detection in Splunk Enterprise Security is a wide case; we have the opportunity to create correlation searches, dashboards, and even integrate threat intel solutions in multiple ways into Splunk Enterprise Security. We can leverage these opportunities to get alerts based on these searches.

    What needs improvement?

    Whenever an upgrade happens from a lower version to the latest version, some things get complicated, particularly compatibility issues, which we usually see in Splunk Enterprise Security. In those cases, it sometimes definitely requires Splunk Enterprise Security's support or vendor support to resolve those issues. Compatibility issues during upgrades are a major concern.

    I am generally satisfied with the functionality of Splunk Enterprise Security, and my only concern is the compatibility issue during upgrades.

    For how long have I used the solution?

    I have been working with the product for four years.

    What do I think about the stability of the solution?

    I rate Splunk Enterprise Security's stability as a nine.

    What do I think about the scalability of the solution?

    I consider its scalability, ability to scale, and ability to expand to be a ten.

    How are customer service and support?

    I would rate vendor support as a nine.

    How was the initial setup?

    The initial setup for Splunk Enterprise Security is simple, and guides from Splunk Enterprise Security support are available on the internet, making it very basic. We can read and understand the next steps from there.

    What other advice do I have?

    On average, the time a SecOps team takes to remediate security incidents with Splunk Enterprise Security depends on projects. If the team is working as a threat hunt team, they do not have a proper SLA, but for incident handling, some projects have 15 minutes, others 30 minutes, one hour, or in some cases, up to four hours. It varies according to the project and client requirement; incident handling is different from incident response, which usually requires more time for detailed analysis.

    I am totally satisfied with Risk-Based Alerting because it works well; it works on intermediate findings. If multiple detections occur for the same host or IP, it looks for behavioral analysis and generates alerts for the analyst based on that risk, so it is actually working well in Splunk Enterprise Security.

    I can recommend Splunk Enterprise Security to other users. My overall rating for this product is eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company has a business relationship with this vendor other than being a customer. partner
    Last updated: Jun 16, 2026
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2026
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.