Splunk ITSI (IT Service Intelligence) Reviews

We have medical use cases. We monitor batch processes for our medical system. We batch-process data ingestion from our data warehouses just to make sure they're performing appropriately. If there's an outlier we'll report it or create an incident.

Splunk has just started to improve my organization. It's still in its infancy. We still have some kinks to work out, but it's actually giving us much better visibility than creating a normal Splunk dashboard. It's an easier process in that regard.

It has 100% improved my organization's business resilience. We're able to get better metrics. We have a project where we've actually saved the organization millions of dollars in regards to lost revenue. We were using Splunk Dashboards to determine a situation where billing wasn't being done correctly. Billing was never actually sent out to insurance companies, then that's where we found things that were falling between the cracks.

In terms of cost efficiencies, we're able to find situations where patient care is falling below the thresholds. We have other projects that are coming into play that are going to be huge for the organization that will be reporting back to the state. 

The most valuable feature is the Glass Tables. It gives you a nice, good overview of your KPIs. It's really slick and clean. 

Splunk's ability to predict, identify and solve problems in real time is excellent. We were able to see things we haven't been able to see before just because the data from multiple systems is so helpful.

Its ability to provide business resilience by empowering staff is excellent. Everybody wants to use it.

It could be a little easier to use with the thresholding. We've struggled a little bit with thresholding.

We have been using Splunk ITSI for one and a half to two years. 

Their stability is excellent. It's not a Windows product. I don't have to restart it. It's a ten out of ten.

We can scale horizontally. It's a nine out of ten.

Their support is good. During the time of COVID, it took a while to get somebody to get back to us, but that was expected. Overall, the support has been good. We haven't had many issues. We'll dig deep into the weeds before we even bother calling Splunk. 

I would rate support a seven out of ten. I wish their response time was better.

Neutral

Before ITSI, we had Datadog and there was one other product we were managing. We didn't have any visibility into it, and Splunk is a very visible product versus other ones where it's a little more locked down from the access respective.

We switched to Splunk because of the ease of use and the ability to ingest logs from pretty much everywhere. 

We had some in-house solutions, which weren't great because we were building in .NET versus something that's like Splunk, which we can pull data from everywhere, including from a .NET solution.

I was the first one to deploy it at the organization. We started with me and one manager, and then it turned into a team of five engineers, we had a riff, and we were down to three.

We made the mistake of initially deploying it on Windows. We learned very quickly that that was a big mistake and then we switched over to a Linux environment. In general, the deployment wasn't that bad. The documentation that Splunk offers has always been great. If we had any questions, we always went to support with those questions. It was pretty simple.

Other departments have seen ROI through being able to offer better and more efficient patient care. 

We like the old perpetual licensing model but everybody's going more towards the two-year. I think the professional services hours thrown in there is actually a pretty good benefit.

I would rate Splunk ITSI a nine out of ten. Not a ten because the learning curve makes it tricky.

We used Splunk ITSI to monitor service health and key performance indicators across various servers, such as CPU, memory, and disk utilization—advanced detection capabilities based on defined thresholds and triggered alerts. Splunk ITSI, integrated with ServiceNow, facilitated alert generation and management. Additionally, we leveraged ITSI for event analytics and created glass tables based on configuration items. We monitored specific KPIs and generated alerts via ServiceNow based on established thresholds to meet customer requirements.

Some clients have Splunk ITSI deployed in the cloud, and others are on-premises.

Using a client example, I'll explain the end-to-end visibility provided by Splunk ITSI. We have over a hundred clients in our environment. Once we onboard client data, such as cloud data, we subscribe to that cloud service and integrate the data into our Splunk environment. We then create data models and correlations integrated with the ITSI service. Within ITSI, we create correlation searches and schedule them to run regularly. Each time the Splunk schedule runs, it generates notable events and checks policies to determine if an event qualifies for a ticket. If it qualifies, an episode is created in ITSI, and a ticket is automatically generated in ServiceNow. This is the complete end-to-end process within Splunk ITSI.

We use predictive analytics based on the threshold values to help prevent incidents before they occur.

It does not take long after deployment for our clients to realize the benefits of Splunk ITSI because it immediately reduces alert noise.

Both Splunk ITSI and Splunk Enterprise Security handle incident management, but Enterprise Security utilizes common data models for improved detection. ITSI employs an "episode review" concept to analyze incidents, examining their generation, root cause, trigger alert, and any alerting failures. This provides comprehensive observability of each episode. Similarly, when integrating Enterprise Security with customer systems, pre-built common data models generate alerts that require monitoring to determine their cause, priority, and severity.

Splunk ITSI, using the correlation through event management, can reduce our alert noise.

We can correlate information to receive only relevant alerts, allowing us to quickly respond to issues.

The most valuable feature is event correlation, which ensures that only one ticket is generated per issue, eliminating duplicates and reducing noise from multiple alerts. This significantly streamlines issue tracking and resolution. Additionally, the system analyzes service performance by identifying areas of impact and tracking key performance indicators. This deep-dive analysis allows for the precise identification of issues and facilitates data-driven improvements.

While integrating services and KPIs in ITSI is straightforward, I found it challenging to analyze them with the service analyzers; specifically, using the deep dive feature to pinpoint the exact source and time of an issue proved difficult. Although I'm proficient in service analytics management, the deep dive aspect requires further development.

I have been using Splunk ITSI for two years.

Splunk ITSI is stable.

Splunk ITSI is scalable. It is easy to scale on the cloud platform.

The Splunk support team is adequate, but their response time is slow.

Positive

The deployment is straightforward. We acquired a license and integrated it into our current Splunk environment.

Splunk ITSI is a premium application and comes with a premium price tag.

I would rate Splunk ITSI nine out of ten. Splunk ITSI is a valuable tool for IT and operations teams.

I recommend Splunk ITSI. It's an excellent tool for infrastructure monitoring, direct management, and service analytics, providing a clear, consolidated view of your IT environment.

Splunk ITSI is a product for operations. I use it for detecting issues in the operations and generating alerts for them.

It is an intelligence platform for operational excellence.

The end-to-end visibility is a great thing about Splunk ITSI. It provides an end-to-end view to any user, from a normal engineer to a high-level manager.

We were able to realize the benefits of Splunk ITSI immediately.

Splunk ITSI helps to right-size resources to match the demand. It improves the quality. It is more organized. It can definitely help in rightsizing.

It helps to avoid duplicated alerts. If rightly implemented, it can reduce the duplication of alerts and provide more specific and accurate context.

Splunk ITSI has helped reduce incident volume. The reduction is implementation-dependent. If it is rightly implemented, we can reduce it to a very low percentage. Out of 100, we get only 10 alerts. If the context is correct, we only need one alert. This can be achieved with ITSI.

Splunk ITSI has helped reduce our alert noise, but I do not have the numbers because the initial implementation was not right. There were so many alerts, but when we corrected the implementation, it reduced them by a lot. I do not have the numbers, but thousands have become hundreds.

Splunk ITSI has helped reduce our mean time to detect (MTTD). It is at least five minutes. The mean time to resolve is dependent on the team. I do not have control over that because, in Splunk ITSI, we generate alerts for multiple teams, not just one team. It all depends on their SLAs.

Splunk ITSI helps us to automate alerting and automatically generate alerts or create incidents. It is not an automation tool to reduce mundane tasks.

Splunk ITSI helped us save costs by reducing downtime and manpower costs or avoiding SLA penalties.

The service analyzer view and automatic creation of incidents are valuable.

Better documentation would definitely help. Many people do not know about it, so better documentation and use case explanations would be helpful. There should be more YouTube videos about how to implement ITSI

The biggest improvement area is making it open to developers. Right now, it is very closed. It can only be downloaded by people who have a license to and not everyone. If it is open to everybody, more people will use it.

It has been quite a long time. It has been more than four or five years.

It is pretty stable. If we have the proper infrastructure, this tool is very stable. It does not crash.

Its scalability is high. It can scale very well. You can increase the size of the cluster. You can increase the capacity vertically and horizontally. It is very scalable.

They are good. They respond based on the SLAs. The quality of service depends on how informative you are when you provide the case details to them, but they have the ability to escalate it to higher levels and get help. They have the skills, but sometimes, the support is not in the UK. It sometimes comes from the US, so there may be time constraints when you set up a call. Otherwise, they are good.

Neutral

I have used other solutions. In the old days, I used a BMC system. Splunk ITSI is a completely different type of alerting system.

The BMC solution is more monotonic. It does not have the intelligence like Splunk ITSI to reduce the noise. It just picks up a metric and alerts based on that threshold, whereas, in ITSI, we have the control to reduce the number of alerts generated on the same threshold by adding some intelligence to it. It has the ability to do that Intelligence part. That is why it is called ITSI.

We have both on-premises and cloud deployment models. Its deployment is difficult for a beginner user. You need a consultant or somebody experienced in Splunk ITSI to implement it properly. Splunk ITSI is a premium product. You need very good Splunk infrastructure initially to run this on top. To run it properly, you should have good knowledge. You should at least have Splunk Architect-level certification. Otherwise, you can implement it, but it will not work properly or as you expect.

It is mostly a clustered solution. It is not normally done on a single server. We need to build the entire cluster. The initial build probably can take two weeks. Configuring everything can take a long time. Six months can be considered a good time to make it run properly for enterprise usage.

It needs regular upgrades, backups, and time-to-time updates to the system configurations. It requires a dedicated team. Once it is properly set up, less than ten people can manage it.

I am an ITSI consultant, so I am not a user. I set it up for customers.

The number of people required depends on how much data we need to bring in. If we have a lot of data and a variety of systems, more people are required. If we are just focusing on a singular system, one person can do the job.

In an enterprise environment, there are a multitude of systems and monitoring requirements. Usually, there is a team onboarding data and setting it up. 10-15 people are a good choice for a big enterprise, like a banking client.

It is more of a premium product. I do not have much visibility into pricing because it is taken care of by high-level enterprise customers. I just ask for the license that I need and they negotiate. It all happens between Splunk and the company. I know that it is expensive, but I do not think there is another solution that can do similar things for that price.

To someone who already has an IT alerting and incident management solution but is considering switching to Splunk ITSI, I would say that it will add value to their organization. It can reduce a lot of noise. I would suggest going for it, but it should be the right implementation. You should have knowledgeable people to implement it from the beginning.

It is not something that you just buy and switch on and will start working. It needs a lot of configuration and proper configuration to make it run properly. That is an important part for Splunk ITSI. It is not just the product. The person who is implementing it should be very good. Then only its value can be seen. Otherwise, you have the application but may not get the right value out of it.

Overall, from my experience, I would rate Splunk ITSI an eight out of ten.

We use Splunk ITSI for IT monitoring. It helps us monitor all our servers for things like CPU utilization and other performance metrics. We can integrate complex architectures with the service and connect the core to multiple data sources. Our customers' environments vary. In the last project, they had around eight departments and 75 employees, so I needed a web server for each department.

Before we shifted our customers to Splunk ITSI, they had issues getting insights in some circumstances. Now they have complete visibility from one dashboard. It helps them monitor and develop a proactive response to address the problems before they cause trouble. 

One issue we faced before implementing Splunk was that our customers couldn't predict how long it would take to reach their storage limit. Now we can categorize issues according to severity. 

Splunk ITSI has enabled us to streamline incident management by adopting aggregated policies. Instead of getting rid of incidents, we are placing these into several groups and removing the duplicates to see some insights based on previous incidents. 

We've been able to reduce alert noise using policies. By grouping the policies, we're able to avoid redundant alerts. When we used the other solution, we would sometimes get repeated warnings, but we eliminated that by implementing aggregate policies.

From IPSI, we can see the metrics and drill down. We can build a tool to check the metrics based on severity. Instead of taking every event's logs, we are directly getting the root cause of the issue. From there, we can see that it obviously reduces the rest of the time.

The solution has reduced our mean time to resolve issues. Before implementing it, we typically needed around six to eight hours to close a ticket. When we had an alert, we had to review all the native logs to find the correct server. With ITSI, I can see a score that tells me about potential issues before they arise. I can see if there is a critical problem with a server or application based on the data flows and resolve it. 

I like ITSI's service analyzer. We can integrate and group the service, then create multiple KPIs in the service analyzer we can monitor. We can use multiple connectors to get end-to-end network visibility. Many organizations prefer appliances, and we can completely integrate the appliance with the source to gain complex insights throughout the network.  

We are getting real-time insights from the service and the vendor and doing some projects using security analytics to check the path. We can monitor the behavior of an appliance or the organization and how they are using it. For example, you might see high usage on specific days and low usage on weekends. If we can identify patterns from this, it can help us predict the future.

We're using predictive analytics, and there are three or four algorithms. It would be helpful if this process were more standardized and scalable. 

I have used Splunk ITSI for nearly a year. 

Splunk ITSI is stable. The latest version is more stable than the previous one. 

Splunk ITSI is scalable. We can compare multiple APIs and services, so everything is organized and manageable. We can drill down to the bottom of all the logs on events.

I rate Splunk technical support a nine out of ten. If we work with cloud architecture, we usually need some help from Splunk, so we often need to contact support and ask for changes. We prepare the case, have a conversation with them, and get it done.

Positive

We were using service providers, but we had a log management solution and some other open source tools. We relied on custom builds of open source solutions. 

Splunk ITSI can be deployed in the cloud or on-prem depending on the customer's requirements. For example, if someone is running this in a closed environment, we can go with the on-prem deployment. Otherwise, customers will mostly go for a cloud deployment. We use AWS.

When I started the training, it seemed somewhat complicated, but once you learn a bit, it becomes straightforward. It isn't terribly complex. The deployment strategy depends on the scope of the project, such as whether you have a cluster or a distributed environment. 

You can deploy it with a team of three or four. Someone needs to take care of the prerequisites like clustering and another person might take care of the integration. Another will configure the dashboards. The process takes about five days.

We save substantial time on monitoring tasks because we don't have to search for what we need. Everything is packed, so you can drill down to the end values by just doing the kit. We don't spend a lot of time on this. Splunk ITSI is easy to use and not time-consuming.

The time to value is fast. The implementation takes time, but the customer can see value immediately once everything is configured, permissions are set, and we're ready to move. 

I rate Splunk ITSI a 10 out of 10. We need our website up 24/7, or we'll lose business. Every minute that it's down we lose money. I would recommend this to anyone who runs a business online and needs to monitor their infrastructure.

If you're considering a point monitoring system instead of ITSI, I would say it depends on the information you are using. Generally, Splunk ITSI is the advanced option that gives you multiple features together with service intelligence and analytics. You can make wonderful dashboards. Comparatively, this is enough to monitor the company's infrastructure. 

In ITSI, we can also integrate application and database logs, so the customer might get some research to predict when the database goes down. ITSI can be helpful to manage the customer infrastructure and minimize the impact on their business. 

We have been using Splunk ITSI to detect anomalies in the services and monitor the health and overall performance of IT services.

We have implemented it for a few of our clients where we do monitor the entire IT infrastructure. It could be any server that they are running. It could be a mail server. It could be a web server. It could be any network device that is communicating. We monitor the health of these services and how they are performing. We check for any anomalies or threats associated with them. We create some kind of KPIs or key performance indicators that give insights into the health and services.

We are a Splunk partner. Our company provides solutions not just related to Splunk ITSI but for all the things covered by Splunk. We also provide our consultancy for all of their premium products such as SOAR and Enterprise Security. 

Splunk ITSI has a service-oriented approach to monitor the entire IT infrastructure. From a business perspective, people definitely do not want any downtime. Any downtime leads to a bad reputation for a company. Splunk ITSI is a solution that we can use to monitor every single service running within an organization. With the help of KPIs, we define the service needs. A person implementing ITSI needs to be aware of all of the services running so that they do not miss out on anything. With the predictive analysis of Splunk ITSI, we can monitor everything. If there is any anomaly, an alert gets triggered. The other thing is the integration part. We can integrate it with any of the ticketing platforms such as ServiceNow. As soon as the alerts get triggered, a ticket gets created so that a response can be made to a particular incident.

It is very integrable. It can be integrated with any network component, such as a router, or any of the logs. With the help of Glass Table, it becomes very easy to inspect if any of the services are down. If a person is trying DDoS on any of the IT servers, such as a web server, we will see a lot of packets getting injected. There will definitely be an increase in the number of packets that a server is receiving. With the help of Splunk ITSI, we can block that particular IP, so the actions can be taken at the same time.

With the help of machine learning and predictive analysis, it checks for any anomaly. It monitors the normal behavior of a service, and if there is an anomaly, it can definitely create an alert for the user. This is how Splunk ITSI works.

Splunk ITSI can integrate with various management tools for predictive analysis. It takes the data and tries to predict and see if anything is suspicious. It makes its own decision at that time, and based on the actions that are listed, it takes action on a particular incident.

Using Splunk ITSI in an IT environment is very helpful. It reduces the downtime and the time taken for a resolution. It can take certain actions on its own. We can monitor every service there. Splunk ITSI can be helpful to prevent something from going down and the users having to face any downtime, failures, or issues with the servers. There is a proactive approach where things can be fixed before they turn into a breach.

Nowadays, it has become very easy for attackers to perform any kind of attack on the servers. Every organization wants its servers to be up and running. So, there is definitely a lot of demand to monitor the entire IT infrastructure. Splunk ITSI is good for that. It plays a key role in the current era where organizations face a lot of attacks. It is a ten out of ten when it comes to being useful to fix all such issues.

Splunk ITSI completely integrates with the incident management platforms. For specific alerts or notable events, Splunk ITSI can also take action with the help of playbooks and defined workflows. With integrated incident management, we can take more advanced actions and make decisions for the environment.

Splunk ITSI helps reduce incident volume. It is business-centric and service-oriented. It provides visibility and is great for predictive analytics and incident management. It also reduces downtime and gives a clear picture of services from a business perspective. I do not have the metrics, but it reduced the incidents to a large volume.

Splunk ITSI reduces the mean time to detect through machine learning and predictive analytics. It observes the normal behavior of a service. If there is any anomaly, it triggers an alert based on the KPIs that are defined. If there is any suspicious behavior, Splunk ITSI can identify that.

We can define certain actions through playbooks for an alert. It can be integrated with SOAR. It can take certain actions as soon as an alert gets triggered. In the case of a DDoS attack, if an IP is sending a lot of packets, we want to block that particular IP to our firewalls. We can define this action within our playbooks, and Splunk ITSI will be able to sort that out in a quick manner.

We can integrate it with a SOAR to automate the workflows and take certain actions. Playbooks are useful for that. I do not have the data about time savings, but it saves a lot of time. Without it, a human will have to open the ticket and go through the incident before taking action, whereas Splunk ITSI can take certain actions on its own, saving a lot of time.

Splunk ITSI has saved money from the overall business perspective. No business wants to see downtime or failure of their services. For example, if you can proactively fix an issue and prevent a payment gateway service from going down, it will save you money. Splunk ITSI is very helpful in monitoring services, and certain actions can be taken to prevent them from going down. Any service going down costs a lot of money to a business.

Splunk ITSI can be easily integrated with the incident management platform. You can automate workflows and certain actions can be taken.

I like the KPIs aspect. If we have a number of services running, we can monitor each individual service. This is one thing that I find very useful. There is a feature in Splunk ITSI called Glass Table where we can visualize each service. We can check all the services there, and we can take a look from the high level to the low level. We can look at individual service. Glass Table is one of the features I like the most.

If they can somehow integrate it with AI in the near future, it will definitely be a game changer. Other than that, I do not see any issues with it. Overall, it suits our environment. Its scalability is good. The visualization is also good. The only thing we need to take care of is how we define the services. If the KPIs for a service are wrong, it is going to generate false positives and more alert noise.

It has been approximately three and a half years since I have been using Splunk along with this premium feature or the ITSI app. 

We have not faced any issues so far. It is a very stable tool. It is very helpful in monitoring overall IT infrastructure.

Scalability is definitely one of the key features. Splunk ITSI is very scalable. 

We have not faced any issues so far.

I have not used any solution other than Splunk ITSI. We have partnered with Splunk, and we provide consultancy with Splunk.

Splunk ITSI can be implemented on-premises or on a cloud such as Azure, AWS, or GCP. It is easy to deploy.

I was a part of the team that implemented it completely. I was involved in the initial setup and monitoring of the services. We defined all the KPIs. We completely set it up. 

The process is straightforward, but it depends on if you have a multi-site or single-site setup. For a single site, it is easy, but in the case of a multi-site, when we are doing a cluster setup, it can be challenging. However, it can be done, and it is possible to implement it with the help of the right KPIs.

The duration depends on the size and the number of resources a company holds. It depends on the size of the network they have. Ideally, you would want to integrate all of the services so that you have complete visibility and you can visualize it from an attacker's perspective.

In terms of implementation strategy, we need to be sure about the services that need to be monitored so that we do not miss anything. KPIs are important to reduce the noise. 

It is not difficult to maintain, but it does require maintenance. If there is any increase in services, Splunk ITSI needs to be scaled up, and there will be some costs for the licensing part.

We need the help of the security team. If it is going to be integrated with the service desk, we need to involve a system administrator. It depends on the privileges a company has. It varies from company to company.

It depends on how big an organization is. If we have a lot of resources, the licensing needs to be upgraded. If we have a small environment, the licensing cost is definitely going to be less.

To someone who already has an IT alerting and incident management solution but is considering switching to Splunk ITSI, I would say that it is a great move. Splunk gives you in-depth information about the health and performance of a particular service running within an organization. It will be a great move if they can implement Splunk ITSI in the organization.

Alert noise depends on how well you have defined the KPIs for your services. If KPIs are wrongly defined, you are definitely going to get more alert noise or false positives. To reduce that, you need to be very sure what a particular service is about and what could be a perfect KPI for that.

You need to assess the services you need to monitor. You should not miss any of the services. A small service can also be vulnerable. Based on the services, you need to define particular KPIs.

I would rate Splunk ITSI a ten out of ten.

I work for a consulting company that contracts with an organization to provide operation center services. We use Splunk ITSI as one of our key centralized monitoring tools for the organization. Our goal is to collect data from both the organization's centralized database, Spine, and their cloud platforms, such as AWS and Azure, and send it to Splunk for monitoring. Splunk then creates reports, alerts, and dashboards that we use to visualize the data and make the most of it.

ITSI has many benefits, but its visualization for monitoring is particularly great. We have been able to identify notable events that have occurred, track them back through history, and see what data is available for a long period of time. One of the best reasons we use ITSI is because of its indexing system. We can collect data from various sources in different formats and then operate on that data, even though we have different data from AWS and Azure. Splunk does a good job of ensuring that the data is compatible with different reporting methods.

Splunk ITSI has helped us streamline our incident management process. We have a custom configuration that outputs some alerts to Slack and others to email. We package only alerts and episodes, and when an alert is triggered, an email is sent and a ServiceNow incident is raised. This has significantly streamlined our analysis process.

Splunk ITSI helped reduce our mean time to detect by ten percent.

Splunk ITSI is similar to Splunk Cloud, but it includes some additional features that are specifically useful for IT service management.

We still get the standard package with ITSI, including alerts, reports, and dashboards. However, ITSI also includes a feature called alerts and episodes, which is similar to an ITSM tool. This feature allows us to bring our searches to life and create service trees that focus on business context.

For example, if we create multiple services, we can arrange them in a tree structure. ITSI then uses a traffic light system to indicate the health of each service and its dependencies. This allows us to see the overall health of our IT environment at a glance.

ITSI also includes a powerful KPI system that allows us to create complex saved searches that power multiple different areas of our dashboard. This is very useful for tracking key performance indicators and identifying potential problems early on.

Finally, ITSI includes a feature called a glass table. This feature allows us to create visually appealing dashboards that display our KPIs and other data in a clear and concise way.

One issue we have with Splunk Cloud is that the service team is sometimes not very helpful. This is because the team is outsourced, and they often cannot provide us with the information we need. This is a major complaint of mine, and it is unacceptable given the large amount of money we pay for the service. Splunk Cloud outsources its support team, and the people who are supposed to be helping us are not very knowledgeable. They often give us unhelpful or incorrect answers.

The UI needs improvement. With real-time monitoring, we can have a service structure, but we cannot easily adjust the graphical interface. For example, if we have a long name or a 2005 feature, we cannot easily move it slightly to the right on the web page. This can be a real pain.

Our large-scale system is noisy, making it difficult to pinpoint the exact cause. This is a trade-off for using Splunk as a central monitoring tool, as we cannot give everyone access to everyone else's AWS environment. We are investigating ways to reduce the noise, but I am not sure if it is a specific ITSI problem.

Quality-of-life features have room for improvement. The search function and other features are fine, but there are a few UI changes I would make. For example, I would like to be able to extend the graphical user interface so that we can see the full name by moving the window around. It is currently difficult to work with. 

We can create a correlation search, but when we save the page, it redirects us to the search system. We should be able to save the page and stay on the page, which is a bit annoying.

We have a lookup file, but it doesn't work very well. In fact, it doesn't work at all. I hope Splunk fixes this at some point. When we make a change, it completely wipes out the change. It also says to type in the search bar, click on what we need, and if we make a slight adjustment, it will completely wipe out the search bar and we have to start over. This is very annoying.

I have been using Splunk ITSI for two years.

Splunk ITSI is stable. Resilience is essential for our organization. We need it to be active all the time. It is incredibly important because some of our services are platinum-level. If anything goes wrong, we want to know about it instantly. It is very important that ITSI is stable and works as expected, which it does. We have not had too many problems where things have gone wrong. Most likely, these problems have been configuration issues, rather than our availability going down and us being unable to access Splunk. Splunk is up all the time and rarely goes down.

Splunk ITSI is scalable, and scaling is a primary feature of cloud products. With an enterprise license, we can scale as much as we need. However, scalability also depends on our hardware. If we purchase good hardware to run Splunk on, we should be able to scale easily by creating shared clusters, index clusters, and other types of clusters, and pairing them together.

Splunk's technical support is not very good. They outsource their support, and the outsourced support team is not very knowledgeable. I believe that in-house technical support would be better.

Neutral

The organization was using Splunk Enterprise which is similar to ITSI.

Splunk ITSI is expensive. We pay for the package once the sales team has priced all of our data and other relevant factors. We don't incur any further costs if we pay for a package. On its own, Splunk ITSI can be quite expensive, which is what scares many customers away. If a customer has the budget to use Splunk ITSI, then it is an excellent choice. It is one of those products where we may need to start weighing up different solutions. Splunk was recently sold to Cisco, and it could become the centralized monitoring tool for the organization for x, y, and z. I believe that our package is one of the lowest priced in the UK, even though we are squeezing as much value as possible out of the service. I would say that we should prioritize longevity over making an extra million pounds or so because that will come with time. However, I don't think that everyone sees it that way.

I would rate Splunk ITSI eight out of ten.

The visibility is good, but the issue we are interested in is split into different factions in some parts. Currently, we are not using ITSI to its full potential. The organization is enterprise-scale, which is huge. It is therefore very difficult to implement some of the ITSI best practices because we have so many different areas, each doing things differently. Standardization is difficult to achieve because everything is so massive. We could better use ITSI to its full capacity, but that is on us. However, I think it would work much better if it were a bit smaller in scale.

Cost is definitely a concern. Splunk can be quite expensive, especially if we are tied into a contract. However, it offers more features and capabilities than other solutions. I don't have a lot of experience with Splunk, but the way it aggregates data is very good. It can also parse and strap data, and search and operate on the data that is sent in. This is also very good. I suggest cleaning up the data before sending it to Splunk. This will make it easier to get real-time monitoring of the data needed. We pay for ingestion and storage, so it makes sense to only send in the data that we need. Splunk is a very good tool to use for building and operating real-time analytics dashboards. It has very good visualization, data separation, and real-time analytics capabilities. It can also create very complex queries that can do a lot.

We have over 50 users spread across the organization, and we implement around 100 or more services. Each service may have a tech lead in x and y and an architect in z. Therefore, Splunk ITSI reaches out to many different people in those departments.

Splunk Cloud takes care of all the maintenance. We simply open a case and they implement any new version as needed.

I have used Splunk ITSI to build a lot of glass tables and set up thresholds. We have also used MLTK for machine learning, predictive analytics, and anomaly detection. We use MLTK, which is an external application. We can get notified of issues well before the time to take proactive action.

We use core Splunk and Splunk IT Service Intelligence. It is a multisided cluster environment. Whenever the customer wants glass tables, notable events, or to set up some alert notifications, the product has helped our organization. We can set up our own threshold activities. We can also add ad-hoc searches in the solution. We can get the data of the indexes and alerts tracking by writing a search query.

The glass tables are very helpful. The solution also provides topologies showing exceptions or criticalities whenever something goes down. It is very helpful for customers. The notable events, glass tables, and setting up thresholds are the most valuable features of the solution.

Every customer has a different need and their own customized threshold settings. Some customers need 99% as critical, and some need 80%. We can set the customized thresholds in the product and get the alerts.

If the product had some prebuilt machine learning features, it would add value to our use cases. It would be very good if the product had some in-built predictive analytics and future forecasting features.

I have been using Splunk for almost four years.

The support depends on the licensing we use. There are different licenses available based on the volume and vCPUs. We use the license based on vCPU. It depends on how many virtual CPUs we use. It would be good if Splunk could give on-demand support.

Whenever we raise a support case, the support team follows the SLA and gives us a response. Sometimes, companies will also have on-demand support based on the support credits. Companies generally expect support persons and engineers to join the Zoom sessions when P1 and P2 issues arise. The support team takes a long time to join the meetings at such times. If we can have an engineer join the Zoom sessions right away, it would be helpful for the customers. The support team needs to respond quickly to P2 issues.

We had a P3-level case with a severity level of S2. It was a corrupt bucket issue. The case was in open status for six months. Generally, we don't need six months to fix a corrupt bucket issue. If the support case had been escalated to a higher-level engineer with advanced knowledge in debugging the issues, it would have been easier and would have taken less time.

Neutral

We have been using Enterprise Security. It is for intrusion detection and threat intelligence. It helps our enterprise security team to find vulnerabilities and take proactive actions. We started using Splunk IT Service Intelligence because it gives us some good topology if we build glass tables based on our data. The product provides us with service intelligence.

The deployment process is straightforward. It is the same as core Splunk. The solution uses summary indexing, itsi_tracked_alerts, and itsi_summary_metrics indexes. We must ensure these indexes are available and have a good retention policy.

Our customers have seen improvements in resilience and cost.

It would have been good if the product cost was much lower.

We chose Splunk over other vendors because it is much more reliable. We have done a POC to test how well the tool can help the customers and provide good value to their business. We have used other products like Elasticsearch and Cribl. However, we feel that Splunk is better. Log monitoring is very important to customers. Other log monitoring tools are not user-friendly and flexible. It is also not easy to write search queries on them. However, it is easy to write search queries on Splunk. It also has bucket lifecycles. It is easier to have a centralized repository to maintain and use the data.

Our clients monitor multiple cloud environments. We get data from different third-party clouds like Google Cloud, Microsoft Azure, or AWS. Sometimes, we also use Snowflake. Customers mostly try to build out their own dashboards and knowledge objects. They use Splunk IT Service Intelligence to be notified about any exceptions or critical issues. 

We cannot integrate the product directly with the cloud applications. First, we have to integrate our core Splunk with different clouds. We must first integrate add-ons using Splunkbase, a REST API mechanism, or an HTTP Event Collector (HEC) mechanism into core Splunk. Then, we can use the same ad-hoc search in Splunk IT Service Intelligence to get proper glass tables and results. It's easy to monitor multiple cloud environments using the solution, but we could directly integrate with it if it had the right integration features.

It is important for our organization that the solution has end-to-end visibility into our cloud-native environment. In today's world, most data goes into the cloud. Every organization wants to move the data to the cloud so that it would be more reliable and they can get the data easily. It's less cost-effective as well. So, most organizations are going to the cloud. It's really beneficial and important to the customers because they can easily get the data from the cloud and perform cost optimizations. Managing cloud-native environments with the solution is cost-effective.

The product has definitely helped reduce our mean time to resolve by 70%. If it has built-in machine learning or artificial intelligence techniques, it will be helpful to reduce the remaining 30%.

The tool has helped improve our customer's business resilience. Different SIEM applications and tools are available for enterprise security in today's world. Splunk's next version will have enhanced SOAR features. It will be useful if the product has additional features to help customers and organizations.

We used the MLTK app from Splunkbase and deployed it in Splunk IT Service Intelligence. It helped us to do predictive analysis, forecasting, and anomaly detection. It helped us gain some insights. I rate the tool's ability to provide business resilience a seven out of ten.

If we have a Splunk add-on for Unix and Windows, we can use those add-ons in our core Splunk to get the base monitoring, like OS metrics. For these things, Splunk has PowerShell scripts. It runs every five minutes. So, it is not in real-time. Every organization would need real-time monitoring. The product should provide these features in real time. For OS metrics, we use custom thresholds.

Our customers see time to value within seven days. We implement Splunk with minimal architecture, like two deployment servers, two heavy forwarders, four indexes, and three searchers. We initially had the search factor as two and the replication factor as two. We had very little data initially. We tested in our lower environment with the POC and found the data the customers wanted to see in Splunk. It was helpful for the customers. They can find the exceptions, write their own search queries, and build their own knowledge objects.

We get different types of security management tools in the market, like Enterprise Security, SOAR, and Phantom. The product brings a lot of value to the customers. It gives a lot of insights into notable events and predictive analysis. It also has a good dashboard. I expect the solution to provide enhanced features in the upcoming release.

Attending Splunk conferences provides us with an opportunity to interact and get more details on the products from different vendors. More than 1,000 vendors attend the conferences. The more we interact with the vendors, the more insights we get from them. It is also helpful to build relationships with the vendor.

Overall, I rate the tool an eight out of ten.

We use the solution for intelligence. For example, if I have a website that sells games, it might have a lot of things like databases, servers, et cetera. I can see how many users have logged in, what purchases can be made, and so on. Splunk provides the logs to see all of the data for all actions on the site. I can see things on a technical level, like how CPUs are performing.

I can see things in real-time, and it's based on real data. This is the advantage Splunk has. There is complete visibility and I can monitor KPIs as well.

I can look at how my database looks, how my sales look, et cetera, and all metrics are in one place.

There's machine learning as well, including anomaly detection. You can look at and understand the date very easily. It helps us provide a complete understanding of business so that I can understand anomalies better and watch the daily data. It gives me alerts in which I can take a deeper dive.

I have a ticketing system. If I have a Splunk power user, they can look at the data and create a ticket for future inspection. People can correlate and collaborate on the same ticket.

Basically, everything you need you can find on Splunk. You can also create custom actions. 

We can do actions right on the Splunk UI. 

The compatibility is good.

The end-to-end visibility is okay. The only thing that is lacking is the application monitoring. We struggled with one use case where payments were failing and they couldn't understand if it was the infrastructure or bandwidth. The capability of recording any transaction is not possible in Splunk. You have to write your own scripts, however, it's not as user-friendly.

The predictive analytics are pretty good. I've seen people using it. That said, I'd say the admin needs a deep understanding of the infrastructure. It has a tendency to create noise. If you have a noisy system, when there's an alert, people tend to miss issues. 

Customers have noted the solution helps streamline incident management. At a single glance, there is a complete view of infrastructure. It's good for the customer on the technical side. Teams were able to map the availability of the system more accurately - up by 28%.

It's helped reduce alert noise. It can aggregate the alerts and just create an alert only when needed. From the UI, you can correlate the alerts using dynamic conditions (not just static ones).

We've been able to reduce the mean time to detect. It has a similar meantime to detect as Dynatrace. We've used it when there wasn't an existing system, and we would have had similar results with other tools in the market. It's helped with MTTR for sure. Previous to implementing Splunk, the mean time was one hour or so. Once we implemented it, the alert notification was automatically sent to people, so it automatically reduced the time to two to five minutes. 

The mean time to resolve has been reduced thanks to Splunk. 

If you are using Splunk ITS and Splunk Enterprise Security, you have to run different searches. You cannot run both on the same server. You can bifurcate it however you want, however.

The license cost is expensive. When I want a premium application it's extra. I need to pay for this on top of my base license. 

We'd like to see more use of artificial intelligence. There's no easy knowledge-base bot. It would help if they had a ChatGPT-like AI that could show them the knowledge base information they could use to address tickets.

I've used Splunk as a product for about five years. 

The solution is stable. 

The solution can scale. I'd rate it seven out of ten. There are some requirements on the backend in terms of scaling. If you want extra storage, it will cost more money. If you are adding a new server you will have to go and configure it and then you have to restart everything, so there may be downtime. 

I've contacted technical support. They were good in terms of experience. The cloud support is excellent. 

Positive

I did not previously use a different solution. 

You can install the solution on-premises or on the cloud. If you want to send the data to your own on-premises environment, you can do so.

I was involved in the initial deployment. The setup was very straightforward, however, the requirements gathering can be complex, as well as gathering the KPIs and developing an understanding of requirements. You need someone who has a complete understanding and a holistic view of the environment. 

How many people you need for the deployment depends on how big the infrastructure is, what you want to monitor, and the timeline you have.

The on-premises deployment requires maintenance as you have to monitor the server. The cloud requires less maintenance. 

We tend to implement the solution for our customers. 

The solution can be costly. You have to have a fixed license. It's very difficult for people to know beforehand how much they will be charged. 

We're Splunk partners. 

For someone who already has an APM solution and is considering switching to ITSI, I'd advise them to look at the licensing and their budget and to consider where their APM is currently lacking. If you aren't getting the alerts you need or you can't see how your infrastructure looks, it might make sense to switch. They need to be aware, however, there will be an extra cost.

Secondly, if you can't see the logs in your application and can't fetch the logs, for example, if you are on Dynatrace, and Dynatrace does not provide your login analysis, you can just go and write a query. However, it depends on what your end customer needs as well. If they need good dashboards and they need flexible dashboarding, to which you can add images, and customize the way you want, you may need something more robust, like Splunk. We were able to pull it off using Splunk ITSI as it gives you very easy-to-customize dashboards. 

To someone who's considering a point monitoring system instead of ITSI, I'll say that, depending on your infrastructure, it might be a good idea. If you have less data, and you can manage with the manual alerts, you're fine. However, if you're wasting a lot of time with the alerts and get a lot of alert noise, that means you can be missing major alerts. For major infrastructure, it's a good idea to have ITSI.

You need a minimum of 14 days before seeing time to value. 14 days is required in order to be able to use the complete solution. That allows the system to get good at anomaly detection. 

I'd rate the solution eight out of ten.