We compared Splunk Enterprise Security and ArcSight ESM across several parameters based on our users' reviews. After reading the collected data, you can find our conclusion below:
Features: Splunk Enterprise Security stands out for its efficiency, extensive integration options, and powerful search functionality. Users say Splunk is a highly scalable and customizable solution. ArcSight ESM is praised for its well-designed dashboard, real-time reporting, and threat intelligence capabilities that leverage AI and correlation tools.
Room for Improvement: Splunk users recommended improvements in AI capabilities, user-friendliness, and analytics. ArcSight ESM users have recommended improvements in training, speed, and data administration.
Service and Support: While some users found Splunk support to be responsive and helpful, others reported slow response times and a lack of expertise. Some ArcSight ESM users have found the support to be responsive and helpful, while others have faced issues with slow response times and a lack of expertise.
Ease of Deployment: Some users thought Splunk Enterprise Security was easy to deploy, while others found it challenging and needed assistance from Splunk engineers or third-party integrators. Some said that ArcSight ESM is straightforward to set up, while others noted that integration with other systems can be challenging and requires specialized knowledge.
Pricing: Some users consider Splunk Enterprise Security to be expensive, but others said the price is reasonable. A few users expressed concerns about the cost of scaling up the solution and managing large volumes of data. Users consider the pricing of ArcSight ESM to be reasonable and affordable.
ROI: Users said that it’s challenging to calculate an ROI for Splunk Enterprise Security, and the return varies depending on individual circumstances. While some users have observed a substantial ROI, others have not actively explored or been engaged in ROI conversations. Splunk Enterprise Security offers varying ROI outcomes based on different situations, with certain users achieving significant returns. ArcSight ESM delivers an ROI by helping clients achieve compliance objectives and prevent incidents.
Comparison Results: Splunk is highly regarded for its efficient data processing and powerful search features, but users suggested improvements to its AI capabilities and analytics. ArcSight ESM offers robust threat intelligence and real-time reporting but falls short in terms of data administration and speed.
"It has a lot of great features."
"The analytic rule is the most valuable feature."
"The main benefit is the ease of integration."
"You can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today... but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer."
"The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
"The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products."
"Free ingestion for Azure logs (with E5 licence)"
"Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing"
"The solution offers very good monitoring."
"It is a very useful tool for intelligence building because it has many use cases and many rule sets."
"We use ArcSight ESM for log analysis and security alerts. It warns us of threats and then helps us conduct a forensic investigation of a cyber attack or internal incident after it happens."
"I am satisfied with the solution's stability."
"The most valuable features of ArcSight ESM are the dashboards, ease of management for anyone, and simple for teams to provide reports related to cyber security. There are a lot of good features that are provided."
"The most important feature is ArcSight's event correlation capabilities. It's powerful and easy. I also like the flex connector capability. It's easy to develop a new connector that isn't fully supported out of the box. For example, say you created a solution internally that's completely different, and it's not unsupported by the solution. You can write your own connector using the flex connector."
"The tool sends an automated mail to all the operators, which makes it easy to share the information and reporting."
"What I found most valuable in ArcSight Enterprise Security Manager (ESM) is its good integration with third-party products. The solution also has good core capabilities."
"The most valuable feature is the log aggregation, being able to scan through all of the logs."
"It's basically one of the best SIEM products on the market."
"To get visibility from your network devices, servers, and security devices is a great feature."
"It gives me notifications of notable events."
"The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports."
"It allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar."
"I like Splunk's data aggregation and search capabilities."
"Splunk allows us to find insights that we were not able to with traditional BI tools using ETL. It allows us to dig into raw events."
"If Sentinel had a graphical user interface, it would be easier to use. I would also like it to be more customizable."
"The playbook is a bit difficult and could be improved."
"Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes."
"If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."
"We are invoiced according to the amount of data generated within each log."
"We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed."
"The only thing is sometimes you can have a false positive."
"One key area that can be improved is by building a strong integration with our XDR platform."
"Micro Focus does not have a physical presence here in Pakistan, although IBM does."
"The centralized dashboard for the hybrid cloud environment needs to be more focused. It needs to be redefined because it's missing most of the information. It should be a little bit easy to use. Currently, integration with various applications and connectors is not that easy. Deployment is easy, but integration is not that easy. ArcSight also has a very high bandwidth consumption to pull the local servers. It should have some kind of better process or ability to transfer files from on-premises to the cloud, from the cloud to on-premises, and from a cloud to another cloud."
"Customer service and support is our biggest challenge."
"In other products, I have found that they use some kind of GUI that is drag and drop. While in ArcSight they use still scripting. They should keep scripting because some people prefer scripting but they should have the option for those who prefer using drag and drop."
"Could benefit from a more modern interface."
"Customer service during the transition from HPE to Micro Focus was abysmal where it became disruptive to our service delivery."
"The stability isn't quite perfect. We occasionally run into problems."
"ArcSight ESM's UI is a little cumbersome and complex, especially for first-time and occasional users using the console manager."
"The documentation is in definite need of improvement."
"DMC should be a little more intuitive with better dashboarding. Seeing the cause of data flow can be tough to track down."
"In the next releases, I would like to see more pricing flexibility."
"We would like more integrations with other cloud products, not just AWS, e.g., Azure."
"The UI can be difficult to understand for non-technical people."
"Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk."
"Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box."
"The administration of the cluster and app deployment to indexers or search heads can be done only using ssh access and command line, there is no GUI tools for that."
More ArcSight Enterprise Security Manager (ESM) Pricing and Cost Advice →
ArcSight Enterprise Security Manager (ESM) is ranked 12th in Security Information and Event Management (SIEM) with 93 reviews while Splunk Enterprise Security is ranked 2nd in Security Information and Event Management (SIEM) with 228 reviews. ArcSight Enterprise Security Manager (ESM) is rated 7.8, while Splunk Enterprise Security is rated 8.4. The top reviewer of ArcSight Enterprise Security Manager (ESM) writes "Allows for monitoring logs according to industry standards within ESM but has a total capacity capped at 12 TB, limiting real-time data retention periods". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". ArcSight Enterprise Security Manager (ESM) is most compared with ArcSight Intelligence, Trellix ESM, IBM Security QRadar, AWS Security Hub and LogRhythm SIEM, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Azure Monitor. See our ArcSight Enterprise Security Manager (ESM) vs. Splunk Enterprise Security report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.