Splunk Enterprise Security Reviews

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.

The primary focus of our work with Splunk is on security incident monitoring and security log monitoring. This involves utilizing it to analyze and respond to security events effectively. Additionally, compliance with regulatory requirements is another crucial aspect of your role. We also extend Splunk's functionality to custom applications by writing custom parsers and handling logs specific to those applications. This includes the development of unique dashboards tailored to the needs of each application.

Splunk's capabilities in insider threat detection are highly effective in assisting organizations in identifying unknown threats and anonymous user behavior. The sophistication of these features is notable, making them suitable and beneficial across a range of organizational sizes, from small businesses to large enterprises.

The threat topology and MITRE ATT&CK features are seamlessly integrated as complementary components within Azure.

It significantly accelerated security investigations, and I believe the improvement falls within the range of twenty to thirty percent.

The resilience provided by SIEM adds significant value; it is highly effective.

The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed. The flexibility to customize log retention periods is particularly beneficial. Additionally, we find the dashboard functionality and the advanced query language options to be highly valuable. These features, especially the powerful query language, are extensively utilized in our day-to-day operations.

I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.

I have been working with it for three years.

I find it to be highly stable, and I would rate it a solid ten out of ten.

I would rate its scalability capabilities ten out of ten.

Before using Splunk, I relied on the built-in tools of Linux operating systems, such as Syslog NG, but specifically the open-source versions. I haven't had experience with the commercial version of Syslog NG, which is a more advanced tool. In this category, Splunk is essentially my first exposure to such advanced features.

Setting up Splunk is quite straightforward, especially for basic configurations. The process is not overly complicated. While a cluster implementation may require more advanced steps, the basic setup is generally easy to handle.

I handled the deployment independently, but the required personnel depends on the organization's size and the expected outcomes. For larger organizations, especially when the new tool integrates with various departments like operations, development, and security, it becomes a collaborative effort. In such cases, it's not a one-person job and involvement from multiple departments is essential. However, for smaller companies, the process is less complicated. It involves coordinating with support and developer teams to communicate the implementation, and the focus is on providing the necessary outputs from the tool to support their ongoing work effectively.

I utilized it in a single, non-geographically dispersed location. My experience is limited to a single site, and I haven't worked on a multi-site installation.

While it can run stably for a certain period, eventually, there is a need to manage or archive logs, especially if your background storage is not unlimited, as is often the case in these scenarios.

The return on investment is quite favorable with Splunk, particularly for large enterprises that have made the initial purchase and possess the requisite expertise and technical support.

In terms of pricing, I believe Splunk is unreasonably costly for the majority of mid and small-sized companies. Its real advantages, or what sets it apart, seem to be more suitable for large enterprises.

For the market I focus on, which includes small to medium-sized companies, I would recommend Wazuh. It's an open-source security information and event management solution. The main consideration is that, in terms of both functionality and cost, Wazuh is sufficient for the requirements of smaller enterprises. Utilizing an open-source tool like Wazuh can effectively cover the necessary areas without the need for the higher costs associated with Splunk.

I would recommend that anyone considering implementing Splunk should first thoroughly assess their environment. It's crucial to determine whether Splunk is genuinely needed for your specific usage scenario or if a smaller software solution might suffice. Overall, I would rate it nine out of ten.

We are using the solution for security. We can use it to track what has happened in our network. We can check via dashboards and alerts. We can use it for load balancing and high-performance tasks. We use it to analyze data and logs. It normalizes logs and we can detect attacks, such as brute-force attacks. We can receive information from our firewall, our Fortigate. Since we receive a lot of traffic, we have to investigate events using the solution. It provides updates on attacks. The solution helps us report on what happens in our network.

We use Splunk for security and tracking what happens on our network and it is effective at that.

We like the big data analyzer.

The dashboard and alerts are good. We can use them for monitoring to see what’s happening on our network. It’s centralized. It gives us good visibility into multiple environments. We can use it in Windows, Linux, et cetera.

We can use platforms and integrate everything together. We can see multiple environments on-premises.

When something happens, we get alerts via SMS or email. 

We use the MTTR attack feature and it is very effective to use for detecting threats.

We can also schedule reports on a monthly or weekly basis.

It’s very useful for tracking. If you can look at the steps and see what happens, you can investigate effectively, and so on.

Splunk Enterprise Security is excellent for analyzing malicious activities and detecting breaches. We can see, step by step, what happened. We can escalate and investigate and so on.

Splunk has helped us detect threats faster. The alerts are very effective.

It helped to reduce alert volume. I’m not sure precisely how much, however, it depends on how many client devices you are tracking and analyzing.

Splunk is a suitable resource for collecting logs. 

The threat intelligence management feature is something we cannot use.

We'd like Splunk to reduce false positives. 

It would be helpful to be able to configure everything a bit more. If your network is very big, it's important to customize.

The dashboard could be improved so that tracking and analysis could be better visualized.

I've been using the solution for two years. 

The solution is stable. If you have suitable resources and buy and use the correct license, you'll get fine performance. 

The ability to scale Splunk depends on your network. If it is big, you can add more resources easily. You can use a cluster and several servers. 

When you work on Splunk, it's very easy. However, when you need to reach out to support, it could be better. It would be helpful if they could respond faster. 

Neutral

I have experience with another solution called ELK; I find Splunk better, even though it is not free to use.

I've done one implementation. I installed it across several servers. How long it takes depends on the project. It also depends on how many resources you have. If it's just a small setup it might take two hours. 

The product is easy to maintain. 

I'm a customer. We cannot use the cloud versions as we are based in Iran.

I don’t have experience with the Spunk Mission Control feature.

I've worked with Splunk so far and while it's very easy to use it's not free. There are other solutions that are open-source that you could use, however, I find Splunk to be worth the price and I'd recommend it to others. 

I'd rate the solution ten out of ten. I would recommend Splunk to others.

We use it for a lot of compliance work and incident reviews. We are also using it for remediation and tracking assets.

We use Splunk not just for security, but we also collect a lot of data from our operational equipment. We are using it a lot for troubleshooting and trending and even for command and control.

It has reduced our mean time to resolve some of the things. We are able to look at the data a lot faster and see what is going on. For some of our use cases, our NOC controllers or our operators are looking at the Splunk dashboard a lot. It is a part of their main job. In one specific use case, we used to take a couple of weeks to do certain maintenance. With Splunk and having the data, we were able to reduce that to just a few hours.

It has helped improve our organization's business resilience. We are able to have the data collected in one spot, see it, and get some insights from it. That has helped a lot.

It has definitely given our technical workforce tools to help with their jobs for troubleshooting and things like that.

From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful.

We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that.

It seems to be limited in terms of predictive features. I took up machine learning a couple of years ago. It seems to have some capabilities there, but I do not have specific things for it right now.

In our organization, we have had it for over five years, but my personal experience with it is very limited.

It has been working for us so far.

We have been able to scale as needed.

I have not contacted their support directly because we have folks who are pretty knowledgeable. I go to them, and then they go to their support if needed. As far as I could tell, their support has been okay. I have not heard of any issues.

We did not have a similar product. Splunk came as a security product, and we have evolved it into doing operational work.

We have folks who do the deployment. I am more on the interface side.

We would have seen an ROI. We are using it for a lot of our operational work and other things as well that are not related to what we are doing on a daily basis. We are looking at logs and other things that our executives are looking for.

Its time to value was within a year or so. There are a lot more things that we could do with Splunk, and that is why we ended up adding some stuff to it to fit our needs.

It is hard to tell whether we had any cost efficiencies because we did not have something like this before. Of course, we have Splunk now.

As a team, we prefer the old pricing model with a perpetual license. We are still evaluating the whole subscription-based model. 

We did not evaluate other solutions. Splunk came in with the modernization effort that we were going through, so it just came with the system.

We are pretty happy with it. I would rate Splunk Enterprise Security a seven out of ten.

Splunk Enterprise Security offers a wide range of capabilities that benefit our organization. This includes user behavior analytics, which helps us identify suspicious activity. Additionally, Splunk Enterprise Security allows us to create custom alerts for various internal security needs.

Splunk has been instrumental in improving our incident response time, especially for user authentication issues. It excels at detecting anomalous behavior, such as brute force attacks or multiple login attempts from a single source. This allows us to quickly identify and address potential security threats, making Splunk a vital tool for our cybersecurity incident response efforts.

The asset and identity management feature strengthens our overall security posture. This system relies on the creation of security roles by administrators. These roles then determine access permissions based on the principle of Role-Based Access Control. In this way, access is carefully controlled and assigned based on specific job duties. It's important to note that administrators retain a high level of access and make final decisions regarding access permissions.

Splunk offers a variety of dashboards, including real-time dashboards that update continuously. These dashboards complement Splunk's real-time alerts by providing a visual overview of our system's health. They can be built to leverage different Splunk resources, like indexes, search clusters, and host clusters. This allows us to monitor key metrics and identify potential issues in real-time, helping us maintain a healthy and efficient system.

Our SoC and Analytics teams use Splunk to monitor multiple cloud environments.

The visibility into multiple environments is good.

The insider threat detection is valuable for our organization because it helps us identify unknown threats. While we leverage existing threat intelligence for known threats through signatures and endpoint protection tools, these methods have limitations. Since they rely on predefined information, they can't be readily integrated with Splunk to monitor for and generate alerts based on these known threats. Splunk's strength lies in its ability to detect anomalies and suspicious user behavior, which can be crucial for uncovering insider threats that might bypass traditional signature-based defenses.

Splunk Enterprise Security excels at analyzing malicious activity. Our team has created several use cases to identify such activity. These use cases focus on data patterns that might indicate malicious intent, such as a sudden increase in login attempts or logins occurring outside of regular business hours. Additionally, we can identify brute force attacks attempting to crack passwords through repeated login attempts. This allows us to effectively monitor for and respond to potential security threats.

It has improved our detection ability and has helped reduce our alert volume to a manageable level.

Splunk has helped speed up our security investigation.

Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.

The user interface is not user-friendly for non-technical users. 

I have been using Splunk Enterprise Security for three and a half years.

Splunk Enterprise Security is extremely stable.

Splunk Enterprise Security is easily scalable.

We have only had minimal contact with Splunk technical support.

Neutral

The initial deployment is straightforward.

Splunk Enterprise Security is affordable.

While affordability is important, I recommend Splunk Enterprise Security over the cheapest option on the market. This is because Splunk offers a robust feature set that justifies its cost.

I would rate Splunk Enterprise Security nine out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security requires minimal maintenance.

I recommend Splunk Enterprise Security as a scalable and reliable solution for both on-premises and cloud environments. 

I use the solution for data analysis and log collection. 

Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.

Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.

I have been working with the product for four years. 

Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.

The tool's customer support is good. 

Positive

We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities. 

A reseller helped us with the deployment. 

The tool's licensing is good and we haven't received any complaints from the team handling it. 

I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.

The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.

I rate the overall product a nine out of ten. 

At a high level, its use cases are related to security monitoring, log aggregation, and a little bit of analysis related to incidents or fraud.

Splunk Enterprise Security has created better visibility for us on the cybersecurity type of events and issues. We are still maturing, but where we have seen some growth is getting better data, knowing what data to look at, and how to understand that data.

It has end-to-end visibility into our cloud-native environment. This is extremely important for us because of the type of business we do. We have a lot of PII data and a lot of compliance data on which we have to maintain very tight controls, so it is extremely important that we are able to put that in the cloud and monitor and watch our environment very closely.

It has reduced our mean time to resolve, but we are still maturing. We have got a lot of maturing to do. We have got a lot of growing to do. We have also been limited on the staff to be able to get the full realization of what we can get out of it yet, so that is a place where we are continuing to grow.

It has improved our business resilience. We have been able to identify things that could have presented a larger problem for us financially or legally through various events. We have been able to leverage the data there. We have been able to maintain that data and support that data. It does the job. It meets the needs.

Splunk has not helped to predict problems in real time because we have not yet matured to that place, but we need to. Generally, it has been helpful, but we know that we have got a lot of growing up there. We still have not got everything identified and captured in the space we want to be able to do better analysis.

Its ability to provide business resilience by empowering our staff is really high. Empowerment is great, but we have a resource problem, so we have not quite realized where we could be. 

We monitor multi-cloud environments. We have three of them. It is difficult to monitor them currently with Splunk. We are living in a highly regulated stack and a very little regulated stack and the ability to get a single pane of glass for all of that is very difficult.

Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.

In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

I have been using this solution for about five or six years.

I would rate it eight out of ten in terms of stability. Where there has been ambiguity for me is that I recently had system stability issues that were beyond my control. They were part of my solution, and I was not aware that Splunk was accountable for it. It got quickly resolved, but there was a gap there that created pain for my business.

We have not had any issues. We also have not had any detriment, but it is hard to forecast based on where you are going from a business perspective, at least with the models and the account teams that I have been working with. There is room to improve there. 

It has been a rocky road. I have been through a road where I have had limited to little engagement or support. I am on the cusp of a large turnaround, meeting with my client team and dialoguing through it. Based on the history, I would probably rate their sales support a four out of ten. Going forward, I would rate their sales support an eight out of ten. They are in the right direction. I would rate their technical support a nine out of ten.

Positive

We have been using the same solution for five or six years. It was selected before I joined, so I do not know.

I joined after it was implemented. What I am working on now is the technical depth. I am spending a lot of time with the teams there for direction strategy. Splunk has done a great job there, specifically in pulling the right resources to bear. I had executive briefings directly with executives today where we had an opportunity to talk about different components of our solutions and our stacks, and it has been very good.

We are in a growth state right now. We have seen an ROI, but anticipating any point in the future is a little difficult, so it is a mixed response. Our scale is not quite clearly defined to be able to put it to a metric or to tie it back to consumption use. There is a little bit of autonomy in there to over-adjust and still find that we can true-up in a better space. That has been good for us, but if you let that run away from you, then you start to get in trouble. 

We have not seen any cost-efficiency. We have seen our usage and needs grow, so we have seen Splunk go up in cost for us. We have not quite realized any efficiencies yet. It is also indicative of our maturity model.

The licensing is good, but the pricing absolutely needs some work. It is very high. One thing that they put in a contract, but they do not emphasize it enough is true-ups on usage based on the quarterly consumption. They do not follow that methodology. They let a customer use, use, and use, and then at some point, a true-up occurs, and it is a large cost. There is an opportunity to do a quarterly track type of true-ups as per the agreements out there. That would put them in a position where customers are able to plan on, forecast around, and work through volume adjustments that may occur in their environment. 

The other place where Splunk could spend time is the scale-up and scale-down model. Scale-up is easy where you get more business, and it is easy to add more capacity, whether it is storage or SVUs, but when you need to scale down because of a change in a business, it does put customers in a position where they are locked in, and there is no way to maneuver around that. 

We do an evaluation annually. It is important for us to do a market comparison and make sure we are looking at options in our work. What makes Splunk Enterprise Security competitive is the variabilities that they bring to the table for the overall solution. It has things like APIs that you can tie into. There is also the bonus functionality of being able to do analytics there. User behavior analytics is important for us.

I would rate Splunk Enterprise Security an eight out of ten.

We use it mostly to generate notables, and then we can use other tools, such as ticketing systems or other SOAR platforms, to investigate.

I was not around before we had Splunk Enterprise Security in our organization, so I do not know about the before and after, but I can tell it would be very painful to not have it. 

It is pretty easy to monitor multiple cloud environments. All the logs from our cloud environments go to Splunk, and then we can search everything at once. It is pretty helpful.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is pretty important. Especially if you use it as your single source of truth, it is pretty invaluable that you have everything in there.

It has reduced our mean time to detect, so inadvertently, it has also reduced our mean time to resolve. However, I do not have the metrics.

Splunk Enterprise Security has definitely improved our organization’s business resilience. There are a lot of logs that help with monitoring and alerting and keeping the business up.

It can help to predict, identify, and solve problems in real time. We do have some health alerts, and if they kick off, we might be able to fix something before it is really broken. In that sense, it is good.

Splunk Enterprise Security has been pretty good in terms of providing business resilience by empowering our staff. Most of our users are security-focused, but having everybody with the ability to write their own searches or build upon what we already have for detection of the future things is pretty helpful.

The correlation search functions that generate all the notables are valuable. That can get pretty complicated, and it handles that pretty well.

Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help. 

I have been using Splunk Enterprise Security for about two years.

It is pretty stable. We have not had any instances where Splunk just completely died. Its stability is good.

It seems pretty scalable, especially considering how much data we ingest. It is a good tool.

I have not interacted with them recently, but they are pretty good when I do need something from Splunk. I would rate them a ten out of ten. I have not had any issues with their support.

Positive

We were probably using Elasticsearch.

It was already implemented when I got here.

We have probably seen an ROI. We are in the security space, and there has definitely been improvement in uptime and the mean time to detect and respond to security alerts.

Its time to value is pretty immediate. The more logs and the more standardization that we get into Splunk, the quicker that comes.

Most people share the same thought that the ingestion rates can get pretty pricey. There is a lot of work we do to curate the data that we send to Splunk so that it is not too noisy or too expensive.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are some cool things. A lot of the talks at this Splunk conference have touched on some of the gaps that Splunk is working to close, but it is a very solid tool.