What is our primary use case?
My reason for implementing it was just to learn more about the product. I wanted to learn about the Splunk programming language, how to pipe searches, add logs, verify the logs, create fields, extract data into fields, build dashboards, and to get hands-on experience with the product.
What is most valuable?
The Splunk programming language allows you to pipe searches into another searches.
What I really like is that even if you have already collected the data, you can extract data and add fields which improves building searches. This is not the case with Elasticsearch, where this needs to be done upfront.
What needs improvement?
I really dislike how Splunk sales and partner manager behaves. I have faced several sales model and partnership changes. Also, the last time I wanted to by a license ro built a SIEM solution, they had removed the ability to purchase a splunk subscription or license from their website. In the past, there was a web page calculator it was possible to by online, but now it instructs to contact sales.
The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I have ask Splunk Sales to purchase a license like 1Gyte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote willing to pay for Splunk license to learn and to get used to the product, Splunk didn't get it managed to offer my a license neither arranging the partnership paperwork I have ask for. Sales people from Splunk where calling, each time after I left my details on ther trial download page. I explained my experience and concerns about Splunk in the past. All excuses received and promises that someone will contact me to solve the issues faced in the past, was leading in excactly nothing. Well Done Splunk.
Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner.
They definitely need to boost their sales and partner program because it changes to often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved.
I would like to see more SIEM functionality and embedded moduled such a ticket tool to make a end to end SIEM.
For how long have I used the solution?
I have been using Splunk for a few weeks.
What do I think about the scalability of the solution?
As I was using a test environment, I can't comment on scalability. It was just myself and a colleague who was using it as a test instance.
How are customer service and technical support?
I have not been in contact with technical support.
Which solution did I use previously and why did I switch?
I have worked a little bit with Elasticsearch. I also have an instance of SIEMonster running, and I'm trying to get used to it. I found that Splunk provided a good benefit compared to Elasticsearch.
With Elasticsearch, if you have already inserted the data then it's gone because you need to do the pre-filtering. Once you've inserted or ingested the raw data, using Logstash, for example, you are no longer able to build the fields such as IP address, hostname, username, and the other fields that you want to export. This unsorted, raw data that you have is really a drawback for Elasticsearch and some other products. This is something from Splunk that I consider to be a heavy feature, where you can just insert data and ingest it later on.
How was the initial setup?
really fast and easy to install a test instance.
What's my experience with pricing, setup cost, and licensing?
The pricing model is expensive and could lead into a budget nightmare based on the amount of data.
A better pricing plan would be an improvement.
Which other solutions did I evaluate?
I have done some research on LogRhythm, IBM QRadar, and ArcSight, but I don't have any hands-on experience yet.
I did a comparison for a customer two weeks ago and the outcome of my comparison was SIEMonster, effortable price model, even though it's a niche player, it's quite powerful. I also provided Splunk as a recommendation because it is a market leader, really powerful, and really good to use. I also recommended LogRhythm; it is also expensive but it's also really powerful, and the feedback of customers is really good.
With respect to Splunk, I would recommend it but when a customer is budget-driven then Splunk is not the solution. Money shouldn't be the question.
What other advice do I have?
This is a solution that I could recommend for somebody who wants a really powerful product. It is not an end to end orchestrated SIEM yet.
This is a product that I would generally recommend, although I would not do so if the customer is really budget-driven.
I would rate this solution a six out of ten.
Which deployment model are you using for this solution?