There are too many features to list, but here are a few:
- We can do things in minutes instead of days.
- We solve issues which we could not before since we have the data.
- We can quickly search for almost anything across many log sources in seconds.
- Teams have the dashboards or alerts that they need.
The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.
There were no issues with stability.
There were no issues with scalability.
Technical support is excellent. They also have Splunk Answers, which is community driven and is great.
We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.
The initial setup was straightforward. We had the PoC up in minutes. Within days, we got more value out of this solution than our existing solution.
While licensing can be a concern, there are ways to reduce the licensing costs including filtering some events. We have replaced many solutions with Splunk, which have more than paid for the Splunk licensing.
We evaluated ArcSight, QRadar, and LogRhythm.
Do a PoC and you will be amazed. Also, check out the Splunk .conf sessions to see what is possible. If you are into security, watch Mark Russinovich’s RSA 2017 presentation about Sysmon. Check out free EDR type capabilities.
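The event filtering mentioned above as a way to hold down license usage is done in Splunk at index time with a props.conf/transforms.conf pair: events routed to nullQueue are discarded before indexing and are not counted against the license. The configuration below is an added example, not part of the review and not taken from Splunk's documentation; the sourcetype names app:debuglog and app:hostlog and the regex patterns are assumptions chosen for illustration.

```ini
# ---- props.conf ------------------------------------------------------
# Place these on the component that parses events (an indexer or a heavy
# forwarder). A universal forwarder does not run index-time transforms,
# so filtering there has no effect on license volume.

# Example 1: drop one noisy class of events and index everything else.
# "app:debuglog" is a hypothetical sourcetype used only for this example.
[app:debuglog]
TRANSFORMS-drop_noise = drop_debug_lines

# Example 2: keep-list. Discard everything first, then route only the
# events that match a pattern back to the index queue. Transforms in one
# TRANSFORMS- list run left to right, so "setnull" must come first.
# "app:hostlog" is likewise hypothetical.
[app:hostlog]
TRANSFORMS-keeplist = setnull, keep_auth_events

# ---- transforms.conf -------------------------------------------------

# Events whose first token after the timestamp is DEBUG or TRACE are sent
# to nullQueue, i.e. dropped before indexing and not metered.
[drop_debug_lines]
REGEX = ^\S+\s+(DEBUG|TRACE)\b
DEST_KEY = queue
FORMAT = nullQueue

# Match every event and mark it for nullQueue ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then override that for sshd and sudo lines so they are indexed.
[keep_auth_events]
REGEX = \b(sshd|sudo)\[\d+\]:
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting splunkd, check the effect by comparing per-sourcetype volume in the license usage log, for example with the search `index=_internal source=*license_usage.log* type=Usage | stats sum(b) AS bytes BY st`, before and after the change. Test each REGEX against real sample lines first: a pattern that is too broad silently drops data you may need later for an investigation, and there is no way to recover events once they have gone to nullQueue.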