Splunk Review

Enables Centralization And Correlation Of Data That Was Unattainable With Other Solutions


How has it helped my organization?

Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.

A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.

What is most valuable?

Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allows schema on the fly and therefore simplifies the whole data onboarding process. All that leads to flexibility when it comes to defining the metadata, since it is not necessary to have all the fields defined and extracted to be able to use Splunk.

Another great feature is the field extractor, which allows people with little or no regex experience to define fields and extract valuable information from the data.

Finally, the ability to connect to various sorts of databases and NoSQL solutions makes it a very powerful tool, not only as a SIEM but also as a data lake for machine learning and data analysis.

What needs improvement?

Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.

What do I think about the stability of the solution?

Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.

What do I think about the scalability of the solution?

Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a Splunk index can be done without affecting any of the existing members of the infrastructure.

How is customer service and technical support?

In my opinion, Splunk has three levels of support. The first level is their forum (Splunk Answers). The forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team, which replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.

Which solutions did we use previously?

Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes, and also because Splunk is simpler to use, is more data oriented, and is better adapted to business security use cases.

How was the initial setup?

We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.

What's my experience with pricing, setup cost, and licensing?

Splunk's licensing model might seem expensive, but with all the gain in functionality you will have compared to traditional SIEM solutions, I think it's worth the price. Also, when you have small volumes of data to index daily (which might account for high EPS), you will be gaining the full advantage of using Splunk for a very low price.

Which other solutions did I evaluate?

Yes, Graylog and QRadar.

What other advice do I have?

You're in for a nice surprise: Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis; you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
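As an added example that is not part of the review and not taken from Splunk's own documentation, the two points made above (removing sensitive data before it reaches a report, and defining fields without writing the extraction up front) map onto three pieces of Splunk configuration: an index-time SEDCMD mask in props.conf, a search-time EXTRACT field extraction in the same stanza, and a role in authorize.conf whose srchFilter limits what a lower-clearance analyst can search. The sourcetype name, file path, log format, field names, tag value and role name are all assumptions made for this example.

```ini
# ---- props.conf (on the indexer or heavy forwarder that parses the data) ----
# Constructed sample event this stanza is written against:
#   2017-07-17T10:21:05Z user=jdoe action=purchase card=4111111111111111 amount=19.99

[source::/var/log/shop/payments.log]
# Assumed path and sourcetype name.
sourcetype = shop:payments

[shop:payments]
# Index-time masking: applied while the event is parsed, before it is written
# to disk, so the full card number never reaches the index or any search
# result. Keeps the first 6 and last 4 digits and masks the 6 in between.
SEDCMD-mask_pan = s/card=(\d{6})\d{6}(\d{4})/card=\1******\2/g

# Search-time field extraction (schema on read): the regex is evaluated when a
# search runs, so changing it does not require re-indexing anything.
EXTRACT-shop_fields = user=(?<user>\S+)\s+action=(?<action>\S+)\s+card=(?<card>\S+)\s+amount=(?<amount>[\d.]+)

# ---- authorize.conf (on the search head) ----
# Search-time restriction for a lower-clearance role (assumed name). The role
# may only search the listed indexes, and srchFilter is ANDed onto every
# search it runs, so events carrying the assumed tag are invisible to it no
# matter what the user types.
[role_tier1_analyst]
importRoles = user
srchIndexesAllowed = security;shop
srchIndexesDefault = security
srchFilter = NOT tag=restricted
```

Two caveats worth keeping in mind: SEDCMD masking is irreversible and only takes effect on an instance that parses the data (a universal forwarder does not apply it), while srchFilter is a search-time control that does not stop an admin, or anyone who can read the index files, from seeing the raw events. Splunk also combines the srchFilter values of all roles a user holds with OR, so giving a user a second role can widen rather than narrow what they can see; check the effective filter for users with multiple roles.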
4 Comments
Henry (Real User)

Yes Splunk is still a top dog in SIEMs

17 July 17
Alireza Ghahrood (Real User)

Yes, Splunk is still a top dog in SIEMs, exactly.

18 July 17
MS Alam (Real User)

It's very easy to use to drill into the logs and find the issue and information from this device.

26 March 18
Alireza Ghahrood (Real User)

According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:

Federal Information Security Management Act (FISMA) of 2014
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
North American Electric Reliability Corporation Critical Infrastructure Protection
Payment Card Industry Data Security Standard
Sarbanes-Oxley Act
At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.

14 July 18