What is our primary use case?
Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a server's logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.
How has it helped my organization?
Splunk has helped our organization mainly in our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, to administrators being notified, and, if escalated enough, to automatic account locks.
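The tiered response described above (alert, notify an administrator, lock the account) driven by a per-user baseline of failed logins can be illustrated outside Splunk. The following is an added example, not the reviewer's detection code: the log format, the seven-day baselines and the z-score cut-offs are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Per-user daily failed-login counts for the previous seven days (constructed).
BASELINE = {
    "alice": [1, 0, 2, 1, 1, 0, 2],
    "bob":   [0, 1, 0, 0, 1, 0, 1],
    "dave":  [2, 3, 2, 2, 3, 2, 3],
    "erin":  [1, 1, 1, 1, 1, 1, 1],
}

# Today's authentication events in a simple key=value format (constructed).
TODAY = [f"2024-01-08T08:{i:02d}:00 host=ws01 user={u} result=fail"
         for u, n in (("alice", 4), ("bob", 8), ("dave", 6), ("carol", 1))
         for i in range(n)] + ["2024-01-08T09:00:00 host=ws01 user=erin result=success"]

# Escalation tiers as z-score cut-offs (hypothetical policy), checked strictest first.
TIERS = ((9.0, "lock"), (6.0, "notify_admin"), (3.0, "alert"))

def count_failures(lines):
    """Return {user: failed attempts} parsed from key=value log lines."""
    counts = defaultdict(int)
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # skip timestamp
        if fields.get("result") == "fail" and "user" in fields:
            counts[fields["user"]] += 1
    return dict(counts)

def classify(user, failures, baseline=BASELINE, tiers=TIERS):
    """Map today's failure count to an action using the user's own history."""
    history = baseline.get(user)
    if not history:
        return "alert"            # no baseline to judge against: a human looks
    sd = pstdev(history) or 1.0   # a flat history gives sd 0; avoid dividing by zero
    z = (failures - mean(history)) / sd
    for cutoff, action in tiers:
        if z >= cutoff:
            return action
    return "normal"

def triage(lines, baseline=BASELINE):
    """Evaluate every baselined user plus anyone seen failing today."""
    failures = count_failures(lines)
    users = set(baseline) | set(failures)
    return {u: classify(u, failures.get(u, 0), baseline) for u in sorted(users)}

if __name__ == "__main__":
    for user, action in triage(TODAY).items():
        print(f"{user:6} -> {action}")
```

A user with a flat or empty history deliberately does not escalate straight to a lock; only a large, sustained deviation from that user's own baseline reaches the top tier.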
What is most valuable?
The ability to view all of these different logs, and then drill down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.
What needs improvement?
Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. That is not to say that they are currently lacking (I don't believe they are), but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor.
We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.
Efficiency of Security Team
Immensely, I cannot stress enough the positive impact this has had on our security team.
Events per Day
Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the number of remote workers in the office, it averages around 50 million events daily.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
We did not encounter any issues with stability.
What do I think about the scalability of the solution?
We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.
How are customer service and technical support?
I have not personally dealt with customer service/technical support.
Which solution did I use previously and why did I switch?
We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.
How was the initial setup?
The initial setup is very straightforward: unzipping a tar, creating a service, and starting the service.
What about the implementation team?
My team was the team that set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high, with an average of 4 Splunk certifications per person on my team.
What was our ROI?
ROI is estimated at saving my team roughly 10 to 12 man-hours per week in troubleshooting for our company, as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.
What's my experience with pricing, setup cost, and licensing?
Setup cost is cheap: It is free, it is user-friendly, and it is fast.
I would highly recommend anyone evaluating this option to download the free trial, which allows for the ingestion of 500MB of data per day, in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to skyrocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.
Which other solutions did I evaluate?
We evaluated the ELK Stack, which we have recently implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.
What other advice do I have?
If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.
Which version of this solution are you currently using?