Splunk Review

Our clients are easily able to modify and evolve their implementations


What is our primary use case?

Security. We have built SIEM solutions three times from the ground up (not ES) using Splunk for some of the largest companies in the world.

How has it helped my organization?

Out clients went from unhappy using inflexible, poorly-supported products (in some cases barely functionally) to confident and excited when using Splunk. Not only are they able to do their security jobs and investigations, but they are also easily able to modify and evolve their implementations themselves to keep up with the shifting sands, which is the SecOps landscape.

What is most valuable?

  • Core Splunk
  • Saved searches
  • Dashboards (SimpleXML) 

With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow. Then, you have your own SIEM.

What needs improvement?

  • It needs integration with a configuration management solution. 
  • It could use better password management for forwarders. 
  • It needs a better way to export dynamic views without requiring a ton of code and user/pw.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Unfortunately, lately every release has a new memory leak.  Be SURE to upgrade late and READ THE RELEASE NOTES, especially the "Known Issues" section.

What do I think about the scalability of the solution?

We only ever have issues when deployed on VMs and the VM admins do not do what we tell them to do which is EXCLUSIVELY RESERVE OUR RESOURCES.

How are customer service and technical support?

It used to be great (but perhaps that was because my employer at the time was a key prospect in a vertical where Splunk had no customers) but Splunk support is definitely a victim of Splunk's explosive growth.  The first tier support is as bad as it is most places and getting worse all the time.  If you KNOW your problem is not run of the mill, ask for escalation immediately.  Also the clock on the case does not start until somebody adds a note to the case so always call in and ask if they got your diag file (always attach a diag) and the person who answers will have to add a note to the case which will start the clock.

If you previously used a different solution, which one did you use and why did you switch?

I have dabbled with LogRythm and ArcSight and they are both OK, but Time-To-Value is WAY shorter with Splunk, IMHO.

How was the initial setup?

Use bare metal severs on Linux and you will be fine.  Use Windows and you will have much trouble.  Use VMs and your admins will cheat you and you will have much trouble.  Do not use NAS!!!!

What about the implementation team?

In-house.  We at Splunxter are Splunk experts.  We can do anything with Splunk.  We always hit homeruns.

What was our ROI?

We usually get multi X-factor within a quarter.

What's my experience with pricing, setup cost, and licensing?

Get free PS if you can (ask) or USE THE DOCS.  The documentation will get you to success.  If you are not getting more value out of Splunk than the license you are paying, then you are doing something wrong and should spend a tiny bit more to get a consultant like Splunxter.com to help you.

Which other solutions did I evaluate?

No,we went with the free trial and got so much value so quickly we bought in.

What other advice do I have?

You can also get GREAT help at answers.splunk.com.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Splunk-focused consulting company, but not a Splunk Partner. I am also a member of the "Splunk Trust", Splunk's "MVP" program.
Add a Comment
Guest
Sign Up with Email