Splunk Review
Low barrier to start searching with the ability to normalize data on the fly


What is our primary use case?

Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and application logs to provide security insights.

How has it helped my organization?

Before, analysis required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible is now unbelievably fast.

What is most valuable?

Low barrier to start searching with the ability to normalize data on the fly.

I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.

What needs improvement?

I would like to see Splunk improve its posture as a production operations tool. This means that the searches, alerts, dashboards, and additional configurations that I use should have a production migration process, so that I can know if my important detects have been tampered with and restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides toward making all configuration possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

Efficiency of Security Team

It has absolutely improved the efficiency of my security team.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No stability concerns.

What do I think about the scalability of the solution?

We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads where it was originally done. For example, the history of search runs is stored locally, so I needed to log on to each search head to try and find it.

How is customer service and technical support?

Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss.

Which solutions did we use previously?

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

How was the initial setup?

The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.

Which other solutions did I evaluate?

We evaluated our existing tool, LogRhythm.

What other advice do I have?

Growth in data ingested will be much larger than you anticipated. If you need to prove this first, consider using an ELK Stack / Logstash type of solution before using Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
