Splunk Review

Extremely scalable but they need to make purpose-built modules more robust


What is our primary use case?

  • SIEM
  • Security information 
  • Event management

What needs improvement?

The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication.

What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.

What do I think about the scalability of the solution?

It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution would be accompanying requirements for people just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to put everything including the Coke machine as the ability to collect data off of it, because of course the more they can put through the tool the more money they make.

If you previously used a different solution, which one did you use and why did you switch?

  • AlienVault
  • LogRhthym
  • ArcSight
  • QRadar

I've used a whole bunch of different solutions. For a SIEM based solution, they are more purpose-built for that function. Where Splunk is purpose-built for a general logging and data capture solution so you'd be able to capture a lot of different information.

How was the initial setup?

Anything that's not out of the box requires codding. Even up until recently when they finally released their SIEM or their security add-on. Before then there was not security stuff at all. I would actually have to go in and code that within the system to able to do the necessary searches to pull that information. Where a lot of the other tools, they already have those preconfigured which means I don't have to go and recreate the wheel. Now, we finally figured that out to a certain degree, and started putting the new tool in a place that gives you some SIEM functionality.

What other advice do I have?

As a logging solution, I would say it's probably an eight or nine. If you're talking about the SIEM I'd say it's probably about a five. For logging, I think they would have to change the costing model. The costing model is way out of line. It's built for very large organizations.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email