PeerSpot user
Infrastructure Engineer at Zirous, Inc.
Real User
Top 20
Monitors all machine logins and actions taken on those machines under each user
Pros and Cons
  • "The ability to view all of these different logs and then drill down into specific times or specific data sources has proved to be the greatest aspect in decreasing our troubleshooting overhead time."
  • "We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster."
  • "I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor."

What is our primary use case?

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a server's logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.

How has it helped my organization?

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

What is most valuable?

The ability to view all of these different logs and then drill down into specific times or specific data sources has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

What needs improvement?

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking (I don't believe they are), but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor.


We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Immensely, I cannot stress enough the positive impact this has had on our security team.

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

How are customer service and support?

I have not personally dealt with customer service/technical support.

Which solution did I use previously and why did I switch?

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

How was the initial setup?

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

What about the implementation team?

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

What was our ROI?

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

What's my experience with pricing, setup cost, and licensing?

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial, which allows for the ingestion of 500MB of data per day, in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to skyrocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

Which other solutions did I evaluate?

We evaluated the ELK Stack, which we have recently implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.

What other advice do I have?

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
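The review above describes a model that baselines each user's typical number of failed logins and then escalates from an alert, to notifying administrators, to an automatic account lock. The following is an added example, not code from the review or from Splunk, that models that behaviour in plain Python over constructed log lines so it runs offline; the log format, user names, thresholds and tier names are all assumptions. It also handles two edge cases a practitioner hits immediately: a user with no history (or a baseline of zero failures, where the standard deviation collapses to zero) is judged against an absolute floor rather than locked on a single typo, and a habitually noisy service account is judged against its own baseline rather than a global count.

```python
"""Per-user failed-login baseline with tiered response (alert, notify, lock).

Added example, not code from the review or from Splunk: it models the
behaviour the reviewer describes (a per-user baseline of typical failed
logins, with alerts escalating to administrator notification and finally an
account lock) in plain Python over constructed log lines, so it runs offline.
The log format, field names, thresholds and user names are all assumptions.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> <user> OK|FAIL", one line per attempt.
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<user>\S+) (?P<result>OK|FAIL)$")

# Absolute floors keep a quiet baseline (mean 0, stdev 0) from escalating on a
# single typo, and stop a noisy service account from being locked for its norm.
ALERT_FLOOR, NOTIFY_FLOOR, LOCK_FLOOR = 3, 5, 8
SIGMA = 2.0  # standard deviations above the baseline mean that count as abnormal

# Constructed activity, not real data: (user, day, failed attempts, successful attempts).
# Days 04-01..04-03 are history; 04-04 is the window being evaluated.
SAMPLE_ACTIVITY = [
    ("alice", "2024-04-01", 1, 4), ("alice", "2024-04-02", 2, 3),
    ("alice", "2024-04-03", 1, 4), ("alice", "2024-04-04", 2, 3),
    ("bob", "2024-04-01", 0, 5), ("bob", "2024-04-02", 1, 4),
    ("bob", "2024-04-03", 0, 5), ("bob", "2024-04-04", 9, 0),   # burst of failures
    ("carol", "2024-04-04", 5, 0),                               # no history at all
    ("erin", "2024-04-01", 0, 2), ("erin", "2024-04-02", 0, 2),
    ("erin", "2024-04-03", 0, 2), ("erin", "2024-04-04", 3, 1),  # zero-failure baseline
    ("svc-backup", "2024-04-01", 6, 10), ("svc-backup", "2024-04-02", 7, 10),
    ("svc-backup", "2024-04-03", 6, 10), ("svc-backup", "2024-04-04", 7, 10),  # habitually noisy
]


def render_log(activity):
    """Expand the activity spec into one constructed log line per attempt."""
    lines = []
    for user, day, failed, succeeded in activity:
        lines += [f"{day}T08:{i:02d}:00 {user} FAIL" for i in range(failed)]
        lines += [f"{day}T09:{i:02d}:00 {user} OK" for i in range(succeeded)]
    return "\n".join(lines)


def parse(log_text):
    """Yield (day, user, result) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("day"), m.group("user"), m.group("result")


def daily_failures(events):
    """Return {user: {day: failed_count}}, recording a 0 for days with only successes."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, result in events:
        counts[user][day] += 1 if result == "FAIL" else 0
    return counts


def classify(count, history):
    """Tier today's failed-login count against the user's own history.

    The baseline threshold is mean + SIGMA * stdev of past daily counts, never
    below ALERT_FLOOR. A user with no history gets the floor alone.
    """
    past = list(history) or [0]
    threshold = max(ALERT_FLOOR, mean(past) + SIGMA * pstdev(past))
    if count < threshold:
        return "normal"
    if count >= LOCK_FLOOR:
        return "lock"
    if count >= NOTIFY_FLOOR:
        return "notify"
    return "alert"


def evaluate(log_text, window_day):
    """Classify every user seen in the log for window_day; earlier days form the baseline."""
    verdicts = {}
    for user, per_day in daily_failures(parse(log_text)).items():
        history = [c for d, c in per_day.items() if d < window_day]
        verdicts[user] = classify(per_day.get(window_day, 0), history)
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(evaluate(render_log(SAMPLE_ACTIVITY), "2024-04-04").items()):
        print(f"{user:<12} {verdict}")
```

With the constructed data, bob's nine failures against a near-zero baseline reach the lock tier, carol (no history) is caught by the floor and reaches notify, erin's three failures against a zero baseline raise only an alert, and svc-backup's seven failures are normal for that account. The floors are the part worth tuning deliberately: without them a zero-variance baseline would flag the first failure, and without the per-user baseline the service account would be locked every day.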
PeerSpot user
Owner with 1-10 employees
Real User
The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.
Pros and Cons
  • "To get visibility from your network devices, servers, and security devices is a great feature."
  • "Better directions on search head clusters."

How has it helped my organization?

The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.

What is most valuable?

Splunk's capability to receive any types of logs and index them is a very good feature. To get visibility from your network devices, servers, and security devices is a great feature.

What needs improvement?

Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.

What do I think about the stability of the solution?

Not at all.

What do I think about the scalability of the solution?

None.

How are customer service and technical support?

Customer Service:

Excellent. I didn't call often; however, when I did, they pretty much solved my problem.

Technical Support:

Excellent. I didn't call often; however, when I did, they pretty much solved my problem.

Which solution did I use previously and why did I switch?

No solution was available at the time.

How was the initial setup?

No, the initial setup was fairly basic.

What about the implementation team?

In-house. We had professional services; however, we did the install prior to the consultant arriving. So, his workload was light considering we had already installed and configured the Splunk servers.

What was our ROI?

We purchased and paid for it as an annual subscription for three years and are working on purchasing the Perpetual edition.

What's my experience with pricing, setup cost, and licensing?

Pricing is pretty fair. However, I would suggest you trial for at least 90 days if you can get the salesperson to offer you the option to renew your 30-day trial a couple more times to evaluate. The 30-day trial is not enough.

Which other solutions did I evaluate?

The other SIEM solution providers we looked at were ArcSight, QRadar and SolarWinds LEM.

What other advice do I have?

Splunk is a good product. Pricing is a bit high; however, after it's installed you can understand why and get caught up in reading the logs that are available.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Alireza Ghahrood, Consultant & Instructor - Cyber Security, Governance Risk Compliance (CISO as a Service) at Independent
Top 10
Real User

Splunk is user friendly, better than other similar products.

PeerSpot user
CTA\Owner at UCSolutions
Real User
Easy to use and simple to set up with reasonable pricing
Pros and Cons
  • "The SIEM is the most valuable feature of the product."
  • "The documentation is in definite need of improvement."

What is our primary use case?

I need the product for SIEM, Security Identity Event Management. I also need it for security operations, automated response, as well as mapping adjusting of security components as well. It helps us with how best to look at various events, and orchestrate between various different hyper-scalers.

How has it helped my organization?

The solution has made us more secure and has allowed for more definable mapping.

What is most valuable?

The SIEM is the most valuable feature of the product.

Having a better integration method and then ingesting and mapping the information have been somewhat easier than some of the other tools that I've used previously (other than QRadar and Rapid7).

The initial setup is pretty simple.

The solution is scalable.

Stability has been quite good. 

The pricing is pretty decent.

What needs improvement?

The documentation is in definite need of improvement. 

There are pieces of it that are somewhat just daunting and there should be better orchestration and automation. 

I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.

I'd like to have it so that Splunk integrates better with Terraform and Python.

For how long have I used the solution?

I've used the solution for eight years. I've used it for quite a while. 

What do I think about the stability of the solution?

Splunk is probably the best brand in terms of stability. I'd rate its reliability at a four out of five. There aren't bugs or glitches. It doesn't crash or freeze.

What do I think about the scalability of the solution?

The scalability is great. I'd give it a score of four out of five. If a company needs to expand, it can do so. 

We have 450 people in our organization that use the product. We've also done this for clients that needed access for over 200,000 people.

We use the solution extensively and likely will increase usage.

How are customer service and support?

The support is okay; however, there are a couple of things that they couldn't figure out, and they couldn't help me with automation or stuff like that. It could have been better from there; however, it's not that bad.

Which solution did I use previously and why did I switch?

I've previously used QRadar and it wasn't ideal.

There were certain times I integrated with other solutions too.

How was the initial setup?

The initial implementation is pretty simple and straightforward. It's not too complex. I'd rate the experience at an eight out of ten.

The initial deployment took us about two weeks or so.

The amount of personnel you need for deployment and maintenance tasks depends on the size of the deployment. Typically, it's just one or two people. That said, it needs to be proportionate to certain sizes. Usually, the staff is from procurement or provisioning.

What about the implementation team?

I handled the implementation myself. I didn't need any outside assistance from any integrators. I'm a consultant myself.  

What was our ROI?

We've seen quite extensive ROI; however, it's more of a qualitative assessment and I don't have numbers to share. It works well and customers are happy. That's what counts.

What's my experience with pricing, setup cost, and licensing?

It's a little bit more expensive than some of the other tools. It's not as expensive as QRadar. That said, it's more expensive than LogRhythm or Sentinel.

There aren't really other fees beyond the standard costs of licensing. 

Which other solutions did I evaluate?

I evaluated other things. I also integrated with other solutions too. I decided to go with Splunk due to the fact that it worked well.

What other advice do I have?

I'm a consultant. I'm also a customer and use it myself. 

We use multiple deployment models, including public and private clouds. 

We typically use the latest version of the solution. 

I'd advise potential new users to get a proper plan. They should have a good partner or someone that can help them and quickly map and orchestrate.

I'd rate the solution at a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Systems Engineer at Aricent
Real User
A complete solution that satisfies the needs of our clients, but it is complex to set up and use
Pros and Cons
  • "It's the completeness of the solution that we like the most."
  • "Our two main complaints are about the difficulty of the initial setup and the licensing model."

What is our primary use case?

We are a software development company and Splunk is one of the products that we have implemented for our clients. It is used for log analytics as well as the mobile SDK for checking the stability of mobile applications.

What is most valuable?

It's the completeness of the solution that we like the most. It has a solution for backend log analytics, but also one for mobile applications.

What needs improvement?

Our two main complaints are about the difficulty of the initial setup and the licensing model.

The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.

For how long have I used the solution?

I have been working with Splunk for more than five years.

What do I think about the stability of the solution?

There have been no issues in particular. What we are using has not been that heavy.

What do I think about the scalability of the solution?

We have not had any problems with respect to scalability.

How are customer service and technical support?

Based on when we have been in contact with them, I think that technical support was fine.

I'm not sure if they have different support models but I think it took a long time for them to respond. It may be a consequence of the support contract our client had with them.

How was the initial setup?

This is a complicated product to use and you need constant help to set it up. I really wish that it was easier to set up and use.

What about the implementation team?

We do not have any dedicated people who are working on Splunk, but we have a team of approximately 100 people that are responsible for the development of mobile applications, backend systems, DevOps, etc.

What's my experience with pricing, setup cost, and licensing?

I think that most of the log analytics solutions are expensive and I'm not sure if it's worth it. However, I wish that they were less expensive. I am not talking about a single product but rather, all of the ones that are in the domain of log analytics.

What other advice do I have?

Splunk is a good product but I would definitely tell people to analyze their requirements to see if Splunk fits their use case, or not. The licensing model is very complicated, so if there is a product that has a better licensing model then it would probably be good to start with that. Then, later on, if the product is not working well enough, then they can switch to Splunk. At that point, they will have knowledge of the data they are using and will understand the costs that they might incur while using it. 

The only way that I would suggest somebody use this as their first solution is if they already had all of the data that is required to get a cost estimate.

I would rate this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Systems Engineer at Aricent
Real User
A reliable and complete solution, but the pricing model is complex and it's expensive
Pros and Cons
  • "The completeness of the solution is what we like the most."
  • "It's difficult to set up initially, and their billing model is also a bit complicated."

What is our primary use case?

We are using the mobile SDK to check the stability of mobile applications.

What is most valuable?

The completeness of the solution is what we like the most.

What needs improvement?

It's difficult to set up initially, and their billing model is also a bit complicated. 

We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers.

In order to know how much it will cost, you need those numbers.

I really wish that it was an application that was easier to use.

For how long have I used the solution?

I have been working with Splunk for more than five years.

What do I think about the stability of the solution?

We have not experienced any issues.

What do I think about the scalability of the solution?

For our use cases, we have not required any scaling.

How are customer service and technical support?

The technical support is fine. At times, they take time to respond back but it may have been the support contract that our client had.

I would assume that they are not as responsive as we want them to be.

How was the initial setup?

We have a team of approximately 100 people who are responsible for the development of mobile applications, DevOps, and application development.

What's my experience with pricing, setup cost, and licensing?

The licensing cost model is complicated.

I think that most of the monitoring solutions are expensive. I wish they were less expensive, for all types of products for monitoring.

Which other solutions did I evaluate?

We work with Splunk, but we are looking for some LOG Kinetics solutions for our clients.

What other advice do I have?

I would definitely suggest sending people to analyze or evaluate Splunk.

Because the licensing model is very complicated to understand, it would be better to start with another product that provides a better licensing model. Later, if the product is not working well, they can consider using Splunk and may have a better understanding of the cost.

For me, I would not recommend Splunk as their first solution unless they have all of the data that is required.

I would rate Splunk a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Consultant at Securian Financial Group
Real User
Low barrier to start searching with the ability to normalize data on the fly
Pros and Cons
  • "Low barrier to start searching with the ability to normalize data on the fly."
  • "I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs."
  • "The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files."
  • "Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss."

What is our primary use case?

Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and applications logs to provide security insights. 

How has it helped my organization?

Before, analysis required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible is now unbelievably fast.

What is most valuable?

Low barrier to start searching with the ability to normalize data on the fly.  

I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.

What needs improvement?

I would like to see Splunk improve its posture as a production operations tool. This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

Efficiency of Security Team

It has absolutely improved the efficiency of my security team.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No stability concerns.

What do I think about the scalability of the solution?

We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads that it was originally done on. For example, the history of search runs is stored locally, so I needed to log on to each search head to try and find it.

How are customer service and technical support?

Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss.

Which solution did I use previously and why did I switch?

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

How was the initial setup?

The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.

Which other solutions did I evaluate?

We evaluated our existing tool, LogRhythm.

What other advice do I have?

Growth in data ingested will be much larger than you anticipate. If you need to prove this first, consider using an ELK Stack/Logstash type of solution before using Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Specialist Master, Cyber Risk at a tech vendor with 10,001+ employees
Real User
My clients have visibility into systems and activities that they never had before.
Pros and Cons
  • "Splunk gives my clients the ability to bring multiple, disparate types of data together, then correlate and report on them."
  • "The GUI can be improved. Splunk has always suffered from having a kind of goofy UI; it needs some updating."

How has it helped my organization?

Some of my clients had rudimentary home-grown security solutions that Splunk ES has completely replaced.

In these cases, the improvement was dramatic; they had visibility into systems and activities that they never had before.

In the case of clients who already had a SIEM solution, the change was more incremental. However, in my opinion, the Splunk ES solution is superior because it is so flexible. It can consolidate data from almost anything.

What is most valuable?

Splunk Enterprise Security is most valuable, my clients use it as a SIEM solution. Splunk gives them the ability to bring multiple, disparate types of data together, then correlate and report on them.

What needs improvement?

The GUI can be improved. Splunk has always suffered from having a kind of goofy UI; it needs some updating.

What do I think about the stability of the solution?

There were no stability issues. It is one of the most stable systems that I have worked with.

What do I think about the scalability of the solution?

As of now, no scalability issues were experienced. Splunk is highly scalable, so don’t anticipate that. However, scaling can get very expensive with their pricing model.

How are customer service and technical support?

Technical support is excellent! It is of top-notch level. The customer support folks really know their stuff, and the turnaround is fast.

Which solution did I use previously and why did I switch?

Previously, we were using HPE ArcSight.

How was the initial setup?

That’s a hard one. The initial setup is easy but making it actually work is complex. However, the complexity is something that just comes with all top SIEM tools. Very few companies have exactly the same data and issues, so a great deal of data onboarding and normalization are always required.

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Plan your implementation carefully. Be sure you have someone to implement it, someone who knows what he is doing. Splunk’s inherent flexibility is a great thing, but it also provides an opportunity to really mess things up.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are an alliance partner.
PeerSpot user
Lead Splunk Architect at a financial services firm with 10,001+ employees
Real User
Enables Centralization And Correlation Of Data That Was Unattainable With Other Solutions
Pros and Cons
  • "It allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar."
  • "Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources."

How has it helped my organization?

Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.

A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.

What is most valuable?

Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allows schema on the fly and therefore simplifies the whole data onboarding process. All that leads to flexibility when it comes to defining the metadata, since it is not necessary to have all the fields defined and extracted to be able to use Splunk.

Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.

Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.

What needs improvement?

Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.

What do I think about the stability of the solution?

Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.

What do I think about the scalability of the solution?

Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a Splunk index can be done without affecting any of the existing members of the infrastructure.

How are customer service and technical support?

In my opinion Splunk has three levels of support. First level is their forum (Splunk Answers). The Forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team that replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.

Which solution did I use previously and why did I switch?

Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.

How was the initial setup?

We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.

What's my experience with pricing, setup cost, and licensing?

Splunk's licensing model might seem expensive, but with all the gain in functionality you will have compared to traditional SIEM solutions, I think it's worth the price. Also, when you have small volumes of data to index daily (which might still account for high EPS), you will be gaining the full advantage of using Splunk for a very low price.

Which other solutions did I evaluate?

Yes, Graylog and QRadar.

What other advice do I have?

You're in for a nice surprise, Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis, you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
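The review above notes that sensitive data can be removed from reports before display, filtered according to the viewer's clearance level. The following is an added example, not code from the review or from Splunk (the review does not describe how Splunk itself does this), that models the idea in plain Python: a policy table gives each field a minimum clearance, free-text fields are scrubbed for values that belong to a higher level, and the stored events are never modified. The policy table, clearance levels, patterns and sample events are all assumptions.

```python
"""Clearance-based redaction of sensitive fields before a report is displayed.

Added example, not code from the review or from Splunk: the reviewer says
administrators can remove sensitive data from reports according to the
viewer's clearance level, and this models that idea in plain Python. The
policy table, clearance levels, patterns and sample events are assumptions.
"""
import re

MASK = "[REDACTED]"

# Assumed policy: the minimum clearance needed to see a field in the clear.
# Fields not listed are visible to everyone.
FIELD_CLEARANCE = {"user": 1, "src_ip": 2, "card_number": 3}

# Sensitive values also hide inside free text, so each clearance level has
# patterns that are masked for viewers below it (simplified, constructed).
VALUE_PATTERNS = {
    3: re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),    # 16-digit card-like numbers
    2: re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),   # IPv4 addresses
}

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {
        "time": "2024-04-04T10:15:00",
        "user": "alice",
        "src_ip": "10.1.2.3",
        "card_number": "4111111111111111",
        "message": "payment from 10.1.2.3 with card 4111 1111 1111 1111 declined",
    },
    {
        "time": "2024-04-04T10:16:30",
        "user": "bob",
        "src_ip": "192.168.7.9",
        "card_number": "",
        "message": "login from 192.168.7.9 succeeded",
    },
]


def redact_text(text, clearance):
    """Mask any value pattern whose level is above the viewer's clearance."""
    for level, pattern in VALUE_PATTERNS.items():
        if level > clearance:
            text = pattern.sub(MASK, text)
    return text


def redact_event(event, clearance):
    """Return a copy of one event as a viewer with this clearance may see it."""
    view = {}
    for field, value in event.items():
        if FIELD_CLEARANCE.get(field, 0) > clearance:
            view[field] = MASK                           # whole field withheld
        elif isinstance(value, str):
            view[field] = redact_text(value, clearance)  # free text scrubbed
        else:
            view[field] = value
    return view


def redact_report(events, clearance):
    """Apply the policy to every event; the stored events are never modified."""
    return [redact_event(e, clearance) for e in events]


if __name__ == "__main__":
    for level in (0, 1, 2, 3):
        print(f"clearance {level}:")
        for row in redact_report(SAMPLE_EVENTS, level):
            print("  ", row)
```

The free-text scrub is the part a field-level policy alone misses: the card number withheld from `card_number` would otherwise leak through `message`. Display-time redaction of this kind controls what a viewer sees, not what is stored or indexed, so retention and access to the raw data still need their own controls.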
PeerSpot user
Alireza Ghahrood, Consultant & Instructor - Cyber Security, Governance Risk Compliance (CISO as a Service) at Independent
Top 10
Real User

According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:

  • Federal Information Security Management Act (FISMA) of 2014
  • Gramm-Leach-Bliley Act
  • Health Insurance Portability and Accountability Act
  • International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
  • North American Electric Reliability Corporation Critical Infrastructure Protection
  • Payment Card Industry Data Security Standard
  • Sarbanes-Oxley Act

At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.
