Splunk Enterprise Security Reviews

We use it for a lot of compliance work and incident reviews. We are also using it for remediation and tracking assets.

We use Splunk not just for security, but we also collect a lot of data from our operational equipment. We are using it a lot for troubleshooting and trending and even for command and control.

It has reduced our mean time to resolve some of the things. We are able to look at the data a lot faster and see what is going on. For some of our use cases, our NOC controllers or our operators are looking at the Splunk dashboard a lot. It is a part of their main job. In one specific use case, we used to take a couple of weeks to do certain maintenance. With Splunk and having the data, we were able to reduce that to just a few hours.

It has helped improve our organization's business resilience. We are able to have the data collected in one spot, see it, and get some insights from it. That has helped a lot.

It has definitely given our technical workforce tools to help with their jobs for troubleshooting and things like that.

From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful.

We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that.

It seems to be limited in terms of predictive features. I took up machine learning a couple of years ago. It seems to have some capabilities there, but I do not have specific things for it right now.

In our organization, we have had it for over five years, but my personal experience with it is very limited.

It has been working for us so far.

We have been able to scale as needed.

I have not contacted their support directly because we have folks who are pretty knowledgeable. I go to them, and then they go to their support if needed. As far as I could tell, their support has been okay. I have not heard of any issues.

We did not have a similar product. Splunk came as a security product, and we have evolved it into doing operational work.

We have folks who do the deployment. I am more on the interface side.

We would have seen an ROI. We are using it for a lot of our operational work and other things as well that are not related to what we are doing on a daily basis. We are looking at logs and other things that our executives are looking for.

Its time to value was within a year or so. There are a lot more things that we could do with Splunk, and that is why we ended up adding some stuff to it to fit our needs.

It is hard to tell whether we had any cost efficiencies because we did not have something like this before. Of course, we have Splunk now.

As a team, we prefer the old pricing model with a perpetual license. We are still evaluating the whole subscription-based model. 

We did not evaluate other solutions. Splunk came in with the modernization effort that we were going through, so it just came with the system.

We are pretty happy with it. I would rate Splunk Enterprise Security a seven out of ten.

At a high level, its use cases are related to security monitoring, log aggregation, and a little bit of analysis related to incidents or fraud.

Splunk Enterprise Security has created better visibility for us on the cybersecurity type of events and issues. We are still maturing, but where we have seen some growth is getting better data, knowing what data to look at, and how to understand that data.

It has end-to-end visibility into our cloud-native environment. This is extremely important for us because of the type of business we do. We have a lot of PII data and a lot of compliance data on which we have to maintain very tight controls, so it is extremely important that we are able to put that in the cloud and monitor and watch our environment very closely.

It has reduced our mean time to resolve, but we are still maturing. We have got a lot of maturing to do. We have got a lot of growing to do. We have also been limited on the staff to be able to get the full realization of what we can get out of it yet, so that is a place where we are continuing to grow.

It has improved our business resilience. We have been able to identify things that could have presented a larger problem for us financially or legally through various events. We have been able to leverage the data there. We have been able to maintain that data and support that data. It does the job. It meets the needs.

Splunk has not helped to predict problems in real time because we have not yet matured to that place, but we need to. Generally, it has been helpful, but we know that we have got a lot of growing up there. We still have not got everything identified and captured in the space we want to be able to do better analysis.

Its ability to provide business resilience by empowering our staff is really high. Empowerment is great, but we have a resource problem, so we have not quite realized where we could be. 

We monitor multi-cloud environments. We have three of them. It is difficult to monitor them currently with Splunk. We are living in a highly regulated stack and a very little regulated stack and the ability to get a single pane of glass for all of that is very difficult.

Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.

In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

I have been using this solution for about five or six years.

I would rate it eight out of ten in terms of stability. Where there has been ambiguity for me is that I recently had system stability issues that were beyond my control. They were part of my solution, and I was not aware that Splunk was accountable for it. It got quickly resolved, but there was a gap there that created pain for my business.

We have not had any issues. We also have not had any detriment, but it is hard to forecast based on where you are going from a business perspective, at least with the models and the account teams that I have been working with. There is room to improve there. 

It has been a rocky road. I have been through a road where I have had limited to little engagement or support. I am on the cusp of a large turnaround, meeting with my client team and dialoguing through it. Based on the history, I would probably rate their sales support a four out of ten. Going forward, I would rate their sales support an eight out of ten. They are in the right direction. I would rate their technical support a nine out of ten.

Positive

We have been using the same solution for five or six years. It was selected before I joined, so I do not know.

I joined after it was implemented. What I am working on now is the technical depth. I am spending a lot of time with the teams there for direction strategy. Splunk has done a great job there, specifically in pulling the right resources to bear. I had executive briefings directly with executives today where we had an opportunity to talk about different components of our solutions and our stacks, and it has been very good.

We are in a growth state right now. We have seen an ROI, but anticipating any point in the future is a little difficult, so it is a mixed response. Our scale is not quite clearly defined to be able to put it to a metric or to tie it back to consumption use. There is a little bit of autonomy in there to over-adjust and still find that we can true-up in a better space. That has been good for us, but if you let that run away from you, then you start to get in trouble. 

We have not seen any cost-efficiency. We have seen our usage and needs grow, so we have seen Splunk go up in cost for us. We have not quite realized any efficiencies yet. It is also indicative of our maturity model.

The licensing is good, but the pricing absolutely needs some work. It is very high. One thing that they put in a contract, but they do not emphasize it enough is true-ups on usage based on the quarterly consumption. They do not follow that methodology. They let a customer use, use, and use, and then at some point, a true-up occurs, and it is a large cost. There is an opportunity to do a quarterly track type of true-ups as per the agreements out there. That would put them in a position where customers are able to plan on, forecast around, and work through volume adjustments that may occur in their environment. 

The other place where Splunk could spend time is the scale-up and scale-down model. Scale-up is easy where you get more business, and it is easy to add more capacity, whether it is storage or SVUs, but when you need to scale down because of a change in a business, it does put customers in a position where they are locked in, and there is no way to maneuver around that. 

We do an evaluation annually. It is important for us to do a market comparison and make sure we are looking at options in our work. What makes Splunk Enterprise Security competitive is the variabilities that they bring to the table for the overall solution. It has things like APIs that you can tie into. There is also the bonus functionality of being able to do analytics there. User behavior analytics is important for us.

I would rate Splunk Enterprise Security an eight out of ten.

We use it mostly to generate notables, and then we can use other tools, such as ticketing systems or other SOAR platforms, to investigate.

I was not around before we had Splunk Enterprise Security in our organization, so I do not know about the before and after, but I can tell it would be very painful to not have it. 

It is pretty easy to monitor multiple cloud environments. All the logs from our cloud environments go to Splunk, and then we can search everything at once. It is pretty helpful.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is pretty important. Especially if you use it as your single source of truth, it is pretty invaluable that you have everything in there.

It has reduced our mean time to detect, so inadvertently, it has also reduced our mean time to resolve. However, I do not have the metrics.

Splunk Enterprise Security has definitely improved our organization’s business resilience. There are a lot of logs that help with monitoring and alerting and keeping the business up.

It can help to predict, identify, and solve problems in real time. We do have some health alerts, and if they kick off, we might be able to fix something before it is really broken. In that sense, it is good.

Splunk Enterprise Security has been pretty good in terms of providing business resilience by empowering our staff. Most of our users are security-focused, but having everybody with the ability to write their own searches or build upon what we already have for detection of the future things is pretty helpful.

The correlation search functions that generate all the notables are valuable. That can get pretty complicated, and it handles that pretty well.

Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help. 

I have been using Splunk Enterprise Security for about two years.

It is pretty stable. We have not had any instances where Splunk just completely died. Its stability is good.

It seems pretty scalable, especially considering how much data we ingest. It is a good tool.

I have not interacted with them recently, but they are pretty good when I do need something from Splunk. I would rate them a ten out of ten. I have not had any issues with their support.

Positive

We were probably using Elasticsearch.

It was already implemented when I got here.

We have probably seen an ROI. We are in the security space, and there has definitely been improvement in uptime and the mean time to detect and respond to security alerts.

Its time to value is pretty immediate. The more logs and the more standardization that we get into Splunk, the quicker that comes.

Most people share the same thought that the ingestion rates can get pretty pricey. There is a lot of work we do to curate the data that we send to Splunk so that it is not too noisy or too expensive.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are some cool things. A lot of the talks at this Splunk conference have touched on some of the gaps that Splunk is working to close, but it is a very solid tool. 

Our primary use case is for cyber security, tracking logs, and incident response.

I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features. 

This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that. 

The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.

We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

We upgraded to Enterprise Security a year ago but have been using general Splunk for longer. 

Stability-wise, despite these issues, it's been solid. I haven't had any issues with access to it or anything like that. The only issue we did have was with the engineer. After informing him of those issues, he went back and tweaked them, and then everything worked fine. 

It seems pretty scalable. Our network isn't extremely large, so I don't think scalability will be an issue in our case, but I definitely see the opportunity to scale if needed.

We have around 8,000 devices, so it's a fairly small network. It's across several different networks.

I have not used support yet mainly because I haven't delved into it as much because of the issues with our initial integration with our engineer not being so trained. 

We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.

I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications. 

I would love to get Mission Control.

My engineer had a little bit of an issue with it but it was because of his own lack of training. We were pushed to hurry up and get a SIEM. He did the best he could. I let him know what wasn't working, and then he would try to fix what he could on the backend so it could work. He was in talks with Splunk to fix those issues. The results are coming back a bit better, but I think that there is still room for improvement.

I was not involved with the setup. I came in afterward. One of our guys here was the one that was in the initial integration of Splunk. We ended up with Splunk as our main SIEM. I've never had any issues with it and I enjoyed it. 

We will see cost efficiencies mainly just from saving time and the shortened time and response to those incidents that we see. The fact that everything's organized in one application, we should see a bit of an increase in efficiency.

I do see the possibility and the opportunity to increase the meantime to resolution by a lot. We use several different applications to monitor logs. We have the vision. 

I've seen some of the updates and changes like Splunk AI and Splunk Vision Control that look nice. I didn't manage to get on some of the hands-on, which would have been lovely. I would like to get more ideas on how we can integrate Splunk into our networks. 

I would rate Splunk Enterprise Security a nine out of ten. I see the opportunity and I'm hoping with our engineer that we can get to where we can make the best use of Splunk. It really seems great. A lot of our staff here were all ready to use it. We're just hoping our engineer can get to the place where we can actually make use of it. 

The biggest value I get from attending a Splunk conference is being able to see the updates, changes, the features they're adding, the Splunk AI, and Splunk Vision Control. That's been nice. I am looking forward to some of the sessions. I want to get more ideas on how we can integrate Splunk into our networks and things like that, especially focusing on cybersecurity. I would also like to see some of the stock sessions because it's a brand new stock. We're trying to stand it up. Seeing how they're using it for stocks would be great.

Enterprise Security has reduced our mean time to detection to results. It used to take 25 to 30 minutes and now it's down to less than ten minutes. 

Our customer has been far more satisfied with our incident response and remediation since we adopted Splunk several years ago.

Our time to value was within a few weeks to a month.

The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.

Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.

It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.

Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

I have been using Splunk Enterprise Security Enterprise for three and a half years. 

Stability is excellent. It is the most stable SIEM solution I've worked with.

Scalability is excellent. If you need to add more capacity, you can add more indexes, and more search heads as you need. The environment stays stable as you're doing it if you do it the right way. 

My environment is about nine indexes, four search heads, and about 800 GBs a day.

Their support is excellent. Every case I ever had to put in has been handled and resolved in a matter that I would hope for many support tickets.

I would rate them a ten out of ten because they are much more responsive than a lot of other vendors I've worked with.

Positive

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

I was involved in the initial setup with the help of their professional services. It was complex at first because my colleagues and I did not know the application that well. There was definitely a learning curve but once we started to understand how to design it the proper way and how to manage it the proper way which made things a lot easier.

It's more expensive than the other tools but it's worth it. Every penny is worth it. They do analytics better. They do security investigations better. They do everything better.

I would rate Splunk Enterprise Security a ten out of ten. I have worked with other SIEM solutions before and Splunk is the best one.

The biggest value I get out of attending a Splunk conference is getting to network with other people within my same account under my same account manager. I appreciate the ability to go to sessions about different support products that my organization doesn't use and try to help myself understand how some of these tools are used and how I could encourage my organization to use them.

It's the mainstay of our monitoring solutions that we have for auto-logging, et cetera, for our enterprise solution.

The most valuable aspect of the solution is the ability to capture the different data streams. We also appreciate the reporting in that aspect of Splunk. If we can grow now, with any security arena, it's going to be proactive, not reactive. It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust.

The configuration could be better.

We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.

We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.

I've personally been using the solution for over ten years. At this point, it's been more than a decade. I've used it for a while now. 

We're partners and end-users. We don't have a business relationship with Splunk.

We use the latest version. I'm not hands-on. I'm called the architect, however, we do use the latest version as that's a part of our configuration management framework, that all of our applications - especially in security - are up-to-date with the latest and greatest updates, bells, and whistles. We use both public and private clouds.

In terms of creating the solution, for what we do from an enterprise standpoint, everything from monitoring to data capture to reporting, we would rate it at a nine out of ten.

Our primary use case is for security audit log collection correlation. We wanted something that the security team could focus on versus going directly into our enterprise. We had some initial use cases to supplement our IT ops security into one product. We had a SIEM but not one that was as customizable as Splunk Enterprise Security.

The out-of-the-box capabilities that Enterprise Security offers were very helpful. We're not using it anymore because it was almost overkill. We have shifted to go back to just the core functionality. We were inundated with the amount of alerts and alarms that we could get out of it. It is also a resource hog and we didn't have the resources to support it on-prem so we're taking it offline now.

We saw the granularity that we could get from Splunk far exceeded what we already had. We had the ability to have our security team really focus on the platform and stay within the platform, but they could correlate with a variety of other stakeholders, and our stakeholders were growing. So we tried to get ahead of that and filter it in to create customizable KPIs for those user groups versus having a one-size-fits-all approach. That unique was very helpful for us to expand upon. The driving force is resources, and we were lacking those.

We use it to monitor multiple clouds. We weren't leveraging it for all of our clouds, but we have a presence in GCP, AWS, and Azure. The unity and uniformity across all of it would have been great but at that stage, we were only using it for on-prem coverage. We would like to go ahead and understand how we can implement it as a cloud solution as we are increasing our daily footprint too. We weren't really prepared to understand the workflows we already had in the CSPs or the new integrations of data lakes at a warehouse that were and are still being built out to get Enterprise Security to function off of that too. We hadn't gotten to that stage.

A lot of what we were doing was done manually in terms of vulnerability and remediation and is still being done manually now. Evolving to a stage where the alerts weren't inundating our customers and getting familiar with the product would have helped us perhaps get a bit more functionality and usability out of it. We are seeing some value out of Enterprise Security and think we can get similar results elsewhere. I think that down the road, as our understanding gets better of how we want framework requirements, Enterprise Security could come back into the picture.

I have been using Splunk Enterprise Security for around twelve months.

Stability had its drawbacks because of how much it consumes. We had to justify whether or not it was worth keeping it up. The decision was to not keep up with it.

We are only on-prem so we do manual scaling. We don't have the elasticity that we would have in the cloud which limited us. Justifiably, in order to scale up the platform, we would have to go through procurements and more hardware, which was not an option. So we were limited, and we knew that. We had done pilots and buildout but a hardware refresh cycle was coming up, we had to justify whether or not it was in the cards.

I've been working with Splunk for several years now, and I've always found them very responsive and supportive in a variety of technologies around core functionality like Enterprise Security and ITSI. 

I would rate them an eight out of ten. They have a strong team through and through from the pre-presales all the way through architectural changes and shifts that we need to do to address the customer.

Positive

We've had numerous implementations of SIEM solutions over the years. Splunk offered a lot of capabilities on top of some of our old antiquated Sentinel and Azure. We had many other products before we pursued Enterprise Security. But we weren't in a position to really go down the Enterprise Security route because we hadn't quite fleshed out what our end goal was.

We're still in the evaluation stages. Looking at Enterprise Security, given the fact that we already have an investment in Splunk, it makes sense. We would like to see it grow beyond just Enterprise Security to more of not just observability, but pro actions to utilize the source of that nature. 

We had great success potentially going into a SOAR from Enterprise Security. We hadn't quite evolved to that point yet. At this stage, it's just not really in our pipeline to pursue Enterprise Security until we get a better understanding of our requirements.

Refining those playbooks and so forth also is going to take time. We have customers who have categorically unique requirements. From a security standpoint, one group's security requirements are going to be different from some of the other teams that we have. We are trying to find that uniformity across the board. We may have to entertain multiple security solutions to meet their needs.

My role was to support a lot of the backend and the configuration of the platform as it was being established.

The level of difficulty was on par with the Splunk Enterprise core. My team was involved with a lot of the provisioning from the virtual environment and on-prem to support it. It wasn't overly complicated. Once it was up it took a lot of resources. Evaluating and seeing whether or not we could actually move it to the cloud when the core functionality still existed on-prem, we weren't willing to split them at this stage.

We would almost always have Splunk support through the deployment and configuration stages of it. It was always solid. Once we had the platform up and running, we had to consider general operations and maintenance. While the Splunk team was great and the resources are available, there is a finite amount of resources on-site.

Splunk is not cheap. That's definitely a consideration as we look at other products.

We haven't seen much time to value using the solution system but it wasn't necessarily a fault of the product. It was the cycles to maintain it and support it, to make sure it's growing correctly. We hadn't gotten to that stage. Our ROI and TCO, given the fact that its footprint is being looked at because of what it takes to maintain it in terms of resources. We have the core platform, and then we have a growing license. We're looking at how we can efficiently use Enterprise Security. It's just not there at this point.

I would rate Splunk Enterprise Security an eight out of ten. I think the rating has the potential to be higher. If we had time to flesh it out and vet some of the core capabilities of Enterprise Security and how it could benefit us over the core. Getting to that stage requires a lot more customer engagement on our side that we weren't really prepared to do because of budgetary constraints, hardware refresh cycles, and so forth. Overall, we dropped the product not necessarily because of a lack of capability, it was more along the lines that the timing wasn't appropriate for our security teams.

The biggest value I get from attending a Splunk conference is knowledge transfer. I work in the public so it's valuable having a lot of conversations with fellow colleagues who are in the public sector and hearing their hurdles. We don't want to reinvent the wheel every time, and we don't want to hit obstacles that could have been lessons learned. The conference is a really good opportunity to see what's new, what's out there, and how it can blend in with our current architecture and designs. It also helps to understand what's not going to work to be able to get ahead of it before questions come up. We can properly equip our customers and answer their questions. The Splunk conference is a good brain dump.

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.