Splunk Reviews

Since we have an IT services company, we have been using Splunk for the deployment to the customer locations as well. Sometimes the customer will come back to us and say that we need to have a SIEM tool, and when we do the benchmarking, we'll do a couple of deployments on the Splunk side and at the customer's locations as well.

As an example use case, we deployed Splunk to a banking institution a few years ago. There the use case was basically this: the customer wanted to set up a security operation center, and they wanted to have a pretty large deployment in terms of the number of endpoints and number of switches and routers. There were many regional branch offices and they have data centers and therefore, many assets in terms of endpoints. They had 30% of their assets are running on the cloud and they needed a complete solution from an incident monitoring and management perspective. That's why we deployed Splunk. 

They wanted to reduce the MTTR, and meantime resolution, and maintain detection. They didn't want to add more SOC analysts into their SOC as the organization scaled up. They have a plan to scale from 5,000 endpoints into 15-20,000 endpoints. They're very particular about deploying the SOC operation center.

Splunk has since acquired Phantom as a SOAR platform. Therefore, we have tried to manage the security automation using Phantom with the help of Splunk deployments. It helps us meet the customer's requirements.

In terms of support, we're able to get the right support at the right time. If there's a break or an appliance issue, they're are on top of it.

This is very important during large-scale deployments. It's not easy to address product-related issues or appliance-related issues, and the number of collectors or number of logs that come into the collector, and managing the collectors across the branch offices, across the corporate offices, etc. It is a cumbersome process for us. That's why it's integral that we get the right support at the right time - and they make this happen.

The most valuable aspect of the solution is the dashboard. It's very intuitive. 

The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools. 

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.

The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.

The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.

In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

In terms of Splunk, I've been working on it for more than three years in the current company. Prior to that, I worked with it at another company as well. In total, I have been using Splunk for close to six or seven years.

The solution is stable, however, sometimes in some of the collectors, we are facing a lot of issues. That said, overall, if you rate it from one to five, I would say in terms of stability, it will stand at a three. 

The scalability is perfectly fine. It's very awesome compared to all the other tools, as easily we can integrate with the log forwarding modules and the collector management appliances or modules. That aspect won't be a problem. 

If you look at the SIEM as a market today, Splunk is expensive compared to other competitive products. I'm also into the SIEM evaluation in my current role. I've seen that there are many tools are coming up in the last one and half years. I have also seen many other mature tools that are available now. If you compare next-gen SIEM tools compared to the Splunk, it's expensive. Therefore, it's possible we may not use this in the future or expand on current usage.

In terms of technical support, we don't have any issues, as the professional services which they have extended to us are very, very good. We're able to manage many of the critical issues with their support. I'd say we are definitely satisfied with the level of service provided.

In terms of deployment, it's not so complex compared to the competitive products, however, we will be able to manage that deployment. We don't feel there's any problem on the deployment side. In that sense, I don't think deployment is a complex one when somebody going for Splunk as a tool.

How long it takes to deploy the solution depends on the size of the deployment, basically. Even a large deployment won't take more than a week. When I say deployment, I'm considering all the log collection, log management, and the curation of the incidents, and how incidents are created and routed properly according to prioritization. 

In terms of ROI, for example, if you look at one of our customers today, they are managing close to 100 million events per day. If you look at a traditional SIEM with 100 million events, they need to manage this environment with at least 25 to 30 people. That's 30 security analysts that have to be there. However, when Splunk was deployed, a lot of automation was added on top of it, and today we are managing the same environment with Splunk with close to 15 people. In that sense, if you look at it that way, the ROI is between 30-40%.

In terms of a comparison with the rest of the competition, the licensing cost would be, I would say, 30% higher than most.

Before choosing Splunk, we have evaluated QRadar and LogRhythm. QRadar is much more expensive. LogRhythm lacked reporting.

We ended up choosing Splunk due to the pricing and the reporting features. It also had the kind of scalability that was required. We felt it would help us in terms of positioning from both a cost perspective and an incident alert perspective.

We're partners. We have a business relationship with Splunk.

We're using the latest version of the solution.

Overall, I would rate the solution at a seven out of ten.

I'd advise potential new users to ensure they do proper sizing before deploying the product. If it's a very large deployment, the number of endpoints will be quite sizeable. You need to figure out the correct number of endpoints as well as endpoint devices, switches, routers, etc.

It's also a good idea to look at use cases. Splunk is very strong in some use cases. It's important to look into deployment scenarios and check out the use cases before deploying anything.

My biggest takeaway after working with the solution is that the environment is very important. You need to be clear about the problem you are addressing and it takes a lot of planning at the outset.

My reason for implementing it was just to learn more about the product. I wanted to learn about the Splunk programming language, how to pipe searches, add logs, verify the logs, create fields, extract data into fields, build dashboards, and to get hands-on experience with the product.

The Splunk programming language allows you to pipe searches into another searches.

What I really like is that even if you have already collected the data, you can extract data and  add fields which improves building searches. This is not the case with Elasticsearch, where this needs to be done upfront.

I really dislike how Splunk sales and partner manager behaves. I have faced several sales model and partnership changes. Also, the last time I wanted to by a license ro built a SIEM solution, they had removed the ability to purchase a splunk subscription or license from their website. In the past, there was a web page calculator it was possible to by online, but now it instructs to contact sales.

The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I have ask Splunk Sales to purchase a license like 1Gyte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote willing to pay for Splunk license to learn and to get used to the product, Splunk didn't get it managed to offer my a license neither arranging the partnership paperwork I have ask for. Sales people from Splunk where calling, each time after I left my details on ther trial download page. I explained my experience and concerns about Splunk in the past. All excuses received and promises that someone will contact me to solve the issues faced in the past, was leading in excactly nothing. Well Done Splunk.

Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner.

They definitely need to boost their sales and partner program because it changes to often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved.

I would like to see more SIEM functionality and embedded moduled such a ticket tool to make a end to end SIEM.

I have been using Splunk for a few weeks.

As I was using a test environment, I can't comment on scalability. It was just myself and a colleague who was using it as a test instance.

I have not been in contact with technical support.

I have worked a little bit with Elasticsearch. I also have an instance of SIEMonster running, and I'm trying to get used to it. I found that Splunk provided a good benefit compared to Elasticsearch.

With Elasticsearch, if you have already inserted the data then it's gone because you need to do the pre-filtering. Once you've inserted or ingested the raw data, using Logstash, for example, you are no longer able to build the fields such as IP address, hostname, username, and the other fields that you want to export. This unsorted, raw data that you have is really a drawback for Elasticsearch and some other products. This is something from Splunk that I consider to be a heavy feature, where you can just insert data and ingest it later on.

really fast and easy to install a test instance.

The pricing model is expensive and could lead into a budget nightmare based on the amount of data.

A better pricing plan would be an improvement.

I have done some research on LogRhythm, IBM QRadar, and ArcSight, but I don't have any hands-on experience yet.

I did a comparison for a customer two weeks ago and the outcome of my comparison was SIEMonster, effortable price model, even though it's a niche player, it's quite powerful. I also provided Splunk as a recommendation because it is a market leader, really powerful, and really good to use. I also recommended LogRhythm; it is also expensive but it's also really powerful, and the feedback of customers is really good.

With respect to Splunk, I would recommend it but when a customer is budget-driven then Splunk is not the solution. Money shouldn't be the question.

This is a solution that I could recommend for somebody who wants a really powerful product. It is not an end to end orchestrated SIEM yet.

This is a product that I would generally recommend, although I would not do so if the customer is really budget-driven.

I would rate this solution a six out of ten.

The solution is primarily used to monitor the operating system for threats, specifically related to login threats. If someone trying to log-in, or somebody trying to break into the system, the idea is it will check that and catch things. It's mainly for external threats to the operating system.

The solution has improved our organization by providing a comprehensive picture of any external threats to the operating system. It improves asset control.

The logs on the solution are excellent. Mostly I see just the reports or the outcome, however, with the log portion, where you could actually take log entries and pass them through the system in order to create events or conditions, and get reports. You can set up your conditions to the logs that you invested into Splunk, and get the reports or the output that you want. 

We're still going through it at this time. However, there are a few changes that could be made.

It could be more user friendly, in terms of the end-user experience. The end-user aspect of it could be more enhanced, whereby you could probably have a lot more people that could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert.

Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible. 

There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.

We've been using the solution for three years.

I can't really speak to the solution's stability beyond how I use it, which is for training. However, I've never experienced bugs or glitches on it and therefore believe it to be very reliable.

The solution seems to be very adaptable, and if not, we'll figure it out what to do in the next couple of years when the program has developed more, and the general capabilities become apparent. 

It is a log parsing tool, so if you take any type of log, operational or financial or security logs, and you put it in there, hopefully, we will find out that a log is a log, and you just create your events and you get the output that you want. Therefore, I don't foresee an issue with scalability per se.

The technical support is pretty good. I would rate it at a seven out of ten. We're mostly happy with the level of service we receive from them.

What they probably need to do is help make the reports more manageable for the end-user or to help the end-user understand them more easily.

We didn't previously use a different solution. We've only ever really used Splunk.

The initial setup was not complex. It was pretty straightforward. It was already loaded on the environment. It's managed by a third party or service provider, therefore we just kind-of fell into the rhythm of using it pretty quickly.

We're just a customer. We don't have a business relationship with Splunk.

We're using the latest version of the solution.

I'd advise those considering the solution to do some basic training before jumping into using the solution. It will help you understand how everything is supposed to work.

I'd rate the solution at an eight out of ten, due to the fact that it's more flexible than other solutions. I like the idea of taking a log, any log, and putting it into a tool and creating your events and your conditions in order to get the output that you're looking for. It's more scalable and flexible than other options on the market.

I'm the CSSP manager and we are customers of Splunk. 

Splunk is good at log collection and log management.

I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

I've been using this solution for three years. 

Once you set up the solution, you don't really have to worry about it. It's very stable. I like the fact that you can pretty much just patch the OS, and it doesn't really affect how Splunk runs. With a lot of products, you almost have to wait for that company to implement a new patch or version of the product before you can upgrade the server it's on, or anything like that. Or you can't upgrade, you just have to go with whatever they give you, because they're giving you an appliance or something. I like the fact that Splunk allows you to integrate and still run as Splunk and still be compliant with most vulnerabilities out there without affecting functionality.

The solution is extremely scalable. We probably have about five or six users, so all our system administrators use it, they're the ones that implement it. Right now, just the CIO, the CTO, and there's a ISSM who has access. There are plans to add more people once we fully implement the Enterprise Security solution. We have admins responsible for maintenance.

The initial setup is kind of complex but I think it's an issue we have and not connected to the solution. We're still deploying. The company didn't have an implementation strategy, they're kind of just flying by the seat of their pants which wasn't a great plan. We're doing it ourselves, we didn't use an integrator. 

We have a 100 gig annual license. I'm not sure of the cost. Their licensing is based on the amount of data you collect. There is an additional cost for Enterprise Security. If there are any other kind of applications, the APIs that we created that we want to add, there are costs for most of those as well. Their pricing structure really could use a revamp. They really need to review and look at that and see if there's a better way that they can do it. Elasticsearch is a little cheaper and a better product in my view. 

It's important to prepare. You can't just get a solution and start to implement it. A big part of that needs to be preparation, and in IT, we're not great at that. I would go with Elastic, a similar product but better. The licensing is a little different but it gives you a little more freedom to do things. It's really flexible with what you can do and versatile in how you can use it. Splunk is still top when it comes to log collection. If you wanted anything more than that, you should probably look into using several different products. There isn't really one product that you're going to find that's going to give you that coverage and I just like the versatility of using several different products. There are some other things you can use that actually do a better job at the correlation part. 

I would rate this solution a seven out of 10. 

I use Splunk on-and-off — I started with in-house projects, then moved up to commercial projects. 

Splunk can extract all kinds of data. There's no limitation on what kind of structured and unstructured data one needs to extract — it can access any kind of data, including machine-generated data. 

The ease of deploying the agent is great in Splunk. One can easily deploy the Universal Forwarder which can extract any amount of information and put it into an indexer. The flexibility of ingesting any kind of data is good with Splunk.

In regards to action-oriented tasks, If an alert is triggered where I have to perform a certain action in the form of executing a Python script or invigorating a PowerShell script — this is easy to do with Splunk. 

The Splunkbase is great. There are thousands of apps that are already available, I can install those apps with full-connectivity and use them to extract any form of data. The community in the Splunkbase is also really strong. 

The ease of integration with third-party tools is great. In the Splunkbase, there are so many apps that are easy to integrate with. 

The user interface is really good. There is a machine learning toolkit — I like it a lot. They have use cases in place so that people with little experience in machine learning can go through these examples of use cases and gain a better understanding. 

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain.

When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands. 

Our customers often complain that the price of Splunk is too high.

When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings. 

When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.

I started using Splunk in 2018.

The scalability is good. If you have the money, you can expand — it's volume-based, not instance-based. 

I'd say I am happy with the technical support, not elated. They provide great support, but sometimes they don't have the answers that I need. I've only ever raised two big support issues, and both times they haven't been about to fully resolve the issue. In the end, I had to figure it out myself.

We have one or two engineers that take care of all maintenance-related issues. It really depends on the scale of your project. One of our projects required a huge deployment — we needed a huge team to match. If it's a small deployment, then two people are enough.

Its cost model is dependent upon the amount of data used — how many GBs we extract in a day determines our price. The price is not dependent upon how many instances we installed in Splunk. I can install thousands of instances, but it will only charge me according to how many GBs I extract per day. 

Overall, our customers complain that the price is too high.

I would definitely recommend using Splunk. They have free learning models available. There are models available on their learning page where you can gain a better understanding of how to use Splunk. Within one month alone, you can at least understand how to operate Splunk, whereas, with other tools, it can take a lot of time to understand.

On a scale from one to ten, I would give Splunk a rating of nine. The only downside is the cost. Price is the only factor; sometimes, companies shy away from Splunk because of the price.

It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool.

It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.

If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

I have been using this solution for about three to four months.

I'm not sure. I do not really throw a lot of data in it, but it has been authenticated very nicely. It manages indexes and all of these things very nicely. I have not been privy to any production systems where you have millions of lines of log coming in every second. It works very well for the data that I have. It should be able to handle a lot of data. That's the whole purpose of it, and that's why Splunk has become so popular. It is an enterprise monitoring tool, and a lot of customers have Splunk in their ecosystem.

They have pretty much good documentation and good training. Their documentation is a lot better than Qlik Sense.

Splunk is an enterprise monitoring tool. Qlik Sense can do a little bit of log monitoring, but it is mostly used for dashboard reporting, whereas Splunk is more around monitoring and figuring out threats and all such things. They are different, but both deal with the data and allow you to create operation reports. 

Power BI is another tool that a lot of our customers use, but Splunk is quite often requested. It is also a lot more popular than Qlik Sense. We have a fair number of Qlik Sense customers.  

We usually sell Blue Prism to business users who are more concerned with the reporting aspect, which is why they would like to have easy tools like Qlik Sense in their ecosystem, but on the infrastructure side, it would be Splunk for enterprise monitoring.

Simple environments are easier to install. Because there is a lot of data log monitoring, once you have a production system, there is some amount of work in setting it up, especially making it SSL Secure and exposing it on the internet. There are multiple components behind it, so you need to ensure that all these things are set up correctly. These kinds of things are not required on a cloud platform because you are just uploading data. You really don't have much access to the backend.

Splunk also has a cloud version, which I haven't looked at, but I have used Qlik Sense's cloud platforms. With on-premises, you are in control of pretty much how you set up all the data that you are sending out. A lot of our customers have the issue that if it is a cloud platform, they cannot really send out the data to any of these cloud platforms. So, there are data residence and other issues.

It is economical than other solutions.

I would definitely recommend Splunk. It is quite a decent tool, and it is there in a lot of enterprises.

I would rate Splunk an eight out of ten.

We are a solution provider and Splunk is something that we provide as a service to our customers.

The most valuable feature is the reporting and the information that is provided by the tool.

It is very easy to implement a PoC using Splunk, which will show the value of the reporting and data that it provides.

The integration is seamless with many devices and operating systems.

It is flexible enough that you can choose what kind of deployment model you want.

They have a large solution toolkit that supports IoT, wherein businesses can get a lot of help with the centralized management functionality. There are also tools to assist from the security and SIEM perspective, and there is a centralized dashboard.

Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards.

When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.

We have been working with Splunk for approximately three years.

This product is very stable.

Splunk is a very scalable solution. Being a Japanese product, they will ensure that all of the features work in any environment. It is very heterogeneous. It can integrate with Windows, Linux, AIX, HP-UX, and Solaris. It also supports IoT devices, mobile phones, and more.

We have more than 150,000 people using our services.

The Splunk team has good, proactive support. Also in terms of assisting with the installation, they are quite good.

Splunk is similar to IBM QRadar, which we also have experience with. However, Splunk has advanced SIEM features included with it, so we often use it to satisfy this requirement. Whenever an organization is looking to implement SIEM, they have the flexibility to choose Splunk, QRadar, or the ArcSight Logger solution.

One of the major differences that I see between Splunk and QRadar is that Splunk gives the users fewer devices, so they can do things quicker. 

The installation for Splunk is easier than competing products QRadar and ArcSight.

We have Splunk deployed on the cloud so that we can provide the service, but some of our customers have it installed on-premises.

All the user has to do is download the Splunk server agent, install it on the laptop or endpoint, integrate 50 or 100 devices, then see what kind of reporting is available.

We have an in-house team for deployment in maintenance. Splunk is a tool that does not require much staff to maintain. The users can start with a PoC, simply learn it, and deploy it for themselves. They don't require subject experts to be hired for the installation and configuration.

Price-wise, if you compare QRadar to Splunk for SIEM functionality then they are in the same range but when you integrate SOAR with these solutions, Splunk takes the lead and is more competitive.

This is a product that I recommend for anybody who wants and advanced SIEM solutions. Of the three that I have used including QRadar and ArcSight, Splunk is the one that I prefer.

I would rate this solution a nine out of ten.

We primarily use the solution for monitoring and security.

We can use the solution to try to find some correlational data. For example, in banks, there is usually a protocol whereby users cannot withdraw more than a certain amount of money from an ATM. However, we find that, when people are on holiday, they are trying to withdraw more than the allowed amount. It's a use case we can deploy in our country. You can set certain rules and watch the data in order to gain insights.

I cannot speak to a specific example of how the solution has assisted our organization.

The solution's capability is its most valuable aspect.

The initial setup is very straightforward.

The solution has proven to be quite stable.

We've found the solution to be very mature.

The integration capabilities are excellent. They have apps that integrate quite well with Palo Alto and Cisco, for example.

Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality.

The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding.

The product is relatively expensive. 

I haven't been using the solution for very long just yet.

The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

We do not plan to increase usage at this time.

We've used technical support in the past. We've found them to be very helpful and responsive. We're satisfied with the level of support that we receive when we reach out for help.

I've previously used LogRhythm, among other solutions. We sell a few different solutions.

The initial setup is not too difficult. It's not overly complex. It's straightforward. The code is very easy.

The deployment took two or three months or so.

We used an integrator to assist us in the initial setup.

The problem with the product is that the price of Splunk is very high. It is an industry leader and therefore it's high in terms of price. That is the issue in our country. Sometimes people want to buy Splunk, however, due to the budget, they are not able to.

We are resellers.

We use a variety of deployment models, including private cloud and hybrid.

This solution is the best security solution. If a company is looking for the best, they have to buy Splunk. It is a very good and very mature solution. It is very easy to integrate with some other service or security solutions. If they have specific solutions that need to be integrated for monitoring purposes, it should be a problem. For example, it integrates very well with Cisco.

I'd rate the solution at a ten out of ten. We are quite happy with its capabilities.