2018-04-20T18:39:00Z

What needs improvement with Splunk?


Please share with the community what you think needs improvement with Splunk.

What are its weaknesses? What would you like to see changed in a future version?

Guest
29 Answers

Real User (Top 5, Leaderboard)

New built-in use cases for Enterprise Security, a fair price model, improvements to SPL and index performance, and adding and integrating with new connectors and market platforms (more open-source solutions too).

2021-05-11T18:24:28Z
Real User (Top 5)

There is improvement needed when importing from some types of data sources. Most of the time you have to do some customization for the data because not everything is working the way it should. Additionally, in other solutions, it is easier to build use cases.

2021-05-24T15:00:29Z
Real User (Top 5, Leaderboard)

Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they could make it easier to understand how to create search queries. They could improve the knowledge base for better understanding. To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard were included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operations part will be more efficient. We won't have to follow a manual process for this.

2021-04-19T15:09:49Z
Real User (Top 10)

Its pricing model and integration with third-party services can be improved. We faced an issue with integration. The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature. A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable. I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.

2021-03-26T12:45:56Z
Real User (Top 5, Leaderboard)

Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards. When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.

2021-03-05T11:09:33Z
Consultant (Top 20)

Its setup is a little bit complex for a distributed environment. Their support could also be better. If we raise a case with Splunk support and by any chance miss responding for more than a week, they usually close the case. Sometimes it can take us more than a week to reply. In that case, what they could do is send a follow-up mail before closing.

2021-03-04T14:36:29Z
Real User (Top 10)

If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

2021-02-17T16:35:30Z
Real User (Top 10)

Technical support is lacking post-sale. The modification of firmware could be improved. We find that the maintenance process could be a lot better. The solution is more expensive than other options on the market.

2021-02-17T09:35:39Z
Consultant (Top 5, Leaderboard)

I really dislike how Splunk sales and partner managers behave. I have faced several sales model and partnership changes. Also, the last time I wanted to buy a license to build a SIEM solution, they had removed the ability to purchase a Splunk subscription or license from their website. In the past, there was a web page calculator and it was possible to buy online, but now it instructs you to contact sales. The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk web page, I asked Splunk Sales to purchase a license of around 1 GByte a day, or a license for a maximum of 2,500 Euro/year, to use it as a test or development instance for myself. Even though I asked Splunk for a quote and was willing to pay for a Splunk license to learn and get used to the product, Splunk didn't manage to offer me a license, nor to arrange the partnership paperwork I had asked for. Sales people from Splunk were calling each time after I left my details on their trial download page. I explained my experience and concerns about Splunk in the past. All the excuses I received and the promises that someone would contact me to solve the issues faced in the past led to exactly nothing. Well done, Splunk. Inflexible and expensive, and I do not have much faith in the people working there, because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner. They definitely need to boost their sales and partner program because it changes too often, they are dropping partners, and it is difficult to get in contact with somebody. This is something that needs to be improved. I would like to see more SIEM functionality and embedded modules such as a ticket tool to make an end-to-end SIEM.

2021-01-04T14:26:19Z
Real User (Top 20)

An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times. They also need to update their documentation.

2020-12-27T09:14:00Z
Real User (Top 10)

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution. On-premises scaling of the solution is a bit more limited than it is on the cloud. The pricing of the solution needs to be a bit lower. It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great if the solution better aligned with global standards.

2020-12-19T13:28:50Z
MSP (Top 5, Leaderboard)

I'm a security manager, and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not a SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM; it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release; I would rather they just scale back on some of the extras and really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

2020-12-16T06:34:38Z
Reseller (Top 10)

They could have more dashboards done or predefined so our clients could use them directly in order to have more information ready to use. The difficult part is related to integration with sources of data that are used to create the logs as this depends on the infrastructure of the client.

2020-12-15T22:53:44Z
Real User (Top 5, Leaderboard)

Splunk is very complex. The implementation and the scanning of the logs can be difficult.

2020-12-15T15:05:19Z
Real User (Top 20)

Splunk needs to be able to hold more days of data. At the moment it only holds three months of data. It needs more views and colors within the dashboard and the ability to have the flexibility to create a user-defined panel.

2020-12-09T16:02:00Z
Real User (Top 5, Leaderboard)

Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for. In the next release of this product, I would like to see it offer more recommendations as to what needs to be done.

2020-12-07T22:17:33Z
Real User (Top 10)

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain. When extracting the data or structuring the data in the right format, it sometimes becomes challenging. It's up to the user to understand the regex commands. Our customers often complain that the price of Splunk is too high. When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have as much control on the cloud from a configuration point of view, whereas with on-premise you are in control and can define any configuration settings. When you install on-premise, many types of configurations can be done, but when Splunk is on the cloud, you're dependent on their specific configurations.

2020-12-02T20:10:59Z
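Two of the answers in this thread touch on the same practical point: the 2021-04-19 answer notes that every Splunk dashboard panel is driven by a search query (and asks for a ready-made firewall dashboard), and the answer just above notes that getting fields out of raw data comes down to understanding regex. The script below is an added example, not code from this page or from Splunk; it shows the two steps a firewall panel actually needs, a named-group regex extraction (what Splunk's `rex` command does) followed by a count-by aggregation (what `stats count by` does), run over constructed log lines. The key=value format, the field names `action`, `src_ip`, `dst_ip`, `dport`, and the SPL shown in the comments are assumptions about what a firewall source might look like, not a specific vendor's format.

```python
import re
from collections import Counter

# Constructed sample firewall events (not real data). The key=value layout
# is an assumption; real firewalls differ and need their own regex.
SAMPLE_LOGS = [
    "2020-12-02T10:00:01Z fw01 action=deny src=10.1.1.5 dst=203.0.113.7 dport=22 proto=tcp",
    "2020-12-02T10:00:02Z fw01 action=allow src=10.1.1.9 dst=203.0.113.7 dport=443 proto=tcp",
    "2020-12-02T10:00:03Z fw01 action=deny src=10.1.1.5 dst=203.0.113.8 dport=22 proto=tcp",
    "2020-12-02T10:00:04Z fw02 action=deny src=10.1.1.5 dst=203.0.113.9 dport=3389 proto=tcp",
    "2020-12-02T10:00:05Z fw02 action=allow src=10.1.1.20 dst=198.51.100.3 dport=53 proto=udp",
    "2020-12-02T10:00:06Z fw02 status=up",  # unrelated event: no session fields
]

# Named groups are the same idea as Splunk's rex command (assumed SPL):
#   | rex field=_raw "action=(?<action>\w+)\s+src=(?<src_ip>\d+\.\d+\.\d+\.\d+)"
FIELD_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+dst=(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)"
)


def extract_fields(line):
    """Return the extracted fields as a dict, or None if the line does not match.

    Lines that fail extraction are dropped rather than raising, which is how a
    search behaves when a field is absent: the event simply has no such field.
    """
    m = FIELD_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def count_by(events, *keys):
    """Equivalent of '| stats count by key1, key2'; returns {(k1, k2, ...): count}."""
    return Counter(tuple(ev[k] for k in keys) for ev in events)


def top_denied_sources(lines, limit=5):
    """Equivalent of (assumed SPL for a firewall dashboard panel):
       index=firewall | rex ... | search action=deny
       | stats count by src_ip | sort -count | head 5
    Returns a list of (src_ip, count) pairs, most frequent first.
    """
    events = [ev for ev in map(extract_fields, lines) if ev is not None]
    denied = [ev for ev in events if ev["action"] == "deny"]
    return [(src[0], n) for src, n in count_by(denied, "src_ip").most_common(limit)]


if __name__ == "__main__":
    for src, n in top_denied_sources(SAMPLE_LOGS):
        print(f"{src}\t{n}")
```

In a real deployment the extraction would be configured once (in props.conf/transforms.conf, or as a saved `rex`) so that each dashboard panel only carries the `stats` part; splitting the script into `extract_fields` and `count_by` mirrors that separation, and the non-matching `status=up` line shows why extraction failures should drop an event rather than abort the search.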
Real User (Top 10)

Index performance is a bit slow, but this is partly due to the huge volumes of data for our industry within our environment. This makes the index very large and inefficient in terms of performance. Performance could be improved to cater to this, however. We have also had problems with the compatibility between Splunk and other systems. We were previously on 5.3 and migrated to 5.5. We are now planning to migrate to version 7.7. It has been difficult to find documentation about the compatibility with Linux. In terms of the interface, it could include some improvements to the look and feel.

2020-12-02T19:50:00Z
Real User (Top 20)

We're still going through it at this time. However, there are a few changes that could be made. It could be more user-friendly in terms of the end-user experience. The end-user aspect of it could be enhanced, whereby you could probably have a lot more people sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert. Therefore, the end-user experience could be improved so that when you get those alerts and notifications, supervisors and different people actually know what those reports mean instead of having someone convert them into something more easily digestible. There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech up there looking at the dashboards and seeing everything, it would help if they could work events and have a dashboard that they could log into as a supervisor, see everything, and just get specific reports for specific areas.

2020-11-27T18:12:28Z
Real User (Top 5, Leaderboard)

Splunk is a very costly solution, and I think it's the most expensive on the market in terms of cost. Splunk provides an application for infrastructure monitoring. If we're monitoring Docker containers, we can't see the container name, only the ID. That's a big drawback.

2020-11-23T21:49:36Z
Real User (Top 10)

The solution has a high learning curve for users. It's a little complicated when you're trying to figure out all the features and what they do. The solution needs a bit more functionality. For example, being able to save a search and select it when you're doing an investigation. I know you can create dashboards and things like that, however, sometimes being able to have a pre-saved search and just fill in whatever value you need would make everything so much easier.

2020-11-23T17:00:05Z
Real User (Top 5, Leaderboard)

Our two main complaints are about the difficulty of the initial setup and the licensing model. The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.

2020-11-19T12:12:05Z
MSP (Top 5, Leaderboard)

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side. The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out of the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly. The playbooks which they create and provide to premium users could improve a lot. They have to create a common platform wherein end customers like us can choose from readily available playbooks and automation playbooks. In terms of integration with third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration, comes in. There are a lot of limitations to this product compared to other products.

2020-11-18T18:48:43Z
Real User (Top 5, Leaderboard)

It's difficult to set up initially, and their billing model is also a bit complicated. We have to predict in advance how much data we will have and what the storage would be, numbers that we don't have. This makes the licensing complicated, because when you start you don't have these numbers. In order to know how much it will cost, you need those numbers. I really wish that it was an application that was easier to use.

2020-11-13T19:55:12Z
Real User

Due to the size limit, we could not see the full product.

2019-03-27T11:05:00Z
Real User

The clusters are hard. It has too many moving parts. They should make data onboarding easier.

2019-03-14T11:34:00Z
Real User

Splunk should be able to integrate with other products using the free version. The product was difficult to back up the first time.

2019-03-10T16:43:00Z
Real User

If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well.

2019-03-06T07:41:00Z
Real User (Top 5)

* It needs integration with a configuration management solution.
* It could use better password management for forwarders.
* It needs a better way to export dynamic views without requiring a ton of code and a user/password.

2018-04-20T18:39:00Z