Splunk Cloud Platform needs improvement in its security offerings, specifically in cybersecurity. It has not kept pace with competitors over recent years, and integration with the Cisco ecosystem after Cisco's acquisition of Splunk has also been slow. The product should incorporate more readily available features, especially in security monitoring.

The federated search feature is costly.

Extracting meaningful insights beyond essential log data proves challenging due to the product's reliance on manual processes. Users must manually configure detections, develop logic for insights, and manage dashboards. While the product boasts numerous out-of-the-box capabilities, these often require extensive modification to align with specific user needs, limiting their practical applicability.

Splunk Cloud Platform doesn't inherently provide visibility as a standalone product. It's a platform for building custom visibility solutions. We need to feed it data and then write logic to define what insights we want to extract. While pre-built solutions might be available in the marketplace, Splunk doesn't offer out-of-the-box visibility. If we know our requirements, we can utilize code and research to create custom dashboards, but it requires effort and expertise.

The pre-built reports in Splunk Cloud Platform are generic and require manual adjustments to extract specific, granular information, which requires the user to be knowledgeable.

For one of the areas I am working on right now, they did an update this week which gave me back something. It was a feature that I have been using, but they took it away last conference. They just gave it back to me now, and I had to go through the setup again to make it work with our Okta. We have had issues with the maintenance windows. Sometimes I get informed about those at the last minute. They are getting better about informing us when they are going to do maintenance, but there were times when they did maintenance, and then I came in the next day and something was broken. They have gotten a lot better about that. I am still working on a couple of issues. They have cases open for them, so they know about them. They are working on them. The communication is getting better. That was an area that had a lot of feedback. I can see that they are accepting the feedback and taking it to heart, which is great.

Some of the Victoria Experience that was rolled out is not yet fully everywhere.

The AI assistant is going to be good, but we are on GCP, so I am worried about how fast it is going to get rolled out and if it is going to be nine months late for the GCP customers or not. That would be a bad thing because that would put a black eye on the whole marketing part of that. The same thing is with the Victoria Experience. They already have a black eye on that one. It has been two years since it came out and they still do not have it on GCP, so they need to get that fixed up. I would like to see the AI assistant feature as it rolls out. That helps with me wanting to roll out ITSI and the O11y suite with them bringing that AI assistant over there. I have teams right now that hit me up. They have been using some kind of AI assistant. We have Microsoft CoPilot. It is allowed in our company now. They tell us not to use ChatGPT right now because it is not approved for whatever reason. I have had some of our people hit me up who are not Splunk users but they have access to some dashboards and want to do a little bit of searching. If they use generic AI to find out how to do a generic Splunk search, it is not going to work in my environment at all. They will wonder why this is not working. That is because the AI does not know our environment. It will be handy to have an AI assistant that knows our environment.

The only disadvantage of Splunk Cloud compared to Splunk Enterprise Security is that you only have two options for long-term storage: AWS S3 Buckets and GCP.

The disadvantage of Splunk Cloud Platform is that its integration process should be improved.

The challenges I have encountered while integrating Splunk Cloud Platform include that integration is a bit difficult due to the coding required for the integrations.

The Splunk Cloud Platform deployment process could be improved to reduce the time required.

Splunk Cloud Platform should have better integrations with its suite of tools. Splunk Cloud Platform should include a more seamless connection with ES.

We're interested in learning more about the new AI features, especially the natural language to SPL conversion. While we jokingly worry these features might replace us, our main focus is helping users understand Splunk and build dashboards. We're curious how these AI features will integrate into our work, how many people will use them, and if there will still be a need for our Splunk expertise. Overall, we're excited to see how AI will impact our work.

Areas of improvement for Splunk Cloud Platform are difficult to say because we're still learning about the platform. I want to have the ability to process the ingestion before it is sent to the back end and Splunk just announced that the feature is coming, so now it just needs to be released.

I think the tool has some scalability issues, especially when used in larger organizations. I feel the searching part gets really slow, which is based on one's resources.

The AI features will be a huge improvement for Splunk. Using basic natural language in English instead of writing a regex expression will be helpful. For example, I can tell Splunk AI that I need to get the logs from last week between eight AM and ten PM on a specific asset. Instead of me going in, doing the regex expression, and then having to Google what it is because it's super hard to do sometimes. That is the biggest area for improvement. Hopefully, it will be released soon because that will simplify things for me and non-technical people. 

It would be nice to see more comparisons between Splunk and other log management tools. There are some legacy tools that people are often coming off. It will ease the transition if you are coming off a Windows LogViewer or any other logging tool. Splunk could offer more advice on how to transition into it or onboard it.

The expensive nature of the product is an area of concern that needs to be considered for improvement.

If I focus on the observability part of the product, I see that it is an area that doesn't offer more integrations compared to what Splunk Cloud Platform or Splunk Enterprise offers. When it comes to the integrations with the other platforms, there is a little bit of a lag in the observability part, making it an area where improvements are required.

The on-premises version of Splunk includes all the integrations, while the Cloud platform lacks certain integrations and is limited in terms of the number of supported apps.

The Splunk Cloud Platform is not a very mature solution; it has only been on the market for four or five years. While they have made significant improvements, there are still limitations, such as the absence of CLI access. Therefore, there are several limitations that still exist with the CLI. 

The standard support has room for improvement. 

First-time users may struggle with the user interface. When I first used Splunk, I entered my username and password. After that, we get a dashboard on the left side with apps. At the top, you can click the gear icon to view the settings. Within those settings, there's a distributed console option with several settings. It's a bit overwhelming for a beginner. The user knows what they want and can search for it in the search bar. If I see several apps, my first instinct is to scroll down to find the app, or perhaps you will find that search and report. That bugged me when I was learning.

Application support is another problem. We created a custom Palo Alto app that isn't fully supported by the latest version of Splunk. We had to downgrade to older versions to use the custom app properly. That was one problem we faced daily with one client. 

I am relatively new to the platform. So far, I have been able to use it to do what I need. I know that there are a lot more features and functionality that I don't even know yet, so I am still on the learning side. I don't really have any recommendations related to things that need to be improved in the tool.

So far, it meets my needs, so I don't need to see any additional features in the tool.

Splunk should increase the frequency of new feature releases, particularly those related to real-time operational flow monitoring and analytics reporting. It has been over a year since any significant updates were added to the Splunk Cloud Platform.

Sometimes, integrating with other systems is difficult, and it isn't feasible to connect with other applications, but it's easy most of the time. I rate Splunk 7 out of 10 for its ability to integrate with other systems. 

Every time they launch new versions, we experience a few bugs. The most recent version had a couple of bugs in the databases. We contacted the vendor and got assistance solving these bugs, so the environment is more stable. 

Splunk Cloud Platform should improve its integrations and consider multiple integrations or direct integration with other platforms like Microsoft Azure, Google Cloud, or AWS.

I would like to see more integrations because integration is related to bringing in more data. More integrations would increase the visibility and customer's point of scope. Customers are initially tied to one platform and stick to it because of its feasibility. Integration becomes a major challenge when they want to bring in different solutions.

Once they have different integrations from Splunk, they need not worry about security, things to monitor, or what compliance they must meet. Everything will be physical, and integration will bring in a lot of things.

They can offer more self-service capability to their customers. Currently, most of the things happen behind the Splunk Cloud Platform. As a customer, I do not have an opportunity to see my platform. If they can offer more self-service to see the health of my endpoints and stack, it would be appreciated. 

Their support also needs improvement. I have had issues with the support team. When I run into issues, it is always hard to get hold of them and get things done with the support team. Other than that, product-wise, it is very good.

It could have a more efficient UI. If they could integrate more AI and make search more efficient so that other people can access and use it, not just engineers, that would be ideal.

It needs to mature; it's just getting established in the industry on a wider scale. 

The API still needs some enhancements from a post-performance point of view.

From a monitoring point of view, Splunk is doing very well. However, if they could provide a post-provisioning aspect. Right now, we have to install a monitoring tool while we are post-provisioning every virtual machine. If they could be a provider that precluded having a virtual machine being created or provisioned, that would be ideal.

Alerting could be faster. Sometimes the actions that happen take some time to reflect on the Splunk dashboard. There is still latency. Especially when you work in a multi-cloud environment, you deal with a lot of regions. They still need to focus on availability across regions. 

They need to have some security enhancements. Most users are using it with other single sign-on features like Okta. If they had their own SSOs that would be ideal. we'd be able to work independently. Right now, we have to log onto the virtual machines then move to Okta, then go to Splunk. 

Some of the implementation is challenging. They're not very proxy-aware. Their recommendation is to set up an intermediate forward in a DMZ environment or something like that. That's not always the most convenient way to do things. It would be better if we could use an HTTP proxy, send data out via HEC, HTTP, or in a way that is proxy-aware.

I faced a few minor issues with Splunk Cloud Platform. In the case of knowledge objects, even a Splunk admin does not have access to delete them.  If we want to remove a knowledge object, we need to contact Splunk support and raise a case. After that, they delete it. They should give us access to delete knowledge objects. 

Everything else was good. It already had all the features. We did not require any new features.

Its stability and performance can be better. Very rarely does a day go by when we do not see an error in the console, such as a health check error. Because it is cloud-hosted, we do not have access to the backend to figure it out ourselves. We are reliant on their support to figure it out, and a couple of days later, the error comes back or it is a different error. It is a never-ending cycle of support tickets. Their support is also not great.

In terms of performance, we are on the classic version of Splunk. We are not yet on Victoria or the new version, so we do not get auto-scaling. Therefore, we are limited. 90% of the time, Splunk is not doing anything. It is just reading logs, and 10% of the time is when we need to use it, but when we actually need to use it, there are five or six different teams trying to use it at the same time, and there are speed issues with search.

The support from the Splunk team is generally good, but sometimes, there's a lack of coordination between our account reps and the hands-on technical people. This misalignment can lead to issues with getting what we need done and what is happening.

Splunk Cloud's SVC licensing model lacks transparency. Customers are unsure of how SVC consumption translates to costs, and there's no easy way to identify what's driving SVC usage within the platform. While some external applications provide limited insight, Splunk Cloud itself doesn't offer a clear view into SVC consumption. This lack of clarity makes it difficult to explain cost spikes to customers, as the cause could be anything within the platform.

I would love to be able to manage my own apps. 

Splunk Cloud Platform's dashboard could benefit from some improvements. While it functions adequately, it appears very minimalistic. It's built using a simple XML format, and while newer dashboard options have been released, it still lacks the visual capabilities of tools like Power BI and Tableau. While I understand these are different platforms, having a more powerful dashboard option for the Splunk Cloud Platform would be valuable.

There is a lack of comprehensive learning materials offered by Splunk to prepare for their certifications.

Splunk uses SQL as its search language. One challenge I've encountered is with subsearches used in joins. These subsearches can only handle a maximum of 50,000 entries. If our data set is larger, we won't be able to join it using a subsearch. This limitation has been a significant obstacle for me. I've searched the Splunk community forums, and even reached out to my colleagues and seniors for a solution, but haven't found a definitive answer yet.

There's one specific use case I work with. I work with some Splunk experts, and it lacks workload management rules.

It can identify specific dashboards e.g., or all-time searches. When I try to track back to the user, I don't have additional information within those logs to help me know, "This is the dashboard this guy accessed."

Instead of relying on those particular workload management logs, I have to do an investigation that takes time. It takes too much time when it shouldn't.

Currently, Splunk Cloud Platform is very easy to use and read. The solution's visualization for the end users is also good. However, setting up the solution or an alert is not straightforward. There's a lot of incompatibility and areas that you have to consider while setting up the solution.

All those things make setting up the solution very complex for regular people who know the business operation. So, they have to hire a third party or a technical person who doesn't understand the business to set it up for them, which usually creates a gap.

When someone who cares about the business and understands its operation sets up the solution, they would set it right. There's always a gap when a technical person or third party sets it up. It may lead to many workarounds to fix issues like alert fatigue or false security. Splunk Cloud Platform needs to be made more user-friendly because it's not user-friendly.

Splunk should offer various options for real-time monitoring. If we could enhance the speed of data ingestion or data retrieval, that would be an added advantage. Additionally, there is room for improvement in SaaS-to-SaaS integration. I believe that reintroducing HTML dashboards would be beneficial, as they provide dedicated web features. This, in turn, gives users the flexibility and freedom to create custom dashboards more easily.

It's improved a lot since we began using it. We have been seeing issues, but they get resolved by working with the support. It's just getting expensive with time.

Support is the bigger issue when we have a problem. When we need their help, it takes weeks or months to actually get resolved. To date, we have cases open for two or three months without a resolution. Support is the worst part.

Splunk currently manages the components, which restricts our ability to access them directly. I would like to be granted read access to be able to review the components.

It works as needed, and it does everything that we want to do. I have not come across anything that I would consider missing as such. If anything, sometimes we have dashboards that would not go into the dark mode. It is a minor issue, but it is the only thing that I wish was there. The dark mode would definitely help.

Testing can handle a lot of logs, however, we are unsure if the speed will be affected.

When we are using OneDrive or SharePoint, as a developer, we'd like to have better integration between the two.

There are some issues with Splunk blocking some shared mailboxes. 

Support could be improved. 

One thing that is a stickler for us is the ability to download apps. I guess it depends on what kind of license you have. It allows some of them if I want, but this is something that we need on a day-to-day basis. When one of my customers needs an app, and I am able to find that app on the Splunk base, I have to create a ticket and wait for five days for them to download the app into the cloud environment. That is probably one of the main things. It is painful because I have to wait to get that app in the cloud.

Another issue is that if I build my own app to some configuration, I cannot load it up there myself. They have to vet it, which is important but it takes a long time to do all that.

They can streamline the process of creating custom apps. I do not have a lot of experience with it. It was not very difficult for me to do so, but there is probably a better way to present the ability for people to push their own custom apps to the platform and go through Splunk's manual and automatic reviewing process.

The cost of Splunk Cloud Platform is high and has room for improvement.

The current visuals on the dashboard could be more impactful.

Since I work on data collection from external sources and send them into Splunk, I miss its ability to collect that data through REST API applications. I would like the ability to configure an endpoint, set it on Splunk, and set a schedule for it to pull information every ten minutes, and pull this endpoint information. I could search through it, look for keywords, restructure the data that's brought back to me, and then store it in the Splunk index. This is not available and if it is available, it is bare bones. I would like Splunk to have this function by default.

It is sometimes slow. Some of that has to do with the queries themselves not being efficient, but sometimes it is slow. They changed their model a few years back. It seems to be working better for us as opposed to having some limits that they had.

Considering its price point, it does not need any improvement. However, it does require manual implementation.

There can be more modules and more integration with other areas in the cloud and on-prem. I am not sure whether it includes network devices and things like that.

The security connection should have a seamless integration. Other than that, the way we are using it, so far, it seems quite good.

The administration could use improvement. We have to rely on support more often than we're used to.

Its performance can be better. The searches sometimes take a long time. There could be better searches, but mainly, it needs to improve the performance with a vast amount of data. That will make it better and easier to use.

Their support can also be better.

The reporting provided by Splunk Cloud Platform is often good, but it only provides the data and not the flash, whereas the other platforms provide both. From an enterprise standpoint, we are more limited in terms of what data we can export and how we can present it.

Navigating the solution can be more user-friendly.

The documentation has room for improvement and the price is high and can be improved.

The search for bulk data needs to be improved. When we were looking for the flow, we had to search really hard. I wanted to request the Splunk team to add some features for better search because getting the flow of the bulk data was sometimes hard.

Training should be free of cost. They need to provide more training options. 

There are no missing features at this time. 

Splunk Cloud could improve by having pre-defined templates. It has very good design views, but there is no predefined template. You have to define your own. If they could add predefined templates for different use cases.

The pricing models should be improved and optimized. Right now, the pricing is a bit too expensive.  

One other thing you need is more ability to customize the dashboard to the way you want to have it. If you had a template that you could create and label inside of Splunk that would be good.  

One good thing that could be added to the AWS side of the solution is that you should have an OPS (Operation Alert) alert built into the dashboard that comes with Splunk. That would be very useful. For example, if you have a pre-defined template creator to fill in the information to forms that are loaded. That would be really beneficial.  

We are on the classic Cloud that is hosted on GCP. There are a lot of functionalities that are missing for Splunk Cloud hosted on GCP but they are available on AWS. Adding more IPs to allow lists and many other functionalities are not supported on Splunk Cloud hosted on GCP. One good example is the ingest action which is not there in Splunk Cloud hosted on GCP. I wish they would add these missing features to the GCP platform.

The Splunk interface is on-premises, so we have limited access to Splunk Cloud. Splunk support is not so good on Splunk Cloud. The Splunk side of the Splunk Cloud should also be more customizable. Integrating Splunk UBA, Splunk Phantom, and Splunk Cloud is also a bit difficult. 

The training models can only be accessed for 30 days, even if it is paid training. This is a limitation that I feel should be lifted because if we are paying for it then we want to be able to continue to use it.

The only thing I would say is an issue is the cost. It matches other products. The costs can be justified for the value that we gain. The entire threat analysis stack should come in a bundle. If the cost was matchable with other products I think Splunk would pick up in the market. 

I did evaluate other products and installations. I can't compare it to Splunk. 

The only thing that is missing compared with Splunk Enterprise is the ability to manually edit all config files. This task is easily handled with support tickets but sometimes is would be nice to experiment directly.

Although there is documentation available, it is really hard for me to find relevant topics on what it is that I'm searching for. For example, when something goes wrong, I can spend hours trying to figure out the problem and have nothing to refer to. I find that it confuses me somewhat, so it is something that can be improved.

I feel that technical support can be improved because it is always done through the use of a support ticket, which is not very convenient.

Setting up and configuring integrations are not easy to do. 

From my perspective, customization needs to be simplified and I'd like to see a reduction in the cost of the solution.

The documentation available could be improved as there is sometimes no documentation or updated documentation available. For example, I tried to get the metrics from MongoDB, and there's very low documentation for the module.