Splunk Enterprise Security Reviews

We use Splunk Enterprise Security for security log investigation. It is a SIEM platform. Many cybersecurity and technical alerts generated by Splunk turn out to be false positives. We then analyze these alerts to determine if they indicate a genuine security threat.

We will be ingesting logs from various sources, including firewalls, databases, Windows devices, and Linux devices. These logs will be used to investigate security incidents and troubleshoot system issues. Our use cases will be brief and focused, allowing us to leverage pre-defined queries in Splunk for efficient analysis. These queries will trigger alerts based on specific security or operational criteria within the predefined use cases. We will then investigate the triggered alerts by further analyzing the corresponding logs.

Splunk Enterprise has improved our incident response time. For instance, if an end user attempts to log in to a system with an invalid password from a device using an unusual port number, we will receive an immediate alert. This could be indicative of a brute-force attack aimed at stealing credentials, making it a suspicious activity. This is just one example of how Splunk Enterprise enhances our security posture.

Splunk's threat detection capabilities are strong, and Splunk is a leading platform for SoC monitoring. To maximize effectiveness, we need to develop strong query-building skills. Additionally, we have the flexibility to fine-tune existing queries or remove them altogether once an issue is resolved.

The customizable dashboards of Splunk are good for visualization. It gives a better understanding, and the graph is highly customizable.

I would rate Splunk Enterprise Security a nine out of ten for analyzing malicious activities.

Splunk Enterprise Security helped the organization control suspicious and malicious activities.

Splunk Enterprise Security has helped speed up our security investigations.

Splunk Enterprise Security's customization capabilities enable integration with other tools like EDRs, providing real-time event insights.

I like the Splunk dashboard and search engine.

Although the technical support is adequate, there is still room for improvement.

I have been using Splunk Enterprise Security for 2 years.

I would rate the stability of Splunk Enterprise Security 9 out of 10.

I would rate the scalability of Splunk Enterprise Security 9 out of 10.

The technical support is adequate.

Positive

I would rate Splunk Enterprise Security nine out of ten.

While I understand the desire for a cost-effective SIEM solution, prioritizing security over budget is crucial. In cybersecurity, even a seemingly minor breach can have significant consequences. Therefore, choosing the best SIEM for your needs, even if it has a higher upfront cost, can ultimately save money and protect your organization.

We have Splunk Enterprise Security deployed in four locations in one country.

Splunk takes care of the maintenance of the solution.

I recommend Splunk Enterprise Security to others.

We use it in our company to log everything. We use tools like XSOAR to take appropriate actions to mitigate threats.

Splunk Enterprise Security has aided our organization in the way it provides great visibility and helps with what our company's users do with it.

I like how easy it is to integrate the logging of all of the various nodes. The product also offers nice connectors. Other features include the product's ability to allow users to customize their dashboards, signatures, metrics, and other elements, making it a very valuable and reliable tool for my organization.

I don't know if there is a need for any improvements in the product since it is one of my peers and not me who is directly responsible for Splunk Enterprise Security in our company, so I will have to ask him if there are any requirements associated with the product.

The price may be an area of concern where improvements are required. Splunk Enterprise Security doesn't indulge in whitewashing, but Cisco does it too much.

I have been using Splunk Enterprise Security for two years.

I have not seen any outages in the product in the past two years that it has been running in our company, so I think it is good when it comes to the stability part. I have had an experience with the vendor during which there were two products, one from the vendor and the other from Splunk Enterprise Security, and we saw that one of them was not able to capture all the logs appropriately, after which our company had to figure out whether it was Splunk API or the vendor's tool.

I have never used the product's customer support. My peer has contacted the product's technical support team, and it has worked very well for him.

My company used to use one of the spin-offs from IBM. My organization has used IBM QRadar.

Though I am not sure about the deployment model, I feel that since it may not be on Azure, the product must be deployed with the help of AWS.

I have experienced an ROI revolving around the product's dashboards, metrics, and other such related stuff, but I don't know how to quantify them. My peer would be the best person to speak about the product's ROI.

My peer would be aware of the product's pricing part.

There was a pre-vendor selection approach my company followed, but I don't remember the names of the products involved.

It is pretty important how the solution provides end-to-end visibility in our company's environment because it provides opportunities for shadow IT and for people to do things that they should be doing. If one is appropriately logging in, the product gives us a view and helps our company discover things that we didn't know about.

In terms of Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments, I will have to say that since we are still using it, it has to be effective. If it wasn't effective in the aforementioned area, my peer would have found something else in the product. I don't have enough personal insight into Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments.

Splunk Enterprise Security has helped to reduce my company's alert volume. Our organization does get alerts, and we are trained for them. I will have to ask my peer to give me the exact number associated with the alerts my company receives.

The solution provides the relevant context that helps guide our company's investigations. The context information has impacted our company's investigation process as it definitely speeds it up because we have only a single source from which we can get that, and it helps us understand what may have taken place in a particular incident that we are looking at in our organization. In our company, if we look at any of the other services, we can see whether a particular or specific user touched just a single system or ten different systems.

The solution has helped reduce my company's mean time to resolve, but I don't have numbers to explain it.

The reason why I rate the tool a nine is because of the flexibility it provides to go back to the dashboards. The flexibility to be able to customize standard dashboards and other standard things that I want to be able to grab and have them pop out and then be able to create some sort of an action against those kinds of things that I want, of which the first is the standard reporting part, which is very valuable.

To those planning to use the solution, I would suggest that they need to get Splunk to work hard on the pricing part. People also need to encourage Splunk to stay true to its roots because I have seen what has happened to some of the other tools in the market. Splunk has been acquired by Cisco. You want Splunk because of its capabilities, not because of what Cisco wants to give you.

If I consider my company's needs, I rate the overall product a nine out of ten.

We are using the solution for security. We can use it to track what has happened in our network. We can check via dashboards and alerts. We can use it for load balancing and high-performance tasks. We use it to analyze data and logs. It normalizes logs and we can detect attacks, such as brute-force attacks. We can receive information from our firewall, our Fortigate. Since we receive a lot of traffic, we have to investigate events using the solution. It provides updates on attacks. The solution helps us report on what happens in our network.

We use Splunk for security and tracking what happens on our network and it is effective at that.

We like the big data analyzer.

The dashboard and alerts are good. We can use them for monitoring to see what’s happening on our network. It’s centralized. It gives us good visibility into multiple environments. We can use it in Windows, Linux, et cetera.

We can use platforms and integrate everything together. We can see multiple environments on-premises.

When something happens, we get alerts via SMS or email. 

We use the MTTR attack feature and it is very effective to use for detecting threats.

We can also schedule reports on a monthly or weekly basis.

It’s very useful for tracking. If you can look at the steps and see what happens, you can investigate effectively, and so on.

Splunk Enterprise Security is excellent for analyzing malicious activities and detecting breaches. We can see, step by step, what happened. We can escalate and investigate and so on.

Splunk has helped us detect threats faster. The alerts are very effective.

It helped to reduce alert volume. I’m not sure precisely how much, however, it depends on how many client devices you are tracking and analyzing.

Splunk is a suitable resource for collecting logs. 

The threat intelligence management feature is something we cannot use.

We'd like Splunk to reduce false positives. 

It would be helpful to be able to configure everything a bit more. If your network is very big, it's important to customize.

The dashboard could be improved so that tracking and analysis could be better visualized.

I've been using the solution for two years. 

The solution is stable. If you have suitable resources and buy and use the correct license, you'll get fine performance. 

The ability to scale Splunk depends on your network. If it is big, you can add more resources easily. You can use a cluster and several servers. 

When you work on Splunk, it's very easy. However, when you need to reach out to support, it could be better. It would be helpful if they could respond faster. 

Neutral

I have experience with another solution called ELK; I find Splunk better, even though it is not free to use.

I've done one implementation. I installed it across several servers. How long it takes depends on the project. It also depends on how many resources you have. If it's just a small setup it might take two hours. 

The product is easy to maintain. 

I'm a customer. We cannot use the cloud versions as we are based in Iran.

I don’t have experience with the Spunk Mission Control feature.

I've worked with Splunk so far and while it's very easy to use it's not free. There are other solutions that are open-source that you could use, however, I find Splunk to be worth the price and I'd recommend it to others. 

I'd rate the solution ten out of ten. I would recommend Splunk to others.

Our primary use case is for cyber security, tracking logs, and incident response.

I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features. 

This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that. 

The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.

We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

We upgraded to Enterprise Security a year ago but have been using general Splunk for longer. 

Stability-wise, despite these issues, it's been solid. I haven't had any issues with access to it or anything like that. The only issue we did have was with the engineer. After informing him of those issues, he went back and tweaked them, and then everything worked fine. 

It seems pretty scalable. Our network isn't extremely large, so I don't think scalability will be an issue in our case, but I definitely see the opportunity to scale if needed.

We have around 8,000 devices, so it's a fairly small network. It's across several different networks.

I have not used support yet mainly because I haven't delved into it as much because of the issues with our initial integration with our engineer not being so trained. 

We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.

I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications. 

I would love to get Mission Control.

My engineer had a little bit of an issue with it but it was because of his own lack of training. We were pushed to hurry up and get a SIEM. He did the best he could. I let him know what wasn't working, and then he would try to fix what he could on the backend so it could work. He was in talks with Splunk to fix those issues. The results are coming back a bit better, but I think that there is still room for improvement.

I was not involved with the setup. I came in afterward. One of our guys here was the one that was in the initial integration of Splunk. We ended up with Splunk as our main SIEM. I've never had any issues with it and I enjoyed it. 

We will see cost efficiencies mainly just from saving time and the shortened time and response to those incidents that we see. The fact that everything's organized in one application, we should see a bit of an increase in efficiency.

I do see the possibility and the opportunity to increase the meantime to resolution by a lot. We use several different applications to monitor logs. We have the vision. 

I've seen some of the updates and changes like Splunk AI and Splunk Vision Control that look nice. I didn't manage to get on some of the hands-on, which would have been lovely. I would like to get more ideas on how we can integrate Splunk into our networks. 

I would rate Splunk Enterprise Security a nine out of ten. I see the opportunity and I'm hoping with our engineer that we can get to where we can make the best use of Splunk. It really seems great. A lot of our staff here were all ready to use it. We're just hoping our engineer can get to the place where we can actually make use of it. 

The biggest value I get from attending a Splunk conference is being able to see the updates, changes, the features they're adding, the Splunk AI, and Splunk Vision Control. That's been nice. I am looking forward to some of the sessions. I want to get more ideas on how we can integrate Splunk into our networks and things like that, especially focusing on cybersecurity. I would also like to see some of the stock sessions because it's a brand new stock. We're trying to stand it up. Seeing how they're using it for stocks would be great.

We are using Splunk Enterprise Security for collecting and analyzing logs. We are keeping up with the SLAs with Splunk Enterprise Security.

Splunk Enterprise Security has helped reduce our alert volume. There is about 30% reduction.

Splunk Enterprise Security improves our organization’s ability to ingest and normalize data, but it requires lots of effort from our side. Splunk Enterprise Security can do that, but we also need to put effort into it. It is good enough to achieve that.

Splunk Enterprise Security has helped reduce our mean time to resolve. We have seen a reduction because doing this manually through queries is crazy. It helps to find out the root cause and things like that. It is helpful. 

We have an on-prem environment. Our information security team is using the data security features. Its security features are satisfactory.

It is pretty good. We can extract the metrics we want on the dashboards. We are able to react to the incidents. We are also able to monitor the service. In addition to the incident response, we can also do investigations, fraud detection, and other things like that.

We have this issue of data versus pricing. Its pricing can be better. There should also be a more flexible licensing model.

There is a learning curve in order to start using machine learning. We have been trying to do it for three years, and we have not managed anything. It is too complex.

Its ability to identify and solve problems in real-time could be better. We would like to have pattern recognition. There should be some kind of pre-made model to help detect something. For example, at the time of the incident investigation, there should be an option to ask questions, such as if anything changed. It is pretty hard to find out the patterns that are occurring currently because you have to have deep knowledge about your log content. There should be an option to ask a question like, "What has changed as compared to a week ago?" We should be able to specify a time frame and compare.

We have been using Splunk altogether for probably five years.

It has not failed over the last year. There were no failures, so it is pretty good.

Its scalability is quite good if you are willing to invest in the new design and do the manual work. You have to deploy new servers and things like that. In terms of architecture, it is scalable.

Based on the few problems that we have had, I would rate them a seven out of ten. For an issue, we did not get the answer we needed within the timeframe we were expecting. They took more time, and some IT guys were disappointed. The experience varies from case to case.

Neutral

We were not using any similar solution previously. We were only collecting logs through open-source means. We went for Splunk Enterprise Security because we needed visibility into the logs. It was the primary requirement.

We are also using Elasticsearch. We have two parallel systems.

Splunk Enterprise Security is better in terms of query language and the capability to do great searches, whereas Elasticsearch has a little bit less functionality. It is more complicated for end-users to use. However, Elasticsearch is better in terms of pricing because they do not charge based on the daily ingestion amount. You can put whatever amount into the system. Elasticsearch also has lots of additional logging capabilities. It has file beats and metrics beats capabilities, so you can use it more widely. You can also get end-to-end visibility because you can make integrity checks with it. It helps with IT operations as well. They can include these capabilities in Splunk Enterprise Security.

Its deployment was not very complicated. It was easy.

The hard part comes after you have deployed it. You have to educate people to start using it and understand the relevant information in your logs. The configuration itself is pretty simple, but field extractions and tagging are complex.

We are just using it and doing our queries and dashboards. We have not been calculating the ROI. It has been quite easy. We invest and create our dashboards and reports. Sometimes, when a dashboard becomes too complex or too expensive, we start to think about alternatives. Other than that, we have not thought of ROI.

The pricing can be better. We are already considering Elastic because Splunk is too expensive. 

You have to pay based on per-day ingestion. There should be a more flexible model for the use cases where one day you have a huge amount, and on other days, it is quite less.

Splunk Enterprise Security provides end-to-end visibility into an environment, but it is not our use case currently.

Splunk Enterprise Security does not really provide the relevant context to help guide our investigations because, in our country, Splunk is not represented, so it is pretty hard to get the relevant information.

Overall, I would rate Splunk Enterprise Security a seven out of ten. Its pricing is not good, and the learning curve for machine learning is not good. However, the parts that are working are working very well.

I use the solution for data analysis and log collection. 

Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.

Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot.

I have been working with the product for four years. 

Splunk Enterprise Security's stability is very good. The system consistently performs well, and we don't encounter many issues. Ticketing problems are minimal, which is significant because it handles a lot of logs and data persistently without causing frustration.

The tool's customer support is good. 

Positive

We chose Splunk Enterprise Security because it was simple and had better data analysis capabilities. 

A reseller helped us with the deployment. 

The tool's licensing is good and we haven't received any complaints from the team handling it. 

I haven't used it for multi-cloud environments. As for on-premise, it's meeting my current needs quite well. When it comes to identifying and solving problems in real time, sometimes it's challenging to understand the situation, and generating reports can be difficult. But overall, it's good for monitoring activities like endpoint and authentication incidents and normalizing.

The solution has helped us reduce alerts by five to ten percent. It processes data and allows us to look back at incidents to see what happened and where they occurred.

I rate the overall product a nine out of ten. 

We mainly use the solution as a reseller. We give our users the latest version of the product. 

The solution is the market leader.

Our customers are always looking to partner with market leaders as you can't go wrong with them.

Customers can monitor cloud environments. 

The threat detection capabilities are quite fast and efficient based on my customer's feedback. 

We've used the MITRE ATT&CK feature and it's good. It's pretty standard and comparable to IBM. Most products offer this as well. 

It's good for analyzing malicious activities. It's good as an overall platform. It's good at detecting threats. It's a basic feature that is quite effective.

Splunk can help to reduce alert volume if you configure it properly.

They are a market leader in a lot of areas in terms of features and functions. 

It helped us speed up security investigations. I'm not sure of the exact percentage it helped us speed up by, however.

It has a lot of basic and standard features. 

It is a full-fledged solution that provides everything a company needs.

When it comes to malicious activities, however, it's rather overpriced. There are cheaper ways to detect.

There are quite a lot of security platforms on the market that do the same thing in a similar way at a cheaper rate. 

The pricing could be a lot lower. I'm from Asia, and they need to provide Asian pricing. They should price better for the region they are in. Once companies see the price, it puts them off. 

The integration could be a bit better. They charge for certain integrations. 

I've used the solution for about a year or more. 

It is a stable product.

The solution is used across multiple departments, not locations. That said, it would support multiple locations. 

We've had no issues with scalability. We usually have a solution that lasts three to five years and have had no issues scaling in that time.

I do not directly deal with technical support. 

We previously used many solutions, such as IBM. The implementation times are about the same. There are some ways that IBM is faster and other ways Splunk is faster. However, Splunk offers a more modern look.

The initial setup is very easy. It's quite straightforward. The process is similar to IBM. The deployment takes less than one day. It is done by a different team. I don't handle the initial implementation process.

The maintenance needed is very minimal. We have at least ten people that can handle deployment and maintenance. 

The solution is quite expensive compared to the competition. It's considered a premiere security option. 

We also looked at Dynatrace before choosing Splunk. 

I'm a registered partner of Splunk. 

We are using the latest version of the solution. 

We haven't used the threat intelligence management feature. We usually use another product.

The mission control feature hasn't been used. I'm not familiar with it.

For those looking for a cheaper product, I'd suggest, if they had a limited budget, to go cheaper. Likely a cheaper option that can do the same work as Splunk. At the end of the day, whether you choose a Toyota or a Rolls Royce, you get from A to B the same. The price is the differentiation. 

I'd rate the solution eight out of ten. It's a good product overall. 

Our primary use case is for security audit log collection correlation. We wanted something that the security team could focus on versus going directly into our enterprise. We had some initial use cases to supplement our IT ops security into one product. We had a SIEM but not one that was as customizable as Splunk Enterprise Security.

The out-of-the-box capabilities that Enterprise Security offers were very helpful. We're not using it anymore because it was almost overkill. We have shifted to go back to just the core functionality. We were inundated with the amount of alerts and alarms that we could get out of it. It is also a resource hog and we didn't have the resources to support it on-prem so we're taking it offline now.

We saw the granularity that we could get from Splunk far exceeded what we already had. We had the ability to have our security team really focus on the platform and stay within the platform, but they could correlate with a variety of other stakeholders, and our stakeholders were growing. So we tried to get ahead of that and filter it in to create customizable KPIs for those user groups versus having a one-size-fits-all approach. That unique was very helpful for us to expand upon. The driving force is resources, and we were lacking those.

We use it to monitor multiple clouds. We weren't leveraging it for all of our clouds, but we have a presence in GCP, AWS, and Azure. The unity and uniformity across all of it would have been great but at that stage, we were only using it for on-prem coverage. We would like to go ahead and understand how we can implement it as a cloud solution as we are increasing our daily footprint too. We weren't really prepared to understand the workflows we already had in the CSPs or the new integrations of data lakes at a warehouse that were and are still being built out to get Enterprise Security to function off of that too. We hadn't gotten to that stage.

A lot of what we were doing was done manually in terms of vulnerability and remediation and is still being done manually now. Evolving to a stage where the alerts weren't inundating our customers and getting familiar with the product would have helped us perhaps get a bit more functionality and usability out of it. We are seeing some value out of Enterprise Security and think we can get similar results elsewhere. I think that down the road, as our understanding gets better of how we want framework requirements, Enterprise Security could come back into the picture.

I have been using Splunk Enterprise Security for around twelve months.

Stability had its drawbacks because of how much it consumes. We had to justify whether or not it was worth keeping it up. The decision was to not keep up with it.

We are only on-prem so we do manual scaling. We don't have the elasticity that we would have in the cloud which limited us. Justifiably, in order to scale up the platform, we would have to go through procurements and more hardware, which was not an option. So we were limited, and we knew that. We had done pilots and buildout but a hardware refresh cycle was coming up, we had to justify whether or not it was in the cards.

I've been working with Splunk for several years now, and I've always found them very responsive and supportive in a variety of technologies around core functionality like Enterprise Security and ITSI. 

I would rate them an eight out of ten. They have a strong team through and through from the pre-presales all the way through architectural changes and shifts that we need to do to address the customer.

Positive

We've had numerous implementations of SIEM solutions over the years. Splunk offered a lot of capabilities on top of some of our old antiquated Sentinel and Azure. We had many other products before we pursued Enterprise Security. But we weren't in a position to really go down the Enterprise Security route because we hadn't quite fleshed out what our end goal was.

We're still in the evaluation stages. Looking at Enterprise Security, given the fact that we already have an investment in Splunk, it makes sense. We would like to see it grow beyond just Enterprise Security to more of not just observability, but pro actions to utilize the source of that nature. 

We had great success potentially going into a SOAR from Enterprise Security. We hadn't quite evolved to that point yet. At this stage, it's just not really in our pipeline to pursue Enterprise Security until we get a better understanding of our requirements.

Refining those playbooks and so forth also is going to take time. We have customers who have categorically unique requirements. From a security standpoint, one group's security requirements are going to be different from some of the other teams that we have. We are trying to find that uniformity across the board. We may have to entertain multiple security solutions to meet their needs.

My role was to support a lot of the backend and the configuration of the platform as it was being established.

The level of difficulty was on par with the Splunk Enterprise core. My team was involved with a lot of the provisioning from the virtual environment and on-prem to support it. It wasn't overly complicated. Once it was up it took a lot of resources. Evaluating and seeing whether or not we could actually move it to the cloud when the core functionality still existed on-prem, we weren't willing to split them at this stage.

We would almost always have Splunk support through the deployment and configuration stages of it. It was always solid. Once we had the platform up and running, we had to consider general operations and maintenance. While the Splunk team was great and the resources are available, there is a finite amount of resources on-site.

Splunk is not cheap. That's definitely a consideration as we look at other products.

We haven't seen much time to value using the solution system but it wasn't necessarily a fault of the product. It was the cycles to maintain it and support it, to make sure it's growing correctly. We hadn't gotten to that stage. Our ROI and TCO, given the fact that its footprint is being looked at because of what it takes to maintain it in terms of resources. We have the core platform, and then we have a growing license. We're looking at how we can efficiently use Enterprise Security. It's just not there at this point.

I would rate Splunk Enterprise Security an eight out of ten. I think the rating has the potential to be higher. If we had time to flesh it out and vet some of the core capabilities of Enterprise Security and how it could benefit us over the core. Getting to that stage requires a lot more customer engagement on our side that we weren't really prepared to do because of budgetary constraints, hardware refresh cycles, and so forth. Overall, we dropped the product not necessarily because of a lack of capability, it was more along the lines that the timing wasn't appropriate for our security teams.

The biggest value I get from attending a Splunk conference is knowledge transfer. I work in the public so it's valuable having a lot of conversations with fellow colleagues who are in the public sector and hearing their hurdles. We don't want to reinvent the wheel every time, and we don't want to hit obstacles that could have been lessons learned. The conference is a really good opportunity to see what's new, what's out there, and how it can blend in with our current architecture and designs. It also helps to understand what's not going to work to be able to get ahead of it before questions come up. We can properly equip our customers and answer their questions. The Splunk conference is a good brain dump.