Senior Analyst at a computer software company with 11-50 employees
Enables us to use rules to segregate data and restrict our clients from seeing each other's data
Pros and Cons
- "Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface."
- "Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model."
What is our primary use case?
We implement Splunk Enterprise Security for our clients. It's a security tool that centralizes data in one location, so we can gain some insights from it. We can also use it to create alerts. For example, let's say we want to find an incident in real-time, but we can't sit in a single place and stare at the screen. We can create alerts that send us an email notification or automate a response.
How has it helped my organization?
Splunk helped us reduce our alert volume because we could optimize our risk-based user analytics. I estimate that we decreased alerts by around 20 percent. Splunk Enterprise Security speeds up security investigations.
What is most valuable?
Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface. It's easy to manage multi-cloud environments because we can use rules to segregate the data and restrict our clients from seeing each other's data. Splunk has a lot of plugins and add-ons that provide a lot of information about our cloud and on-prem environments.
Splunk's MITRE ATT&CK framework is excellent, but I haven't used it for investigation. I'm primarily involved in implementation and development. Splunk Enterprise Security is solid detection-wise and faster than many other SIEM solutions.
We already have an antivirus solution in our environment, so Splunk detects viruses based on that. Once the antivirus detects something, it generates an incident in Splunk that we can investigate. The detection time depends on a few factors, but we can detect a threat in two to five minutes under ideal conditions.
What needs improvement?
Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model.
Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
902,495 professionals have used our research since 2012.
For how long have I used the solution?
We have used Splunk Enterprise Security for more than three years.
What do I think about the stability of the solution?
Splunk Enterprise Security has gone through multiple versions, so the product is mature and stable. It's currently on version 9.
What do I think about the scalability of the solution?
We can scale Splunk Enterprise Security horizontally or vertically. It isn't a problem.
How are customer service and support?
I rate Splunk support 10 out of 10. Splunk has better support than other vendors I've worked with. It's better than IBM support.
Which solution did I use previously and why did I switch?
We previously partnered with IBM and used QRadar as our SIEM. Splunk is faster, and I like the look and feel better. If you are looking for the cheapest solution, some free open-source SIEM solutions exist. They can do many of the same things that Splunk can do but maybe not at the same scale.
How was the initial setup?
One person can deploy Splunk Enterprise Security in 15 to 20 days, depending on the architecture. It takes less time to deploy on the cloud. The solution requires some maintenance. We need someone there to monitor it in case there are issues. Three people are responsible for maintaining Splunk.
What's my experience with pricing, setup cost, and licensing?
Splunk costs a little more than other SIEM solutions. It would be nice if they could bring the price down a little.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10.
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Senior Observability and System Consultant at a tech services company with 11-50 employees
Splunk Enterprise Security is a powerful and scalable SIEM solution that excels at real-time threat detection and analytics, but can be complex and costly to deploy and manage.
Pros and Cons
- "Splunk Enterprise Security is a very useful application to collect all the logs and also to find out the problems. You can easily create whatever you want by using its features, and it also has the capability to collect from all kinds of different platforms. Splunk Enterprise Security provides me with all the alerts."
- "I didn't face any major issues with Splunk Enterprise Security. There were only one or two issues related to the user account, but nothing major."
What is our primary use case?
My main use case for Splunk Enterprise Security is centered around threat detection and incident response. I’ve configured correlation rules and alerts within the SIEM to proactively detect suspicious activities. The environment includes multiple servers and security devices from which I collect log data using forwarders. These logs are ingested into Splunk, parsed, and analyzed to identify anomalies, security issues, and performance concerns. This setup helps streamline investigations and reduce response time to potential threats.
How has it helped my organization?
Splunk Enterprise Security has significantly improved our organization by centralizing log management, enhancing visibility into security events, and enabling faster detection and response to threats. The customizable dashboards, real-time alerts, and powerful correlation capabilities have streamlined our incident response process and reduced investigation time. It has also helped us meet compliance requirements more efficiently by automating reporting and audit trails.
What is most valuable?
Splunk Enterprise Security’s most valuable features include its powerful log aggregation from diverse platforms, flexible search and correlation capabilities, and customizable alerting system. It allows me to collect logs from virtually any source—servers, firewalls, cloud services—and create custom rules to generate meaningful alerts. The flexibility of Splunk’s Search Processing Language (SPL) makes it easy to build tailored dashboards, identify threats, and quickly pinpoint the root cause of issues, significantly improving operational efficiency and threat detection accuracy.
What needs improvement?
While Splunk Enterprise Security works well overall, improvements could be made in user management—particularly around simplifying role-based access controls and troubleshooting user account issues. Additionally, future releases could benefit from:
Improved UI/UX: A more intuitive interface for new users and simplified dashboard customization.
Built-in Use Case Library: More out-of-the-box security use cases and alert templates to reduce setup time.
Cost Optimization Tools: Better native tools to monitor and manage licensing usage and storage costs.
Enhanced Cloud Integration: Streamlined and more secure integration with major cloud providers for hybrid environments.
These enhancements would make the platform even more user-friendly and efficient.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for about two years.
Which solution did I use previously and why did I switch?
I previously used Dynatrace and open-source tools like SigNoz. While Dynatrace excels in application performance monitoring, it requires an additional license fee for server-side log collection, making it less ideal for centralized log management and SIEM use cases. SigNoz, being open-source, offers basic log management but lacks the depth, scalability, and advanced threat detection features of Splunk Enterprise Security. I switched to Splunk Enterprise Security because it provides a comprehensive, all-in-one solution for security monitoring, log aggregation, and real-time alerting, which better fits enterprise-level security needs.
How was the initial setup?
The initial setup of Splunk Enterprise Security was straightforward. I followed publicly available documentation, which was clear and easy to understand. The installation and configuration process went smoothly without any major issues. From initial setup to full deployment—including log collection, rule configuration, and dashboard setup—everything was completed in about two days, demonstrating how well-documented and accessible the deployment process is for users with a solid technical background.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Solution Engineer at Sennovate Inc
The solution is user-friendly, and we can easily customize the monitoring script
Pros and Cons
- "Splunk is user-friendly. We can easily customize the monitoring script."
- "Splunk isn't appropriate for smaller companies. It's too expensive."
What is our primary use case?
We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.
My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc.
How has it helped my organization?
Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.
In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.
It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened.
Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat.
It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent.
What is most valuable?
Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert.
What needs improvement?
Splunk isn't appropriate for smaller companies. It's too expensive.
For how long have I used the solution?
I have used Splunk for two years.
What do I think about the stability of the solution?
Splunk is a highly stable product.
How are customer service and support?
I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
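The two behaviours this reviewer alerts on, a login from a region the user has not used before and a run of wrong passwords, written out as an added Python example; it is not the reviewer's configuration and not Splunk code. The event tuples, the region names, the threshold of five failures inside two minutes, and the rule that a user's very first login only seeds the baseline and never alerts are all assumptions made for the example.

```python
"""Two user-behaviour alerts over constructed authentication events (added example, not Splunk code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events, roughly what an SSO/IAM audit log yields after field
# extraction: (timestamp, user, source region, outcome). Assumed, not real data.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00Z", "alice", "eu-west", "success"),
    ("2024-05-01T08:05:00Z", "bob", "us-east", "success"),
    ("2024-05-02T09:00:00Z", "alice", "eu-west", "success"),
    ("2024-05-03T09:30:00Z", "alice", "ap-south", "success"),  # alice never seen in ap-south before
    ("2024-05-03T10:00:00Z", "bob", "us-east", "failure"),
    ("2024-05-03T10:00:20Z", "bob", "us-east", "failure"),
    ("2024-05-03T10:00:40Z", "bob", "us-east", "failure"),
    ("2024-05-03T10:01:00Z", "bob", "us-east", "failure"),
    ("2024-05-03T10:01:20Z", "bob", "us-east", "failure"),   # fifth failure inside two minutes
    ("2024-05-03T10:01:40Z", "bob", "us-east", "failure"),
    ("2024-05-03T11:00:00Z", "carol", "us-west", "success"),  # first login ever: seeds baseline only
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_region_logins(events):
    """Alert on the first successful login from a region the user has not used before.

    A user's first login ever establishes the baseline and does not alert; failures are
    ignored because an attacker guessing from a new region is the other rule's job."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, region, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "success":
            continue
        if seen[user] and region not in seen[user]:
            alerts.append({"user": user, "region": region, "time": ts,
                           "known_regions": sorted(seen[user])})
        seen[user].add(region)
    return alerts


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when one (user, region) pair accumulates >= threshold failures inside a sliding window.

    One alert per burst: the window is emptied after firing so the same run of failures
    does not raise an alert on every further attempt."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, region, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failure":
            continue
        t = parse(ts)
        q = recent[(user, region)]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "region": region, "failures": len(q),
                           "first": q[0].isoformat(), "last": ts})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in new_region_logins(SAMPLE_EVENTS) + failed_login_bursts(SAMPLE_EVENTS):
        print(a)
```

On the constructed data this yields one new-region alert (alice from ap-south) and one burst alert for bob after the fifth failure. The baseline-on-first-login rule is the part to think about in production: a freshly onboarded account never alerts on its first region, so a compromise that begins with the first login is invisible to this rule and needs a different control.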
Architect at a tech consulting company with 10,001+ employees
Brings all of the components necessary to identify, analyze, and respond together
Pros and Cons
- "The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together."
- "Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement."
What is our primary use case?
Our primary use cases are for detection and remediation.
How has it helped my organization?
The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate.
What is most valuable?
The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.
It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.
I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another.
Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.
What needs improvement?
Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.
Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.
For how long have I used the solution?
I have been using Splunk Enterprise Security for the past four years.
What do I think about the stability of the solution?
Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented.
What do I think about the scalability of the solution?
I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held.
How are customer service and support?
I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.
How would you rate customer service and support?
Positive
How was the initial setup?
The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.
What was our ROI?
Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.
What's my experience with pricing, setup cost, and licensing?
I was deeply distressed when they went away from their perpetual license.
Which other solutions did I evaluate?
We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Army knife of capabilities.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Data Analyst
Offers integration with other risk-based solutions
Pros and Cons
- "If properly built, I'm very impressed with the stability of Splunk ES."
- "In terms of training, I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations."
What is our primary use case?
The primary use case is computer network defense.
How has it helped my organization?
It is very important that Splunk ES provides end-to-end visibility in our environment. Part of the solution is bringing the user closer to the resolution.
The integration with other risk-based solutions, such as the risk matrix applications included with Splunk, is helpful. It helps us identify the risks without having to delve into other resources.
Splunk helped improve our company's ability to ingest and normalize data. That's the primary use of Splunk Enterprise or Core. For ingestion, we've been using Splunk Enterprise for about six or seven years before we had ES. So, that was the primary reason we got it.
In terms of the risk-based part, Splunk improved our ability to ingest and normalize data. Initially, we used Splunk Enterprise Core for aggregation and correlation. We didn't have the risk-based reporting.
I'm very impressed with Splunk's ability to identify and solve problems in real time. And I look forward to the new version improving the product.
We've been able to discover things we didn't see before. So, there's more that we discover now.
Splunk ES provides us with the relevant context to help guide our investigation. It goes back to the time to resolution. We have to do much less investigation because it's already built-in alerting.
What is most valuable?
Risk-based reporting and anomaly detection are valuable features.
The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.
What needs improvement?
I was just at the conference, and they spoke about and demoed a new version of Splunk. It looked like some pain points are resolved in the new solution, such as not having to go to so many different panels. Like to streamline or improve the UI.
In terms of training, I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.
For how long have I used the solution?
We purchased ES four years ago.
What do I think about the stability of the solution?
If properly built, I'm very impressed with the stability of Splunk ES. We initially stood it up on a single server, and to make it more robust, we had to break out of that single server concept to make it more resilient.
What do I think about the scalability of the solution?
The scalability is very good. That comes from our experience of having to scale out, and Splunk's documentation on scaling up is very good.
How are customer service and support?
Every time we've used Splunk support, it's been very good. We don't have any in-house Splunk engineers, but headquarters has some they can send to assist us, so I can call on them. It's a very good support chain.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
My company is very impressed with Splunk. We've used several SIEMs before, and Splunk has been the most efficient one.
There was one called Intelotactic, and another was called Secureworks. I believe both of those are gone now.
Initially, with Splunk, we had a steep learning curve. It went from a fairly low ingestion point to figuring out how much data we needed to get to a certain level. Even when we got to a level we were happy with; we found that we were ingesting a lot of noise in the data. We had to figure out ways to reduce that noise.
How was the initial setup?
We bought the maintenance along with Splunk ES and used Splunk engineers to assist us in the setup. It was a very good process. It worked out very well for us.
The knowledge of the individual sent to us was impressive.
Deployment model: Ours is all on-prem currently, but we are headed towards a cloud solution.
What other advice do I have?
I would rate it a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SIEM engineer at a computer software company with 1,001-5,000 employees
Helped improve our organization’s ability to ingest and normalize data but should work better out of the box
Pros and Cons
- "Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data."
- "In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies."
What is our primary use case?
Our primary use case is to find brute-force attempts on our systems.
How has it helped my organization?
We use it for security purposes, to find malicious activity, and to find misusage of our business platform.
The main benefits we have from Splunk Enterprise Security are the alerts with which we can manage the searches and the notables which can be good for documentation.
What is most valuable?
Identity management is the most valuable feature.
Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst.
Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.
Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.
If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier.
Splunk Enterprise Security helped improve our organization's business resilience.
In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time.
It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company.
What needs improvement?
It should work better out of the box and have better use cases that would not require my intervention. For example, if I install an antivirus and endpoint protection on my computer, I don't need to do much. But to get any value from Splunk, I need to work hard on it.
In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies.
For real-time detection, I would not say that Splunk is the best. If you experience a problem and go to Splunk to look at the dashboard, then it's in real-time. Because of the way Splunk works, I wouldn't get an alert in real-time.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
On newer servers, it can be stable. On our servers, it can take a while. We need to re-enter when we press selections.
What do I think about the scalability of the solution?
It is scalable. You can add more servers and analysts.
How are customer service and support?
Support depends on the issue. Sometimes they help but most of the time, I have to solve the issue on my own.
I would rate support a six out of ten. Usually, it can take time until I get to someone who can help. The diagnostics aren't always accurate. I once had an issue where they replaced a certificate that we weren't using, so it didn't solve the problem. It can take a few iterations to solve the problem.
How would you rate customer service and support?
Neutral
How was the initial setup?
The deployment is fine for me, but it is not really straightforward. I would suggest simplifying the process. For example, the whole certificate part is not secured by default. I would recommend fixing that.
What about the implementation team?
We used EMET Computing for the integration. They are fine.
What was our ROI?
We do see ROI. We can deduce the ROI from finding the damage that misusing our business platform is causing.
What's my experience with pricing, setup cost, and licensing?
I think that the price can be too high sometimes, especially for the cloud. We get a lot of logs that are meaningless. For example, if we are using a firewall, we get a message for every session or packet. A lot of those connections are the same. We pay a lot of money on the license and on logs that are the same. If there was a way to aggregate them, the cost of the license would be reduced.
What other advice do I have?
I would rate Splunk Enterprise Security a six out of ten. It is useful but it doesn't add that much value on top of standard Splunk. Because of our use cases and environment, we don't use all of the features it has. Nevertheless, the value it provides isn't so different from Splunk Core.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
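On the licensing point above (one event per firewall session, most of them the same), one approach is to summarise repeated allow sessions per minute before they reach the indexer while keeping every deny at full fidelity. This is an added Python illustration, not the reviewer's setup and not a Splunk feature; the log lines, field names, the one-minute bucket, and the policy of passing through anything that is not an allow are assumptions made for the example.

```python
"""Pre-index summarisation of repetitive firewall sessions (added example, not Splunk code)."""
from datetime import datetime, timezone

# Constructed key=value firewall lines. A real feed carries many more fields and
# is far more repetitive than this sample, which is the reviewer's point.
RAW_LINES = [
    "2024-05-03T10:00:01Z src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=1200",
    "2024-05-03T10:00:02Z src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=800",
    "2024-05-03T10:00:03Z src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=950",
    "2024-05-03T10:00:04Z src=10.0.0.7 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=300",
    "2024-05-03T10:00:05Z src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=1100",
    "2024-05-03T10:00:09Z src=203.0.113.4 dst=10.0.1.22 dport=22 proto=tcp action=deny bytes=0",
    "2024-05-03T10:00:10Z src=203.0.113.4 dst=10.0.1.22 dport=22 proto=tcp action=deny bytes=0",
    "2024-05-03T10:01:15Z src=10.0.0.5 dst=10.0.1.9 dport=443 proto=tcp action=allow bytes=400",
]


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with a tz-aware timestamp and an integer byte count."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_sensitive(rec):
    """Assumed policy: anything that is not a plain allow keeps per-event fidelity."""
    return rec["action"] != "allow"


def summarise(lines, bucket_seconds=60, keep_full=is_sensitive):
    """Collapse events that share (src, dst, dport, proto, action) inside one time bucket into
    a single record carrying count, byte total and first/last seen.

    Events for which keep_full(rec) is true are emitted unchanged (count 1) so that the
    records an investigation actually needs are never merged away."""
    groups = {}
    for i, rec in enumerate(map(parse_line, lines)):
        bucket = int(rec["ts"].timestamp()) // bucket_seconds * bucket_seconds
        tuple_key = (rec["src"], rec["dst"], rec["dport"], rec["proto"], rec["action"])
        # A key unique to this raw event keeps it out of every group.
        key = ("raw", i) if keep_full(rec) else (bucket,) + tuple_key
        g = groups.setdefault(key, {
            "bucket_start": bucket, "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "proto": rec["proto"], "action": rec["action"], "count": 0, "bytes": 0,
            "first": rec["ts"], "last": rec["ts"]})
        g["count"] += 1
        g["bytes"] += rec["bytes"]
        g["first"] = min(g["first"], rec["ts"])
        g["last"] = max(g["last"], rec["ts"])
    return list(groups.values())


def reduction(lines, **kw):
    """Fraction of events that summarisation removes from what would otherwise be indexed."""
    return 1 - len(summarise(lines, **kw)) / len(lines)


if __name__ == "__main__":
    for g in summarise(RAW_LINES):
        print(g["action"], g["src"], "->", g["dst"], g["dport"], "x", g["count"], g["bytes"], "bytes")
    print("reduction:", reduction(RAW_LINES))
```

The eight constructed lines become five records (the four allow sessions from 10.0.0.5 in the 10:00 minute collapse into one; both denies pass through), a reduction of 37.5 percent on this sample and usually far more on real traffic. The cost is that the merged record no longer carries each session's own timestamp, so summarise only the classes of traffic you never investigate per session; that is why the pass-through predicate exists and why it defaults to keeping everything that is not an allow.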
Sr Security Engineer at an insurance company with 5,001-10,000 employees
Risk-based alerting significantly reduces the alert volume and speeds up the investigation
Pros and Cons
- "I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction."
- "I do not like the pricing model. It is expensive."
What is our primary use case?
We use it for alerting. It also helps our analysts triage.
How has it helped my organization?
It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.
It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.
We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.
I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.
I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.
With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.
Splunk Enterprise Security has helped improve our organization’s business resilience.
Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.
What is most valuable?
I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.
What needs improvement?
I do not like the pricing model. It is expensive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for about five years.
What do I think about the stability of the solution?
I have not had issues with its stability.
What do I think about the scalability of the solution?
It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.
How are customer service and support?
I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.
Which solution did I use previously and why did I switch?
I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.
With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.
How was the initial setup?
I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.
What's my experience with pricing, setup cost, and licensing?
It is expensive, but it is a good tool.
It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.
What other advice do I have?
I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
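The risk-based alerting behaviour the reviewer describes (individual detections accumulate risk against a user or host, and an analyst gets one notable carrying the chain of contributing events instead of one alert per detection) can be shown in miniature. The following is an added example written for this page; it is not the reviewer's configuration and not Splunk's own code. The risk events, scores, technique IDs, the 100-point threshold, the three-technique minimum and the 24-hour window are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events, not real Splunk data. Each tuple is
# (timestamp, risk_object, detection_rule, risk_score, attack_technique).
# Scores and technique IDs are assumptions chosen for the demonstration.
RISK_EVENTS = [
    ("2024-06-01T08:05:00", "user:alice", "Brute-force logon attempts",   30, "T1110"),
    ("2024-06-01T08:40:00", "user:alice", "Logon from new country",        30, "T1078"),
    ("2024-06-01T09:10:00", "user:alice", "Mailbox forwarding rule added", 30, "T1114"),
    ("2024-06-01T09:30:00", "user:alice", "Mass file download",            50, "T1530"),
    ("2024-06-01T10:00:00", "user:bob",   "Logon from new country",        30, "T1078"),
    ("2024-06-01T11:00:00", "user:bob",   "Password reset requested",      10, "T1098"),
    ("2024-06-01T07:00:00", "host:srv01", "Brute-force logon attempts",    30, "T1110"),
    ("2024-06-01T07:10:00", "host:srv01", "Brute-force logon attempts",    30, "T1110"),
    ("2024-06-01T07:20:00", "host:srv01", "Brute-force logon attempts",    30, "T1110"),
    ("2024-06-01T07:30:00", "host:srv01", "Brute-force logon attempts",    30, "T1110"),
    ("2024-06-04T12:00:00", "user:alice", "Brute-force logon attempts",    30, "T1110"),
]

RISK_THRESHOLD = 100          # assumed aggregate score that triggers a notable
MIN_DISTINCT_TECHNIQUES = 3   # assumed: require breadth, not one noisy rule repeating
WINDOW = timedelta(hours=24)  # assumed lookback window per risk object


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def aggregate_risk(events, threshold=RISK_THRESHOLD,
                   min_techniques=MIN_DISTINCT_TECHNIQUES, window=WINDOW):
    """Collapse individual risk events into per-object notables.

    For every risk object, walk its events in time order and keep a sliding
    window of contributing events. A notable fires the first time the summed
    score reaches `threshold` AND at least `min_techniques` distinct ATT&CK
    techniques are present. The notable carries the full chain of events,
    which is the context an analyst needs to see what led up to it. One
    notable per object is emitted here; a production deployment would also
    suppress re-firing for the rest of the window.
    """
    by_object = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_object[ev[1]].append(ev)

    notables = []
    for obj, evs in by_object.items():
        for i, ev in enumerate(evs):
            start = _ts(ev[0]) - window
            chain = [e for e in evs[: i + 1] if _ts(e[0]) >= start]
            score = sum(e[3] for e in chain)
            techniques = sorted({e[4] for e in chain})
            if score >= threshold and len(techniques) >= min_techniques:
                notables.append({
                    "risk_object": obj,
                    "risk_score": score,
                    "techniques": techniques,
                    "first_seen": chain[0][0],
                    "last_seen": chain[-1][0],
                    "chain": [(e[0], e[2], e[3]) for e in chain],
                })
                break
    return notables


def alert_reduction(events, notables) -> float:
    """Fraction of raw detections that did NOT become a notable (0.8 means 80% fewer)."""
    return 1 - len(notables) / len(events)


if __name__ == "__main__":
    notables = aggregate_risk(RISK_EVENTS)
    print(f"{len(RISK_EVENTS)} raw risk events -> {len(notables)} notable(s), "
          f"{alert_reduction(RISK_EVENTS, notables):.0%} fewer alerts")
    for n in notables:
        print(n["risk_object"], n["risk_score"], n["techniques"])
        for ts, rule, score in n["chain"]:
            print("   ", ts, rule, score)
```

Two things worth noticing when you run it: the host that tripped the same brute-force rule four times reaches 120 points but never becomes a notable, because a single repeating technique does not satisfy the distinct-technique gate; and the one notable that does fire lists all four contributing detections in order, which is the "chain of events" view. Dropping `min_techniques` to 1 makes the noisy host alert too, which is the trade-off the threshold tuning is about.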
Information Security Engineer at an educational organization with 1,001-5,000 employees
Helps with quick analysis and helped improve our organization’s ability to ingest data
Pros and Cons
- "Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object."
- "At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at."
What is our primary use case?
We use Splunk Enterprise Security for our security analysts for them to be able to view incidents. They are not 100% dependent on Splunk Enterprise Security as their incident source. They do have other tools that they use and other things like whois data, threat intel, and lookups for our domain. They are able to quickly look at the activities done for the assets that we have.
How has it helped my organization?
I am not from the management or the leadership, but I do feel that it has been helpful for us Splunk engineers who are responsible for looking at all the data and logs. Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object. The analysts have their dashboards, and they have their action items. They use it differently. They follow all the common procedures.
We are on-prem. We are not on the cloud. As of now, Splunk Enterprise Security does not provide us with end-to-end visibility, which is one of the drawbacks and the reason we need to use other tools. It is not that Splunk Enterprise Security cannot do it. It is just the way it is configured right now. We are working with Splunk engineers. We have a lot of professional service hours that we spend with them bringing all parties into the picture and doing working sessions.
Right now, Splunk Enterprise Security is in the middle in terms of helping us find any security event across our environment. Based on the way the configuration is done in our environment, it would not be right to say that the incident would be reported accurately from Splunk Enterprise Security. That is because not a lot of data is being put into Splunk Enterprise Security to make something a notable event and report about it. If we configure it better and have more data models normalized, and then we use it, it will be more helpful. It has been a long-term goal, but we will reach there soon.
Splunk Enterprise Security has helped improve our organization’s ability to ingest data.
Splunk's unified platform has not helped consolidate networking, security, and IT observability tools. I am an engineer, and I am more into administration and creating user interfaces on Splunk Enterprise itself, not Splunk Enterprise Security. We have done some work on Splunk Enterprise Security and then left it with analysts. It is up to the analysts now. Splunk Enterprise Security is not 100% configured. Some basic data models have been set up. They are generating notables, and we are generating alerts out of it, but it is not 100% there. They do have to use other tools such as their networking tools to get a full picture for incident reporting.
What is most valuable?
One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.
What needs improvement?
At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at. They have put Mission Control as a part of the notable or finding itself. The investigation shows the findings, and the findings allow us to do everything that we are doing in Mission Control right there on that same screen. That is what we want now. They said it is going to be released in two to three months. We are hoping that we will be able to use it. I was hoping that I would be able to see version 8 when I am here at Splunk .conf24, and when I go back, I would be able to help them implement it, but it is still 7.3.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
It is pretty stable.
What do I think about the scalability of the solution?
It is pretty scalable. We have a huge deployment. It is good.
We are a huge agency. It is in the public sector. We have 15 terabytes of data.
How are customer service and support?
They are good. We have a huge team of Splunk engineers within our company. Some of them are contractors, and some of them are employees. They are pretty responsive.
Based on my interaction, I would rate them an eight out of ten. Some engineers do not understand what is there to solve, and they start pushing their perspective on the customer, which is not how it should be because it is not their environment.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use any similar solution previously.
How was the initial setup?
The deployment of Splunk Enterprise Security was very simple.
What about the implementation team?
We have professional service hours. We worked with Splunk engineers, and we had live working sessions. We were doing it like that. We did it for over a period of time, but that did not give us the full power of Splunk Enterprise Security. For that, we need to be able to configure our own data models and normalize the data. That is not happening 100%.
What's my experience with pricing, setup cost, and licensing?
It is quite expensive.
Which other solutions did I evaluate?
We did not evaluate any similar solutions.
What other advice do I have?
At this time, I cannot assess Splunk Enterprise Security in terms of the ability to identify and solve problems in real time, but we do use regular Splunk to pinpoint a lot of problems. It helps us a lot. We are able to pinpoint a lot of things, whether they are vulnerabilities or pointing to some logs in the firewall or authentication logs. All the analysts use it very frequently to write searches.
Splunk Enterprise Security has not helped improve our organization’s business resilience because we are not 100% dependent on it.
Splunk Enterprise Security can provide us with the relevant context to help guide our investigations. However, the input is not 100% perfect, so the output is not 100% perfect.
I would rate Splunk Enterprise Security a ten out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Analyst at Clarusway
Is user-friendly, can easily monitor multiple environments, and reduces alerts
Pros and Cons
- "The most valuable feature of Splunk Enterprise Security is website activity monitoring."
- "While Splunk Enterprise Security offers valuable features, its cost is high and could be more competitive."
What is our primary use case?
We use Splunk Enterprise Security to monitor our network environment for abnormal activities and threats.
How has it helped my organization?
We easily monitor multiple cloud environments with Splunk Enterprise Security.
Insider threat detection helps our security posture.
I use the threat intelligence management feature whenever I do a threat analysis.
When Splunk detects breaches and malicious activities it notifies our IT team so they can analyze the notifications and respond accordingly.
Splunk has helped our organization by allowing us to gain valuable insight through the analysis of large datasets.
The customizable dashboards are user-friendly and visually appealing.
It has helped reduce our alert volume.
It has helped speed up our security investigations.
What is most valuable?
The most valuable feature of Splunk Enterprise Security is website activity monitoring.
What needs improvement?
While Splunk Enterprise Security offers valuable features, its cost is high and could be more competitive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for around five months.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
How are customer service and support?
We frequently connect with the support team to review our options. They resolve our issues quickly.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We also use IBM QRadar but Splunk Enterprise Security is more functional and user-friendly.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is expensive.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
For someone who wants to use the cheapest solution, I would tell them that this is the best solution and worth the cost.
I recommend Splunk Enterprise Security to others.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Owner at Infrasec
Offers advanced threat detection, robust log management and powerful analytics to enhance organization's cybersecurity posture
Pros and Cons
- "The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed."
- "I find that the learning curve for Splunk is relatively lengthy."
What is our primary use case?
The primary focus of our work with Splunk is on security incident monitoring and security log monitoring. This involves utilizing it to analyze and respond to security events effectively. Additionally, compliance with regulatory requirements is another crucial aspect of our role. We also extend Splunk's functionality to custom applications by writing custom parsers and handling logs specific to those applications. This includes the development of unique dashboards tailored to the needs of each application.
How has it helped my organization?
Splunk's capabilities in insider threat detection are highly effective in assisting organizations in identifying unknown threats and anomalous user behavior. The sophistication of these features is notable, making them suitable and beneficial across a range of organizational sizes, from small businesses to large enterprises.
The threat topology and MITRE ATT&CK features are seamlessly integrated as complementary components within Azure.
It significantly accelerated security investigations, and I believe the improvement falls within the range of twenty to thirty percent.
The resilience provided by SIEM adds significant value; it is highly effective.
What is most valuable?
The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed. The flexibility to customize log retention periods is particularly beneficial. Additionally, we find the dashboard functionality and the advanced query language options to be highly valuable. These features, especially the powerful query language, are extensively utilized in our day-to-day operations.
What needs improvement?
I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.
For how long have I used the solution?
I have been working with it for three years.
What do I think about the stability of the solution?
I find it to be highly stable, and I would rate it a solid ten out of ten.
What do I think about the scalability of the solution?
I would rate its scalability capabilities ten out of ten.
Which solution did I use previously and why did I switch?
Before using Splunk, I relied on the built-in tools of Linux operating systems, such as syslog-ng, but specifically the open-source versions. I haven't had experience with the commercial version of syslog-ng, which is a more advanced tool. In this category, Splunk is essentially my first exposure to such advanced features.
How was the initial setup?
Setting up Splunk is quite straightforward, especially for basic configurations. The process is not overly complicated. While a cluster implementation may require more advanced steps, the basic setup is generally easy to handle.
What about the implementation team?
I handled the deployment independently, but the required personnel depends on the organization's size and the expected outcomes. For larger organizations, especially when the new tool integrates with various departments like operations, development, and security, it becomes a collaborative effort. In such cases, it's not a one-person job and involvement from multiple departments is essential. However, for smaller companies, the process is less complicated. It involves coordinating with support and developer teams to communicate the implementation, and the focus is on providing the necessary outputs from the tool to support their ongoing work effectively.
I utilized it in a single, non-geographically dispersed location. My experience is limited to a single site, and I haven't worked on a multi-site installation.
While it can run stably for a certain period, eventually, there is a need to manage or archive logs, especially if your background storage is not unlimited, as is often the case in these scenarios.
What was our ROI?
The return on investment is quite favorable with Splunk, particularly for large enterprises that have made the initial purchase and possess the requisite expertise and technical support.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I believe Splunk is unreasonably costly for the majority of mid and small-sized companies. Its real advantages, or what sets it apart, seem to be more suitable for large enterprises.
What other advice do I have?
For the market I focus on, which includes small to medium-sized companies, I would recommend Wazuh. It's an open-source security information and event management solution. The main consideration is that, in terms of both functionality and cost, Wazuh is sufficient for the requirements of smaller enterprises. Utilizing an open-source tool like Wazuh can effectively cover the necessary areas without the need for the higher costs associated with Splunk.
I would recommend that anyone considering implementing Splunk should first thoroughly assess their environment. It's crucial to determine whether Splunk is genuinely needed for your specific usage scenario or if a smaller software solution might suffice. Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
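Two reviewers above make the same underlying point from different sides: the engineer at the educational organization says notables are only as good as the data models that have been normalized, and the Infrasec owner describes writing custom parsers for in-house applications. The following added example (written for this page, not code from either reviewer or from Splunk) shows why that normalization matters. Two hypothetical applications log authentication in different formats; a small parser per source maps both onto one common authentication schema, and a single detection then counts failed logons per source address across both. The log lines, application names, field names and addresses are all constructed for the demonstration, and the schema is only modelled on the idea of a common information model, not a copy of any vendor's.

```python
import json
import re
from collections import Counter

# Constructed sample log lines from two hypothetical in-house applications.
# Neither the formats, the app names nor the addresses are real.
BILLING_LOGS = [  # key=value format
    '2024-06-01T10:00:01Z billing evt=login user=alice src=10.1.2.3 result=ok',
    '2024-06-01T10:02:11Z billing evt=login user=carol src=203.0.113.9 result=fail reason="bad password"',
    '2024-06-01T10:02:19Z billing evt=login user=carol src=203.0.113.9 result=fail reason="bad password"',
    '2024-06-01T10:05:00Z billing evt=invoice_view user=alice src=10.1.2.3 id=4711',
]
PORTAL_LOGS = [  # JSON-lines format
    '{"time":"2024-06-01T10:01:30Z","service":"portal","event":"auth.failed","username":"bob","client_ip":"203.0.113.9"}',
    '{"time":"2024-06-01T10:01:41Z","service":"portal","event":"auth.failed","username":"bob","client_ip":"203.0.113.9"}',
    '{"time":"2024-06-01T10:01:55Z","service":"portal","event":"auth.failed","username":"admin","client_ip":"203.0.113.9"}',
    '{"time":"2024-06-01T10:03:00Z","service":"portal","event":"auth.ok","username":"dave","client_ip":"10.1.2.8"}',
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_billing(line: str) -> dict:
    """Parse 'timestamp app k=v k="quoted v" ...' into a flat dict of raw fields."""
    ts, app, rest = line.split(" ", 2)
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in KV_RE.finditer(rest)}
    fields.update(_time=ts, app=app)
    return fields


def normalize_billing(line: str):
    """Map billing login events onto the common auth schema; other events return None."""
    f = parse_billing(line)
    if f.get("evt") != "login":
        return None
    return {"_time": f["_time"], "app": f["app"], "user": f["user"], "src": f["src"],
            "action": "success" if f["result"] == "ok" else "failure",
            "signature": f.get("reason", f["evt"])}


def normalize_portal(line: str):
    """Map portal auth.* events onto the same schema; other events return None."""
    f = json.loads(line)
    if not f["event"].startswith("auth."):
        return None
    return {"_time": f["time"], "app": f["service"], "user": f["username"], "src": f["client_ip"],
            "action": "success" if f["event"] == "auth.ok" else "failure",
            "signature": f["event"]}


def normalize_all(sources):
    """sources: list of (normalizer, lines). Returns every auth event in one schema, time-ordered."""
    events = [ev for norm, lines in sources for ev in map(norm, lines) if ev is not None]
    return sorted(events, key=lambda e: e["_time"])


def failed_logons_by_src(events, min_count=3):
    """Cross-application detection: source addresses with at least min_count failed logons."""
    counts = Counter(e["src"] for e in events if e["action"] == "failure")
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = normalize_all([(normalize_billing, BILLING_LOGS), (normalize_portal, PORTAL_LOGS)])
    for e in events:
        print(e["_time"], e["app"], e["user"], e["src"], e["action"], e["signature"])
    print("suspicious sources:", failed_logons_by_src(events))
```

The point of the example is the last function: it knows nothing about either application, only the normalized `src` and `action` fields. The billing log alone shows two failures from the suspicious address and the portal log alone shows three; only after both are normalized into the same schema does the detection see five from one source. That is the situation the educational-organization reviewer describes, where a half-normalized deployment generates some notables but not a full picture.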