At a high level, its use cases are related to security monitoring, log aggregation, and a little bit of analysis related to incidents or fraud.
Cyber Security at a financial services firm with 5,001-10,000 employees
Integrates well, provides good visibility, and helps to identify things that can lead to a larger problem
Pros and Cons
- "Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us."
- "Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market."
What is our primary use case?
How has it helped my organization?
Splunk Enterprise Security has created better visibility for us on the cybersecurity type of events and issues. We are still maturing, but where we have seen some growth is getting better data, knowing what data to look at, and how to understand that data.
It has end-to-end visibility into our cloud-native environment. This is extremely important for us because of the type of business we do. We have a lot of PII data and a lot of compliance data on which we have to maintain very tight controls, so it is extremely important that we are able to put that in the cloud and monitor and watch our environment very closely.
It has reduced our mean time to resolve, but we are still maturing. We have got a lot of maturing to do. We have got a lot of growing to do. We have also been limited on the staff to be able to get the full realization of what we can get out of it yet, so that is a place where we are continuing to grow.
It has improved our business resilience. We have been able to identify things that could have presented a larger problem for us financially or legally through various events. We have been able to leverage the data there. We have been able to maintain that data and support that data. It does the job. It meets the needs.
Splunk has not helped to predict problems in real time because we have not yet matured to that place, but we need to. Generally, it has been helpful, but we know that we have got a lot of growing up there. We still have not got everything identified and captured in the space we want to be able to do better analysis.
Its ability to provide business resilience by empowering our staff is really high. Empowerment is great, but we have a resource problem, so we have not quite realized where we could be.
We monitor multi-cloud environments. We have three of them. It is difficult to monitor them currently with Splunk. We are living in a highly regulated stack and a very little regulated stack and the ability to get a single pane of glass for all of that is very difficult.
What is most valuable?
Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.
What needs improvement?
Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.
In terms of scalability, it is hard to forecast where you are going. There is room to improve there.
Buyer's Guide
Splunk Enterprise Security
September 2023

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2023.
734,678 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution for about five or six years.
What do I think about the stability of the solution?
I would rate it eight out of ten in terms of stability. Where there has been ambiguity for me is that I recently had system stability issues that were beyond my control. They were part of my solution, and I was not aware that Splunk was accountable for it. It got quickly resolved, but there was a gap there that created pain for my business.
What do I think about the scalability of the solution?
We have not had any issues. We also have not had any detriment, but it is hard to forecast based on where you are going from a business perspective, at least with the models and the account teams that I have been working with. There is room to improve there.
How are customer service and support?
It has been a rocky road. I have been through a road where I have had limited to little engagement or support. I am on the cusp of a large turnaround, meeting with my client team and dialoguing through it. Based on the history, I would probably rate their sales support a four out of ten. Going forward, I would rate their sales support an eight out of ten. They are in the right direction. I would rate their technical support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have been using the same solution for five or six years. It was selected before I joined, so I do not know.
How was the initial setup?
I joined after it was implemented. What I am working on now is the technical depth. I am spending a lot of time with the teams there for direction strategy. Splunk has done a great job there, specifically in pulling the right resources to bear. I had executive briefings directly with executives today where we had an opportunity to talk about different components of our solutions and our stacks, and it has been very good.
What was our ROI?
We are in a growth state right now. We have seen an ROI, but anticipating any point in the future is a little difficult, so it is a mixed response. Our scale is not quite clearly defined to be able to put it to a metric or to tie it back to consumption use. There is a little bit of autonomy in there to over-adjust and still find that we can true-up in a better space. That has been good for us, but if you let that run away from you, then you start to get in trouble.
We have not seen any cost-efficiency. We have seen our usage and needs grow, so we have seen Splunk go up in cost for us. We have not quite realized any efficiencies yet. It is also indicative of our maturity model.
What's my experience with pricing, setup cost, and licensing?
The licensing is good, but the pricing absolutely needs some work. It is very high. One thing that they put in a contract, but they do not emphasize it enough is true-ups on usage based on the quarterly consumption. They do not follow that methodology. They let a customer use, use, and use, and then at some point, a true-up occurs, and it is a large cost. There is an opportunity to do a quarterly track type of true-ups as per the agreements out there. That would put them in a position where customers are able to plan on, forecast around, and work through volume adjustments that may occur in their environment.
The other place where Splunk could spend time is the scale-up and scale-down model. Scale-up is easy where you get more business, and it is easy to add more capacity, whether it is storage or SVUs, but when you need to scale down because of a change in a business, it does put customers in a position where they are locked in, and there is no way to maneuver around that.
Which other solutions did I evaluate?
We do an evaluation annually. It is important for us to do a market comparison and make sure we are looking at options in our work. What makes Splunk Enterprise Security competitive is the variabilities that they bring to the table for the overall solution. It has things like APIs that you can tie into. There is also the bonus functionality of being able to do analytics there. User behavior analytics is important for us.
What other advice do I have?
I would rate Splunk Enterprise Security an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 20, 2023
Flag as inappropriate
Principal Enterprise Architect at Aurenav Sweden AB
Handles a high volume of data, collects information from multiple sources, and is very stable
Pros and Cons
- "The reporting aspect is good and it does what I need it to do."
- "If you monitor too much, you can lose performance on your systems."
What is our primary use case?
In our organization, Splunk is used in our data centers.
We have integration services and other types of systems in our new IoT architecture. We're using it to capture information.
We use Splunk as an aggregator for monitoring information from different sources, however, for our protection suite, we're using Comodo.
It's designed to collect data from different points. It has a lot of integrations built into it and that's why we're using it.
We use it for our enterprise more - such as for messaging. There's a lot of stuff we do on our integration services layer that we use Splunk for. For security purposes, we're using Comodo. Therefore we're not using Splunk for security purposes. We're using it for monitoring what's happening at our integration services layer.
How has it helped my organization?
Splunk indicates when we've got problems popping up somewhere or we're not getting the flow we expected. If there's a problem, we have those flagged and we use it for logging.
What is most valuable?
Splunk handles a high volume of data that we have, and it does it really well.
For what we're using it for, we're happy with its functionality.
The reporting aspect is good and it does what I need it to do.
From an operational standpoint, it helps us on the operations side and it also shows where we're having issues.
It connects to a lot of stuff. We can collect information from a lot of sources.
What needs improvement?
The interface or maybe some settings need to be improved a bit. It cannot be perfect, however, the issues may be related to the configuration or setup.
If you monitor too much, you can lose performance on your systems. You have to be careful what you're monitoring. If you monitor everything, everything stops working. You can go overboard in monitoring. You have to plan your monitoring pretty carefully.
It could be easier for beginners. As it is, right now, You have to have a good understanding of the solution in order to use it properly.
That said, as the user, I'm at a higher level of management on the architecture side in dealing with resilience. My concerns are different from other user concerns. Also, most of our clients are using it way more than we're using it.
For how long have I used the solution?
We've used the solution for more than a decade. It's been a long time.
What do I think about the stability of the solution?
We haven't had any problems with stability. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.
What do I think about the scalability of the solution?
We've never had an issue with scalability. If a company needs to scale, it can.
The danger of Splunk is that it can get too big too quickly and you have to be very careful with what you want to be monitoring due to the fact that if you monitor too much, you can slow down things and you can hurt your performance on your system. We have to be very careful of what we're logging.
We have about 12 users on the solution right now.
We do not plan to increase usage in the future.
How are customer service and support?
We don't use technical support very much. We've been using it for so long, we generally understand it and do not require assistance.
Which solution did I use previously and why did I switch?
We used to use Splunk a lot more, however, we've moved more to Comodo right now. I'd say we've moved to Comodo from Splunk in a lot of areas.
On the security side, we use Comodo. Not all of our clients even have Comodo. A lot of them are using Splunk, however, a lot of them are using Splunk for enterprise operations and network operations items. Some of them are using security and a lot of them aren't. Splunk is offered as a security option now, however, originally, when you used it, it was to collect enterprise operations information and know-how your systems are running.
How was the initial setup?
We've been using it for a long time, therefore, I don't even remember when we set it up or how it went. We do keep it updated and use the latest versions.
I only have one or two people doing maintenance on it.
What was our ROI?
ROI's a hard thing to pin down. We've had it for so long, it's part of our core operating infrastructure.
What's my experience with pricing, setup cost, and licensing?
Everything we do is either yearly or multi-year. I don't know if there is any additional cost to standard license fees.
What other advice do I have?
We use Splunk and we also sell and support it for our clients.
Normally our policy is to keep software updated to the latest version.
The main issue is that we do enterprise architecture and network and security operations. We recommend certain platforms to clients. We don't always sell Splunk directly to them due to the fact that, since we're being hired to help them make choices, we need to be neutral. In the cases where it doesn't make sense, we don't sell it. We just help clients make decisions.
I don't know which version of the solution we're using. I'm an architect; I'm not on the operations level. I'm not the one who actually uses it. Our operations use it. I get dashboard results and I do reports that are based on it, however, I'm not the one actually running it. We have a NOC and a SOC and others use it a lot more individually. They have a lot more interaction than I do. I'm getting reports out of it. Others are actually connecting to it, using it as a tool. I'm not a tool user. I'm an information user.
All Splunk is, is data collection and it can sort things out on a dashboard. However, a lot of what Splunk does is collect data and you have to decide what kind of information you're going to let it collect. When we're doing design operations we have to really pay attention to what we're doing, so we don't actually slow things down or impede things. The reason we use Splunk is we put a lot of data into it.
With Splunk, you need to really be careful about what you're monitoring and how you use it, to get keep the results working. It's a good tool if you know what you're doing and what you need to be logging. You need to be aware of what you're logging to ensure it isn't going to cause problems with your performance.
I wouldn't recommend it for somebody who's coming in new. Of the clients we have using it, I don't know if any of them don't have professional IT running it. It's important to really understand what's going on.
I'd rate the solution at an eight out of ten. In certain environments, it could be a bit complex. It's not something you could just drop into an organization, you need to be trained to use it. You need the experience to use it properly.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Splunk Enterprise Security
September 2023

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2023.
734,678 professionals have used our research since 2012.
IT Specialist at a government with 10,001+ employees
Fair price, integrates well, and allows us to have everything in one tool
Pros and Cons
- "Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me."
- "It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit."
What is our primary use case?
I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.
How has it helped my organization?
We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.
Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.
Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.
Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.
What is most valuable?
Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.
They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out.
What needs improvement?
I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit.
In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.
For how long have I used the solution?
I have been using Splunk Enterprise Security since 2016.
What do I think about the stability of the solution?
It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since.
What do I think about the scalability of the solution?
Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect.
How are customer service and support?
I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.
How was the initial setup?
I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.
We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it.
The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue.
What about the implementation team?
We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.
What was our ROI?
We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.
When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.
What's my experience with pricing, setup cost, and licensing?
Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.
Which other solutions did I evaluate?
We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.
What other advice do I have?
I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Aug 9, 2023
Flag as inappropriateSr. Cybersecurity Engineer Splunk Architect at Coalfire Federal
Reduces troubleshooting time, but the interface and usability need to be improved
Pros and Cons
- "Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security."
- "Its interface and usability can always be improved."
What is our primary use case?
Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.
We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.
How has it helped my organization?
There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.
I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.
Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.
We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.
In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.
What is most valuable?
Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.
What needs improvement?
Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.
For how long have I used the solution?
We have been using Splunk Enterprise Security for about five years.
What do I think about the stability of the solution?
The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.
What do I think about the scalability of the solution?
We have a total of 500 devices, and we ingest around 150 gigs a day.
The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.
How are customer service and support?
Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.
They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.
How would you rate customer service and support?
Positive
What was our ROI?
The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.
In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.
What's my experience with pricing, setup cost, and licensing?
Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.
What other advice do I have?
I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.
Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 31, 2023
Flag as inappropriateDelivery Manager at a tech services company with 1,001-5,000 employees
Provides more versatile dashboard than other solutions and very fast search functionality
Pros and Cons
- "Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great."
- "Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported."
What is our primary use case?
The primary use case is security and data analytics. In general, we manage and maintain it for our customers.
What is most valuable?
Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.
What needs improvement?
I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.
For how long have I used the solution?
I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.
What do I think about the stability of the solution?
The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.
What do I think about the scalability of the solution?
It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.
How are customer service and support?
The technical support is good.
However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.
Still, the people I have worked with there are all an eight-plus out of 10.
How would you rate customer service and support?
Positive
How was the initial setup?
It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud.
The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.
The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing, or designing and handing it over to them.
If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.
Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.
What about the implementation team?
We do it ourselves.
What's my experience with pricing, setup cost, and licensing?
The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.
IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.
Which other solutions did I evaluate?
I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm.
If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.
Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search.
If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in.
Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 18, 2023
Flag as inappropriateData Center Architect at a outsourcing company with 201-500 employees
Rock-solid with flexible search capability, but gets expensive because of its cost model
Pros and Cons
- "The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard."
- "It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost."
What is our primary use case?
We typically use it for centralized log management and SIEM functionality.
I am using the most recent version of it.
How has it helped my organization?
As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.
What is most valuable?
The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.
What needs improvement?
It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.
To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.
For how long have I used the solution?
I have been using Splunk for about seven years.
What do I think about the stability of the solution?
It has been very stable. It is pretty rock solid.
What do I think about the scalability of the solution?
It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.
Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.
How are customer service and support?
We've had a few calls, and they're very responsive.
Which solution did I use previously and why did I switch?
We were using an assist log backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.
How was the initial setup?
It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.
It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.
What about the implementation team?
We used packaged professional services from a partner of Splunk. Our experience with them was very good.
In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.
What's my experience with pricing, setup cost, and licensing?
It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.
They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.
What other advice do I have?
I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.
I would rate Splunk a seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Good monitoring and visibility with helpful threat detection capabilities
Pros and Cons
- "The solution helped reduce our alert volume."
- "When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time."
What is our primary use case?
I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.
How has it helped my organization?
It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.
It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.
What is most valuable?
Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand.
We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.
Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.
It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.
Splunk Enterprise Security provides visibility into different environments.
The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure.
The actionable intelligence provided in Splunk Enterprise Security is good.
It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it.
I have used the threat topology and attack framework feature, however, now I am more of an administrator.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.
The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.
The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions.
What needs improvement?
When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.
For how long have I used the solution?
I've been using the solution for three years now.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.
The solution is scalable. In terms of data, it's very flexible.
How are customer service and support?
Technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.
How was the initial setup?
The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration.
We get logs from various sources from various clients.
It does require a bit of maintenance. It requires, for example, server upgrades and patching.
What's my experience with pricing, setup cost, and licensing?
I can't comment on pricing. I don't take care of that aspect.
What other advice do I have?
I'm a customer and end-user.
I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.
I'd rate the solution nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 7, 2023
Flag as inappropriateSOC Analyst at a tech services company with 10,001+ employees
Helps us to plan, know where to look, and what to look for when we have an incident
Pros and Cons
- "I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features."
- "The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training."
What is our primary use case?
Our primary use case is for cyber security, tracking logs, and incident response.
What is most valuable?
I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features.
This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that.
The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.
We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.
What needs improvement?
They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.
For how long have I used the solution?
We upgraded to Enterprise Security a year ago but have been using general Splunk for longer.
What do I think about the stability of the solution?
Stability-wise, despite these issues, it's been solid. I haven't had any issues with access to it or anything like that. The only issue we did have was with the engineer. After informing him of those issues, he went back and tweaked them, and then everything worked fine.
What do I think about the scalability of the solution?
It seems pretty scalable. Our network isn't extremely large, so I don't think scalability will be an issue in our case, but I definitely see the opportunity to scale if needed.
We have around 8,000 devices, so it's a fairly small network. It's across several different networks.
How are customer service and support?
I have not used support yet mainly because I haven't delved into it as much because of the issues with our initial integration with our engineer not being so trained.
Which solution did I use previously and why did I switch?
We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.
I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications.
I would love to get Mission Control.
How was the initial setup?
My engineer had a little bit of an issue with it but it was because of his own lack of training. We were pushed to hurry up and get a SIEM. He did the best he could. I let him know what wasn't working, and then he would try to fix what he could on the backend so it could work. He was in talks with Splunk to fix those issues. The results are coming back a bit better, but I think that there is still room for improvement.
I was not involved with the setup. I came in afterward. One of our guys here was the one that was in the initial integration of Splunk. We ended up with Splunk as our main SIEM. I've never had any issues with it and I enjoyed it.
What was our ROI?
We will see cost efficiencies mainly just from saving time and the shortened time and response to those incidents that we see. The fact that everything's organized in one application, we should see a bit of an increase in efficiency.
What other advice do I have?
I do see the possibility and the opportunity to increase the meantime to resolution by a lot. We use several different applications to monitor logs. We have the vision.
I've seen some of the updates and changes like Splunk AI and Splunk Vision Control that look nice. I didn't manage to get on some of the hands-on, which would have been lovely. I would like to get more ideas on how we can integrate Splunk into our networks.
I would rate Splunk Enterprise Security a nine out of ten. I see the opportunity and I'm hoping with our engineer that we can get to where we can make the best use of Splunk. It really seems great. A lot of our staff here were all ready to use it. We're just hoping our engineer can get to the place where we can actually make use of it.
The biggest value I get from attending a Splunk conference is being able to see the updates, changes, the features they're adding, the Splunk AI, and Splunk Vision Control. That's been nice. I am looking forward to some of the sessions. I want to get more ideas on how we can integrate Splunk into our networks and things like that, especially focusing on cybersecurity. I would also like to see some of the stock sessions because it's a brand new stock. We're trying to stand it up. Seeing how they're using it for stocks would be great.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 30, 2023
Flag as inappropriate
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: September 2023
Product Categories
Security Information and Event Management (SIEM) Log Management IT Operations AnalyticsPopular Comparisons
Microsoft Sentinel
Elastic Security
IBM Security QRadar
Azure Monitor
LogRhythm SIEM
AppDynamics
VMware Aria Operations for Logs
ArcSight Logger
Fortinet FortiAnalyzer
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack
- What is a better choice, Splunk or Azure Sentinel?