Try our new research platform with insights from 80,000+ expert users
Security Consultant at Matiq
Consultant
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
  • "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
  • "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
  • "We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use."
  • "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst."

What is our primary use case?

My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per the defense of depth in all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxy, as well as IPS, and we are using Defender as Cloud App Security of 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.

How has it helped my organization?

It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures. 

We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.

What is most valuable?

The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device. 

It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.

What needs improvement?

Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.

Buyer's Guide
Splunk Enterprise Security
June 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,579 professionals have used our research since 2012.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.

What do I think about the scalability of the solution?

Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.

How are customer service and support?

When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.

How was the initial setup?

For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.

What was our ROI?

We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Flag as inappropriate
PeerSpot user
SOC Analyst at Topcon Omni Systems, Inc.
Real User
Makes investigations much easier by providing us with the relevant context to help guide our investigations
Pros and Cons
  • "The most valuable features include the incident review and Dashboard Studio."
  • "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."

What is our primary use case?

The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

How has it helped my organization?

It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

What is most valuable?

The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

Incident review with my SOC job helps me check all the incidents and alerts coming in.

What needs improvement?

Having analysts put their notes directly within the investigation feature in the incident review would be beneficial. To make notes. 

We have to go to multiple tabs for each dashboard, for each incident, or each application within Splunk, so if there is a way to consolidate all the tabs or everything into one app for that particular organization where an analyst could just click on that and everything is there. That would be a really good feature.  

For how long have I used the solution?

I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

Now at the current company, I've been here for about a year, so I've been using it here as well.

What do I think about the stability of the solution?

Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

Prior to Splunk's acquisition by Cisco, Splunk was really good. 

How are customer service and support?

Overall, the customer service and support were very good. At times, we had difficulties reaching out for your questions but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

What about the implementation team?

We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

What was our ROI?

It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

Which other solutions did I evaluate?

We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility. 

We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

What other advice do I have?

Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
June 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,579 professionals have used our research since 2012.
Manager of Security Operations Center at Wipro Limited
Real User
Helps ingest data, enhances business resilience and problem-solving capabilities
Pros and Cons
  • "The two features I appreciate most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard."
  • "They could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats."

What is our primary use case?

I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

How has it helped my organization?

The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

What is most valuable?

The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

What needs improvement?

I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

For how long have I used the solution?

I have been using Splunk Enterprise Security for eight years.

What do I think about the stability of the solution?

In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

What do I think about the scalability of the solution?

Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

How are customer service and support?

I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

How was the initial setup?

The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Ravi Nandasana - PeerSpot reviewer
Splunk Architect/DevOps Engineer at Data Elicit Solutions Pvt. Ltd.
Real User
Top 20
Saves a lot of time with powerful alerting and notification mechanism
Pros and Cons
  • "I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful."
  • "We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible."

What is our primary use case?

Our purpose for using Splunk Enterprise Security is SIEM.

How has it helped my organization?

Machine learning has been incredibly beneficial in our efforts to detect various threats. For example, we pull all security logs and utilize the MLTK framework, which helps us identify potential risks effectively. So, overall, it's been quite helpful.

We use the risk-based alerting feature. For instance, when it detects a failed login attempt, it assigns a risk score to it. This allows us to utilize the risk-based alerting features effectively to prioritize incidents based on their severity.

Risk-based alerting generates notifications based on the level of risk associated with a transaction. This approach effectively assists in monitoring transactions, such as payments. It allows us to track the progress of a transaction, from initiation to completion, and identify any errors that may occur during the process. If there are numerous errors, we can assess the risk and determine whether the transaction might be a false positive.

Splunk Enterprise Security has been very helpful in this regard. However, I've noticed that improvement is still needed. We need to analyze the data more thoroughly. While this can be quite complex, finding a simpler solution would be beneficial.

What is most valuable?

The best features of Splunk Enterprise Security are the correlation rules and automation over the correlation rules. We can trigger alerts and notifications. The alerting and notification mechanism is really powerful and good. 

What needs improvement?

It needs more AI integration. The threat intelligence framework requires some AI functionality, which would be helpful.

For how long have I used the solution?

We have been using Splunk Enterprise Security for a couple of years, and I have been on the ES team for the last year. I have also used it in my previous company.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security rates at eight out of ten.

What do I think about the scalability of the solution?

It is scalable. We can only increase the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible. There is only one server, and if you want to increase scalability, you must increase the RAM and memory for that same server. The scalability is an eight out of ten.

We simply request Splunk support to increase our storage or make other adjustments as needed. We don't have access to AWS; all of that is managed by Splunk. We just need to reach out to them and say, "Please increase our storage by one terabyte," and they can handle that for us.

How are customer service and support?

Technical support for Splunk Enterprise Security is very good. We have daily calls. They are very helpful, rating at nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We tried LogScale in the past, but it has very limited functionalities and not a proper UI. It offers approximately 10% of Splunk Enterprise Security's capabilities. We haven't found any solution comparable to Splunk Enterprise Security.

How was the initial setup?

We utilize a combination of both cloud and on-premises setup. Specifically, we use Splunk Cloud for search indexes and other things. On the on-premises side, we have our heavy forwarders, standard forwarders, and user-defined forwarders. So, we effectively integrate both approaches.

The deployment for Splunk Cloud is very easy. They have predefined templates and setups on the AWS end. They utilize many AWS features. If you terminate any indexer, it will spawn up again. This type of automation exists with Splunk Cloud, making it really efficient.

It doesn't require any maintenance, but when we are doing batch upgrades, we need downtime, which is acceptable. It's four to five hours of downtime.

What about the implementation team?

Currently we have a team of seven people for Splunk Enterprise Security, with additional staff using Splunk Cloud and related services.

What was our ROI?

Splunk Enterprise Security helps to save a lot of time, which is our main purpose. Whenever something is wrong in our environment, we immediately get an alert. It saves time and costs. Compared to traditional methods, Splunk Enterprise Security saves approximately 40% to 50% of time.

What's my experience with pricing, setup cost, and licensing?

For small customers, Splunk Enterprise Security is quite expensive. For my team with a substantial budget, the cost is acceptable.

What other advice do I have?

I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful.

Splunk Enterprise Security helps save significant time and money, which most customers are looking for. It is easy to configure and manage. If you have certification or basic knowledge of Splunk Enterprise Security, it provides excellent job opportunities. The solution provides numerous helpful dashboards where you can directly check threats and other metrics. 

Overall, I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
Flag as inappropriate
PeerSpot user
Eko Kurniawan - PeerSpot reviewer
IT Operations & Security at Veris
Real User
Top 10
We can manage all the logs from every device on a single dashboard
Pros and Cons
  • "Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task."
  • "Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard."

What is our primary use case?

I work in the pharma industry, and I use Splunk to aggregate all my reporting logs for my firewall and Active Directory logs. We have anti-spam, web application firewalls, and other solutions to secure our perimeter. We use Splunk for log management and have a stack to transpose a log from the firewall to a VM. When we directly feed the firewall logs to Splunk, they become intermittent and freeze. 

How has it helped my organization?

The biggest benefit is that we can manage all the logs from every device on a single dashboard. I can put the log from the core system into Splunk to analyze for abnormal behavior and show that to the developer to improve it. Splunk can also analyze our security devices for security posture for CRM and ISO requirements, helping the organization obtain its ISO certificates.

We started to see the benefits of Splunk when we created our first dashboard. Based on the dashboard information, we can get deep insights from the log, where we define a security incident or event and assign a score to repetitive events. For example, we receive brute force attacks, where the hacker attempts to try a thousand or a million passwords. This will trigger alerts on the dashboard or email. We are not monitoring 24/7, so we can get alerts from Splunk. We can detect threats faster from firewalls and antivirus. 

The consolidation helps us identify the source of the threat faster. They can analyze the forensics to dig into information from the log and correlate the devices. A unified log from various devices can simplify the IT team's response and reduce the alert volume by 35 percent. 

What is most valuable?

Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task. 

I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.

Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution. 

What needs improvement?

Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard.

Splunk's latest version is much better than before. It's more resilient and powered by AI. It can ingest more complex logs. It will be better because we're using the legacy one.

For how long have I used the solution?

I have used Splunk for around six years.

What do I think about the stability of the solution?

I rate Splunk 10 out of 10 for stability. We've had no problems as long as we ensure we have capacity planning for the log system, which is growing every second. 

What do I think about the scalability of the solution?

I rate Splunk nine out of 10 for scalability. 

How are customer service and support?

I rate Splunk support eight out of 10. Support was great, and they responded quickly. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Splunk is our first SIEM, but we'd like to explore Wazuh more.

How was the initial setup?

It's hard to say whether deploying Splunk was straightforward or complex because sometimes the consultant did the work for us. I handled the operations side, and the consultant did the project itself. It was completed in two days. 

What's my experience with pricing, setup cost, and licensing?

Splunk is expensive. It's based on the data inside the log. If you produce bigger logs, the cost goes up. We pay a license up to a set size, let's say 100 gigabytes, and if we have 101, they charge us for the overage. We pay about a billion Indonesian rupiah. 

There are many cheaper solutions. Microsoft Sentinel is also a little expensive, but there are cheaper ones like Wazuh, Graylog, and Rapid7.

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. If you want to use Splunk, you can try the free version, which goes up to half a gig. You can feed a log from the Active Directory. If you take that information directly from Active Directory, it will be hard to read. Splunk provides a good dashboard. 

Splunk is an excellent choice for an organization that needs a fully scalable and highly customizable solution. We can customize the dashboard to combine all the device logs. Unfortunately, others still need to learn how to do that. It depends on an organization's needs and resources because it's not cheap.

It's on the higher end of pricing, which can be a significant factor for small organizations with budget constraints. It's more appropriate for the enterprise level and companies with over 500 employees. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Information Security Architect at UMMS
Real User
Top 5
Incident reviews and machine learning capabilities help identify and prevent incidents
Pros and Cons
  • "The incident review in Splunk Enterprise Security seems to be the most helpful feature."
  • "Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option."
  • "It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free."
  • "One thing that I probably dislike the most about the Splunk product is their support."

What is our primary use case?

We use Splunk Enterprise Security for security monitoring.

How has it helped my organization?

Advanced correlation capabilities help to identify the patterns of malicious activities.

Machine learning capabilities in Splunk Enterprise Security have been effective for identifying and preventing incidents. Through machine learning, they correlate all the data and create notable events, which helps us identify malicious or suspicious traffic.

We have used the risk-based alerting a little bit. So far, it's been just fine. We haven't gone deep into it. Our other operations team hasn't utilized it to its full capacity, but it makes a pretty good filter overall.

The impact of automated responses provided by Splunk Enterprise Security has been very good on the efficiency of routine security operations.

What is most valuable?

The incident review in Splunk Enterprise Security seems to be the most helpful feature. 

What needs improvement?

It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free. 

Furthermore, incorporating Attack Analyzer into the main product instead of having it as a separate paid purchase would be an improvement.

For how long have I used the solution?

I have been using the solution for about three years.

What do I think about the stability of the solution?

I've had an issue only once with one of their products, but overall, it's been pretty good.

What do I think about the scalability of the solution?

Its scalability is pretty good.

How are customer service and support?

For Splunk Enterprise Security, it's been pretty good. For the regular Splunk Enterprise Platform, overall, it's like a C-minus. One thing that I probably dislike the most about the Splunk product is their support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used LogRhythm. Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option.

How was the initial setup?

I deployed Splunk Enterprise Security using professional services, and overall, it was good. My main responsibility was handling the coordination. The full implementation took about four months.

Approximately 90% of maintenance is done by Splunk.

What about the implementation team?

The implementation was handled by myself.

We purchased Splunk Enterprise Security through a reseller called AccessIT.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is a bit expensive overall, but it provides good value.

What other advice do I have?

I would rate this solution an eight out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
reviewer2382405 - PeerSpot reviewer
IT Developer/Architect at a government with 10,001+ employees
Real User
Top 20
It integrates well, reduces alert volume, and we can customize the dashboards
Pros and Cons
  • "Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets."
  • "I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging."

What is our primary use case?

We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback. Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs. This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times. The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios. In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats. Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.

We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.

How has it helped my organization?

Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from cCloudRail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.

Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.

Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.

The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.

Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.

I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.

Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.

Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.

The dashboards and reporting capabilities help to aid our security analysis.

We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.

Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.

What is most valuable?

I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.

Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.

What needs improvement?

I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.

I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.

The technical support response time has room for improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years.

What do I think about the stability of the solution?

Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.

What do I think about the scalability of the solution?

I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU memory and increase the capacity, and scaling requires a lot of planning and effort.

How are customer service and support?

Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.

How was the initial setup?

Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten.

Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.

Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.

Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.

Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.

Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.

I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
System Administrator at Galaxy Chemicals Egypt
Real User
Improves our security posture and offers good reporting capabilities
Pros and Cons
  • "The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations."
  • "Splunk's support is better, and its reporting is easier and better."
  • "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."
  • "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."

What is our primary use case?

My usual use cases for Splunk Enterprise Security include normal reporting.

How has it helped my organization?

Splunk Enterprise Security has positively impacted my organization by increasing security defense. It provides a good environment for defense.

What is most valuable?

The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.

What needs improvement?

The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks.

For how long have I used the solution?

I have been working with Splunk Enterprise Security during the last year.

What do I think about the stability of the solution?

I would rate Splunk Enterprise Security an eight out of ten for stability. In security, nothing is 100%.

What do I think about the scalability of the solution?

I would rate the scalability of Splunk Enterprise Security an eight out of ten. I have not tried anything to scale up or scale out as it is a new setup, but I believe it will be easy for that.

How are customer service and support?

I would rate the technical support of Splunk a seven out of ten. Sometimes there are delays. It is related to their giving a response after some time.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I used QRadar. The switch from QRadar to Splunk Enterprise Security was a management decision. We moved to Splunk Enterprise Security because of its benefits. Splunk's support is better, and its reporting is easier and better. There are also pricing advantages.

How was the initial setup?

It is a normal process. It isn't complex, but it is a new setup with new interfaces and a new way of thinking. It is always a challenge to use new software, and it takes some time to get familiar with it.

What about the implementation team?

I can install Splunk Enterprise Security myself, though some things require dealing with external assistance.

What was our ROI?

We have not calculated ROI in our environment. I have not received any assignment or recommendation to calculate ROI.

What's my experience with pricing, setup cost, and licensing?

The pricing of Splunk Enterprise Security is somewhat high, but comparing it with its benefits, it's acceptable. It depends on the type of business.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.