Splunk Enterprise Security Reviews

It's the primary place where I'd go to do an investigation if I want to see what's going on within an endpoint, or on a network, or with a user.

The flexibility of the solution is quite good.

The product is stable.

It offers good scalability if you are willing to pay.

The technical support on offer is responsive.

The solution has a high learning curve for users. It's a little complicated when you're trying to figure out all the features and what they do.

The solution needs a bit more functionality. For example, being able to save a search and select it when you're doing an investigation. I know you can create dashboards and things like that, however, sometimes being able to have a pre-saved search and just fill in whatever value you need would make everything so much easier.

I've been using Splunk for four years so far. It's been a while.

I haven't had any stability issues with it. It's pretty stable. There aren't bugs or glitches. It doesn't crash or feeze.

You can scale the solution, however, users need to be aware of the product increasing in cost as well.

The technical support is very good. We're quite satisfied with the level of service provided. They are knowledgeable and responsive.

When I came to the company, they were already using Splunk. It's only now that we're looking to possibly move to another vendor. The cost of Splunk is much too high.

I wasn't here when this solution was put into place, however, from looking at the documentation and things like that, the setup is pretty involved. I'd say it's a bit more complex than straightforward.

We find the solution to be quite expensive. Therefore, we're looking for other options.

I don't know of the exact costs, as licensing is handled by another department.

We're just users. We don't have a business relationship with Splunk.

We're on a variation of version seven. I'm not sure of the exact one. It's not quite the latest.

I'd advise new users, if they have the budget for it, to go and take the training that they offer. Or, for casual users, you just want to spend as much time watching YouTube videos as you can. It will help lessen the learning curve.

As a solution, it's still pretty much industry standard. I would give it a nine out of ten overall, even though I have my gripes with it.

We need something to collect all our logs in a centralized solution. We have several servers but we don't have any log collection system.

Without Splunk or a similar product, if I want to check the log files every day, I have to log in to the individual hardware components in our system. I have to log in to the firewall, I have to log in to Windows. There are so many devices I would have to manually log into, one-by-one. It would take a very long time for me. 

Also, we don't have a dashboard so we don't know which issues are critical. When we use a centralized log monitoring system we can see things on the dashboard and it is easier for the IT manager or an IT engineer to take corrective action in the system.

The most valuable feature of Splunk is the log monitoring.

If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well.

It's very stable.

Up until we trialed Splunk we did not have any solution. We used Splunk because we don't have anything to monitor our system. I contacted our local vendor in Vietnam, and they suggest using the trial version of Splunk to see how it works in our environment. This is the main reason I trialed Splunk. We just used the trial version in our office and, since it expired, we haven't used it.

For me, the initial setup was not too complex. For an IT person like me, it was okay.

Our local vendor knows Splunk very well. He had already implemented Splunk for another customer. I called him to our office to have him install the Splunk. It took a couple of hours for him to finish.

We used a consultant for the deployment, from KDDI Vietnam. Our experience with him was good.

Because it was a trial version, I was the only one who used it in our company.

I kept some snapshots from our trial with the Splunk system and we are preparing a proposal to submit to our manager in Vietnam. If in the near future we have enough money to purchase the system, we will invest in this system for our company.

The primary use case is for log analytics. Although, we have been using it as a hammer which hits all the nails. We have sort of overused it in some areas where it doesn't need to be used.

We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health. From there, you can drill in to see the real deep dive example of what is happening in your environment. It has reduced our time to resolve incidents. 

The most valuable feature is its centralized log analytics.

The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. If there was a better way to extract the data point and put it into a long-term viewing ability for a year-over-year analysis, then compare that to your other business metrics. That is what I am looking for, as an example, for a call center you want to see the time it takes for your customer to be handled on their need comparatively to the system performance that is happening, then overlay that data. 

Three to five years.

We put a lot of trust in it. It has been pretty rock-solid outside of a couple of changes that we made. Upgrades sometimes don't always go smoothly, but otherwise the system performs, and operates. 

When we were trying to implement an enterprise solution on-premise, we had scaling issues. It was very difficult to search the data retention beyond a few days. A lot of talent was given to the ability to go into AWS and scale with our need. We still had to do some administrative things to prevent consumers from trying to search all records for all time in very inefficient searches. This could sometimes bring our core system functionality to a halt, so we had to do some user administration in it.

I don't engage with the support directly. Another member of my team does. Any time that we have needed support, he hasn't had an issue opening a ticket and receiving the help that he needs.

The integration and configuration in the AWS environment was pretty good. They have a consumption method for pretty much every service. They might be able to do a little better at advertising different patterns for best practices for different service, but overall there's a method to get everything.

We have had a reduction in the time it takes to resolve issues and correlate what has failed. This has significantly helped.

We looked at the Elk Stack, Kibana, and Sumo Logic.

We chose Splunk because their cost is better, the maintenance factor is a little higher, and the core functionality is higher than what other products provide. The core functionality is out-of-the-box. E.g., with a Toyota Scion, you can customize the parts to make it whatever you want, but it's a lot of work to get there. Where if you buy a Cadillac, you pay the Cadillac's price, but it's a Cadillac. It will work right out-of-the-box.

It works well when searching logs. If you looked to try to do things beyond this, the problem that we ran into is that we treated it as the hammer which hits all nails. That is not really feasible, and there are other tools out there that can do more specialized things.

User administration is key. Trying to prevent users from being able search records all the time is a huge problem. You need a tight approval process on dashboards, making sure the dashboards are queried in the most efficient way possible. 

The on-premise version that we had was not scalable at all. It was very difficult to use. We have EC2 instances in the cloud with Splunk installed, which is more scalable and easier to use. It now works much better.

Great Log management capabilities with flexible and comprehensive search capabilities. Scalable and Easy to use.

Operational Workflow, Use Case Framework, and ticketing systems to make it suitable for SOC environments

3 years

Splunk is extremely scalable with the limit being the hardware in use.

If you get the right people engaged, support can be a bliss.

Setup is simple and straight forward.

http://infosecnirvana.com/splunk-enterprise-need-know/

Splunk – ease of searching large amounts of data. 

Splunk – real time alerts on critical indicators, compliance reports, troubleshooting and predictive abilities using trends. 

Splunk – 3 years 

Splunk – Had one issue requiring a support call regarding the configuration of the automated configuration deployment package. Quickly resolved. 

Splunk – None. 

Splunk – Not needed yet. 

Splunk – Splunk has a very knowledgeable support staff and the Splunk support website is outstanding. The message boards are very active and often using them will often prevent having to call support. 

Splunk – Easy, but can get very complex depending on the type of logs to ingest. While Splunk, out of the box, handles most common types. The extraction of data from custom logs can be problematic. Although Splunk does provide tools for accomplishing this. 

Both Splunk and LogLogic excel at their intended purpose. If you are looking for an appliance that you can stick in the rack, minimally configure and then forget about, you will like the LogLogic solution. If you need to regularly search different logs for different data you will like Splunk better.

We use it for security incident event management and for IT service intermediates.

We sell it to clients so clients benefit from Splunk in terms of live security monitoring of their parent IP infrastructure base. Their IP security and network application base is where we have a 24/7 monitoring interface.

Splunk has many good apps and has a contribution from all security vendors. That's where Splunk wins.

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market.

Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. 

Its costs are too high and it should be more cost effective because it's going to be a cloud offering. 

Stability is perfect. It's a good product. The market right now is moving towards cloud. We will use cloud in our option strategy. One thing that Splunk does not have is a partner consulting base so Splunk depends heavily on its own consulting, which I think should not be there. They should promote more partners for consulting. In fact, their education program is also very costly for all partners. For example, if you want to get your guys certified it's really costly. Because they have a good solution, they're completely inflexible with pricing. I don't see a lot of enablement from Splunk. 

The initial setup is simple, not very complex. Initial deployment takes around 10 to 15 minutes to set up the entire base for Splunk including all three tiers.

The client has to bear that cost plus the initial infrastructure, Splunk does not come in and install it. The client, retailer or the partner has to do it. Secondly, then comes the software installation part of Splunk wherein you go and install the Splunk components. Then you have the configuration part which includes the revenue use cases on the Splunk apps on the Splunk platform which is another big phase. You can build your project the way you want to. It's a life phase. Use cases are not something which cannot be quantified. Initial set up can be done through the Splunk apps and then, later on, you can modify the use cases as per what the client needs.

Pricing is one factor that hurts everybody on the market; the client, the reseller, everybody that touches it. Only Splunk makes money. It is hard to have it for the long term if it's a stretch for your budget. Pricing becomes a problem and people are just focused on numbers rather than creating a vision for the entire product. That is the biggest factor I found with Splunk, that they just want to make money and they don't care about anything else. They lost national, country-level projects because of this attitude.

I will rate it as a security product an eight out of 10. There's no product which is perfect unless you go back and you create a psychic of the solutions.

Our primary use case of Splunk is for log monitoring and infrastructure monitoring. If we want to diagnose any issue in our application, we just push our application logs. This is on any client server using the universal forwarder logs on the Splunk server. After indexing, we can create a base log, and create attractive dashboards that are simple to understand and use. I'm a system administrator and we are customers of Splunk. 

This is a straightforward solution, easy to configure and difficult to mess up. 

Splunk is a very costly solution and I think it's the most expensive in the market in terms of costing. Splunk provides an application for infrastructure monitoring. If we're monitoring the docker with containers, we can't see the container name, only the ID. That's a big drawback.

I've been using this solution for two years. 

This is a stable solution. Deployment takes one person, it can be a system admin or an engineer.

This is a scalable solution. We can do the clustering of it for large applications. We have around 15 users for this product. 

If I have any issues, I'll go to the community. I can generally get a response within a day. Although most of the documentation is good, some of it is unclear, particularly if you're new to the product. 

I think it takes around 10 minutes to install it on the server. On the client side, it takes around five minutes. I do the installation myself. 

If you're going with this solution, make sure that when implementing the ports are open. If they're not open, it creates problems with the server. Other than that, this is a very stable and very easy to configure product. We can easily deploy and easily use. Other similar solutions are difficult to configure, Splunk is the simplest. I've used three or four monitoring tools and Splunk is the easiest. If a company can afford it, this is a good product. We are planning to shift to another product because of the cost. We're searching for an open source or cheaper product.

I would rate this solution a nine out of 10. They lose one point for the price and lack of infrastructure support.

On-premises

With the use of Splunk, we were able to identify a brute force attack against a "switch" network device. An external attacker attempted to connect multiple times using multiple usernames. Splunk was able to detect these attempts and immediately blocked these attempts.

Splunk has facilitated the correlation of information security logs to look for incidents which could cause damage to the company's infrastructure, as well as financial losses from leaks.

Splunk's ability to receive all types of data and identify it correctly. It obtains a correlation of the logs and identifies incidents.

Splunk can improve regex/asset analysis as we do not want to crawl until it is done. I could not find a timestamp for when the log was processed and generated.

One to three years.