Splunk Enterprise Security Reviews

Its performance, scalability and most importantly the innovative way of collecting and presenting data.

Fast search! Imagine a scenario with an application environment where a couple of modules are based at a different servers. There is a system issue and a check needs to be completed in a timely manner. Traditionally engineers would have to login to the servers, navigate to different folders and load the log files to check for errors. Splunk can give this at a glance for all of the systems at once! Furthermore a “trap” of known errors could be saved and a real time alert setup to send an email in a meaningful way with relevant details (e.g. priority, affected systems) and instructions what needs to be done next.

Helpful for systems support, monitoring of the operations and deliveries, analysing trends and performance. Great for making sense of the application log’s events for business needs - e.g. requests per day, completed tasks per user, exceptions, KPI etc.

It can be easier to setup and adding new sources which Splunk are improving with every new version.

I have used it for two years.

No issues encountered.

It's running great given the information it processes.

Really scalable solution. Could be split into soft/hard forwarders if needed and even completed in an HA setup.

Splunk have dedicated staff trying to change the world for the better.

Splunk have introduced their own certification path which guarantees that the technical support will have the needed expertise.

I am familiar that there are other solutions out there but I haven't used them. Started with Splunk.

The initial setup requires some good analysis - what would be collected, from where, how to group the incoming data in virtual folders and indexes so it make sense and ease/scope the search later on. Apart from that the initial application setup is straightforward.

Implemented in house with the support of the vendor with high level of expertise.

I'm not sure about the money but in saved time and a new kind of visibility for the system/business process this product has been revolutionary in the working environment. The demand for deeper integration and more details hasn't stopped since the initial implementation and we have moved on from just technical and business reports, KPI reports from other systems and we keep building new alerts, dashboards and reports as per new requirements.

Not sure about the cost but I have heard it can get pretty costly for an Enterprise grade scale as the environment I work in. For home it is free up to 500Mb a day. Day-to-day cost for the product itself is costing just system resources, however the development work that needs to be completed for new requests and keeping the old one up-to-date can raise the budget according to the expertise needed.

Go for it and be brave. Experiment, add, remove, modify. Keep what is not working until it is working how you want and then delete the rest. Make a library of useful search queries and a diagram of systems and related files included in the indexes. Do not allow access for everyone to run DB queries as per the other forms of DB access. Install 3rd party modules and play with them. Collect system events for the OS and relate it to application performance. Trap the errors you have identified, create alerts and follow name convention for email subject (e.g. priority, type, system, description).

We are a solution provider and Splunk is one of the products that we distribute.

The primary use case is for SIEM and we have approximately 35 customers.

The fact that Splunk is a platform and not just a SIEM solution is a key benefit.

Our customers like that they can use Splunk to optimize their security.

The Splunk licensing model should be more flexible.

The support that is included with the standard licensing fee is very bad.

We have been working with Splunk since 2017.

Stability-wise, it's perfect. We haven't had any problem with Splunk. It's good software.

One of the key benefits and differences with this software is that the customer can scale up as much as they need to. Our largest Splunk customer is using between three and four petabytes of data per day.

If you don't pay extra for technical support then it is very bad. If you pay extra for it, then the technical support is normal.

I am familiar with other products and Splunk can handle much more data than IBM QRadar or any other competing product.

Direct competitors are more flexible when it comes to licensing.

We have not had any problems installing Splunk.

For a standard case, it takes between one and two weeks to install correctly and deploy. This is for situations where the client has less than 50 gigabytes of data per day.

Problems during the implementation are typically due to something on the customer's side. For example, if the client does not have somebody that is responsible for the deployment, helping to speed up the various procedures, then this is a key problem for us.

It takes two people to deploy and maintain.

Splunk is not a cheap solution and the license is billed annually. The licensing model should be improved and the price should be lower, in general.

You can purchase additional technical support, which is much better than the support that is included.

I would rate this solution an eight out of ten.

We are resellers. We provide solutions to our clients.

Splunk is primarily used for developing CM solutions that are based on the Splunk platform for future security operation center development.

We are concentrating on assisting in the development of a security monitor as well as analysis.

If I am not mistaken, it's a standard CM system for identification, security verification, and event monitoring.

In my opinion, it is too expensive for our projects.

It is very competitive for small and medium businesses. Perhaps some should be set aside for developing markets. To begin with, similar to the current market, there may be some special conditions for large transactions.

In the next releases, I would like to see more pricing flexibility. It's a subscription-based service, and they don't sell professional licenses.

In some cases, particularly with large projects, we are not competitive in terms of pricing when compared to IBM QRadar and other solutions; even if we offer the maximum discount available, our prices remain uncompetitive.

We have been selling Splunk for approximately five years.

The scalability is good. It can be added on-demand in increments of one gigabyte or ten gigabytes. It's a per-gigabyte license, and you can add whatever you need at the time.

Our projects are sized per our current IT infrastructure.

Splunk is used by 10 of our customers.

Our team provides technical support.

I have not communicated with technical support.

We no longer resell Checkmarks. 

We were unable to assist in establishing their business on-premises because It could have been too expensive for our clientele.

Installing Splunk is not difficult, but it can be complicated in some cases.

The issue is the integration with the customer's system, as well as the configuration of the rules for correlation, log collecting, and analysis.

It has good documentation and guides, but the main works should be focused on customer needs and customer resources for monitoring.

It can take three months to complete the installation.

We have a team of three certified engineers who will deploy and maintain this solution.

The licensing fees and pricing models could be reduced.

It's a yearly subscription.

They don't sell professionally because it's a subscription service. As a result, it is only a subscription service that is dependent on the customer's IT infrastructure.

We do not sell Compliance Control Limited solutions because our focus is on auditing and independent security assessments. We put an end to our selling program with Checkmarks.

I would recommend this solution to others. Splunk is appropriate for small to medium-sized projects, and it should be calculated for large projects.

It's one of the best CM solutions on the market for monitoring, and correlation, as well as IT monitoring security.

I would rate Splunk an eight out of ten.

I use this solution for data visualization.

The most valuable features of the solution are it is straightforward to use and the documentation is good for finding out how to get the data you are looking for.

The solution could improve by making it more business analysis oriented. The way it is now is designed more for developers.

I have been using Splunk for two weeks.

The solution is stable, I have not experienced any bugs or glitches.

The solution is scalable and it is a requirement of my company to have scalable solutions.

I have used previously Qlik Sense and Kibana.

I did the training with Slunk and once I had the training the installation was easy.

I have evaluated Tableau.

My advice to others is not to be intimidated by the solution and to give it a try. It will become easier over time.

I rate Splunk an eight out of ten.

I'm the CSSP manager and we are customers of Splunk. 

Splunk is good at log collection and log management.

I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

I've been using this solution for three years. 

Once you set up the solution, you don't really have to worry about it. It's very stable. I like the fact that you can pretty much just patch the OS, and it doesn't really affect how Splunk runs. With a lot of products, you almost have to wait for that company to implement a new patch or version of the product before you can upgrade the server it's on, or anything like that. Or you can't upgrade, you just have to go with whatever they give you, because they're giving you an appliance or something. I like the fact that Splunk allows you to integrate and still run as Splunk and still be compliant with most vulnerabilities out there without affecting functionality.

The solution is extremely scalable. We probably have about five or six users, so all our system administrators use it, they're the ones that implement it. Right now, just the CIO, the CTO, and there's a ISSM who has access. There are plans to add more people once we fully implement the Enterprise Security solution. We have admins responsible for maintenance.

The initial setup is kind of complex but I think it's an issue we have and not connected to the solution. We're still deploying. The company didn't have an implementation strategy, they're kind of just flying by the seat of their pants which wasn't a great plan. We're doing it ourselves, we didn't use an integrator. 

We have a 100 gig annual license. I'm not sure of the cost. Their licensing is based on the amount of data you collect. There is an additional cost for Enterprise Security. If there are any other kind of applications, the APIs that we created that we want to add, there are costs for most of those as well. Their pricing structure really could use a revamp. They really need to review and look at that and see if there's a better way that they can do it. Elasticsearch is a little cheaper and a better product in my view. 

It's important to prepare. You can't just get a solution and start to implement it. A big part of that needs to be preparation, and in IT, we're not great at that. I would go with Elastic, a similar product but better. The licensing is a little different but it gives you a little more freedom to do things. It's really flexible with what you can do and versatile in how you can use it. Splunk is still top when it comes to log collection. If you wanted anything more than that, you should probably look into using several different products. There isn't really one product that you're going to find that's going to give you that coverage and I just like the versatility of using several different products. There are some other things you can use that actually do a better job at the correlation part. 

I would rate this solution a seven out of 10. 

Log collection and search.

The search and query feature is very fast but due to the log size limit (in trial version), we did not get the full benefit.

Selecting the relevant events and records.

Due to the size limit, we could not see the full product.

We use it mostly for log monitoring, and also for trying to raise alarms.

It has helped with troubleshooting, making it easier. Now, we have one place where we can find logs and errors. There is no need to go to the actual server to search for the log file. 

It provides logs in one place, so they are easy to find. It collects the logs from multiple places, then you have just one place where you see the whole flow from the front-end to the back-end. This is the best thing.

The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, then maintaining those long search queries is a quite challenging.

I have not had any issues with it, and we have the whole banking infrastructure running on it.

The scalability is okay as far as I have seen and used it. We have dozens of different environment environments using the same Splunk instruments, and it has been able to scale.

I have not used technical support.

Splunk's website is quite useful. You can find a lot of information on it. I would recommend to use it and try to figure out the product's features and what you can actually do with Splunk. You can do a lot of things with Splunk, but you need to know what to do first.

I have used both the AWS and on-premise versions, but in two different environment, so I am unable to compare the versions.