Technical Project Manager at Altran
Enables us to pull up reports very easily, take action, and notify stakeholders
Pros and Cons
- "It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders."
- "It does not give us permission to implement on-premise so we implement them on the cloud."
What is our primary use case?
Our primary use case was really as a client organization, like the government and the IT industries; we are in the telecoms sector. We analyze security reports. We use Splunk to order them and put them in a system, and we use the various kinds of integration with Oracle Cloud, which is helpful.
How has it helped my organization?
Every tool has a drawback. Some aspects of this solution are secure but getting clean data from the cloud takes time. Looking towards the future, I'm looking for a tool that is the most secure in the cloud environment.
What is most valuable?
It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders.
What needs improvement?
I would like to see them develop integration with the help of a REST API, which is an API that helps to secure communication with Oracle Cloud and pull down records from there.
This integration is currently missing in the current version of Splunk. I'm looking forward to seeing this feature implemented in the next version of Splunk so that organizations can benefit from it in the future.
Buyer's Guide
Splunk Enterprise Security
May 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Stability is very good.
What do I think about the scalability of the solution?
Scalability is good. It's scalable enough. You can play around with this tool. Scalability is one of the main criteria we look for when considering solutions.
How was the initial setup?
The setup depends on the organization. It is very simple here. You can easily install all of the businesses in the company network. Previously, it was suggested that this solution is not flexible enough. It does not give us permission to implement on-premise so we implement them on the cloud.
Which other solutions did I evaluate?
We also looked at HP ArcSight and two other solutions.
What other advice do I have?
I would rate this solution a nine out of ten. I rated it a nine because every tool will have its drawbacks but ultimately it's a very good tool in comparison to HP ArcSight. If we can add on a scalability feature it would significantly improve the solution.
I would advise someone considering this solution to use it at least for a year to get a hands-on and technical understanding because it's a good product. Then decide whether or not to move forward with Splunk - but I would advise to stick with Splunk.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Director of Information Security with 201-500 employees
Extremely scalable but they need to make purpose-built modules more robust
Pros and Cons
- "It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution, with the accompanying requirements for people, just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to include everything, down to the Coke machine, in what the tool can collect data from, because of course the more they can put through the tool, the more money they make."
- "The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems, devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication."
What is our primary use case?
- SIEM
- Security information
- Event management
What needs improvement?
The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems, devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication.
What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.
What do I think about the scalability of the solution?
It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution, with the accompanying requirements for people, just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to include everything, down to the Coke machine, in what the tool can collect data from, because of course the more they can put through the tool, the more money they make.
Which solution did I use previously and why did I switch?
- AlienVault
- LogRhythm
- ArcSight
- QRadar
I've used a whole bunch of different solutions. For a SIEM based solution, they are more purpose-built for that function. Where Splunk is purpose-built for a general logging and data capture solution so you'd be able to capture a lot of different information.
How was the initial setup?
Anything that's not out of the box requires coding. Even up until recently, when they finally released their SIEM or their security add-on. Before then there was no security stuff at all. I would actually have to go in and code that within the system to be able to do the necessary searches to pull that information. Whereas a lot of the other tools already have those preconfigured, which means I don't have to go and recreate the wheel. Now, they have finally figured that out to a certain degree, and started putting the new tool in a place that gives you some SIEM functionality.
What other advice do I have?
As a logging solution, I would say it's probably an eight or nine. If you're talking about the SIEM I'd say it's probably about a five. For logging, I think they would have to change the costing model. The costing model is way out of line. It's built for very large organizations.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
VMware Engineer at First Data Corporation
In-depth logs but downloading and uploading logs have become an issue
How has it helped my organization?
100%. VMware needs log information to troubleshoot; it's not easy finding problems.
Downloading and uploading logs have become an issue.
What is most valuable?
- In-depth logs
- Add-ons
- The ability to ingest data from other tools
- The detailed log view
- It's easy to read
What needs improvement?
- The amount of time it takes to troubleshoot not-easily-available data
- Also, hours on the phone with VMware techs.
For how long have I used the solution?
Less than one year.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Network & Security Architect at an insurance company with 501-1,000 employees
Central locale for our cybersecurity
Pros and Cons
- "It is quite extensible. It is a platform that we can build our use of each case on instead of each case being limited or restricted to each capability. This is probably the best feature."
- "I would like to see future development in terms of ML (Machine Learning)."
- "I think the tech support response time could be a bit better. Sometimes I need to wait more than 24 hours for a response to my tickets."
What is our primary use case?
Splunk is our central locale for cybersecurity and protection.
How has it helped my organization?
Once we onboarded all of the required needs, it created a lot of visibility for us.
What is most valuable?
It is quite extensible. It is a platform that we can build our use of each case on instead of each case being limited or restricted to each capability. This is probably the best feature.
What needs improvement?
I would like to see future development in terms of ML (Machine Learning).
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It is a stable product.
What do I think about the scalability of the solution?
It can be scaled quite easily in comparison to other products on the market.
How is customer service and technical support?
The tech support response time could be a bit better. Sometimes I need to wait more than 24 hours for a response to my tickets.
How was the initial setup?
I was not involved with the initial setup.
What's my experience with pricing, setup cost, and licensing?
The price could be improved.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Analyst at an energy/utilities company with 1,001-5,000 employees
Reduced our time to log
Pros and Cons
- "In the past we used a different application to collect logs. We used SurfWatch and VMware to do so. But we found that Splunk has more capacity to do more in less time. They provide a faster speed to index all the events, and this is a huge asset."
- "Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market."
What is our primary use case?
In the beginning, we just wanted to collect the logs from the different devices, like the nano storage, Linux, Windows, and VMware. We tried to get a uniform solution to collect and analyze all of the system logs.
How has it helped my organization?
Our current companies need this solution. We need it to highlight the old logging events. Based on the different devices and systems, we have Splunk and we can clearly explain the everyday field logging of events in the different IT environments.
In the past, we used a different application to collect logs. We used SurfWatch and VMware to do so, but we found that Splunk has more capacity to do more in less time. They provide a faster speed to index all the events, which is a huge asset.
What is most valuable?
The user can apply it to all kinds of device systems, no matter whether he/she is using Windows or Linux. It can easily collect the logs. In addition, the user can have an index which can help us to collect and analyze all kinds of logs and find the outstanding issues.
What needs improvement?
Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
Scalability could be improved.
Which solution did I use previously and why did I switch?
We used SurfWatch and VMware in the past.
How was the initial setup?
I was not involved with the initial setup.
What's my experience with pricing, setup cost, and licensing?
I am not personally involved with the pricing of the solution.
Which other solutions did I evaluate?
We also looked at Selopene SIEM. It is a premier logging site.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CTO at IHS Markit
We were able to create a catalog of dashboards and have a holistic view at all levels, understanding our business better
Pros and Cons
- "The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports."
- "We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before now, surfaced up on dashboards."
- "We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved."
- "I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions."
What is our primary use case?
We use it for logging and troubleshooting.
How has it helped my organization?
Every team immediately created their own Splunk dashboard, and all the product owners were ecstatic about this. We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before now, surfaced up on dashboards. Even our executives could understand this, and it changed the way teams thought about alerting and reporting. It allowed us to send out real-time notifications to integrate with Opsgenie, and it changed the way IT works.
What is most valuable?
The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports. The dashboards are very intuitive and similar to SQL. They are easy to set up and get running.
What needs improvement?
The query language is pretty slick and easy, but it is not consistent in parts. Some of it feels a little esoteric. Personally, some of my engineers are coming from SQL or other languages. Some things are a little bit surprising in Splunk and a little bit inconsistent in their querying, but once you get used to it and once you get used to the field names and function names, you can get the hang of it. However, if it was a bit more standardized, it might be quicker to get it up and running.
I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions. I would also like a better UI tool for enhancements of advanced visual query editors.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It is pretty stable, though it has gone down from our usage. We do need to keep an eye on our query volumes. Right now, it is too easy for a user to write a query, run it, make it available in polling mode (real-time mode), and bring down the server. Some more safety alerting would help and be beneficial.
We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved. Overall, once you have people who know what they are doing, it is very stable.
What do I think about the scalability of the solution?
Our environment is on-premise, and it is big. We have a couple hundred users. However, it was slow and unavailable at times before we trained all the engineers on how not to write a long, constantly polling query.
How is customer service and technical support?
Our internal tools team did work with the Splunk support team extensively. I was not directly involved, but from my point of view, they were able to fix and resolve issues within a day or less, so they have been okay.
How was the initial setup?
It is early days right now to evaluate the integration and configuration of Splunk in our AWS environment. We are just starting to integrate it with regular stuff. While I think it is okay so far, I really do not have enough information.
What was our ROI?
Most of our return on investments have been through faster error resolutions. Our meantime to recovery has dropped for issues. We can often fix things before the customer notices them. Whereas, when logging was done custom by each team in non-standard ways, it would take days to resolve issues that are now resolved in sometimes minutes.
Which other solutions did I evaluate?
We knew we were going to go with Splunk. It was the leader and the one we liked. We didn't consider any others since Splunk met our needs.
We chose Splunk because of the ease of the UI, querying, and creating dashboards. It has a standardized query language, which a lot of the IT staff were already familiar with. It was the market leader from our perspective for our needs.
What other advice do I have?
Go with Splunk. A lot of people know how to use it because they have experience with it. It works well. While it has some pain points, it provides reports and data visibility.
It integrates great with Opsgenie, PagerDuty and Slack. We love the Slack integration, as it works great with the Slack alerts.
We use the on-premise version in our data centers and we use the AWS version. We are just starting to migrate to the AWS hosted version, and I have not seen a difference.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
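The "safety" guardrail this review asks for already exists in the form of per-role search quotas; the following is an illustration added here and is not part of the review or of Splunk's own documentation. It shows a developer role that cannot run real-time (continuously polling) searches and is capped in concurrent jobs, search window and scratch disk, plus an on-call role that inherits it and is allowed a small number of real-time searches. The role names, index names and numeric limits are assumptions; the stanza and key names are the standard authorize.conf role settings, so verify them against the authorize.conf.spec shipped with your Splunk version before deploying.

```ini
; $SPLUNK_HOME/etc/system/local/authorize.conf  (illustrative; roles and values are assumptions)
; Goal: let application developers search, but stop one runaway search
; from starving the search head, the failure mode described in the review.

[role_dev_readonly]
; Capabilities inherited through importRoles cannot be removed, so this role
; does NOT import the built-in "user" role (which grants rtsearch); it grants
; only what it needs. Add further capabilities from the "user" role as required.
search = enabled
; No rtsearch capability, and a hard quota of zero real-time jobs as belt and braces.
rtSrchJobsQuota = 0
; Concurrent historical searches: per user, and cumulative across the role.
srchJobsQuota = 3
cumulativeSrchJobsQuota = 20
; Scratch disk (MB) a user's search jobs may hold at once.
srchDiskQuota = 500
; Widest time range one search may cover (seconds; here 7 days) and the
; longest a single search may run before it is killed.
srchTimeWin = 604800
srchMaxTime = 10m
; Only the application indexes; no wildcard access to everything that is indexed.
srchIndexesAllowed = app_logs;app_metrics
srchIndexesDefault = app_logs

[role_sre_oncall]
importRoles = dev_readonly
; Responders get the capability back, but still with a small cap on
; how many real-time searches each of them may keep open.
rtsearch = enabled
rtSrchJobsQuota = 2
```

After a restart, assign users to `dev_readonly` rather than `user`; a developer who tries to set a dashboard panel to real-time mode is refused, and a historical search that exceeds the quota is queued instead of adding load, which is the alerting-free version of the safety net the reviewer wants.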
Enterprise Architect at a tech services company with 10,001+ employees
You can run reports against multiple devices at the same time
Pros and Cons
- "The technical support has been very good. They are very responsive and have been helpful."
- "You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do."
- "When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved."
- "I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier."
What is our primary use case?
We use it for log aggregation.
If you have a large number of devices, you need to aggregate log data to make more sense of it for parsing, troubleshooting, and metrics. This is all we use it for.
If I need to track logs for certain application, I will push all of those logs to Splunk so I can run reports on those logs. It is more about what you are trying to do with it and what you need from it.
How has it helped my organization?
We use it primarily for troubleshooting. We had an issue with SaltStack recently and were able to look for the same log entry on a thousand servers simultaneously, making the process easy.
What is most valuable?
The ability to create dashboards.
You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.
What needs improvement?
When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.
I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
It's been very stable for us. Most of our stress is not from Splunk, but from disk I/O, like input and output for the disk that you are writing logs to. We have had more issues with our own hardware than Splunk.
You have to make sure if you're writing an enormous amount of data that you have your I/O sorted out beforehand.
What do I think about the scalability of the solution?
It scales fine. We haven't had any issues scaling it. Our current environment is about 30,000 devices.
How was the initial setup?
The integration of this product in our AWS environment was very simple. We just forwarded our logs to it, and that was about it.
It has agent-based log forwarding, so it is very simple, not complicated at all. This process is the same from on-premise and AWS.
What was our ROI?
If you have a large number of servers, even a few hundred servers, then you need to track specific data and log information from a lot of servers. You can either go to each server individually or set up jobs to ship those logs somewhere with rsync or Syslog. The other option is to use Splunk and push them all to Splunk, then from Splunk you can just create alerts and run reports against all that data in one place with a single query rather than having to do all that work repeatedly. It saves us a lot of time, just in man-hours, and being able to look at hundreds or thousands of servers simultaneously.
Which other solutions did I evaluate?
Splunk has no real competition. It is just Splunk, and that is it.
What other advice do I have?
Build your environment a lot bigger than you think you will need it, because you fill it up quickly. We log somewhere in the neighborhood of two to four terabytes a day per data center.
We use both AWS and SaaS versions. With the SaaS version, you don't have as much control, but it functions the same, so there is no real difference. Though, the AWS version is probably easier to scale, because it is AWS.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
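The "agent-based log forwarding" this reviewer relies on, in concrete form, added here as an illustration and not taken from the review or from Splunk's own documentation: a Universal Forwarder on each server that monitors the SaltStack minion log and the application logs and ships them to the indexers over mutually authenticated TLS, and the matching indexer listener. Hostnames, file paths, certificate paths, index and sourcetype names are assumptions; the stanza and key names are the standard inputs.conf and outputs.conf settings, which you should check against the .spec files for your Splunk version.

```ini
; ---- On every server: $SPLUNK_HOME/etc/system/local/inputs.conf (illustrative) ----
; What to collect. One stanza per log source; index and sourcetype are assumed names.
[monitor:///var/log/salt/minion]
sourcetype = salt:minion
index = os_logs
disabled = false

[monitor:///var/log/app/*.log]
sourcetype = app:log
index = app_logs
disabled = false

; ---- On every server: $SPLUNK_HOME/etc/system/local/outputs.conf (illustrative) ----
[tcpout]
defaultGroup = idx_cluster
; Indexer acknowledgement: the forwarder re-sends data the indexer never confirmed,
; so a restart or a lost connection does not silently drop events.
useACK = true

[tcpout:idx_cluster]
; Assumed indexer hostnames; the forwarder load-balances across the list.
server = idx1.example.internal:9997, idx2.example.internal:9997
; TLS to the indexers, verifying the indexer certificate against an internal CA
; rather than trusting whatever is listening on 9997.
sslRootCAPath = $SPLUNK_HOME/etc/auth/internal-ca.pem
sslVerifyServerCert = true
; Client certificate so the indexer can in turn require authenticated forwarders.
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = <passphrase-of-forwarder-key>   ; placeholder; Splunk rewrites it encrypted on restart

; ---- On each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf (illustrative) ----
[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = <passphrase-of-indexer-key>     ; placeholder
; Refuse plain or anonymous forwarders: only hosts holding a cert from the internal CA may send.
requireClientCert = true
```

With this in place, the troubleshooting step the reviewer describes is one search across the fleet, for example `index=os_logs sourcetype=salt:minion "<the error string>" | stats count by host`, which lists every server that logged the same entry; the forwarder and listener settings are also what keep that log stream from being read or spoofed on the wire between the thousand hosts and the indexers.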
Software Engineer at Tableau Software
It has reduced the time to resolution and time to investigate, but the search query is slow
Pros and Cons
- "It has reduced the time to resolution, time to investigate, and time to troubleshoot for debugging issues."
- "Out-of-the-box, it seems very powerful."
- "My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it."
What is our primary use case?
We use it for searching logs in a production environment.
How has it helped my organization?
It has reduced the time to resolution, time to investigate, and time to troubleshoot for debugging issues.
What is most valuable?
Being able to search across all the different production environments at the same time, then being able to do search queries to scope out specific environments, specific components, or specific logs from different languages, such as Java or C++. Thus, being able to have really fine-grained control on log searching is really good.
Out-of-the-box, it seems very powerful.
What needs improvement?
The search query seems slow, but I am not sure if that is just because it is searching millions upon millions of lines of text. Also, I just started using it, so I might have no idea what I am doing. I could probably speed up the queries by improving my search skills.
My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it. It is possible that we have already done this and I haven't participated, but this type of training would be helpful.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
It is always up when I need to search. I am probably not using it that much. I will maybe search a couple times a day for something specific, so I am not using it too much. I know plenty of the people who are doing a lot more for debugging, and who use it a lot all day.
What do I think about the scalability of the solution?
It seems like it scales well. We have hundreds of production and development environments, and we are searching on all of them. Therefore, it seems like the scale is good.
We have hundreds of production environments, and each production environment has ten to 20 host machines. Each production environment can manage tens of thousands of customers.
Maybe going to AWS and scaling it better would be more cost-effective for our company. However, I am not involved in those decisions.
How is customer service and technical support?
I have not used technical support.
Which other solutions did I evaluate?
We have other log searching tools, but we have standardized on Splunk.
What other advice do I have?
It is a great product. We have a lot of different tools to do this type of debugging. Yet, it is one of the first ones that I will reach for, and I think that is a good sign.
It works well and is the industry standard for log searching. It probably has other features too. Therefore, if you use it, I would recommend the training, so you know what you are doing.
I am using the on-premise version.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.