My main use case for this solution is to detect threats.
Information Security Officer at Freeport LNG Development, L.P.
Analysts detect threats efficiently through scheduled alerts and customizable searches
Pros and Cons
- "It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have."
- "The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function."
- "I would evaluate customer service and technical support as frustrating at times."
- "If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them."
What is our primary use case?
What is most valuable?
The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function.
The other SIEMs were more menu-driven, similar to Yahoo in the past. With Yahoo, you would navigate to find restaurants in San Francisco. Splunk Enterprise Security operates more with a 'tell us what you want and we'll find it' approach versus directing users to look in specific directions. It is very hunt-friendly.
We are able to prevent breaches with Splunk Enterprise Security.
Integration supports our security operations since our analysts operate within Splunk.
What needs improvement?
Additional features could be included in the next release. The specific functionality I'm looking for relates to alerts and false positives. If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them. It would be beneficial if we could simply click a checkbox to filter and automatically add it to the search, then save it immediately, instead of the time-consuming process of cutting and pasting, which isn't efficient.
The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is maintaining balance in search parameters. Creating searches that aren't too narrow to miss threats, yet not too wide to generate excessive false positives is crucial. When determining recurring false positives for filtering, junior analysts who aren't coders must edit code-like elements. This introduces unnecessary risk when they could simply check a box to filter.
For how long have I used the solution?
I have been working in my current field for 33 years.
Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,933 professionals have used our research since 2012.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security to be generally acceptable. Some performance issues occur with historical, long-distance searches spanning three to six months, however, these are very rare searches that we perform.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with the growing needs of my organization because we've never had an issue with it. I don't know if the technology team expands usage significantly, but we've used Splunk Enterprise Security for a long time. The expansion process is so smooth it's barely even a process.
How are customer service and support?
I would evaluate customer service and technical support as frustrating at times. It was similar to experiences with other companies, where they would explain why issues occurred instead of solving them. It took time to reach the right individual who would solve the problem, however, these instances were infrequent.
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I worked at a previous job where they had a different SIEM that was inadequate, so we implemented Splunk Enterprise Security. At my next job, they already had it installed. If they didn't have it, I would have brought it in during the first month. I cannot name the previous solution as it was approximately 15 years ago and was a second-tier provider, not QRadar or other well-known solutions from that time.
How was the initial setup?
My SecOps team has never had a previous solution to compare how long it takes to remediate security incidents in Splunk Enterprise Security. When I arrived, they had a developer license and decided to use it going forward for all security purposes. My team has no experience with other solutions.
What was our ROI?
I have not seen a return on investment with Splunk Enterprise Security. It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have.
What's my experience with pricing, setup cost, and licensing?
I am aware of the pricing, setup cost, and licensing for it. I don't handle pricing because the primary user is the cyber team. The owners of all technology are the technology team. I inform them we need this solution, and they handle acquisition and management.
What other advice do I have?
We use multiple best-of-breed products to provide data to Splunk Enterprise Security for correlation and malicious activity determination.
My organization does not use risk-based alerting in Splunk Enterprise Security. We use third parties for threat detection features.
Splunk Enterprise Security's impact on business resilience is unclear as we use it exclusively for cyber purposes.
My advice to other organizations considering Splunk Enterprise Security is to use it.
On a scale of one to ten, I rate this solution a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Consultant (Enterprise Projects & Detection Engineering) at Lighthouse Technology
Centralized monitoring has transformed detection workflows and now improves proactive defense
Pros and Cons
- "Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue, improved the daily work experience and retention in my security team, and using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives."
- "Splunk Enterprise Security can improve in the UI UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features."
What is our primary use case?
I have worked extensively with Splunk Enterprise Security for centralized log ingestion, security monitoring, and detection engineering. My objective is to improve enterprise visibility, reduce alert fatigue, and operationalize attack detection that is capable of identifying authentication abuse with lateral movement, PowerShell misuse, and privilege misuse in Linux environments and suspicious network activity.
My recent project focused heavily on enterprise security engineering and detection engineering, IAM Governance Analysis, which is identity and access management, cloud security operation, and resilience validation. This platform aligns directly with the areas I am actively expanding deeper into. At the end of all my logs and documentation, I link them to MetaTask, ISO 27001, and SOC 2. I have a couple of frameworks I use to analyze all of these topologies.
I was able to reduce unmanaged firewall exposure from over five thousand rows to eight hundred and fifty significantly. This was one of my enterprise projects I did on Zero Trust Security, all documented on my LinkedIn portfolio.
What is most valuable?
I appreciate the reporting features of Splunk Enterprise Security, where it enables me to document each of my telemetry. If I have an alert for a brute force attack, I can document a report on those logs and send it via email or any platform I want to share it on. I appreciate the reporting process and the alert features. Recently, I worked on onboarding Windows event logs and was able to correlate these logs with six months of telemetry, Linux authentication logs, firewall telemetry, and DNS activities into Splunk Enterprise Security. I developed correlation searches and behavioral detection that I used to align to MITRE attack techniques, including good fall detection, privilege collection monitoring, suspicious authentication analysis, and DNS abnormality detection. I also created detection to reduce false positives and improve operational reliability while integrating a reasonable workflow using Python automation for faster incident tracking. I was able to create those logs, and everything was displayed on my dashboard. The improvements reduced false positive investigation workloads significantly, improving security operation center visibility across my enterprise environment, and reducing the mean time to detect to ten minutes in a simulated enterprise environment scenario. Those are the results I have had so far in my enterprise environment.
I have solved issues during one of my enterprise security tasks where I identified excessive firewall rules, which are documented on my LinkedIn portfolio, and an unmanaged access pathway that created unnecessary attack surface exposure across my environment. The challenge was to identify still rules to validate legitimate traffic requirements and reduce unnecessary exposure without disrupting my operational workflow.
Splunk Enterprise Security has helped me detect threats faster. It has helped me reduce my team's average mean time to resolve metric. I estimate it has improved detection speed by eighty-five percent because ninety percent of my projects are essentially on Splunk, making it one hundred percent effective for my team. Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue.
It has improved the daily work experience and retention in my security team. Using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives. It has improved my ability to preemptively block threats in vulnerability management workflow and governance activities, including documenting investigations and findings, and how I assign remediation ownership. It has increased my risk ownership, improved tracking escalation status, and monitoring completion timelines.
It has changed my approach to proactive defense across both consulting and enterprise operational projects, affecting how I track remediation activities and investigation workflows, which are important for maintaining operational visibility and accountability. It has improved my operational understanding of TCP and IP behavior, attack traffic reconstruction, segmentation validation, and network-based detection engineering across the enterprise environments I have worked with. It has improved productivity in how I perform packet-level analysis using Wireshark and PXS telemetry to inspect XMB traffic, RDP sessions, DNS activities, authentication flows, and simulated lateral movement patterns.
What needs improvement?
Splunk Enterprise Security can improve in the UI UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features. From the rating perspective, it could be enhanced.
For how long have I used the solution?
I have used Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable; I have not troubleshot anything since it has worked for me. When I perform actions such as brute forcing my machine, it logs correctly, and queries I run return logs as fast as one minute ago.
What do I think about the scalability of the solution?
I believe Splunk Enterprise Security has all the features any organization could need. If the engineer knows what they are doing, it can adapt to scale, generating and importing logs without issues for different sizes of enterprises.
How are customer service and support?
I have not communicated with the technical support of Splunk Enterprise Security.
Which solution did I use previously and why did I switch?
I tried Google Sentinel before choosing Splunk Enterprise Security, but it did not suit my needs, so I had to try something else. When I got to Splunk Enterprise Security, I found it satisfactory enough not to switch to another option.
How was the initial setup?
I participated in the initial setup of Splunk Enterprise Security.
I had to go to the website first, create an account with my email, and then download either the enterprise version or Splunk Forwarder. In my Active Directory, I have my forwarder installed, and on my server machine, I have the enterprise installed. With one account, I was able to configure my port number and destination port, hosting it on localhost. I connected other components to the service with the appropriate configurations.
From a technical perspective, the initial setup was not difficult for me to navigate through.
What about the implementation team?
For a non-technical person, it may be challenging, but for a technical person, it is straightforward. The process is effective.
What was our ROI?
For return on investment, I think a large corporation would not have an issue with that. For small-scale enterprises, they may need to review those areas more, particularly related to user rates.
Which other solutions did I evaluate?
I used to analyze and log manually as a SOC analyst would before using Splunk Enterprise Security.
What other advice do I have?
Splunk Enterprise Security represents a fair price for what it can accomplish. I would rate this product a ten out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 19, 2026
Flag as inappropriateBuyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,933 professionals have used our research since 2012.
Cyber Security Associate at SAP
Improves business resilience and reduced incident remediation time through real-time risk identification
Pros and Cons
- "The ability to identify risks as they come in is quite good."
- "Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features."
What is our primary use case?
My main use cases for Splunk Enterprise Security include detection engineering tasks. I work with the SIM team handling various responsibilities, specifically ensuring uptime availability and correct log ingestion.
How has it helped my organization?
Splunk Enterprise Security has helped improve my organization's business resilience. We have definitely been able to get significant value out of it.
What is most valuable?
As an administrator, I mainly ensure other people can use the system effectively rather than using it extensively myself.
My impressions of Splunk's ability to predict, identify, and solve problems in real time are solid. I definitely notice when it makes predictions and helps with what we're trying to find in general. The ability to identify risks as they come in is quite good.
The integration of disparate security solutions supports our security operations by providing multiple methods to handle things. We have 21 lines of business with different Splunk pods, each requiring different solutions.
Personally, the integration creates some challenges, particularly when trying to standardize processes and migrate to Splunk Cloud. Managing different Splunk pods on-premises and separate stacks leads to confusion and time inefficiencies.
The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security works adequately. While I don't write the detections myself, I work closely with those who do, and it doesn't seem to be an issue.
Our Security Ops team's incident remediation time has improved significantly. Previously, it took approximately 11 hours, but now it takes a few hours, though we're still working to reduce this time further through our migration to Splunk Cloud.
What needs improvement?
There are ways Splunk Enterprise Security can be improved, though I might be speaking specifically about my organization's implementation. Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features.
Regarding ease of use, Splunk Enterprise Security is adequate. The challenge arises when we have multiple users trying to differentiate between the regular search head and the Enterprise Security search head. While users can accomplish their tasks, the main issue stems from education rather than the platform itself.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years, with a six-month break in between. I have been using it extensively for the last year.
What do I think about the stability of the solution?
The stability and reliability of Splunk Enterprise Security is very good. While we've experienced some downtime, crashes, and performance issues, these were caused by end users running poorly optimized queries rather than system problems.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our organization's growing needs. We haven't encountered any problems with scalability.
How are customer service and support?
I would rate customer service and technical support from Splunk at nine out of ten. I have had nothing but good experiences with Splunk support, receiving timely and helpful replies. In one instance, when I needed immediate support, I received a call within ten minutes of submitting the ticket, and we resolved the issue promptly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I am uncertain if my organization used another solution prior to adopting Splunk Enterprise Security. I believe we have been using Splunk the whole time, but this predates my joining the team.
How was the initial setup?
The deployment is fine. I don't really have much of a problem with that end of things.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I am not familiar with the pricing of Splunk Enterprise Security. Regarding licensing, we face some challenges. The management of different pods makes it confusing and complicated, but it gets resolved by our senior team members.
Which other solutions did I evaluate?
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. We utilize many different tools.
What other advice do I have?
I would advise other organizations to consider Splunk Enterprise Security as it's an easy solution to implement and effective for its intended purpose.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Splunk Certified Architect at Data Elicit Solutions Pvt. Ltd.
Data insights have improved security operations and now streamline threat detection and response
Pros and Cons
- "Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience."
- "One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything."
What is our primary use case?
When we talk about Splunk Enterprise, I have seen clients using it for their data analysis, collecting the logs and preparing meaningful insights out of it, like having dashboards created from the data that they ingest into Splunk. Apart from that, there is a SaaS platform that Splunk provides which is called the Splunk Cloud platform; it provides similar functionality, but the end-to-end config management is handled by Splunk directly. You just have access to the Splunk search head where you log in and can search the data you ingest into Splunk Cloud. Regarding Splunk Enterprise Security, I have seen customers using it for security use cases and to ensure that the environment or organization is not impacted by any SOC threats; basically, they use it for detection and mitigation both.
Customizing and developing new detections in Splunk Enterprise Security are quite simple since I have got experience with it for more than four years. I am quite familiar with it and enjoy working through that as well.
I do use disparate security solutions that integrate or import data into Splunk Enterprise Security.
The security operations are supported on a very great scale because let's say we have written n number of detections; we also need to ensure that we don't get alerted or notified on false positives. There is a dashboard in Splunk Enterprise Security that displays all the detections identified as a potential risk or alert to the environment. From there, you can triage the work to investigate deeper into it, and from the dashboard, you can drive it towards closure, with different drill-down options to investigate how a particular event was identified as a risk event and whether it was a false positive. If it wasn't a false positive, you can dive deeper into it using different response actions as well; all these customizations can be done and they support any third-party response actions that you want to apply to the Splunk Enterprise Security detection you have.
What is most valuable?
What I like about Splunk Enterprise Security is the way it is able to correlate or ingest any kind of data from any product or source, alert and adapt the whole data as it is, and then provide it in a single visualization format. It handles and provides you options for customizations and different options for alerting as well. Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience.
Splunk Enterprise Security has indeed helped improve the organization's business resilience. I don't have specific numbers for sharing purposes, but on a quarterly basis, I have seen Splunk helping the resilience and assisting the business greatly in terms of avoiding SOC threats.
What needs improvement?
You need to adapt to new changes constantly and be sure of new learnings in Splunk Enterprise Security; that is the only challenge I would say. However, I don't see it as a problem because if resources are available for you to understand new changes and how detections are managed or how to incorporate advanced threat intelligence frameworks, there is no huge challenge in integrating it with Splunk Enterprise Security. You need to know what things you want to click on the UI; if you are aware of that, there is no challenge. It is just constant learning that you have to give yourself to learn and grow for your own better self.
One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything. Trust in the product relies on the AI being reliable and trustworthy, ensuring 100% accuracy and avoiding false positives.
I would say Splunk's ability to predict, identify, and solve problems in real time is near accurate; I cannot confirm that it is 100% since none of the systems are. It definitely alerts you on what particular time you need to be notified. However, to achieve near 100% accuracy, how you handle the searches running in your environment and stagger them is important to avoid overwhelming server resources. Splunk provides features to adjust time zones and write custom schedules; there is no challenge with that. However, there will always be delays, so it is about how you ingest the data; if the source is behind the Splunk server's timezone, that could impact results.
For how long have I used the solution?
I have been working with Splunk for almost six years now.
What do I think about the stability of the solution?
So far, we have not faced any downtime or performance issues with Splunk; there can be outages, but we are automatically notified when they occur, and the team works on resolution. Since we are using Splunk Cloud, we receive notifications directly from them.
What do I think about the scalability of the solution?
I would say Splunk is quite scalable, and we are definitely making the most out of it. Our company was involved in delivering sessions at splunk.conf last year, showcasing how we utilize Splunk and the solutions provided, indicating that we are scaling quite effectively.
How are customer service and support?
I would rate the Splunk support team an eight or nine out of ten; this rating is based on my experience of being part of the partner team that delivered Splunk support. The support depends on the partner, and I appreciate having a dedicated account manager for our customer account, ensuring effective handling of operations and issues. No one can have 100% knowledge, and while there might be delays in response, the support team effectively isolates problems and finds solutions, adhering to an escalation policy that keeps customers updated and satisfied.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Since I have worked more with Splunk, I am somewhat biased but I would say understanding and writing queries to analyze your ingested data is simpler in Splunk and in other products such as Sumo Logic as well. However, no product can match the level of customization and visualization that Splunk can build; you can create reports, dashboards, and present these in a business fashion, which is unmatched.
How was the initial setup?
Deploying Splunk is a piece of cake for me; since I have got so much experience, deploying any kind of environment is not a challenge. I am still in the evolving phase as I started my professional journey with Splunk in 2019. I have made numerous deployments for different testing purposes, replicating customer challenges in our test environment to address their issues directly.
What was our ROI?
That is a bit subjective, I would say because in the Indian market, people often look for alternative solutions to avoid spending more. However, I have seen great satisfaction levels among companies that have utilized Splunk, including the one I am working for now, which has been renewing Splunk licenses over the past decade. If Splunk were not that great, people would not keep renewing it over the years; there is an option for good return on investment, but eventually, people try to find alternatives to save on expenses for R&D or other purposes.
What's my experience with pricing, setup cost, and licensing?
I am not very much aware of the licensing since we are service providers for Splunk or Cribl or DataDog, but I do know Splunk provides licensing in two different ways: SVC-based licensing and ingest-based licensing. The old model charged based on the volume of data ingested on a daily basis, while the current SVC-based model charges based on the compute utilized for searching that data, regardless of volume.
Which other solutions did I evaluate?
All over the globe, it is the AI and agent era, and Splunk is also a part of it having introduced Splunk AI as part of its cloud platform features, eventually to be released in on-prem solutions as well.
What other advice do I have?
I usually do not manage or investigate the alerts that have been triggered; I work on building and managing the use cases, optimizing them. The analyst team works on the incidents but from what I have heard, before I joined the current organization there were a lot of changes required to be made internally in the product itself and the way we were writing optimizations. But afterwards, we defined a clean process and the mean time to closure or mean time to resolve had reduced drastically by almost 60 to 70% compared to what it was previously.
It is not that we are limited to risk-based alerting in Splunk Enterprise Security; we are using threat intelligence and we have recently configured SOAR as I just mentioned. Additionally, we are using UBA for user behavioral analytics.
We have definitely seen benefits from the threat detection and threat intelligence capabilities in Splunk; we apply risk scores and threat scores to our detections and to the attributes we want to identify or flag as potentially high-risk or high-threat objects. This helps us prioritize the tasks we want to start our daily task with; it definitely helps with understanding the priority tasks to be worked upon. We also make sure to update our threat feeds regularly since we need to stay on top of all the threat findings globally, ensuring we identify all malicious IP addresses or any file hashes that have been tracked as a threat and are publicly available.
I would advise organizations considering Splunk to stick to the fundamentals; as long as you understand how Splunk operates and the functions of its different components, you won't face challenges in troubleshooting or understanding errors. I would rate this review a ten out of ten overall.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Last updated: Feb 25, 2026
Flag as inappropriateSr Manager Global Security Operations at a financial services firm with 10,001+ employees
Standardized investigations and fraud detection have improved team efficiency significantly
Pros and Cons
- "It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job."
- "Splunk Enterprise Security can be improved by bringing back some of the operational use cases."
What is our primary use case?
My main use case for Splunk Enterprise Security is security eventing.
What is most valuable?
The features of Splunk Enterprise Security provide a standardized platform for investigating.
The content libraries are helpful. In our organization, we don't use them a lot. We will use them as ideas and rebuild them into what our needs are.
It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job.
The investigations plane and use case library have been beneficial.
We utilize Splunk Enterprise Security for our fraud team using pure ES. We use all the fraud features, and that's been incredibly helpful.
The detection rate and prevention rate has gone up 30 times compared to when they were working on a spreadsheet. The fraud team loves it.
Once we move over to 8.2, we're going to utilize more of the built-in features.
I appreciate the visual control and the investigations plane, though that will be a major migration for us.
What needs improvement?
Splunk Enterprise Security can be improved by bringing back some of the operational use cases. When Splunk developed ITSI, they took a lot of information or use cases out of ES, where operational use cases can also be security use cases. Those two products need to be more migrated to each other. In the next release of Splunk Enterprise Security, there should be more reporting options.
For how long have I used the solution?
I have been using Splunk Enterprise Security for nine years.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as excellent. I've had no problems with downtime, crashes, or performance issues.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales with the growing needs of my organization just fine. The licensing for ingest is a different story.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as lacking. The service engineers that we've been getting as part of our weekly or bi-weekly calls with our salesperson, where they've assigned an engineer, have decreased tremendously in quality and expertise over the last few years. People on the team that really know Splunk know a lot more than they do, and it's evident because they don't try anymore. We can still get expert help when we need it.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as easy. The KV store setup was straightforward.
What was our ROI?
I have seen ROI with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security has been fine. We've renewed since Cisco took over.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to follow the documentation and not build your own stuff.
On a scale of one to ten, I rate this solution a nine.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
DevOps&Cloud Engineer Mentee at CertDirectory.io
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
- "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
- "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."
What is our primary use case?
My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.
How has it helped my organization?
Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.
What is most valuable?
The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.
One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs.
Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.
What needs improvement?
AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.
Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.
For how long have I used the solution?
I have been using the solution for approximately one year. I used it for 12 months in the company.
What do I think about the stability of the solution?
It's stable. I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.
How are customer service and support?
I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.
How was the initial setup?
Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.
Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience.
The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.
Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it.
What was our ROI?
From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.
The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing.
Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.
As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.
What other advice do I have?
I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.
I have not used the risk-based alerting feature. It is more for log management and checking the log flow.
Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.
I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Soc Manager at a real estate/law firm with 1,001-5,000 employees
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
- "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
- "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."
What is our primary use case?
Our main use cases for Splunk Enterprise Security include security, detection, and incident response.
How has it helped my organization?
The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.
What is most valuable?
The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.
The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.
Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.
We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.
I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.
One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.
What needs improvement?
Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.
For how long have I used the solution?
We are still at the beginning, just four months into using Splunk Enterprise Security.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.
How was the initial setup?
The deployment was the best that I have gone through so far. We had the professional support, which is something I recommend everyone do, which is like introducing Splunk and having the Splunk professional support personnel advising and supporting through the implementation phase.
What about the implementation team?
We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.
What was our ROI?
The return on investment from Splunk Enterprise Security is still to come.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.
What other advice do I have?
I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Engineer at Underdefense
Risk-based alerts have transformed our incident response and reporting to executives
Pros and Cons
- "Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%."
- "Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered."
What is our primary use case?
Splunk Enterprise Security serves as our security tool, specifically functioning as a SIEM product.
What is most valuable?
Splunk Enterprise Security's best features include scalability, reliability, and extensive integrations.
The RBA in Splunk Enterprise Security helps us considerably because there are rules that we cannot turn off, but they are spammy rules that we can whitelist. We group them as intermediate findings, making this risk score useful. It saves us time because instead of working on 1,000 alerts per day, we focus on two or three alerts and simply review their impact on our organization.
With Splunk Enterprise Security and our SOC team, we have developed custom rules that adjust the risk scores based on our observations, not merely Splunk's recommendations. It helps considerably because it groups the alerts, gives us information about related alerts, and provides excellent features such as drill-down searches and dashboards, which save our time and decrease mean time to respond and mean time to detect.
Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%. That reduction applies to both response and detection.
Our dashboards and visualizations in Splunk Enterprise Security communicate our security posture to executives effectively, as they are more interested in numbers and money saved rather than technical details. The visualizations allow us to present why they spend money on this solution, and we can create engaging visual stories for them based on the dashboards.
What needs improvement?
The area for improvement with Splunk Enterprise Security is support.
The knowledge base could also be improved.
Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered.
For how long have I used the solution?
I have been using Splunk Enterprise Security for more than eight years.
What do I think about the stability of the solution?
For stability, I give it a ten.
What do I think about the scalability of the solution?
In terms of scalability, I also rate it a ten.
How are customer service and support?
On a scale from 1 to 10, I rate support for Splunk Enterprise Security at a six.
How was the initial setup?
My experience deploying Splunk Enterprise Security is straightforward; I am a certified Splunk architect, which is the highest certification. Based on the documentation, it is easy for non-distributed deployments, but it can be challenging for others with larger infrastructures.
In terms of deployment time for Splunk Enterprise Security, it takes approximately 15 minutes.
What about the implementation team?
For my clients, there are over 200 people using Splunk Enterprise Security.
In my company, we have approximately 30 specialists.
Regarding Splunk Enterprise Security deployment, we utilize both on-premises and cloud setups.
What was our ROI?
The return on investment we see from Splunk Enterprise Security is not straightforward, as it depends on the company; some may not have alerts or impacts, while others, when detecting critical alerts or threats, may realize it has saved them a million dollars. Overall, I estimate the ROI to be approximately 20% to 30%.
Which other solutions did I evaluate?
When comparing Splunk Enterprise Security with other security solutions, I find it to be the best as it consolidates everything in one place. They have updated it with endpoint security and admission control capabilities, allowing you to see every comment and action during an incident, which I have not seen in other solutions such as Elastic, Sumo Logic, or LogRhythm.
What other advice do I have?
Since we do not work with UEBA in Splunk Enterprise Security, I cannot comment on any improvements in threat hunting and investigations. I have seen demos of it, and while it is a remarkable solution, I cannot personally answer that question. I provide this review with an overall rating of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Apr 14, 2026
Flag as inappropriateSenior Vice President Cyber Security at Mindsprint
Risk-based monitoring has improved threat detection speed and supports custom SOC use cases
Pros and Cons
- "Regarding the impact on threat detection capabilities, it provides a faster mean time to detect."
- "We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier."
What is our primary use case?
Splunk Enterprise Security is used for our SOC, the Security Operations Center, which provides 24/7 monitoring. I am using disparate security solutions to integrate or import data into Splunk Enterprise Security. We use Splunk Enterprise Security to ingest the logs and do the monitoring.
As for alerting, especially risk-based alerting, it works well. It supports the use cases that we are looking for. Splunk Enterprise Security supports my SOC in terms of developing any new use cases. If we have any custom integration requirements or any custom use cases, we can easily develop that in Splunk Enterprise Security, and that's how we are able to leverage Splunk Enterprise Security for any custom use cases.
What is most valuable?
The biggest advantage for me in Splunk Enterprise Security is all the ready-made integrations and the connectors that are available. Integration is the strongest part; the connectors and the built-in connectors are the strongest part which allow the integration.
My impression of processes such as customization, developing, testing, deploying, and refining detections is that it works as designed for all the detections and all the new capabilities that we can leverage. It works very well.
Integration supports my security operations. When it comes to remediation, we are not using it for remediation with Splunk Enterprise Security; Splunk Enterprise Security is purely for detection. Remediation has to be done by the respective teams using their own tool sets.
Regarding the impact on threat detection capabilities, it provides a faster mean time to detect. The team is able to respond faster because we are using Splunk Enterprise Security and we are able to ingest all the logs from various sources. Any threats which are emerging across the world and across different types of log sources, our team is able to detect them faster. Overall dwell time of an attacker or any kind of attacks that we see, we are able to respond much faster because we are able to detect it in the first place much faster.
What needs improvement?
There is something in Splunk Enterprise Security which is not perfect. What we are seeing is more not on the technology side, but on the pricing and support point of view once Cisco has taken over. We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier. These are the two things we see as areas for improvement.
Regarding the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.
I would like to see some additional features, more on the AI detection and automatic detection using AI capability. Although Splunk Enterprise Security has some amount of AI capability, what we would like to see is more on the detection side, how AI can help and how Splunk Enterprise Security can introduce those features as part of the built-in platform itself.
For how long have I used the solution?
I started working with Splunk Enterprise Security about six or seven years ago.
What do I think about the stability of the solution?
Splunk Enterprise Security is very reliable and stable. Reliability is also very good.
What do I think about the scalability of the solution?
Regarding scalability for Splunk Enterprise Security, scalability is very good. We have scaled it about four times over the past six years in terms of the log size. Scalability is very good.
How are customer service and support?
As for the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.
What other advice do I have?
Splunk Enterprise Security is a worth buying product if you are able to leverage all the features and the capabilities or if the team is strong to leverage all of them.
The percentage of savings depends on what we are comparing. It is straightforward; if the team is experienced with Splunk Enterprise Security, it is quite straightforward and quite fast.
Regarding business resilience, Splunk Enterprise Security does improve business resilience because I am able to protect my assets and hence improve the resilience. I am able to solve problems in real time, to predict, and to identify threats. It helps my detection to be faster, which is about 40 percent faster. The overall review rating for this product is 8 out of 10.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 16, 2026
Flag as inappropriateSenior Client Partner at KyndleIT Consulting
Security operations have unified threat detection and response across diverse data sources
Pros and Cons
- "Splunk collects much more data as compared to traditional SNMP related tools, and log traces will eventually provide you much better and true information on which you can take actionable actions on top of it."
- "Cost is something which is a major factor."
What is our primary use case?
The clients who are using Splunk Enterprise Security are primarily using it for security as a SIEM solution, or they are also using Splunk Observability.
Generally, when you have the complete set of solutions such as EDR or DLP and then on top of it, if you have a solution such as SIEM, which is collecting logs and everything and then correlating that particular data, it takes somewhere around five to ten minutes to identify and start working on that particular issue.
What is most valuable?
The biggest advantage, if I talk about for observability, is ease of use. The customers use OTEL collectors, and since this is an open OTEL collector, it is not bound to Splunk itself. That is something which is good.
Customization requires good effort, but it is doable. We being into professional services, we do this particular part. Splunk Enterprise Security provides flexibility to write those rules and regular expressions and other tools, wherein you can filter the traffic based on different kinds of policies.
It definitely helps because when you use different sets of solutions which work on SNMP, they will only poll that data and then they will collect and provide you some information on top of it. Splunk collects much more data as compared to traditional SNMP related tools. Log traces will eventually provide you much better and true information on which you can take actionable actions on top of it. With respect to unified security operations, it helps to consolidate both SIEM and SOAR so that you can quickly detect, investigate and neutralize cyber threats. They can integrate with third-party SOAR solution as well as they have internal capabilities for SOAR.
What needs improvement?
Cost is one major factor. The reason is because they primarily work on the ingestion of data, wherein it becomes a choice for large customers who have deep pockets to spend money on Splunk Enterprise Security. If the customer does not have that much budget, then obviously they will not go for Splunk Enterprise Security. They will go for a similar set of solution such as Elastic in that case. Cost is something which is a major factor.
In integrations, a good amount of integrations are already available, but integration with newer AI components or tools and upcoming tools such as Claude or ChatGPT will obviously take some more time to evolve perfectly so that these tools become more easy to use and align to an organization's environment.
For how long have I used the solution?
I have been using the solution for somewhere around four years.
What do I think about the stability of the solution?
Splunk Enterprise Security is a stable product.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable. You can horizontally expand it with forwarders and universal forwarders. It's scalable.
Which solution did I use previously and why did I switch?
We have been in business for the last eight years. Before partnership with Splunk, we have been working with Broadcom. Now we are also working with Elastic.
How was the initial setup?
The initial setup is straightforward and not that complex. Initially, you will struggle, but once you are done with one or two installations, then it is pretty straightforward.
What about the implementation team?
I am an implementation partner and not a direct customer of Splunk. I do implementation work.
What was our ROI?
With respect to Splunk Enterprise Security ROI, it is a costly solution. It is not something which can be adopted by every organization. Splunk Enterprise Security needs to come up with something different. When we speak to Splunk representatives, they boast about being a costly solution, but that does not make any sense because if you are not able to fit yourself with the customer and Datadog or Elastic is competing with you, then that is one part which they need to address. Rather than positioning themselves as a costly solution, they should work on something which can actually fit the customers as well as provide implementation partners like us with opportunities to work on certain projects. With respect to ROI, it takes a good amount of time because by the time you get the product installed in your environment, you start using it and you realize how much data needs to be ingested and then you fine-tune them. I think it takes a good amount of time because by that time, Splunk will take a good amount of licensing cost from the customer.
Which other solutions did I evaluate?
We are using other security tools. We are using API security, Symantec products for different customers, or CrowdStrike EDR. We generally ingest logs from all these different solutions, logs, metrics and traces from these solutions into Splunk Enterprise Security.
We are also using Elastic. The main part is for smaller customers or a limited set of customers, Elastic provides the community version. You can go and install the community version and seventy to eighty percent of the features are available, and the customer can start using it. They don't intend to use Splunk Enterprise Security in that case because that's free, and only a nominal services fee will be charged from these kinds of customers. Elastic also has the observability as well as the ELK stack, Kibana, dashboards and other tools. That part does not make too much of a difference. The major difference between both of the products is obviously pricing.
What other advice do I have?
Splunk Enterprise Security is the most significant challenge. I rate this product at nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Last updated: May 26, 2026
Flag as inappropriateBuyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Product Categories
Security Information and Event Management (SIEM) Log Management IT Operations AnalyticsPopular Comparisons
CrowdStrike Falcon
IBM Security QRadar
Splunk AppDynamics
Microsoft Sentinel
Elastic Security
IBM Turbonomic
Palantir Foundry
WhatsUp Gold
Elastic Observability
LogRhythm SIEM
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which would you recommend to your boss, IBM QRadar or Splunk?
- What are some of the best features and use-cases of Splunk?
- What SOC product do you recommend?
- Splunk as an Enterprise Class monitoring solution -- thoughts?
- What is the biggest difference between Dynatrace and Splunk?
- IBM QRadar is rated above competitors (McAfee, Splunk, LogRhythm) in Gartner's 2020 Magic Quandrant. Agree/Disagree?
- What are the advantages of ELK over Splunk?
- How does Splunk compare with Azure Monitor?
- New risk scoring framework in the Splunk App for Enterprise Security -- thoughts?
- Splunk vs. Elastic Stack





















