Solomon Henry - PeerSpot reviewer
Cybersecurity Consultant (Enterprise Projects & Detection Engineering) at Lighthouse Technology
Real User
Top 5 Leaderboard
Jun 19, 2026
Centralized monitoring has transformed detection workflows and now improves proactive defense
Pros and Cons
  • "Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue, improved the daily work experience and retention in my security team, and using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives."
  • "Splunk Enterprise Security can improve in the UI/UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features."

What is our primary use case?

I have worked extensively with Splunk Enterprise Security for centralized log ingestion, security monitoring, and detection engineering. My objective is to improve enterprise visibility, reduce alert fatigue, and operationalize attack detection that is capable of identifying authentication abuse with lateral movement, PowerShell misuse, and privilege misuse in Linux environments and suspicious network activity.

My recent project focused heavily on enterprise security engineering and detection engineering, IAM Governance Analysis, which is identity and access management, cloud security operation, and resilience validation. This platform aligns directly with the areas I am actively expanding deeper into. At the end of all my logs and documentation, I link them to MetaTask, ISO 27001, and SOC 2. I have a couple of frameworks I use to analyze all of these topologies.

I was able to reduce unmanaged firewall exposure from over five thousand rows to eight hundred and fifty significantly. This was one of my enterprise projects I did on Zero Trust Security, all documented on my LinkedIn portfolio.

What is most valuable?

I appreciate the reporting features of Splunk Enterprise Security, where it enables me to document each of my telemetry. If I have an alert for a brute force attack, I can document a report on those logs and send it via email or any platform I want to share it on. I appreciate the reporting process and the alert features. Recently, I worked on onboarding Windows event logs and was able to correlate these logs with six months of telemetry, Linux authentication logs, firewall telemetry, and DNS activities into Splunk Enterprise Security. I developed correlation searches and behavioral detection that I used to align to MITRE ATT&CK techniques, including good fall detection, privilege collection monitoring, suspicious authentication analysis, and DNS abnormality detection. I also created detection to reduce false positives and improve operational reliability while integrating a reasonable workflow using Python automation for faster incident tracking. I was able to create those logs, and everything was displayed on my dashboard. The improvements reduced false positive investigation workloads significantly, improving security operation center visibility across my enterprise environment, and reducing the mean time to detect to ten minutes in a simulated enterprise environment scenario. Those are the results I have had so far in my enterprise environment.

I have solved issues during one of my enterprise security tasks where I identified excessive firewall rules, which are documented on my LinkedIn portfolio, and an unmanaged access pathway that created unnecessary attack surface exposure across my environment. The challenge was to identify still rules to validate legitimate traffic requirements and reduce unnecessary exposure without disrupting my operational workflow.

Splunk Enterprise Security has helped me detect threats faster. It has helped me reduce my team's average mean time to resolve metric. I estimate it has improved detection speed by eighty-five percent because ninety percent of my projects are essentially on Splunk, making it one hundred percent effective for my team. Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue.

It has improved the daily work experience and retention in my security team. Using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives. It has improved my ability to preemptively block threats in vulnerability management workflow and governance activities, including documenting investigations and findings, and how I assign remediation ownership. It has increased my risk ownership, improved tracking escalation status, and monitoring completion timelines.

It has changed my approach to proactive defense across both consulting and enterprise operational projects, affecting how I track remediation activities and investigation workflows, which are important for maintaining operational visibility and accountability. It has improved my operational understanding of TCP/IP behavior, attack traffic reconstruction, segmentation validation, and network-based detection engineering across the enterprise environments I have worked with. It has improved productivity in how I perform packet-level analysis using Wireshark and PXS telemetry to inspect XMB traffic, RDP sessions, DNS activities, authentication flows, and simulated lateral movement patterns.

What needs improvement?

Splunk Enterprise Security can improve in the UI/UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features. From the rating perspective, it could be enhanced.

For how long have I used the solution?

I have used Splunk Enterprise Security for two years.

Buyer's Guide
Splunk Enterprise Security
June 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
903,067 professionals have used our research since 2012.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable; I have not troubleshot anything since it has worked for me. When I perform actions such as brute forcing my machine, it logs correctly, and queries I run return logs as fast as one minute ago.

What do I think about the scalability of the solution?

I believe Splunk Enterprise Security has all the features any organization could need. If the engineer knows what they are doing, it can adapt to scale, generating and importing logs without issues for different sizes of enterprises.

How are customer service and support?

I have not communicated with the technical support of Splunk Enterprise Security.

Which solution did I use previously and why did I switch?

I tried Google Sentinel before choosing Splunk Enterprise Security, but it did not suit my needs, so I had to try something else. When I got to Splunk Enterprise Security, I found it satisfactory enough not to switch to another option.

How was the initial setup?

I participated in the initial setup of Splunk Enterprise Security.

I had to go to the website first, create an account with my email, and then download either the enterprise version or Splunk Forwarder. In my Active Directory, I have my forwarder installed, and on my server machine, I have the enterprise installed. With one account, I was able to configure my port number and destination port, hosting it on localhost. I connected other components to the service with the appropriate configurations.

From a technical perspective, the initial setup was not difficult for me to navigate through.

What about the implementation team?

For a non-technical person, it may be challenging, but for a technical person, it is straightforward. The process is effective.

What was our ROI?

For return on investment, I think a large corporation would not have an issue with that. For small-scale enterprises, they may need to review those areas more, particularly related to user rates.

Which other solutions did I evaluate?

I used to analyze and log manually as a SOC analyst would before using Splunk Enterprise Security.

What other advice do I have?

Splunk Enterprise Security represents a fair price for what it can accomplish. I would rate this product a ten out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 19, 2026
Adam Santilli - PeerSpot reviewer
Cyber Security Associate at SAP
Real User
Top 5
Sep 12, 2025
Improves business resilience and reduced incident remediation time through real-time risk identification
Pros and Cons
  • "The ability to identify risks as they come in is quite good."
  • "Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features."

What is our primary use case?

My main use cases for Splunk Enterprise Security include detection engineering tasks. I work with the SIEM team handling various responsibilities, specifically ensuring uptime availability and correct log ingestion.

How has it helped my organization?

Splunk Enterprise Security has helped improve my organization's business resilience. We have definitely been able to get significant value out of it.

What is most valuable?

As an administrator, I mainly ensure other people can use the system effectively rather than using it extensively myself. 

My impressions of Splunk's ability to predict, identify, and solve problems in real time are solid. I definitely notice when it makes predictions and helps with what we're trying to find in general. The ability to identify risks as they come in is quite good.

The integration of disparate security solutions supports our security operations by providing multiple methods to handle things. We have 21 lines of business with different Splunk pods, each requiring different solutions.

Personally, the integration creates some challenges, particularly when trying to standardize processes and migrate to Splunk Cloud. Managing different Splunk pods on-premises and separate stacks leads to confusion and time inefficiencies.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security works adequately. While I don't write the detections myself, I work closely with those who do, and it doesn't seem to be an issue.

Our Security Ops team's incident remediation time has improved significantly. Previously, it took approximately 11 hours, but now it takes a few hours, though we're still working to reduce this time further through our migration to Splunk Cloud.

What needs improvement?

There are ways Splunk Enterprise Security can be improved, though I might be speaking specifically about my organization's implementation. Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features.

Regarding ease of use, Splunk Enterprise Security is adequate. The challenge arises when we have multiple users trying to differentiate between the regular search head and the Enterprise Security search head. While users can accomplish their tasks, the main issue stems from education rather than the platform itself.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years, with a six-month break in between. I have been using it extensively for the last year.

What do I think about the stability of the solution?

The stability and reliability of Splunk Enterprise Security are very good. While we've experienced some downtime, crashes, and performance issues, these were caused by end users running poorly optimized queries rather than system problems.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our organization's growing needs. We haven't encountered any problems with scalability.

How are customer service and support?

I would rate customer service and technical support from Splunk at nine out of ten. I have had nothing but good experiences with Splunk support, receiving timely and helpful replies. In one instance, when I needed immediate support, I received a call within ten minutes of submitting the ticket, and we resolved the issue promptly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I am uncertain if my organization used another solution prior to adopting Splunk Enterprise Security. I believe we have been using Splunk the whole time, but this predates my joining the team.

How was the initial setup?

The deployment is fine. I don't really have much of a problem with that end of things.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I am not familiar with the pricing of Splunk Enterprise Security. Regarding licensing, we face some challenges. The management of different pods makes it confusing and complicated, but it gets resolved by our senior team members.

Which other solutions did I evaluate?

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. We utilize many different tools.

What other advice do I have?

I would advise other organizations to consider Splunk Enterprise Security as it's an easy solution to implement and effective for its intended purpose.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Tejas Shah - PeerSpot reviewer
Splunk Certified Architect at Data Elicit Solutions Pvt. Ltd.
Real User
Top 5
Feb 25, 2026
Data insights have improved security operations and now streamline threat detection and response
Pros and Cons
  • "Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience."
  • "One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything."

What is our primary use case?

When we talk about Splunk Enterprise, I have seen clients using it for their data analysis, collecting the logs and preparing meaningful insights out of it, like having dashboards created from the data that they ingest into Splunk. Apart from that, there is a SaaS platform that Splunk provides which is called the Splunk Cloud platform; it provides similar functionality, but the end-to-end config management is handled by Splunk directly. You just have access to the Splunk search head where you log in and can search the data you ingest into Splunk Cloud. Regarding Splunk Enterprise Security, I have seen customers using it for security use cases and to ensure that the environment or organization is not impacted by any SOC threats; basically, they use it for detection and mitigation both.

Customizing and developing new detections in Splunk Enterprise Security are quite simple since I have got experience with it for more than four years. I am quite familiar with it and enjoy working through that as well.

I do use disparate security solutions that integrate or import data into Splunk Enterprise Security.

The security operations are supported on a very great scale because let's say we have written n number of detections; we also need to ensure that we don't get alerted or notified on false positives. There is a dashboard in Splunk Enterprise Security that displays all the detections identified as a potential risk or alert to the environment. From there, you can triage the work to investigate deeper into it, and from the dashboard, you can drive it towards closure, with different drill-down options to investigate how a particular event was identified as a risk event and whether it was a false positive. If it wasn't a false positive, you can dive deeper into it using different response actions as well; all these customizations can be done and they support any third-party response actions that you want to apply to the Splunk Enterprise Security detection you have.

What is most valuable?

What I like about Splunk Enterprise Security is the way it is able to correlate or ingest any kind of data from any product or source, alert and adapt the whole data as it is, and then provide it in a single visualization format. It handles and provides you options for customizations and different options for alerting as well. Summing up everything from a SIEM and security point of view, I think Splunk is by far the best product that I have been using since my work experience.

Splunk Enterprise Security has indeed helped improve the organization's business resilience. I don't have specific numbers for sharing purposes, but on a quarterly basis, I have seen Splunk helping the resilience and assisting the business greatly in terms of avoiding SOC threats.

What needs improvement?

You need to adapt to new changes constantly and be sure of new learnings in Splunk Enterprise Security; that is the only challenge I would say. However, I don't see it as a problem because if resources are available for you to understand new changes and how detections are managed or how to incorporate advanced threat intelligence frameworks, there is no huge challenge in integrating it with Splunk Enterprise Security. You need to know what things you want to click on the UI; if you are aware of that, there is no challenge. It is just constant learning that you have to give yourself to learn and grow for your own better self.

One improvement I want to foresee is that the AI or agent needs to be fed with accurate data, not false data, so that whenever it performs automation on your behalf, it doesn't misconfigure anything. Trust in the product relies on the AI being reliable and trustworthy, ensuring 100% accuracy and avoiding false positives.

I would say Splunk's ability to predict, identify, and solve problems in real time is near accurate; I cannot confirm that it is 100% since none of the systems are. It definitely alerts you on what particular time you need to be notified. However, to achieve near 100% accuracy, how you handle the searches running in your environment and stagger them is important to avoid overwhelming server resources. Splunk provides features to adjust time zones and write custom schedules; there is no challenge with that. However, there will always be delays, so it is about how you ingest the data; if the source is behind the Splunk server's timezone, that could impact results.

For how long have I used the solution?

I have been working with Splunk for almost six years now.

What do I think about the stability of the solution?

So far, we have not faced any downtime or performance issues with Splunk; there can be outages, but we are automatically notified when they occur, and the team works on resolution. Since we are using Splunk Cloud, we receive notifications directly from them.

What do I think about the scalability of the solution?

I would say Splunk is quite scalable, and we are definitely making the most out of it. Our company was involved in delivering sessions at splunk.conf last year, showcasing how we utilize Splunk and the solutions provided, indicating that we are scaling quite effectively.

How are customer service and support?

I would rate the Splunk support team an eight or nine out of ten; this rating is based on my experience of being part of the partner team that delivered Splunk support. The support depends on the partner, and I appreciate having a dedicated account manager for our customer account, ensuring effective handling of operations and issues. No one can have 100% knowledge, and while there might be delays in response, the support team effectively isolates problems and finds solutions, adhering to an escalation policy that keeps customers updated and satisfied.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Since I have worked more with Splunk, I am somewhat biased but I would say understanding and writing queries to analyze your ingested data is simpler in Splunk and in other products such as Sumo Logic as well. However, no product can match the level of customization and visualization that Splunk can build; you can create reports, dashboards, and present these in a business fashion, which is unmatched.

How was the initial setup?

Deploying Splunk is a piece of cake for me; since I have got so much experience, deploying any kind of environment is not a challenge. I am still in the evolving phase as I started my professional journey with Splunk in 2019. I have made numerous deployments for different testing purposes, replicating customer challenges in our test environment to address their issues directly.

What was our ROI?

That is a bit subjective, I would say, because in the Indian market, people often look for alternative solutions to avoid spending more. However, I have seen great satisfaction levels among companies that have utilized Splunk, including the one I am working for now, which has been renewing Splunk licenses over the past decade. If Splunk were not that great, people would not keep renewing it over the years; there is an option for good return on investment, but eventually, people try to find alternatives to save on expenses for R&D or other purposes.

What's my experience with pricing, setup cost, and licensing?

I am not very much aware of the licensing since we are service providers for Splunk or Cribl or DataDog, but I do know Splunk provides licensing in two different ways: SVC-based licensing and ingest-based licensing. The old model charged based on the volume of data ingested on a daily basis, while the current SVC-based model charges based on the compute utilized for searching that data, regardless of volume.

Which other solutions did I evaluate?

All over the globe, it is the AI and agent era, and Splunk is also a part of it, having introduced Splunk AI as part of its cloud platform features, eventually to be released in on-prem solutions as well.

What other advice do I have?

I usually do not manage or investigate the alerts that have been triggered; I work on building and managing the use cases, optimizing them. The analyst team works on the incidents but from what I have heard, before I joined the current organization there were a lot of changes required to be made internally in the product itself and the way we were writing optimizations. But afterwards, we defined a clean process and the mean time to closure or mean time to resolve had reduced drastically by almost 60 to 70% compared to what it was previously.

It is not that we are limited to risk-based alerting in Splunk Enterprise Security; we are using threat intelligence and we have recently configured SOAR as I just mentioned. Additionally, we are using UBA for user behavioral analytics.

We have definitely seen benefits from the threat detection and threat intelligence capabilities in Splunk; we apply risk scores and threat scores to our detections and to the attributes we want to identify or flag as potentially high-risk or high-threat objects. This helps us prioritize the tasks we want to start our daily task with; it definitely helps with understanding the priority tasks to be worked upon. We also make sure to update our threat feeds regularly since we need to stay on top of all the threat findings globally, ensuring we identify all malicious IP addresses or any file hashes that have been tracked as a threat and are publicly available.

I would advise organizations considering Splunk to stick to the fundamentals; as long as you understand how Splunk operates and the functions of its different components, you won't face challenges in troubleshooting or understanding errors. I would rate this review a ten out of ten overall.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Last updated: Feb 25, 2026
Jeffrey Bain - PeerSpot reviewer
Sr Manager Global Security Operations at a financial services firm with 10,001+ employees
Real User
Top 5
Sep 13, 2025
Standardized investigations and fraud detection have improved team efficiency significantly
Pros and Cons
  • "It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job."
  • "Splunk Enterprise Security can be improved by bringing back some of the operational use cases."

What is our primary use case?

My main use case for Splunk Enterprise Security is security eventing.

What is most valuable?

The features of Splunk Enterprise Security provide a standardized platform for investigating.

The content libraries are helpful. In our organization, we don't use them a lot. We will use them as ideas and rebuild them into what our needs are.

It's standardized and easy to use, so you don't have to have a lot of top-tier analysts to do the same job.

The investigations plane and use case library have been beneficial.

We utilize Splunk Enterprise Security for our fraud team using pure ES. We use all the fraud features, and that's been incredibly helpful.

The detection rate and prevention rate have gone up 30 times compared to when they were working on a spreadsheet. The fraud team loves it.

Once we move over to 8.2, we're going to utilize more of the built-in features.

I appreciate the visual control and the investigations plane, though that will be a major migration for us.

What needs improvement?

Splunk Enterprise Security can be improved by bringing back some of the operational use cases. When Splunk developed ITSI, they took a lot of information or use cases out of ES, where operational use cases can also be security use cases. Those two products need to be more migrated to each other. In the next release of Splunk Enterprise Security, there should be more reporting options.

For how long have I used the solution?

I have been using Splunk Enterprise Security for nine years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as excellent. I've had no problems with downtime, crashes, or performance issues.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization just fine. The licensing for ingest is a different story.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as lacking. The service engineers that we've been getting as part of our weekly or bi-weekly calls with our salesperson, where they've assigned an engineer, have decreased tremendously in quality and expertise over the last few years. People on the team that really know Splunk know a lot more than they do, and it's evident because they don't try anymore. We can still get expert help when we need it.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy. The KV store setup was straightforward.

What was our ROI?

I have seen ROI with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security has been fine. We've renewed since Cisco took over.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to follow the documentation and not build your own stuff.

On a scale of one to ten, I rate this solution a nine.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
DevOps&Cloud Engineer Mentee at CertDirectory.io
Real User
Top 20
Jun 27, 2025
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
  • "Splunk Enterprise Security is fast and well-documented, and its user interface and user interaction are well-designed compared to other SIEM solutions."
  • "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."

What is our primary use case?

My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.

How has it helped my organization?

Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.

What is most valuable?

The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.

One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs. 

Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.

What needs improvement?

AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.

Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.

For how long have I used the solution?

I have been using the solution for approximately one year. I used it for 12 months in the company.

What do I think about the stability of the solution?

It's stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.

How are customer service and support?

I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.

How was the initial setup?

Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.

Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience. 

The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.

Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it. 

What was our ROI?

From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.

The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing. 

Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.

As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.

What other advice do I have?

I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.

I have not used the risk-based alerting feature. It is more for log management and checking the log flow. 

Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.

I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Soc Manager at a real estate/law firm with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
  • "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
  • "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."

What is our primary use case?

Our main use cases for Splunk Enterprise Security include security, detection, and incident response.

How has it helped my organization?

The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.

What is most valuable?

The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.

The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.

Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.

We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.

I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.

One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.

What needs improvement?

Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.

For how long have I used the solution?

We are still at the beginning, just four months into using Splunk Enterprise Security.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.

How was the initial setup?

The deployment was the best that I have gone through so far. We had the professional support, which is something I recommend everyone do, which is like introducing Splunk and having the Splunk professional support personnel advising and supporting through the implementation phase.

What about the implementation team?

We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.

What was our ROI?

The return on investment from Splunk Enterprise Security is still to come.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.

What other advice do I have?

I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Yevheniy Moyko - PeerSpot reviewer
Cyber Security Engineer at Underdefense
Real User
Top 5
Apr 14, 2026
Risk-based alerts have transformed our incident response and reporting to executives
Pros and Cons
  • "Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%."
  • "Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered."

What is our primary use case?

Splunk Enterprise Security serves as our security tool, specifically functioning as a SIEM product.

What is most valuable?

Splunk Enterprise Security's best features include scalability, reliability, and extensive integrations.

The RBA in Splunk Enterprise Security helps us considerably because there are rules that we cannot turn off, but they are spammy rules that we can whitelist. We group them as intermediate findings, making this risk score useful. It saves us time because instead of working on 1,000 alerts per day, we focus on two or three alerts and simply review their impact on our organization.

With Splunk Enterprise Security and our SOC team, we have developed custom rules that adjust the risk scores based on our observations, not merely Splunk's recommendations. It helps considerably because it groups the alerts, gives us information about related alerts, and provides excellent features such as drill-down searches and dashboards, which save our time and decrease mean time to respond and mean time to detect.

Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%. That reduction applies to both response and detection.

Our dashboards and visualizations in Splunk Enterprise Security communicate our security posture to executives effectively, as they are more interested in numbers and money saved rather than technical details. The visualizations allow us to present why they spend money on this solution, and we can create engaging visual stories for them based on the dashboards.

What needs improvement?

The area for improvement with Splunk Enterprise Security is support.

The knowledge base could also be improved.

Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered.

For how long have I used the solution?

I have been using Splunk Enterprise Security for more than eight years.

What do I think about the stability of the solution?

For stability, I give it a ten.

What do I think about the scalability of the solution?

In terms of scalability, I also rate it a ten.

How are customer service and support?

On a scale from 1 to 10, I rate support for Splunk Enterprise Security at a six.

How was the initial setup?

My experience deploying Splunk Enterprise Security is straightforward; I am a certified Splunk architect, which is the highest certification. Based on the documentation, it is easy for non-distributed deployments, but it can be challenging for others with larger infrastructures.

In terms of deployment time for Splunk Enterprise Security, it takes approximately 15 minutes.

What about the implementation team?

For my clients, there are over 200 people using Splunk Enterprise Security.

In my company, we have approximately 30 specialists.

Regarding Splunk Enterprise Security deployment, we utilize both on-premises and cloud setups.

What was our ROI?

The return on investment we see from Splunk Enterprise Security is not straightforward, as it depends on the company; some may not have alerts or impacts, while others, when detecting critical alerts or threats, may realize it has saved them a million dollars. Overall, I estimate the ROI to be approximately 20% to 30%.

Which other solutions did I evaluate?

When comparing Splunk Enterprise Security with other security solutions, I find it to be the best as it consolidates everything in one place. They have updated it with endpoint security and admission control capabilities, allowing you to see every comment and action during an incident, which I have not seen in other solutions such as Elastic, Sumo Logic, or LogRhythm.

What other advice do I have?

Since we do not work with UEBA in Splunk Enterprise Security, I cannot comment on any improvements in threat hunting and investigations. I have seen demos of it, and while it is a remarkable solution, I cannot personally answer that question. I provide this review with an overall rating of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Apr 14, 2026
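The risk-score grouping this review describes (noisy rules left on but allowlisted, local score adjustments, and a handful of findings instead of a thousand alerts) as an added toy simulation; this is not Splunk's code or the reviewer's configuration, and the thresholds, rule names, entities and events are all constructed:

```python
"""Toy model of risk-based alerting (RBA) aggregation.

Constructed example for illustration; it is not Splunk's code and not the
reviewer's configuration. Noisy rules keep firing, each firing only adds a
risk score to the entity it concerns, and a finding for an analyst is raised
only when an entity's accumulated risk crosses a threshold or several
distinct rules agree. Thresholds, rule names and events are all made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "now" so the constructed day is deterministic.
NOW = datetime(2026, 1, 1, 12, 0, 0)

# Assumed tuning knobs (constructed; Splunk ES ships its own defaults).
RISK_THRESHOLD = 100        # accumulated risk that raises a finding
MIN_DISTINCT_RULES = 3      # or: this many different rules hit one entity
WINDOW = timedelta(hours=24)

# Allowlist of (rule, entity) pairs known to be benign, e.g. the internal
# vulnerability scanner tripping the port-scan rule. The rule stays on;
# only this pair is suppressed, which is the "whitelist" the review mentions.
ALLOWLIST = {("port_scan_detected", "vulnscanner01")}

# Local adjustments from SOC observations: multiply a rule's base score.
RULE_WEIGHT = {"port_scan_detected": 0.5, "new_admin_account": 2.0}


@dataclass(frozen=True)
class RiskEvent:
    ts: datetime
    rule: str      # name of the detection rule that fired
    entity: str    # user or host the rule fired on
    score: int     # base risk score assigned by the rule


def adjust(event):
    """Effective score for an event: 0 if allowlisted, else weighted base score."""
    if (event.rule, event.entity) in ALLOWLIST:
        return 0
    return int(round(event.score * RULE_WEIGHT.get(event.rule, 1.0)))


def aggregate(events, now=NOW):
    """Sum adjusted risk per entity inside the window and track distinct rules."""
    totals = defaultdict(int)
    rules = defaultdict(set)
    for e in events:
        if now - e.ts > WINDOW:
            continue            # stale: outside the aggregation window
        s = adjust(e)
        if s == 0:
            continue            # suppressed pair contributes nothing
        totals[e.entity] += s
        rules[e.entity].add(e.rule)
    return totals, rules


def findings(events, now=NOW):
    """Entities whose risk crosses the threshold or that hit enough distinct rules.

    Returns (entity, total_risk, sorted rule names), highest risk first.
    """
    totals, rules = aggregate(events, now)
    out = [(ent, tot, sorted(rules[ent])) for ent, tot in totals.items()
           if tot >= RISK_THRESHOLD or len(rules[ent]) >= MIN_DISTINCT_RULES]
    return sorted(out, key=lambda f: -f[1])


def constructed_day(now=NOW):
    """A constructed day of risk events: mostly noise plus two real cases."""
    def m(mins):
        return now - timedelta(minutes=mins)

    events = []
    # 900 port-scan hits from the allowlisted scanner: would be 4,500 risk
    for i in range(900):
        events.append(RiskEvent(m(i), "port_scan_detected", "vulnscanner01", 10))
    # 100 scattered failed logons, two per workstation: 10 risk per host
    for i in range(100):
        events.append(RiskEvent(m((i * 7) % 1440), "failed_logon",
                                f"ws{i % 50:02d}", 5))
    # Case 1: one user with 25 failed logons in just over an hour (125 risk)
    for i in range(25):
        events.append(RiskEvent(m(3 * i), "failed_logon", "jdoe", 5))
    # Case 2: one server hit by three different rules, each modest on its own
    events.append(RiskEvent(m(30), "powershell_encoded_command", "srv-db01", 20))
    events.append(RiskEvent(m(20), "new_admin_account", "srv-db01", 20))
    events.append(RiskEvent(m(10), "outbound_to_rare_domain", "srv-db01", 20))
    # A high-scoring event from yesterday, already outside the window
    events.append(RiskEvent(now - timedelta(hours=25), "malware_detected",
                            "old-laptop", 200))
    return events


if __name__ == "__main__":
    evs = constructed_day()
    print(f"{len(evs)} risk events in, {len(findings(evs))} findings out")
    for entity, total, rule_names in findings(evs):
        print(f"  {entity}: risk={total} rules={rule_names}")
```

Running it turns 1,029 risk events into two findings: the user who accumulated risk from one rule, and the server where three different rules agree even though none crossed the threshold alone.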
PeerSpot user
Senior Vice President at Mindsprint
Real User
Top 20
Jun 16, 2026
Risk-based monitoring has improved threat detection speed and supports custom SOC use cases
Pros and Cons
  • "Regarding the impact on threat detection capabilities, it provides a faster mean time to detect."
  • "We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier."

What is our primary use case?

Splunk Enterprise Security is used for our SOC, the Security Operations Center, which provides 24/7 monitoring. I am using disparate security solutions to integrate or import data into Splunk Enterprise Security. We use Splunk Enterprise Security to ingest the logs and do the monitoring.

As for alerting, especially risk-based alerting, it works well. It supports the use cases that we are looking for. Splunk Enterprise Security supports my SOC in terms of developing any new use cases. If we have any custom integration requirements or any custom use cases, we can easily develop that in Splunk Enterprise Security, and that's how we are able to leverage Splunk Enterprise Security for any custom use cases.

What is most valuable?

The biggest advantage for me in Splunk Enterprise Security is all the ready-made integrations and the connectors that are available. Integration is the strongest part; the connectors and the built-in connectors are the strongest part which allow the integration.

My impression of processes such as customization, developing, testing, deploying, and refining detections is that it works as designed for all the detections and all the new capabilities that we can leverage. It works very well.

Integration supports my security operations. When it comes to remediation, we are not using it for remediation with Splunk Enterprise Security; Splunk Enterprise Security is purely for detection. Remediation has to be done by the respective teams using their own tool sets.

Regarding the impact on threat detection capabilities, it provides a faster mean time to detect. The team is able to respond faster because we are using Splunk Enterprise Security and we are able to ingest all the logs from various sources. Our team is able to detect faster any threats which are emerging across the world and across different types of log sources. As for the overall dwell time of an attacker or any kind of attack that we see, we are able to respond much faster because we are able to detect it in the first place much faster.

What needs improvement?

There is something in Splunk Enterprise Security which is not perfect. What we are seeing is not on the technology side, but on the pricing and support side since Cisco took over. We have seen that the pricing has gone higher and the support quality has not kept up or was not as good as it was earlier. These are the two things we see as areas for improvement.

Regarding the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.

I would like to see some additional features, more on the AI detection and automatic detection using AI capability. Although Splunk Enterprise Security has some amount of AI capability, what we would like to see is more on the detection side, how AI can help and how Splunk Enterprise Security can introduce those features as part of the built-in platform itself.

For how long have I used the solution?

I started working with Splunk Enterprise Security about six or seven years ago.

What do I think about the stability of the solution?

Splunk Enterprise Security is very reliable and stable. Reliability is also very good.

What do I think about the scalability of the solution?

Regarding scalability for Splunk Enterprise Security, scalability is very good. We have scaled it about four times over the past six years in terms of the log size. Scalability is very good.

How are customer service and support?

As for the issue with support, it takes longer for support to come back to us and then it goes through multiple layers of escalation before we get to the right person.

What other advice do I have?

Splunk Enterprise Security is a product worth buying if you are able to leverage all the features and the capabilities, or if the team is strong enough to leverage all of them.

The percentage of savings depends on what we are comparing. It is straightforward; if the team is experienced with Splunk Enterprise Security, it is quite straightforward and quite fast.

Regarding business resilience, Splunk Enterprise Security does improve business resilience because I am able to protect my assets and hence improve the resilience. I am able to solve problems in real time, to predict, and to identify threats. It helps my detection to be faster, which is about 40 percent faster. The overall review rating for this product is 8 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 16, 2026
PeerSpot user
Manish Arora - PeerSpot reviewer
Senior Client Partner at KyndleIT Consulting
Real User
Top 5
May 26, 2026
Security operations have unified threat detection and response across diverse data sources
Pros and Cons
  • "Splunk collects much more data as compared to traditional SNMP related tools, and log traces will eventually provide you much better and true information on which you can take actionable actions on top of it."
  • "Cost is something which is a major factor."

What is our primary use case?

The clients who are using Splunk Enterprise Security are primarily using it for security as a SIEM solution, or they are also using Splunk Observability.

Generally, when you have the complete set of solutions such as EDR or DLP and then on top of it, if you have a solution such as SIEM, which is collecting logs and everything and then correlating that particular data, it takes somewhere around five to ten minutes to identify and start working on that particular issue.

What is most valuable?

The biggest advantage, if I talk about observability, is ease of use. The customers use OTEL collectors, and since this is an open OTEL collector, it is not bound to Splunk itself. That is something which is good.

Customization requires good effort, but it is doable. Being in professional services, we do this particular part. Splunk Enterprise Security provides flexibility to write those rules and regular expressions and other tools, wherein you can filter the traffic based on different kinds of policies.

It definitely helps because when you use different sets of solutions which work on SNMP, they will only poll that data and then they will collect and provide you some information on top of it. Splunk collects much more data as compared to traditional SNMP related tools. Log traces will eventually provide you much better and true information on which you can take actionable actions on top of it. With respect to unified security operations, it helps to consolidate both SIEM and SOAR so that you can quickly detect, investigate and neutralize cyber threats. They can integrate with third-party SOAR solutions, and they also have internal capabilities for SOAR.

What needs improvement?

Cost is one major factor. The reason is because they primarily work on the ingestion of data, wherein it becomes a choice for large customers who have deep pockets to spend money on Splunk Enterprise Security. If the customer does not have that much budget, then obviously they will not go for Splunk Enterprise Security. They will go for a similar set of solutions such as Elastic in that case. Cost is something which is a major factor.

In integrations, a good amount of integrations are already available, but integration with newer AI components or tools and upcoming tools such as Claude or ChatGPT will obviously take some more time to evolve perfectly so that these tools become easier to use and align to an organization's environment.

For how long have I used the solution?

I have been using the solution for somewhere around four years.

What do I think about the stability of the solution?

Splunk Enterprise Security is a stable product.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable. You can horizontally expand it with forwarders and universal forwarders. It's scalable.

Which solution did I use previously and why did I switch?

We have been in business for the last eight years. Before our partnership with Splunk, we worked with Broadcom. Now we are also working with Elastic.

How was the initial setup?

The initial setup is straightforward and not that complex. Initially, you will struggle, but once you are done with one or two installations, then it is pretty straightforward.

What about the implementation team?

I am an implementation partner and not a direct customer of Splunk. I do implementation work.

What was our ROI?

With respect to Splunk Enterprise Security ROI, it is a costly solution. It is not something which can be adopted by every organization. Splunk Enterprise Security needs to come up with something different. When we speak to Splunk representatives, they boast about being a costly solution, but that does not make any sense because if you are not able to fit yourself with the customer and Datadog or Elastic is competing with you, then that is one part which they need to address. Rather than positioning themselves as a costly solution, they should work on something which can actually fit the customers as well as provide implementation partners like us with opportunities to work on certain projects. With respect to ROI, it takes a good amount of time because by the time you get the product installed in your environment, you start using it and you realize how much data needs to be ingested and then you fine-tune them. I think it takes a good amount of time because by that time, Splunk will take a good amount of licensing cost from the customer.

Which other solutions did I evaluate?

We are using other security tools. We are using API security, Symantec products for different customers, or CrowdStrike EDR. We generally ingest logs, metrics and traces from all these different solutions into Splunk Enterprise Security.

We are also using Elastic. The main part is for smaller customers or a limited set of customers, Elastic provides the community version. You can go and install the community version and seventy to eighty percent of the features are available, and the customer can start using it. They don't intend to use Splunk Enterprise Security in that case because that's free, and only a nominal services fee will be charged from these kinds of customers. Elastic also has the observability as well as the ELK stack, Kibana, dashboards and other tools. That part does not make too much of a difference. The major difference between both of the products is obviously pricing.

What other advice do I have?

Splunk Enterprise Security is the most significant challenge. I rate this product at nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Integrator
Last updated: May 26, 2026
PeerSpot user
R Nandasana - PeerSpot reviewer
Senior Information Technology Security Consultant at Mideast Data Systems
Real User
Top 5Leaderboard
May 7, 2026
Advanced risk-based alerts have automated threat detection and reduced investigation time
Pros and Cons
  • "Once you complete this setup, the product is amazing and will do all of the work."
  • "The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly."

What is our primary use case?

I have been using Splunk Enterprise Security for the last five years, mainly building use cases for the SOC team. My role involves analyzing logs and writing vulnerability alerts based on what I observe. When security alerts are triggered, the security team receives notifications and takes appropriate action.

For the initial deployment of Splunk Enterprise Security, I cannot say this is easy. It is somewhat complex because when you purchase the product, you have a lot of data. You need to align all of your data so that it fits Splunk Enterprise Security standards. Splunk Enterprise Security has custom data models and custom correlation searches that are already defined. You need to modify or set your data according to Splunk Enterprise Security standards. Once you complete this setup, the product is amazing and will do all of the work.

What is most valuable?

The most valuable aspect of Splunk Enterprise Security is that SIEM compliance is one of the best features. I can say this not only because it is Splunk Enterprise Security specific, but also because it is Splunk specific. All data coming in needs to be placed in the SRC field. All data will be normalized with the SRC field. Whether you are collecting data from a firewall or from numerous products, all data with the same name will be automatically collected by Splunk Enterprise Security alerts. Based on that, you can get all alert triggers and perform any kind of investigations. If something goes wrong, such as someone wrongly accessing servers, you will get everything very quickly based on the authentication data model. The alert part and security investigation part are very good.

Threat intelligence is very helpful because there is a threat intelligence model in Splunk Enterprise Security. It will identify threats from around the world and bring them into Splunk Enterprise Security. AI also helps us. When a wrong IP is detected, an incident will be created in Splunk Enterprise Security. Once you click on the "get more info" button, it will bring all information about where this IP belongs, including location and coordinates. Based on that, you can trigger security incidents and alerts.

I am very familiar with risk-based alerting in Splunk Enterprise Security. Everything in Splunk Enterprise Security is on a risk-based model. When I find an unknown IP detection one time, it is assigned a risk score, as everything is. If I found an unknown IP one time in one hour, the risk score might be five or ten. If the same thing repeats in one hour, for example if an unknown IP tries to log in twenty times in one hour, the score should be higher. Risk-based alerting will check the notables and increase the score. When you have one hit, the risk score will be two. Whenever you have more hits, the risk score increases and the alert severity and alert priority also go high, becoming a P1 or P2 incident for the analyst. Risk-based alerting is a very good feature in Splunk Enterprise Security.

MITRE ATT&CK is helpful for Splunk Enterprise Security. I take reference from this framework whenever I want to create alerts. The first thing I do is check the MITRE ATT&CK framework and read the documentation. In MITRE ATT&CK, there are tables with many rows and columns. I check these tables and review all the alerts. MITRE ATT&CK shows the security framework and the maximum possible things that can be done to secure our platform. From that MITRE ATT&CK reference, I create alerts.

What needs improvement?

The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly. Beyond this, the infrastructure cost is too high. Since we have an on-premises deployment, it is costly for us because we need a lot of storage and a big server.

From a maintenance perspective, Splunk Enterprise Security sometimes requires maintenance because it continuously monitors all alerts and continuously creates incidents. Sometimes the data volume is high and some searches will be skipped automatically. We might have 1,000 searches and sometimes experience a lot of skipped searches. Sometimes if we modify any macro, there can also be issues. We need at least one person for maintenance who can continuously ensure that Splunk Enterprise Security is running fine.

Regarding support for Splunk Enterprise Security, we reach out many times. Initially, we purchased hardware that was not capable enough. Sometimes our server became choked and Splunk was not able to run some searches on Splunk Enterprise Security. These issues were due to hardware limitations. We called a consultant from Splunk who analyzed the platform and fixed the issues. Sometimes we upgraded our platform twice by adding additional disk space and RAM.

We have not upgraded to version 8.0 yet for Splunk Enterprise Security and are currently on version 7.0. We recently scheduled a demo with the Splunk team to learn about Splunk Enterprise Security 8.0 features. However, in version 8.0 they changed everything. Initially, we had an incident review dashboard and risk management dashboard that I was very familiar with. In Splunk 10X, all the names changed and everything was restructured. Currently, I am still learning which old features correspond to the new ones. They changed many things, which is also one of the disadvantages, as the changes were extensive.

What do I think about the stability of the solution?

Splunk Enterprise Security has never crashed. However, sometimes there was lagging, but this was due to our infrastructure because we have an on-premises deployment. I used it in the cloud three or four years ago, and the cloud version is very stable with no scalability issues.

What do I think about the scalability of the solution?

Overall, I can give a rating of nine for the scalability of Splunk Enterprise Security.

How are customer service and support?

Splunk Enterprise Security support deserves a rating of nine.

Which solution did I use previously and why did I switch?

I have never used any alternative to Splunk Enterprise Security. Before Splunk Enterprise Security, we were using Splunk for monitoring purposes, writing queries and preparing alerts. However, this is not what Splunk Enterprise Security does. A normal traditional alert can be scheduled based on Cron or similar methods. Splunk Enterprise Security collects threats from around the world and includes a threat intelligence data model. It manages identity and asset information separately, which cannot be done with our traditional approach.

How was the initial setup?

For the initial deployment of Splunk Enterprise Security, I cannot say this is easy. It is somewhat complex because when you purchase the product, you have a lot of data. You need to align all of your data so that it fits Splunk Enterprise Security. Splunk Enterprise Security has custom data models and custom correlation searches that are already defined. You need to modify or set your data according to Splunk Enterprise Security standards. Once you complete this setup, the product is amazing and will do all of the work.

What other advice do I have?

The mean time to resolve in Splunk Enterprise Security will increase. On other platforms, whenever you create alerts, you only need to see what is there and then troubleshoot everything. In Splunk Enterprise Security, when you create an alert, you can add many additional things. For example, once an unknown IP is detected, it will send an email, create an incident, and create a notable inside the security system. It can do many things and you can add more information. You can check a lookup, check an IP, or follow specific steps. You can add multiple steps to follow as well. All of this will be included with the alert, which resolves a lot of mean time. People do not need to go searching to find how to do things. This significantly reduces the time needed and alerts are immediate. Whenever something goes wrong, you will be notified quickly.

With Splunk Enterprise Security, we detect threats frequently. I work with a major client in the Emirates, and we find a lot of attacks happening and many phishing emails. Sometimes we have two firewalls, one is a DC firewall and one is a Palo Alto firewall, with many compliance requirements. People attempt to access these systems and sometimes send vulnerability emails. For all of these things, we are blocking and detecting with Splunk Enterprise Security and immediately notifying the candidate to not open emails or notifying our team via email.

It reduced the analyst's workload in Splunk Enterprise Security. However, after purchasing Splunk Enterprise Security, we hired more people to analyze the data. By purchasing this product, we came to understand that we can implement additional features and security rules. Our team is continuously and actively working, checking the MITRE ATT&CK framework, finding detections, and implementing them on our platform to make it more secure.

MITRE ATT&CK helps detect patterns that have occurred before.

ES Essentials is in our environment for Splunk Enterprise Security, though I have never focused much on working with it and do not know much about what it does.

Overall, I would rate this review as a nine.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 7, 2026
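The risk-based alerting flow the review describes (a single hit scores low, repeated hits from the same source within one hour push the score and the priority up, and a source that appears in the threat intelligence list weighs more) as an added Python example. This is not part of the review and not Splunk's code; the src/user/action field names mirror the normalized fields the review mentions, while the per-event scores, the one-hour window, the P1/P2/P3 thresholds, the threat-intel list and the sample events are constructed assumptions.

```python
"""Risk-based alerting simulation: accumulate risk per source inside a
sliding one-hour window and map the peak score to an incident priority.

Added example, not Splunk's code and not part of the review. All scores,
thresholds, the threat-intel set and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a threat intelligence lookup (assumed IPs).
THREAT_INTEL_IPS = {"203.0.113.45"}

BASE_RISK = {"failure": 5}   # assumed risk for one failed authentication
THREAT_INTEL_BONUS = 20      # assumed extra risk per event from a listed IP
WINDOW = timedelta(hours=1)  # aggregation window; a lone hit stays low

# Assumed score-to-priority mapping, checked from highest to lowest.
PRIORITY_THRESHOLDS = [(100, "P1"), (50, "P2"), (20, "P3")]


def _t(minute):
    """Timestamp `minute` minutes after a constructed start time."""
    return datetime(2026, 5, 7, 9, 0) + timedelta(minutes=minute)


# Constructed, already-normalized authentication events.
EVENTS = (
    # 20 failures in 20 minutes from one source: the "twenty times in one hour" case
    [{"_time": _t(m), "src": "198.51.100.7", "user": "svc-backup", "action": "failure"}
     for m in range(20)]
    # 4 failures spread 90 minutes apart: never more than one hit per window
    + [{"_time": _t(m), "src": "192.0.2.10", "user": "alice", "action": "failure"}
       for m in (0, 90, 180, 270)]
    # 3 failures from an IP on the threat-intel list
    + [{"_time": _t(m), "src": "203.0.113.45", "user": "admin", "action": "failure"}
       for m in (5, 6, 7)]
    # a normal success, which carries no risk
    + [{"_time": _t(12), "src": "10.0.0.5", "user": "bob", "action": "success"}]
)


def risk_for_event(event):
    """Risk contributed by one event; listed IPs add a bonus to risky actions only."""
    score = BASE_RISK.get(event["action"], 0)
    if score and event["src"] in THREAT_INTEL_IPS:
        score += THREAT_INTEL_BONUS
    return score


def max_window_score(scored, window=WINDOW):
    """Highest sum of (time, score) pairs that fall inside any single window."""
    scored = sorted(scored)
    best = left = running = 0
    for right, (t, s) in enumerate(scored):
        running += s
        # drop events that fell out of the window ending at this event
        while t - scored[left][0] > window:
            running -= scored[left][1]
            left += 1
        best = max(best, running)
    return best


def aggregate_risk(events, window=WINDOW):
    """Peak windowed risk score per risk object (here the src field)."""
    per_src = defaultdict(list)
    for event in events:
        per_src[event["src"]].append((event["_time"], risk_for_event(event)))
    return {src: max_window_score(scored, window) for src, scored in per_src.items()}


def priority_for_score(score):
    """Map an accumulated score to P1/P2/P3, or None below the lowest threshold."""
    for threshold, label in PRIORITY_THRESHOLDS:
        if score >= threshold:
            return label
    return None


def build_notables(events, window=WINDOW):
    """Sources whose windowed risk crossed a threshold, with score and priority."""
    notables = {}
    for src, score in aggregate_risk(events, window).items():
        priority = priority_for_score(score)
        if priority:
            notables[src] = {"risk_score": score, "priority": priority}
    return notables


if __name__ == "__main__":
    for src, notable in build_notables(EVENTS).items():
        print(f"{src}: risk={notable['risk_score']} priority={notable['priority']}")
```

The sliding window is what makes the single-hit source stay quiet: four failures spread over hours never add up, while twenty failures in twenty minutes reach the P1 threshold, and three failures from a listed IP reach P2 on the strength of the threat-intel bonus alone.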