Senior Splunk engineer at a manufacturing company with 10,001+ employees
Helps with the aggregation of all the logs in one place
Pros and Cons
- "The solution's most valuable feature is the aggregation of all the logs in one place, using Enterprise Security's built-in or ESCU use cases to find them."
- "The solution's case management system could be further improved to make it easier for analysts to manage cases."
What is our primary use case?
We use the solution to find systems acting strange or having strange services and security attacks.
How has it helped my organization?
Splunk Enterprise Security helps us sift through tons of data to find relevant information we're looking for as far as activity goes.
What is most valuable?
The solution's most valuable feature is the aggregation of all the logs in one place, using Enterprise Security's built-in or ESCU use cases to find them.
The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.
Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.
Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.
What needs improvement?
The solution's case management system could be further improved to make it easier for analysts to manage cases. The only limiting factor is the amount of data you're sifting through and the overall size of the number of correlations you're looking for.
Buyer's Guide
Splunk Enterprise Security
June 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,632 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk Enterprise Security for seven to eight years.
What do I think about the stability of the solution?
I rate the solution’s stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the solution ten out of ten for scalability.
How are customer service and support?
The solution's technical support is awesome, and I love it.
How would you rate customer service and support?
Positive
How was the initial setup?
I've deployed the solution a few times. The deployment is very labor-intensive and takes a lot of work.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is an expensive solution.
What other advice do I have?
I would recommend the solution to other users.
Overall, I rate the solution a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Head of Digital, Log Monitoring at a manufacturing company with 10,001+ employees
Reduces MTTR, improves efficiency, and centralizes everything
Pros and Cons
- "It is lovely to have everything we need in one tool. Everything is quite centralized."
- "Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk."
What is our primary use case?
Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC.
We also have additional work that is much more tricky. It is related to using AI to detect insider threats.
How has it helped my organization?
We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.
Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.
What is most valuable?
It is lovely to have everything we need in one tool. Everything is quite centralized.
What needs improvement?
AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to leave. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.
Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view.
What do I think about the scalability of the solution?
Its scalability is good provided you have the right license agreements.
How are customer service and support?
It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.
How was the initial setup?
It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.
For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.
What's my experience with pricing, setup cost, and licensing?
Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.
The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.
They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.
We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.
Which other solutions did I evaluate?
I did not evaluate other solutions but the company surely did.
What other advice do I have?
Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.
It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.
Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.
I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
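Both reviews above touch on risk-based alerting: correlation searches add risk to an entity instead of raising an alert each time they fire, and extra context (such as a user who is known to be leaving) can raise that entity's risk so that fewer, better notables reach the analyst. The Python below is an added example written for this page to show how that aggregation works; it is not code from Splunk Enterprise Security or from either reviewer. The risk events, the 80-point threshold, the 24-hour window and the HR-sourced departure multiplier are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events, shaped like what a correlation search contributes to a
# risk index: the entity (risk_object), the rule that fired, a score and a time.
RISK_EVENTS = [
    {"time": "2025-06-01T08:00:00", "risk_object": "alice", "rule": "Multiple Failed Logons", "score": 20},
    {"time": "2025-06-01T08:05:00", "risk_object": "alice", "rule": "Logon From New Country", "score": 30},
    {"time": "2025-06-01T08:20:00", "risk_object": "alice", "rule": "Large Outbound Transfer", "score": 40},
    {"time": "2025-06-01T09:00:00", "risk_object": "bob",   "rule": "Multiple Failed Logons", "score": 20},
    {"time": "2025-06-01T10:00:00", "risk_object": "carol", "rule": "Large Outbound Transfer", "score": 40},
    {"time": "2025-06-02T08:00:00", "risk_object": "carol", "rule": "Logon From New Country", "score": 30},
    {"time": "2025-06-01T10:00:00", "risk_object": "dave",  "rule": "Large Outbound Transfer", "score": 40},
    {"time": "2025-06-02T08:00:00", "risk_object": "dave",  "rule": "Logon From New Country", "score": 30},
]

# Hypothetical HR context (an assumption of this example, not a Splunk feature):
# users with a known departure date get their accumulated risk amplified.
DEPARTING_USERS = {"carol": 1.5}

RISK_THRESHOLD = 80   # score at which a risk notable is raised
WINDOW_HOURS = 24     # sliding window over which scores accumulate


def aggregate_risk(events, departing=DEPARTING_USERS, threshold=RISK_THRESHOLD,
                   window_hours=WINDOW_HOURS):
    """Return one risk notable per entity whose multiplier-adjusted score,
    summed over any window of `window_hours`, reaches `threshold`.

    Each notable is (risk_object, total_score, sorted list of contributing rules).
    """
    window = timedelta(hours=window_hours)
    by_object = defaultdict(list)
    for ev in events:
        by_object[ev["risk_object"]].append(ev)

    notables = []
    for obj, evs in by_object.items():
        evs.sort(key=lambda e: e["time"])
        multiplier = departing.get(obj, 1.0)
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["time"])
            in_window = [e for e in evs[i:]
                         if datetime.fromisoformat(e["time"]) - start <= window]
            total = sum(e["score"] for e in in_window) * multiplier
            if total >= threshold:
                notables.append((obj, total, sorted({e["rule"] for e in in_window})))
                break  # one notable per entity; the analyst sees every contributing rule
    return notables


def alert_reduction(events, **kwargs):
    """Compare alerting on every risk event with alerting on aggregated notables."""
    return len(events), len(aggregate_risk(events, **kwargs))


if __name__ == "__main__":
    for obj, total, rules in aggregate_risk(RISK_EVENTS):
        print(f"notable: {obj} score={total} rules={rules}")
    per_event, notables = alert_reduction(RISK_EVENTS)
    print(f"{per_event} per-event alerts collapsed into {notables} risk notables")
```

With these inputs, eight individual rule firings collapse into two notables: alice crosses the threshold on her own, and carol only does so because the departure multiplier lifts her 70 points to 105, while dave, with identical activity but no HR flag, stays below the line. Dropping the multiplier (an empty `departing` map) leaves only alice, which is the false-positive trade-off the second reviewer describes.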
Senior Director, Detection Engineering Cyber Defense Services at an insurance company with 5,001-10,000 employees
Offers users with a single-point-of-view dashboard for incident response
Pros and Cons
- "It is a very stable solution. I never really had a hiccup with the tool."
- "The area of concern revolves around the fact that Splunk is an expensive product."
What is our primary use case?
I use the solution in my company, and most of the use cases are security-specific. My company uses it to transfer from our detection engineering team to our incident response team. For observability, our company is looking for security events within the tool, and we are logging all the critical security infrastructure and security-relevant logs to a platform for security operations.
How has it helped my organization?
The tool has helped to streamline our company's mean time spent in understanding security-relevant events and mitigating those risks.
What is most valuable?
Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.
The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.
It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.
Splunk Enterprise Security provides our company with the relevant context to help guide our investigations. The tool has allowed us to gain better visibility and accuracy into security events.
The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.
My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.
What needs improvement?
I think Splunk is already improving its products. Some of the features that Splunk has been bringing out, like Splunk Attack Analyzer, while covering some of the other areas, like regulatory compliance and asset security, are good. It is just a matter of the customers being able to see the new features introduced by Splunk and get a demo to see if it makes sense for their work.
I already have Splunk Enterprise Security set up. My company is interested in seeing Splunk Attack Analyzer, and that is why we are dealing with Splunk's point of contact right now.
The area of concern revolves around the fact that Splunk is an expensive product. Splunk's expensive nature is an aspect where improvements are needed.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six to seven years.
What do I think about the stability of the solution?
It is a very stable solution. I never really had a hiccup with the tool. Even for migrations or anything, our company has never had to use Splunk's partners, and it has been a seamless process.
What do I think about the scalability of the solution?
The tool's scalability has been good, but it depends on the organization and how Splunk is being adopted there.
How are customer service and support?
The solution's technical support can be hit or miss, but it is mostly positive. I can't give you all the scenarios, but the one thing that I do like about Splunk is that if there ever is a hiccup, a simple phone call from our end can ensure that Splunk's technical team takes care of our problems. I rate the technical support a ten out of ten.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have used many products in the past, but they were not in my present organization. It has been a long time since I used some products, as it was done back during my engineering days. I used to use HPE ArcSight. I have been through McAfee products, such as McAfee Nitro, back in the day. I have been an active Splunk business owner for almost a decade now.
How was the initial setup?
The product's initial setup phase has been perfect since our company uses the cloud services offered by Splunk.
The solution is deployed on the cloud services offered by Splunk.
What about the implementation team?
The reseller that my company gets in touch with to help with the implementation part is called GuidePoint Security. My company's experience with GuidePoint Security has been good.
What was our ROI?
I think that based on my experience in the organizations that I have been in with Splunk, the tool definitely fetches a return on investment because it allows us to streamline security-relevant events that we need to take care of quickly. Overall, the tool saves us from any impact on our finances and business.
What's my experience with pricing, setup cost, and licensing?
Most of Splunk's customers are trying to find ways to keep the pricing from the ingest licensing model of Splunk down. What that comes down to is that we have to manage the platform. For our company, being a security enterprise and using it for security-relevant data allows us to streamline and control the ingest licensing model because we don't put in a lot of stuff in the tool. We have other things that we output to different data lakes. Splunk has always been on the expensive side.
What other advice do I have?
The ease of deploying the tool, its great customer service, and the development you can do within the tool is very seamless, so I would recommend the product to my peers since it is a great solution.
I rate Splunk Enterprise Security a ten out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Systems Engineer at a consultancy with 10,001+ employees
The user interface is excellent, and it's easy to create dashboards
Pros and Cons
- "The user interface is excellent, and since I'm using Splunk as a power user, it's easy to create dashboards."
- "Customizing our commands should be simpler. Creating custom commands in Splunk requires a long, complex process. For example, we have a command to add all the column data, but we don't have a command to get the average of the column data at the end. It would be useful to have a blank at the end to create our commands and leave the rest to others."
What is our primary use case?
I use Splunk to get logs from the on-prem servers and create dashboards, alerts, and visualizations.
How has it helped my organization?
Splunk has helped us reduce our alert volume. It has sped up our security investigations. For example, it's easy to detect if there are multiple login failures.
It has saved us a lot of time. We previously used OpenShift to collect CPU and memory data for over 900 clusters, so we needed to log in to each cluster to get the details. Even if it only took one minute per cluster, we would spend 900 minutes doing them all, whereas Splunk can collect all the data in under a minute.
What is most valuable?
Splunk's machine learning toolkit helps us predict things like CPU and memory usage. The user interface is excellent, and since I'm using Splunk as a power user, it's easy to create dashboards. Splunk helps monitor multiple cloud environments. We have OpenShift. All of our VMs and servers are present in the cloud.
What needs improvement?
Customizing our commands should be simpler. Creating custom commands in Splunk requires a long, complex process. For example, we have a command to add all the column data, but we don't have a command to get the average of the column data at the end. It would be useful to have a blank at the end to create our commands and leave the rest to others.
For how long have I used the solution?
We have used Splunk for three and a half years.
What do I think about the stability of the solution?
I rate Splunk eight out of 10 for stability.
What do I think about the scalability of the solution?
I rate Splunk seven out of 10 for scalability. The architecture needs to be tweaked, so it might take some time to scale it.
How was the initial setup?
Setting up the architecture is somewhat difficult, but if you follow the steps laid out in the documentation perfectly, you'll understand how to do it. It's medium difficulty.
What's my experience with pricing, setup cost, and licensing?
I don't know the exact pricing, but I know that Splunk is more expensive than competing solutions. At the same time, Splunk provides more features than others, so it's priced fairly. It's worth the money.
What other advice do I have?
I rate Splunk Enterprise Security eight out of 10. SES is an excellent product. While it has some room for improvement, it's constantly adapting and trying to stay ahead of the competition. Adding commands to Splunk can be tedious. Automation, for example, helps to make the task smaller. We use Python scripts for automation.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Group manager at HCM Technologies
It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query
Pros and Cons
- "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most."
- "The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system."
What is our primary use case?
We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.
In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.
How has it helped my organization?
We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.
We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things. They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use.
We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand.
Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.
What is most valuable?
Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.
The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.
What needs improvement?
The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.
Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.
For how long have I used the solution?
I have been using Splunk for five years.
What do I think about the stability of the solution?
Splunk is stable. We haven't had any downtime or performance issues.
How are customer service and support?
I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing.
ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most.
What's my experience with pricing, setup cost, and licensing?
Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.
If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. There's always room for improvement.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
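Two points from the reviews above lend themselves to a concrete illustration: the systems engineer's note that multiple login failures are easy to detect once the logs are centralized, and the group manager's advice to filter Windows endpoint events down to the security-relevant ones (login failures, password resets, privilege changes) before they count against ingest. The Python below is an added example written for this page, not code from Splunk or from either reviewer. The log lines are constructed in a compact key=value form rather than the real WinEventLog layout; the event IDs on the allow-list are genuine Windows Security event IDs, but the allow-list itself, the five-failures-in-ten-minutes threshold and the user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log lines in a compact key=value form for this
# example (real WinEventLog events are far more verbose, which is exactly why
# filtering them before they reach the indexer saves license volume).
RAW_EVENTS = [
    "2025-06-03T09:00:01 EventCode=4624 Account_Name=alice Workstation=WS01",
    "2025-06-03T09:00:05 EventCode=5156 Account_Name=- Workstation=WS01",
    "2025-06-03T09:01:00 EventCode=4625 Account_Name=bob Workstation=WS02",
    "2025-06-03T09:01:20 EventCode=4625 Account_Name=bob Workstation=WS02",
    "2025-06-03T09:01:40 EventCode=4625 Account_Name=bob Workstation=WS02",
    "2025-06-03T09:02:00 EventCode=4625 Account_Name=bob Workstation=WS02",
    "2025-06-03T09:02:20 EventCode=4625 Account_Name=bob Workstation=WS02",
    "2025-06-03T09:05:00 EventCode=4724 Account_Name=helpdesk Workstation=WS03",
    "2025-06-03T09:06:00 EventCode=5158 Account_Name=- Workstation=WS03",
    "2025-06-03T11:30:00 EventCode=4625 Account_Name=carol Workstation=WS04",
    "2025-06-03T14:00:00 EventCode=4625 Account_Name=carol Workstation=WS04",
]

# Real Windows Security event IDs worth forwarding; everything else (for example
# 5156/5158 Filtering Platform connection noise) is dropped at the edge.
# 4624/4625 logon success/failure, 4720 account created, 4724 password reset
# attempt, 4728/4732 member added to a global/local group, 4738 account changed.
ALLOWED_EVENT_CODES = {4624, 4625, 4720, 4724, 4728, 4732, 4738}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) Workstation=(?P<host>\S+)$"
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m.group("ts")),
        "code": int(m.group("code")),
        "user": m.group("user"),
        "host": m.group("host"),
    }


def filter_events(lines, allowed=ALLOWED_EVENT_CODES):
    """Keep only parseable events whose EventCode is on the allow-list."""
    events = (parse(line) for line in lines)
    return [e for e in events if e is not None and e["code"] in allowed]


def failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Return {user: max failures seen in any `window_minutes` window} for users
    with at least `threshold` failed logons (EventCode 4625) in such a window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["code"] == 4625:
            failures[e["user"]].append(e["time"])

    bursts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it is within `window` of the newest event
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    kept = filter_events(RAW_EVENTS)
    print(f"ingested {len(kept)} of {len(RAW_EVENTS)} events after filtering")
    for user, count in failed_logon_bursts(kept).items():
        print(f"alert: {count} failed logons for {user} within 10 minutes")
```

The filter drops the two Filtering Platform events and keeps nine, and the sliding window flags bob's five failures inside two minutes while ignoring carol's two failures hours apart. In a real deployment the allow-list would be applied on the forwarder (so the noise never consumes license) and the burst logic would be a scheduled correlation search; the window and threshold are the knobs that trade detection speed against false positives.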
Senior Consultant at Ernst & Young
Excellent data dashboards, visualization effects, and threat detection
Pros and Cons
- "Recently, Splunk upgraded to version 9.0.02, which includes excellent data dashboards and visualization effects."
- "We will receive alerts only for the administrators and deployment servers, but not for all servers."
What is our primary use case?
We provide services to our clients as a security operations center and we utilize Splunk Enterprise Security for enterprise security purposes, encompassing various use cases based on client requirements. These include network attacks, malware-related attacks, inbound traffic-related attacks, recurrent activities, web-related detections, internal detections related to root flows, and service account-related use cases.
We are working to secure the enterprise's networks, devices, and infrastructure, as well as enhance overall security. Our goal is to monitor and protect against all types of external cyber-attacks. We will diligently monitor the systems and address any issues at the earliest stage possible.
Splunk Enterprise Security can be deployed both on-premises and in the cloud. We have primarily deployed the solution on Splunk Cloud.
How has it helped my organization?
We utilize Splunk Enterprise Security for monitoring multiple cloud environments. By employing an API, we can deploy various forwarders within Splunk. These forwarders gather logs from diverse cloud sources and other types of sources. Consequently, we have the ability to install an API from the Splunk store, enabling us to seamlessly connect with cloud sources such as CloudWatch, AWS, and other similar platforms. Splunk Enterprise Security offers comprehensive visibility across numerous environments.
Splunk Enterprise Security offers excellent threat detection capabilities to help our organization identify unknown threats. Additionally, we utilize threat feeds that index various anomalies. We have integrated threat intelligence platforms, which provide indicators such as advisories and engagement in case of compromises and attacks. This integration assists us in preventing attacks within our environment. Initially, we can obtain this information through the threat feeds. Consequently, we can restrict and block operating systems either within Splunk itself or through other security tools.
We also utilize threat intelligence. We have access to threat feeds from various sources, such as VPN. The threat intelligence management feature allows us to collect detailed information in the event of a data breach affecting an organization on other websites or within the dark web itself. We receive such information, along with details of any attacks or incidents occurring in different environments worldwide. We can obtain these threat feeds instantly through the cyber news channel mentioned.
The threat topology and MITRE ATT&CK features are integrated, allowing us to obtain the tactics, techniques, and processes necessary to solve any remediation process. By deploying the TTP MITRE ATT&CK framework in any use case, we can acquire a detailed explanation and determine the appropriate course of action to follow. Checking the MITRE enables us to easily resolve and remediate any issues. This helps us address any errors or crashes effectively, by following the simple steps outlined by MITRE. It allows us to easily identify and rectify issues, without the need to involve a senior person if they are unfamiliar with the specific use case. Additionally, it enables us to quickly verify and provide remediation, specifically tailored to the respective team that needs to take action.
Splunk Enterprise Security's ability to analyze malicious activities and detect breaches is advantageous to me. When compared to other tools I have used previously, it involves a straightforward SQL query, allowing me to quickly modify the reports in less than five minutes.
Splunk Enterprise Security has helped us detect threats faster. We can integrate multiple security tools, and we can retrieve logs at any time using simple queries, utilizing various indexes and forwarders. These components handle log parsing and aggregation, enabling us to easily identify all the security rules detected using Splunk. For instance, if we provide a hostname or IP source, we can obtain a list of the security details detected in that specific instance.
Splunk Enterprise Security has helped our organization reduce the threats and breaches from security attacks across various threat factors.
Our clients quickly realize the benefits of Splunk Enterprise Security, which is why they have continued to use it for so many years.
Splunk Enterprise Security has helped us reduce our alert volume. The total reduction in volume depends on the new use cases or devices that are onboarded. Initially, there may be a high alert volume, but we will analyze and work based on those alerts. Through this process, we cannot definitively state the exact percentage reduction, but it does significantly reduce the number of false positives in the environment, thanks to fine-tuning the use cases.
Splunk Enterprise Security has helped accelerate our security investigations. Splunk also offers the Phantom SOAR, although I am not currently utilizing it. However, I am familiar with the Splunk platform, which can automate the process and promptly detect and block various types of actions. We can also easily analyze the Splunk programming language.
Splunk can save our analysts ten minutes of additional time compared to our previous solution when resolving alerts, provided that we have the necessary query knowledge.
What is most valuable?
Recently, Splunk upgraded to version 9.0.02, which includes excellent data dashboards and visualization effects. This upgrade makes it easier for me to implement all the dashboards. I have created a dashboard that showcases all the VPN monthly data in one place, which is a beneficial feature of the new visualization effects.
What needs improvement?
There are deployment servers and other servers, and sometimes Splunk may encounter issues if there are non-reporting devices. We will receive alerts only for the administrators and deployment servers, but not for all servers.
When upgrading Splunk, we encounter certain issues. For instance, it does not accept older versions of the other tools we use. This is the main problem. For example, if we are using a ticketing tool or any other XDR or EDR solutions, we need to upgrade them when we upgrade Splunk. During this process, we will encounter some difficulties, resulting in delays. Ideally, the upgrade process should first accept the current versions and then prompt for an upgrade, allowing us sufficient time to upgrade the other solutions. This helps ensure business continuity, although it may introduce some delays in upgrading all these processes.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
What do I think about the scalability of the solution?
We are satisfied with the scalability of Splunk Enterprise Security. It can increase its capacity and functionality based on our demands.
How are customer service and support?
Splunk technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used ArcSight for Level 1 monitoring in my previous company, and my current company was using Splunk Enterprise Security when I joined.
What was our ROI?
We have witnessed a 60 percent return on investment due to the security that the solution offers to our organization.
What's my experience with pricing, setup cost, and licensing?
Unlike other security tools, Splunk provides a fixed amount of gigabytes per day, and we are required to pay for any additional usage beyond that limit, in addition to our monthly cost. I believe this pricing structure is reasonable for medium and large organizations.
What other advice do I have?
I rate Splunk Enterprise Security nine out of ten.
For an organization that wants a CM solution, going with the cheapest option may work for a small organization, but not for medium and large ones. Splunk Enterprise Security is worth the cost for larger organizations.
Splunk Enterprise Security is deployed in a single location where it collects logs from various assets, infrastructure, and security tools. It serves as a monitoring tool, allowing us to view all the logs in a unified platform, including security tools, network scanners, portability management tools, and other infrastructure components such as Windows servers, Mission servers, and devices. Integration of these components occurs through different platforms like SCM or other platforms, enabling us to monitor everything in a single user interface using Splunk.
Maintenance is necessary for updates and patches. Additionally, we must be prompt with deployments as we need to monitor the health checks of the devices reporting to Splunk. It's crucial to remain active in this process to avoid any potential impact, so we should be mindful of that. Two admins are usually enough for maintenance, and if we encounter any issues, we can contact Splunk client support.
Resilience is important to capture all threat activities and threat speeds, such as IOCs, but we primarily focus on the ESF application. We integrate various threat intelligence platforms, including Splunk, which provides threats from different sources.
I recommend Splunk Enterprise Security as long as it fits within the budget.
Splunk Enterprise Security's single pane of glass enables us to easily monitor everything from one centralized location. Additionally, with its simple query language, we can retrieve all the logs in one place and generate reports quickly. This is exactly what security personnel require: fast reports and comprehensive log monitoring. It allows us to efficiently check all the security tools simultaneously.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director, Information Technology at a government with 501-1,000 employees
Offers complete visibility into the environment and centralized management, but has latency issues when using cloud services
What is our primary use case?
We have an engineering team working on the back end to receive data; they do data modeling and create dashboards. That's been pretty useful.
How has it helped my organization?
Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.
That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location.
Our advanced users can do SPL queries for anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today, from where, what they did, and how often they re-authenticated to the systems.
We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it.
We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general.
It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.
We know that during certain times of the day, a lot of people access a server or website.
Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance.
On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?
So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today, if someone's using his account, or from which devices he accessed data from two different places."
From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.
The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less about how you manage the data, educate your users, and control your system. Based on that, Splunk might play a zero, fifty percent, or seventy-five percent role.
In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.
Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.
It's another aspect that we worry the most about, where our data is floating.
Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom.
What is most valuable?
We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk.
Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.
What needs improvement?
With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.
For how long have I used the solution?
We've been using it for quite a few years now.
Which solution did I use previously and why did I switch?
The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.
Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.
How was the initial setup?
We're not using the cloud version yet. This is just the enterprise product on-premises.
What's my experience with pricing, setup cost, and licensing?
Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.
Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.
What other advice do I have?
Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information.
If you have a network device and a Splunk Enterprise instance, and you have to send data to it, you're relying on network connections.
If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact.
When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you.
If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six, because logging or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Specialist at a manufacturing company with 10,001+ employees
Identifies threats with the help of features like correlation searches
Pros and Cons
- "Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way."
- "Resource usage can probably be described as an area with shortcomings in the product where improvements are required."
What is our primary use case?
I have used the solution in my company since I was an admin for Splunk. Most of the people involved in the use cases associated with the product are those in the SOC team.
How has it helped my organization?
The tool has helped us to identify and analyze the possible threats. The product helps identify threats and do further investigations.
In terms of the benefits I have seen from using Splunk Enterprise Security, I would say that we are still working on implementing Splunk tools.
What is most valuable?
The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.
It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.
Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.
The tool has helped reduce our company's alert volume as the identification process is fast.
Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in less time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.
Splunk Enterprise Security helped reduce our mean time to resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.
Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.
What needs improvement?
I think in the near future, we want to have Splunk Enterprise Security complemented with Splunk SOAR because we have been checking the administrations. It is pretty cool, considering the things that you can do with Splunk Enterprise Security and Splunk SOAR together.
Resource usage can probably be described as an area with shortcomings in the product where improvements are required.
Our company just saw the latest version of the tool here in the Gulf. I am not sure, though, about it because what Splunk showed us was really impressive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years. My company is a customer.
What do I think about the stability of the solution?
It is a stable solution. At my company, there are two Splunk admins. Splunk is so stable that though there are two Splunk admins in the company, nobody complains that something is not working. Stability-wise, I rate the solution a nine out of ten.
What do I think about the scalability of the solution?
Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way.
How are customer service and support?
The solution's technical support offered to users could be much more. At times, I get answers related to Splunk from the support team, which I feel are available on Google. I rate the technical support a seven or eight out of ten. I feel that sometimes the tool's support team uses Google to provide me with answers.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
It was harder to get it working and configured correctly in the past. Things have changed a lot since the first version of the tool was released. I honestly feel comfortable anytime the tool releases something new to be deployed or if there is a new upgrade.
The solution is deployed on an on-premises model. I use the cloud services offered by Azure and AWS.
What was our ROI?
I have not seen a return on investment.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is not a cheap product, but I think it is worth every dollar that you pay.
What other advice do I have?
Considering that the initial configuration is difficult, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.