DevOps & Cloud Engineer Mentee at CertDirectory.io
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
- "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
- "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."
What is our primary use case?
My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.
How has it helped my organization?
Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.
What is most valuable?
The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is the de facto standard among SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.
One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs.
Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.
What needs improvement?
AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.
Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.
Buyer's Guide
Splunk Enterprise Security
August 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,497 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for approximately one year. I used it for 12 months in the company.
What do I think about the stability of the solution?
It's stable. I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.
How are customer service and support?
I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.
How was the initial setup?
Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.
Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience.
The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.
Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it.
What was our ROI?
From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.
The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing.
Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.
As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.
What other advice do I have?
I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.
I have not used the risk-based alerting feature. It is more for log management and checking the log flow.
Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.
I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 27, 2025
System Engineer - Security Presales at Raya Integration
Achieve comprehensive data visibility with versatile language
Pros and Cons
- "Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities."
- "Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems."
- "Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities."
What is our primary use case?
After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.
How has it helped my organization?
Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments.
Splunk provides complete visibility when integrated with all installed appliances and applications.
The threat intelligence management feature is a good add-on for startups, especially given its affordability.
Splunk allows organizations to ingest and normalize data effectively.
Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.
The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.
Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.
It helps our customers improve their organization's business resilience.
The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.
Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.
The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.
Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.
Splunk helps reduce our customer's mean time to resolve.
What is most valuable?
Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities.
What needs improvement?
Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities. Additionally, the pricing could be made more competitive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for almost six months.
What do I think about the stability of the solution?
Splunk is a very stable platform.
What was our ROI?
My customers feel it's a good investment, but Splunk updated its price models recently.
What's my experience with pricing, setup cost, and licensing?
One of Splunk's two major disadvantages is its high cost. The platform requires significant financial investment and resources, making it expensive despite its comprehensive features.
What other advice do I have?
Splunk has disadvantages such as cost and resource requirements. However, once I invest, it's a powerful platform that ranks number one in SIEM and observability. I rate the product nine out of ten due to pricing concerns and threat intelligence management not being advanced.
I believe Splunk is the top SIEM tool. However, the term "enterprise security" is misused when applied to Splunk. While many vendors claim to offer "enterprise security," true enterprise security should cover all aspects of cybersecurity. Splunk excels in SIEM, SOAR, and UEBA, but it doesn't address other crucial areas like firewalls, PAM, or web/mail gateways. Therefore, Splunk shouldn't be categorized as an "enterprise security" solution. Although Splunk leads in SIEM with its superior visibility and observability, it lacks presence in other essential cybersecurity domains.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Feb 10, 2025
CEO at CygenIQ
Improves threat management and has effective analytics
Pros and Cons
- "The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases."
- "Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data."
- "Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives."
What is our primary use case?
We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.
We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.
How has it helped my organization?
Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.
Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.
Splunk helps improve our organization's ability to ingest and normalize data.
Splunk helps us identify threats in real-time.
We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.
Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.
Splunk helped us detect threats faster.
Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.
Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.
I have a positive impression of Splunk's ability to predict, identify, and solve problems.
Splunk Enterprise Security helps reduce our mean time to resolve.
What is most valuable?
The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases.
What needs improvement?
Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives. While its detection capabilities are efficient, there is room to improve its alert volume reduction and false positive management efficiency. Furthermore, enhancements in its integration capabilities with other security infrastructures could optimize its overall effectiveness.
For how long have I used the solution?
I have been using Splunk Enterprise Security for 13 years.
What do I think about the stability of the solution?
In terms of stability, Splunk is good. It provides a stable environment but needs to integrate with ITSM platforms to achieve better visibility.
What do I think about the scalability of the solution?
Splunk Enterprise Security is efficient and scalable, especially for large environments with substantial scalability needs.
How are customer service and support?
The technical support for Splunk met my expectations.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I haven't switched to Splunk from another solution, but I have used various products, such as Google Chronicle, Securonix, ExtraHop, and Sumo Logic, to meet different customer needs. Securonix is used more for behavioural analytics and insider threats, whereas Splunk is used for logging and monitoring.
How was the initial setup?
The initial setup of Splunk Enterprise Security is straightforward, but it does require skilled personnel.
What about the implementation team?
The implementation involved an architect, cloud DevOps engineer, data engineer, full-stack developers, and cybersecurity engineers. A team of five to six members, tailored to different roles, was typical.
What was our ROI?
Splunk's cost is justified for large environments with extensive assets. However, for smaller organizations, other products may provide better value for money.
What's my experience with pricing, setup cost, and licensing?
Splunk is priced higher than other solutions.
What other advice do I have?
I would rate Splunk Enterprise Security nine out of ten.
Splunk Enterprise Security requires continuous maintenance and support, which requires a dedicated team. Previously, seven to eight personnel were focused on platform maintenance. Additional resources may be required to optimize for multiple customer environments.
For those evaluating SIEM solutions solely based on cost, Splunk might not be suitable. It is essential to consider security, context, and specific use cases rather than just choosing based on price. Critical assets need the right platform for effective protection rather than opting for a cheaper solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Dec 22, 2024
SOC Manager at a real estate/law firm with 1,001-5,000 employees
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
- "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
- "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."
What is our primary use case?
Our main use cases for Splunk Enterprise Security include security, detection, and incident response.
How has it helped my organization?
The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.
What is most valuable?
The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.
The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.
Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.
We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.
I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.
One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.
What needs improvement?
Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.
For how long have I used the solution?
We are still at the beginning, just four months into using Splunk Enterprise Security.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.
How was the initial setup?
The deployment was the best that I have gone through so far. We had the professional support, which is something I recommend everyone do, which is like introducing Splunk and having the Splunk professional support personnel advising and supporting through the implementation phase.
What about the implementation team?
We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.
What was our ROI?
The return on investment from Splunk Enterprise Security is still to come.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.
What other advice do I have?
I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Real-time monitoring and alerts enhance performance evaluation and security investigations
Pros and Cons
- "I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours."
- "Overall, I would rate it a nine out of ten."
- "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback."
What is our primary use case?
We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.
My use case is more related to production issues. Threat detection is taken care of by another team.
How has it helped my organization?
It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.
Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.
Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.
Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.
What is most valuable?
I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.
What needs improvement?
Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback.
Splunk's dashboards are pretty basic. In comparison to Grafana, the dashboards are not as detailed. There is room for improvement in that area.
For how long have I used the solution?
I have been using it for about one and a half years now.
What do I think about the stability of the solution?
It is stable. I have not encountered any stability issues so far.
What do I think about the scalability of the solution?
It is easy to scale. We have multiple instances, sub-instances, and prod instances running, so scalability is not a problem.
It is being used by development teams, QA teams, performance teams, and security teams. We have about 500 people using it.
How are customer service and support?
It is good. I have not had any major issues where support was lacking, so I would rate it positively.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In this organization, I did not use any similar solution. In my previous organization, we used APM tools like Dynatrace and AppDynamics, which helped us monitor real-time data and performance. Splunk is a similar tool but offers more capabilities and is also cost-effective.
It was an organizational decision to go with Splunk Enterprise Security. It involved financial considerations and the kind of deal Splunk provided, as we are using the enterprise version and another version. Economics, capabilities, and support were factors.
How was the initial setup?
I was not involved in its deployment. When it comes to maintenance, another team looks after it and takes care of maintenance.
What was our ROI?
I have not been involved in the finance part, so I cannot comment on ROI or costs. However, preventing incidents or solving performance issues saves money, converting time saved to money. Customers are happy. Employees are happy. There is less downtime.
What's my experience with pricing, setup cost, and licensing?
I am not aware of the costs; that is handled by a separate team. I only use it for logs and performance issues.
What other advice do I have?
Instead of going for the cheapest solution available, you should go for the one that meets your needs. It takes time for an organization to onboard a new solution, so it is important to choose the right solution from the start. I believe all available solutions are pretty good, so you should see what suits you better.
It is a great tool. If you learn to navigate it, you can access a wide range of information about any application or product. It is a very helpful tool, provided you know how to use it.
Overall, I would rate it a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer (Partner).
Last updated: Mar 2, 2025
Assistant VP, Data Loss Prevention at State Street
Creating custom detections has accelerated threat response and improved team independence
What is our primary use case?
My main use case for Splunk Enterprise Security is web uploads.
What is most valuable?
The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.
What needs improvement?
Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.
For how long have I used the solution?
It has been more than three years.
What do I think about the stability of the solution?
I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.
What do I think about the scalability of the solution?
Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.
What other advice do I have?
The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.
My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.
On a scale of 1-10, I rate Splunk Enterprise Security an 8.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Security Consultant at Matiq
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
- "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
- "We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use."
- "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst."
What is our primary use case?
My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per defense in depth across all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxy, as well as IPS, and we are using Defender as Cloud App Security of 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.
How has it helped my organization?
It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures.
We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.
What is most valuable?
The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device.
It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.
What needs improvement?
Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for seven years.
What do I think about the stability of the solution?
This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.
What do I think about the scalability of the solution?
Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.
How are customer service and support?
When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.
How was the initial setup?
For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.
What was our ROI?
We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.
What's my experience with pricing, setup cost, and licensing?
Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.
What other advice do I have?
Overall, I would rate Splunk Enterprise Security a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 12, 2025
SAP Roles and Authorization Consultant at a tech vendor with 10,001+ employees
Supports faster incident response and improved threat detection through flexible customization options
Pros and Cons
- "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability."
- "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability, as it integrates disparate security solutions, offers many out-of-the-box apps through Splunkbase, enables straightforward customization, and supports efficient detection and alerting processes that improve overall business resilience."
- "Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful."
What is our primary use case?
My main use cases for Splunk Enterprise Security are mostly for SOC, detection engineering, and incident response.
How has it helped my organization?
Splunk features benefit my organization as we can use it for any custom needs. That's the biggest benefit of getting it. It doesn't matter what team has what kind of requirements. There's a possibility through Splunk's back-end that we can customize it and make it work.
What is most valuable?
The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability.
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations, as one of the biggest advantages is that Splunk Enterprise Security comes with many apps and applications out of the box through Splunkbase, and there's essentially a connector available for any log source imaginable.
I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security pretty straightforward overall. There's a lot of out-of-box content that can be leveraged and many features available to ensure all configurations are working as expected.
My organization uses risk-based alerting in Splunk Enterprise Security. It supports our SOC by significantly reducing the alert count and allowing analysts to focus on what matters most.
My SecOp team's remediation time for security incidents with Splunk Enterprise Security is definitely faster than other solutions.
I am utilizing new threat detection features in Splunk Enterprise Security, specifically the Assets and Identity Framework and risk-based alerting. These features have improved efficiency and helped reduce false positive counts.
Splunk Enterprise Security has helped improve my organization's business resilience. The flexible pricing models allow us to pick and choose, and I can easily see how different business units are consuming Splunk Enterprise Security, thereby distributing the cost within the organization.
I have recently expanded my usage, and the process was smooth.
What needs improvement?
Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful. A good out-of-box application that can help monitor if the data feeds are feeding in properly or if there is any drop will really help make life easier.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six years now.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security in terms of downtime, crashes, and performance issues, as there are no issues with the availability of the platform since it's cloud-based.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales with the growing needs of my organization as it's highly scalable. As the organization grows, Splunk Enterprise Security can also grow.
How are customer service and support?
I would evaluate customer service and technical support as good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was mostly using Splunk Enterprise Security.
How was the initial setup?
I would describe my experience with deploying Splunk Enterprise Security as time-consuming. It definitely needs some planning and time to ensure that everything is set up and configured properly.
What was our ROI?
I have seen return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I'm not on the licensing side.
What other advice do I have?
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are that it takes some time to get the hang of the platform, and it has a slight learning curve associated with it. Other than that, I have no complaints.
The advice I would give to other organizations considering Splunk Enterprise Security is to try it out and see if it fits their requirements. It's highly flexible, highly customizable, and can scale according to needs.
On our rating scale, I give Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025