DevOps&Cloud Engineer Mentee at CertDirectory.io
Real User
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
  • "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
  • "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."

What is our primary use case?

My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.

How has it helped my organization?

Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.

What is most valuable?

The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.

One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs. 

Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.

What needs improvement?

AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.

Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.

Buyer's Guide
Splunk Enterprise Security
October 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,922 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for approximately one year. I used it for 12 months in the company.

What do I think about the stability of the solution?

It's stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.

How are customer service and support?

I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.

How was the initial setup?

Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.

Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience. 

The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.

Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it. 

What was our ROI?

From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.

The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing. 

Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.

As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.

What other advice do I have?

I have not used the advanced correlation capabilities so much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.

I have not used the risk-based alerting feature. It is more for log management and checking the log flow. 

Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.

I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. Its user interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.

I would rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Hamada Elewa - PeerSpot reviewer
System Engineer - Security Presales at Raya Integration
Real User
Top 5, Leaderboard
Achieve comprehensive data visibility with versatile language
Pros and Cons
  • "Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities."
  • "Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems."
  • "Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities."
  • "Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities."

What is our primary use case?

After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.

How has it helped my organization?

Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments. 

Splunk provides complete visibility when integrated with all installed appliances and applications.

The threat intelligence management feature is a good add-on for startups, especially given its affordability.

Splunk allows organizations to ingest and normalize data effectively.

Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.

The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.

Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.

It helps our customers improve their organization's business resilience.

The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.

Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.

The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.

Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.

Splunk helps reduce our customer's mean time to resolve. 

What is most valuable?

Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities.

What needs improvement?

Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities. Additionally, the pricing could be made more competitive.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost six months.

What do I think about the stability of the solution?

Splunk is a very stable platform.

What was our ROI?

My customers feel it's a good investment, but Splunk updated its price models recently.

What's my experience with pricing, setup cost, and licensing?

One of Splunk's two major disadvantages is its high cost. The platform requires significant financial investment and resources, making it expensive despite its comprehensive features.

What other advice do I have?

Splunk has disadvantages such as cost and resource requirements. However, once I invest, it's a powerful platform that ranks number one in SIEM and observability. I rate the product nine out of ten due to pricing concerns and threat intelligence management not being advanced.

I believe Splunk is the top SIEM tool. However, the term "enterprise security" is misused when applied to Splunk. While many vendors claim to offer "enterprise security," true enterprise security should cover all aspects of cybersecurity. Splunk excels in SIEM, SOAR, and UEBA, but it doesn't address other crucial areas like firewalls, PAM, or web/mail gateways. Therefore, Splunk shouldn't be categorized as an "enterprise security" solution. Although Splunk leads in SIEM with its superior visibility and observability, it lacks presence in other essential cybersecurity domains.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
CEO at CygenIQ
Real User
Top 20
Improves threat management and has effective analytics
Pros and Cons
  • "The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases."
  • "Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data."
  • "Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives."
  • "Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives."

What is our primary use case?

We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.

We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.

How has it helped my organization?

Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.

Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.

Splunk helps improve our organization's ability to ingest and normalize data.

Splunk helps us identify threats in real-time.

We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.

Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.

Splunk helped us detect threats faster. 

Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.

Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.

I have a positive impression of Splunk's ability to predict, identify, and solve problems.

Splunk Enterprise Security helps reduce our mean time to resolve.

What is most valuable?

The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases.

What needs improvement?

Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives. While its detection capabilities are efficient, there is room to improve its alert volume reduction and false positive management efficiency. Furthermore, enhancements in its integration capabilities with other security infrastructures could optimize its overall effectiveness.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 13 years.

What do I think about the stability of the solution?

In terms of stability, Splunk is good. It provides a stable environment but needs to integrate with ITSM platforms to achieve better visibility.

What do I think about the scalability of the solution?

Splunk Enterprise Security is efficient and scalable, especially for large environments with substantial scalability needs.

How are customer service and support?

The technical support for Splunk met my expectations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't switched to Splunk from another solution, but I have used various products, such as Google Chronicle, Securonix, ExtraHop, and Sumo Logic, to meet different customer needs. Securonix is used more for behavioural analytics and insider threats, whereas Splunk is used for logging and monitoring.

How was the initial setup?

The initial setup of Splunk Enterprise Security is straightforward, but it does require skilled personnel.

What about the implementation team?

The implementation involved an architect, cloud DevOps engineer, data engineer, full-stack developers, and cybersecurity engineers. A team of five to six members, tailored to different roles, was typical.

What was our ROI?

Splunk's cost is justified for large environments with extensive assets. However, for smaller organizations, other products may provide better value for money.

What's my experience with pricing, setup cost, and licensing?

Splunk is priced higher than other solutions.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security requires continuous maintenance and support, which requires a dedicated team. Previously, seven to eight personnel were focused on platform maintenance. Additional resources may be required to optimize for multiple customer environments. 

For those evaluating SIEM solutions solely based on cost, Splunk might not be suitable. It is essential to consider security, context, and specific use cases rather than just choosing based on price. Critical assets need the right platform for effective protection rather than opting for a cheaper solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Manager at a real estate/law firm with 1,001-5,000 employees
Real User
Top 20
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
  • "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
  • "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."

What is our primary use case?

Our main use cases for Splunk Enterprise Security include security, detection, and incident response.

How has it helped my organization?

The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.

What is most valuable?

The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.

The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.

Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.

We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.

I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.

One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security - a unique feature compared to other SIEM tools.

What needs improvement?

Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.

For how long have I used the solution?

We are still at the beginning, just four months into using Splunk Enterprise Security.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.

How was the initial setup?

The deployment was the best that I have gone through so far. We had professional support, which is something I recommend to everyone introducing Splunk: having Splunk professional support personnel advising and supporting you through the implementation phase.

What about the implementation team?

We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.

What was our ROI?

The return on investment from Splunk Enterprise Security is still to come.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.

What other advice do I have?

I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
GautamKar - PeerSpot reviewer
Staff Performance Engineer at ServiceNow
MSP
Top 10
Real-time monitoring and alerts enhance performance evaluation and security investigations
Pros and Cons
  • "I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours."
  • "Overall, I would rate it a nine out of ten."
  • "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback."
  • "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us."

What is our primary use case?

We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.

My use case is more related to production issues. Threat detection is taken care of by another team.

How has it helped my organization?

It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.

Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.

Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.

Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.

What is most valuable?

I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.

What needs improvement?

Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback. 

Splunk's dashboards are pretty basic. In comparison to Grafana, the dashboards are not as detailed. There is room for improvement in that area.

For how long have I used the solution?

I have been using it for about one and a half years now.

What do I think about the stability of the solution?

It is stable. I have not encountered any stability issues so far.

What do I think about the scalability of the solution?

It is easy to scale. We have multiple instances, sub-instances, and prod instances running, so scalability is not a problem.

It is being used by development teams, QA teams, performance teams, and security teams. We have about 500 people using it.

How are customer service and support?

It is good. I have not had any major issues where support was lacking, so I would rate it positively.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In this organization, I did not use any similar solution. In my previous organization, we used APM tools like Dynatrace and AppDynamics, which helped us monitor real-time data and performance. Splunk is a similar tool but offers more capabilities and is also cost-effective.

It was an organizational decision to go with Splunk Enterprise Security. It involved financial considerations and the kind of deal Splunk provided, as we are using the enterprise version and another version. Economics, capabilities, and support were factors.

How was the initial setup?

I was not involved in its deployment. When it comes to maintenance, another team looks after it and takes care of maintenance.

What was our ROI?

I have not been involved in the finance part, so I cannot comment on ROI or costs. However, preventing incidents or solving performance issues saves money, converting time saved to money. Customers are happy. Employees are happy. There is less downtime.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the costs; that is handled by a separate team. I only use it for logs and performance issues.

What other advice do I have?

Instead of going for the cheapest solution available, you should go for the one that meets your needs. It takes time for an organization to onboard a new solution, so it is important to choose the right solution from the start. I believe all available solutions are pretty good, so you should see what suits you better.

It is a great tool. If you learn to navigate it, you can access a wide range of information about any application or product. It is a very helpful tool, provided you know how to use it. 

Overall, I would rate it a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Jeanette Pavelka - PeerSpot reviewer
Assistant VP, Data Loss Prevention at State Street
Real User
Top 10
Creating custom detections has accelerated threat response and improved team independence

What is our primary use case?

My main use case for Splunk Enterprise Security is web uploads.

What is most valuable?

The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.

What needs improvement?

Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.

For how long have I used the solution?

It has been more than three years.

What do I think about the stability of the solution?

I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.

What do I think about the scalability of the solution?

Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.

What other advice do I have?

The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.

My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.

On a scale of 1-10, I rate Splunk Enterprise Security an 8.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at Matiq
Consultant
Top 20
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
  • "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
  • "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use."

What is our primary use case?

My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per defense in depth across all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxy, as well as IPS, and we are using Defender as Cloud App Security of 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.

How has it helped my organization?

It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures. 

We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.

What is most valuable?

The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device. 

It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.

What needs improvement?

Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.

What do I think about the scalability of the solution?

Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.

How are customer service and support?

When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.

How was the initial setup?

For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.

What was our ROI?

We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
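The review above describes correlation rules that raise notables for brute-force attacks and user login failures, and a risk-based score that accumulates per user or entity. The following is an added illustration, not code from the reviewer, from PeerSpot or from Splunk: it reproduces in plain Python what such a correlation search does, so the detection logic can be read and tested outside the SIEM. The log format, field names (`user`, `src`, `action`), the five-failures-in-60-seconds threshold and the risk point values are all assumptions chosen for the example, and the sample events are constructed.

```python
"""Brute-force / login-failure detection with risk scoring (added example).

Models two pieces of Splunk ES-style logic outside the SIEM:
  1. a correlation rule: N authentication failures for the same
     (user, source) pair inside a sliding time window raises a notable;
  2. risk-based alerting: every failure adds risk to the user, a notable
     adds more, and a user whose accumulated risk crosses a threshold is
     surfaced as a risk alert.
Thresholds, field names and log format are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like key=value layout (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth user=alice src=10.0.0.5 action=failure",
    "2024-05-01T10:00:05Z auth user=alice src=10.0.0.5 action=failure",
    "2024-05-01T10:00:09Z auth user=alice src=10.0.0.5 action=failure",
    "2024-05-01T10:00:12Z auth user=alice src=10.0.0.5 action=failure",
    "2024-05-01T10:00:15Z auth user=alice src=10.0.0.5 action=failure",
    "2024-05-01T10:00:20Z auth user=alice src=10.0.0.5 action=success",
    "2024-05-01T10:01:00Z auth user=bob src=10.0.0.9 action=failure",
    "2024-05-01T10:30:00Z auth user=bob src=10.0.0.9 action=failure",
]

FAIL_THRESHOLD = 5            # failures that trigger a notable
WINDOW = timedelta(seconds=60)  # sliding window for counting failures
RISK_PER_FAILURE = 10         # risk points added per failed login
RISK_PER_NOTABLE = 50         # extra risk when a notable fires
RISK_ALERT_THRESHOLD = 80     # accumulated risk that produces a risk alert


def parse_event(line):
    """Turn one log line into a dict of fields plus a parsed _time."""
    ts_str, _source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Run the correlation rule and risk scoring over raw log lines.

    Returns (notables, risk_by_user, risk_alerts). ISO-8601 timestamps sort
    lexically, so sorting the raw lines orders events by time.
    """
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    risk = defaultdict(int)        # user -> accumulated risk score
    notables = []

    for line in sorted(lines):
        ev = parse_event(line)
        if ev["action"] != "failure":
            continue  # only failures count toward brute-force detection
        key = (ev["user"], ev["src"])
        window_events = failures[key]
        window_events.append(ev["_time"])
        # Drop failures that fell out of the sliding window.
        while window_events and ev["_time"] - window_events[0] > window:
            window_events.popleft()
        risk[ev["user"]] += RISK_PER_FAILURE
        if len(window_events) >= threshold:
            notables.append({
                "rule": "Excessive failed logins",
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(window_events),
                "first_seen": window_events[0],
                "last_seen": ev["_time"],
            })
            risk[ev["user"]] += RISK_PER_NOTABLE
            window_events.clear()  # one burst yields one notable, not one per extra failure

    risk_alerts = [u for u, score in risk.items() if score >= RISK_ALERT_THRESHOLD]
    return notables, dict(risk), risk_alerts


if __name__ == "__main__":
    found, scores, alerts = detect(SAMPLE_LOGS)
    for n in found:
        print(f"NOTABLE {n['rule']}: user={n['user']} src={n['src']} "
              f"failures={n['failures']} window={n['first_seen']}..{n['last_seen']}")
    print("risk scores:", scores)
    print("risk alerts:", alerts)
```

On the constructed sample, alice's five failures within 14 seconds raise one notable and push her risk to 100, so she also appears as a risk alert; bob's two failures are 29 minutes apart, so they never share a window and he stays at a risk of 20 with no notable. The point of keeping both mechanisms is the one the review makes: a single noisy failure burst is visible as a notable, while the risk score lets lower-level signals from different rules add up on the same user before an analyst is paged.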
GuruPrasad3 - PeerSpot reviewer
Cyber Security Manager at a tech vendor with 10,001+ employees
Real User
Top 20
Provides strong threat visibility and MITRE coverage but lacks AI features and cost flexibility
Pros and Cons
  • "Splunk Enterprise Security would provide better capabilities and out-of-box detections."
  • "We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs."

What is our primary use case?

We use Splunk Enterprise Security for our security monitoring and incident management. This is our global application that we are using for security monitoring and compliance.

How has it helped my organization?

We've seen some good improvements from a business perspective, particularly regarding security monitoring. However, when I consider our current challenges and future roadmap, I don't believe Splunk Enterprise Security has the capabilities we need. We previously faced challenges with QRadar, which prompted us to migrate to Splunk Enterprise Security. While Splunk Enterprise Security has addressed the past issues we encountered, it fails to meet our future requirements. Currently, it effectively addresses existing threats, but it doesn’t tackle advanced threats, which is a significant challenge we foresee with Splunk. There is still a lot of room for improvement.

What is most valuable?

With the Classic flavor we have in our company, the feature that I find good in Splunk Enterprise Security is from the MITRE coverage point of view, and then the level of information that it provides. The integration with its own SOAR platform is also one of the pros.

What needs improvement?

From the product point of view and deployment point of view, Splunk Enterprise Security is satisfactory. It is not simple; it is at a medium level when it comes to deployment and management of the tool altogether. This includes not only the enterprise platform but also other components such as deployment servers or the Splunk agents we use for collecting logs. When comparing it with different vendors in the industry, from the deployment and maintenance point of view, it is not up to the level of other vendors. 

When discussing the drawbacks, it's important to note that the flavor I’m currently using is called "Classic." Unfortunately, this platform does not offer any of the new features that Splunk introduces. As a result, we are the last ones to find out about new capabilities, and we’re also slow to implement them. Splunk tends to release new features with different flavors of their platform, and being on the Classic flavor means we are least likely to receive the latest updates. This is a significant concern I have regarding Splunk.

When comparing Splunk Enterprise Security with next-gen SIEMs, we look for AI and ML models being incorporated in such a way that it automatically should be able to detect behavioral-based detections. It should be able to detect behaviors from logs and show us the entire attack surface and blast radius of any particular incident, which is primarily missing.

The capability of AI, Artificial Intelligence, is missing, which would help to automatically detect and read data comprehensively. Splunk lacks the new native solutions for agent deployment, which is essential for a large enterprise.

Currently, there is Machine Learning in Splunk Enterprise Security, but that is resource exhaustive and complex, bringing an impact onto our overall stack performance. Technical expertise in Machine Learning is required, and continuous monitoring is needed to ensure Machine Learning learns about our data to provide results, which is resource exhaustive, time-consuming, and costly.

Artificial Intelligence is missing in the Splunk Enterprise Security platform, which would help us read the data automatically, learn from it, and provide attack surface area from a 360-degree perspective. The fixed pricing model requires upfront purchase based on assumptions and roadmap, requiring payment for the next two to three years regardless of usage.

For how long have I used the solution?

I have been using Splunk Enterprise Security for around three years.

What do I think about the stability of the solution?

On a stability scale, I would rate it an eight out of ten.

What do I think about the scalability of the solution?

Regarding scalability, I would rate it a seven out of ten. I don't have the pay-as-you-go model.

We have 150 users using this solution.

How are customer service and support?

Whenever we raise any support case in Splunk, even after providing the required information, if a person is working on it and it gets transferred or handed over to a different representative in a different shift, they keep asking the same questions and requesting more details. Even when we ask for a call, even for P1 or P2 incidents, they keep going around asking for details. When we request P1 or P2 support, it would be wise to get into a call, get all the details, and have a troubleshooting call to address the issue on a priority basis. The technical support representatives keep transferring the tickets during shift handover, and different representatives ask the same questions multiple times, wasting our precious time. The issue doesn't get resolved until I escalate it to their higher management.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using QRadar previously. We had legacy systems, and from the volume and log source point of view, from the costing perspective and detection point of view, we thought Splunk Enterprise Security was far better than QRadar. Splunk Enterprise Security would provide better capabilities and out-of-box detections. These were some of the things that we saw, and Splunk Enterprise Security was also one of the leaders in SIEM technology. However, once we started using Splunk Enterprise Security, we discovered it was not the right tool.

How was the initial setup?

The initial setup was of medium complexity. It took approximately 8 to 12 months to migrate from QRadar to Splunk Enterprise Security. 

The cloud platform we are using is maintained by the Splunk team itself. However, when it comes to our on-premises deployment, the maintenance is very high, cumbersome, and costly from both resource and time perspectives.

What was our ROI?

We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs. That's one of the pain points I see with Splunk Enterprise Security. There haven't been any savings.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security comes with high fixed costs. That's one of the disadvantages. When comparing with different vendors, they offer pay-as-you-use models, which is more user-friendly, but Splunk Enterprise Security comes with fixed pricing.

Which other solutions did I evaluate?

We use different security tools as well.

What other advice do I have?

For any user who wants to have a cost-efficient and next-gen SIEM solution, I wouldn't recommend Splunk Enterprise Security. However, if a user is not concerned about cost and is looking for an on-premises solution, then I would suggest Splunk Enterprise Security. For anyone who wants to go for a cloud and cost-effective solution with next-gen capability, I wouldn't recommend this.

I would rate it a seven out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2025