Sunil K R - PeerSpot reviewer
Senior Software Engineer at Wipro Limited
Real User
Top 10
Helps improve our incident response time, and our mean time to resolve, but visibility is limited
Pros and Cons
  • "The most valuable features are the service analyzer and Glass Tables."
  • "The end-to-end visibility in Splunk ITSI is limited and has room for improvement."

What is our primary use case?

We use Splunk ITSI to monitor the different stages, spaces, and processes of payment operation.

How has it helped my organization?

Splunk helps us improve our incident response time. We have a dedicated observability monitoring team that continuously monitors our systems for failures or delays in payments, 24/7. This monitoring generates alerts that we use to identify potential issues. We have established SLAs for all of these issues. Splunk allows us to alert the appropriate people well in advance of a potential breach, so they can resolve the issue faster and minimize downtime.

I would rate Splunk's predictive analytics for preventing incidents an 8 out of 10.

Splunk ITSI has helped reduce our mean time to resolve.

What is most valuable?

The most valuable features are the service analyzer and Glass Tables.

What needs improvement?

Since ITSI is primarily used for monitoring-related services, it would be beneficial if Splunk offered pre-built dashboards or a drag-and-drop interface for creating custom dashboards. This would simplify the process for users, especially for monitoring basic services like Windows and Linux servers. Currently, Splunk doesn't provide this functionality, requiring users to write queries and build dashboards manually. Including pre-built panels would significantly enhance the value of Splunk for ITSI users.

The end-to-end visibility in Splunk ITSI is limited and has room for improvement.

Buyer's Guide
Splunk ITSI (IT Service Intelligence)
June 2025
Learn what your peers think about Splunk ITSI (IT Service Intelligence). Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
859,579 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk ITSI for over 1 year.

What do I think about the stability of the solution?

Splunk is generally considered stable when deployed on-premises. However, its performance on cloud platforms like AWS or others may vary.

I would rate the stability 7 out of 10.

The resilience of Splunk is based on how well it performs on high loads, so I would rate it 7 out of 10.

What do I think about the scalability of the solution?

I would rate the scalability 9 out of 10.

How are customer service and support?

I am dissatisfied with the customer support team's response times. When we submit a ticket for a high-priority incident, it takes Splunk support approximately 2 hours to respond and connect with us. We have consistently experienced these delays on multiple occasions.

Additionally, when encountering issues with core configuration or out-of-the-box features, tickets are frequently reassigned to different representatives. This handoff process requires us to explain the problem repeatedly, which is frustrating and time-consuming.

How would you rate customer service and support?

Neutral

How was the initial setup?

In my previous project, I successfully led the end-to-end deployment of a Splunk migration. The process went smoothly thanks in part to Splunk's professional services team. They conducted a thorough assessment, identified all our potential pain points, and developed a tailored solution and migration plan. This comprehensive approach ensured a seamless transition.

Our core deployment team consisted of 5 internal members and two specialists from Splunk. Additionally, the project included a project manager and a product owner. We also benefited from the expertise of two professional service consultants and two representatives from the customer's side. An on-site admin architect further provided valuable technical support.

Throughout the deployment process, we leveraged support from various resources whenever necessary. This included assistance with configuration changes, deployments, and other related tasks. We also collaborated effectively with our teammates to ensure a smooth and successful implementation.

What about the implementation team?

For the implementation, we had a consultant from Splunk in-house.

What's my experience with pricing, setup cost, and licensing?

Splunk ITSI is expensive. While tools like Grafana offer a significantly lower cost, around 30 percent of Splunk's price, their capabilities are more limited. Splunk can ingest and store a much larger volume of raw data, up to 50 percent, compared to Grafana's 15 percent. This translates to greater observability but at a higher price point.

Splunk ITSI is worth the cost.

Which other solutions did I evaluate?

I compared Grafana, New Relic, and Dynatrace to understand their competitive landscape. Splunk was the most impressive option, except for its pricing.

What other advice do I have?

I would rate Splunk ITSI 7 out of 10.

For organizations already using a different APM solution, Splunk ITSI offers a compelling alternative. While other tools might focus on onboarding metrics, Splunk ITSI prioritizes log data analysis for deeper insights. In addition to ITSI's capabilities, a Splunk Enterprise license unlocks log monitoring functionalities. This provides a comprehensive solution, and if you plan to migrate to Splunk Enterprise Security in the future, you'll be well-positioned. By purchasing a single Splunk Enterprise license and the ITSI and Enterprise Security premium apps, you'll gain a one-stop shop for all your event management, internal monitoring, and APM observability needs.

Splunk ITSI is deployed in multiple site clusters and located in multiple data centers. We have around 500 users.

Platform maintenance is handled by the Linux team. We take care of everything else.

I recommend Splunk ITSI to those looking to implement ITSI.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk admin/developer at Wipro Limited
Real User
Top 20
Reasonably priced with good monitoring and predictive analytics
Pros and Cons
  • "We can automate routine tasks. We're able to create alerts, reports, scheduled searches, et cetera. It's helping us to save time."
  • "When we check the service analyzer, and we have custom inputs, there are issues."

What is our primary use case?

We are using the solution for correlation searches. We've integrated Splunk with ServiceNow. We're creating aggregation policies to trigger actions in ServiceNow. We use it with the ServiceNow add-on. When something happens in ServiceNow, it's correlated to ITSI as well. 

How has it helped my organization?

We can check to see if dependent services are aligned. The service analyzer allows us to see the health of the services. 

It's been very good for noise reduction. We have alerts that trigger visually and it helps us prioritize. We can create performance-related dashboards so teams will have a clear overview according to their unique requirements. 

What is most valuable?

The infrastructure monitoring is very useful. In our scenario, we can see the performance of logs across parameters like memory or security. We can analyze the data. We can create our own logic and alerts to send to the correlated teams to take care of incidents. 

The end-to-end visibility is very good. With the service analyzer, we're able to see if something goes down. It's inspecting the health of services. It's color-coded, so we can check to see if there are any serious issues. We can do deep dives if something is red. 

We use the predictive analytics on offer. We have some use cases in which we create forecasts around CPU and memory-related alerts. We can use it to predict costs based on the past 30 or 40 days. We're also trying to use this for anomaly detection. We can make good predictions on the basis of data and trends. As long as we have past data, we can use it to build some predictions for the future. We can use this to create and send predictive reports to our teams to help them take pre-emptive action.

It's helped us to right-size resources to match demand. 

The solution has helped us streamline our incident management. We've been able to increase efficiencies through automation.

We've been able to reduce incident volume. If a host is generating frequent tickets, for example, we're able to see it and work on it directly to help us reduce incident counts. 

We've been able to effectively reduce alert noise. We can create logic to create tickets. It will create one ticket per episode so that multiple tickets are not created for one single episode - and this helps us reduce noise. 

We can automate routine tasks. We're able to create alerts, reports, scheduled searches, et cetera. It's helping us to save time.

What needs improvement?

When we check the service analyzer, and we have custom inputs, there are issues. Sometimes our inputs are not taken or recognized. Alerts are not being automatically generated. Also, if someone comes and creates a maintenance window, we can't properly identify who created it. We have to create our own queries before we can identify anything. 

For how long have I used the solution?

I've been using the solution for three years. 

What do I think about the stability of the solution?

The solution is very stable. 

What do I think about the scalability of the solution?

The solution is scalable. Depending on your infrastructure, it can be a bit tricky. 

How are customer service and support?

I haven't had to escalate any issues to technical support. 

Which solution did I use previously and why did I switch?

We're using SolarWinds and Splunk in our current environment. 

How was the initial setup?

I helped with the initial deployment. We have multiple servers sending data to Splunk. The process is straightforward. For the setup, we had three people involved in the process. 

It's not a difficult solution to maintain. 

What's my experience with pricing, setup cost, and licensing?

The licensing is based on data ingestion. However, they do have multiple licensing options.

The pricing is reasonable. 

What other advice do I have?

Splunk is good. It gives good customized options. Any logic or Python script we need to add, we have the freedom to do so. Most solutions aren't as customizable. 

I'd recommend the solution to others. I'd rate it eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
RijoMundassery - PeerSpot reviewer
Splunk Consultant at a financial services firm with 1,001-5,000 employees
Consultant
Top 20
An intelligent and scalable platform for operational excellence
Pros and Cons
  • "The service analyzer view and automatic creation of incidents are valuable."
  • "The biggest improvement area is making it open to developers. Right now, it is very closed. It can only be downloaded by people who have a license and not everyone. If it is open to everybody, more people will use it."

What is our primary use case?

Splunk ITSI is a product for operations. I use it for detecting issues in the operations and generating alerts for them.

It is an intelligence platform for operational excellence.

How has it helped my organization?

The end-to-end visibility is a great thing about Splunk ITSI. It provides an end-to-end view to any user, from a normal engineer to a high-level manager.

We were able to realize the benefits of Splunk ITSI immediately.

Splunk ITSI helps to right-size resources to match the demand. It improves the quality. It is more organized. It can definitely help in rightsizing.

It helps to avoid duplicated alerts. If rightly implemented, it can reduce the duplication of alerts and provide more specific and accurate context.

Splunk ITSI has helped reduce incident volume. The reduction is implementation-dependent. If it is rightly implemented, we can reduce it to a very low percentage. Out of 100, we get only 10 alerts. If the context is correct, we only need one alert. This can be achieved with ITSI.

Splunk ITSI has helped reduce our alert noise, but I do not have the numbers because the initial implementation was not right. There were so many alerts, but when we corrected the implementation, it reduced them by a lot. I do not have the numbers, but thousands have become hundreds.

Splunk ITSI has helped reduce our mean time to detect (MTTD). It is at least five minutes. The mean time to resolve is dependent on the team. I do not have control over that because, in Splunk ITSI, we generate alerts for multiple teams, not just one team. It all depends on their SLAs.

Splunk ITSI helps us to automate alerting and automatically generate alerts or create incidents. It is not an automation tool to reduce mundane tasks.

Splunk ITSI helped us save costs by reducing downtime and manpower costs or avoiding SLA penalties.

What is most valuable?

The service analyzer view and automatic creation of incidents are valuable.

What needs improvement?

Better documentation would definitely help. Many people do not know about it, so better documentation and use case explanations would be helpful. There should be more YouTube videos about how to implement ITSI.

The biggest improvement area is making it open to developers. Right now, it is very closed. It can only be downloaded by people who have a license and not everyone. If it is open to everybody, more people will use it.

For how long have I used the solution?

It has been quite a long time. It has been more than four or five years.

What do I think about the stability of the solution?

It is pretty stable. If we have the proper infrastructure, this tool is very stable. It does not crash.

What do I think about the scalability of the solution?

Its scalability is high. It can scale very well. You can increase the size of the cluster. You can increase the capacity vertically and horizontally. It is very scalable.

How are customer service and support?

They are good. They respond based on the SLAs. The quality of service depends on how informative you are when you provide the case details to them, but they have the ability to escalate it to higher levels and get help. They have the skills, but sometimes, the support is not in the UK. It sometimes comes from the US, so there may be time constraints when you set up a call. Otherwise, they are good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used other solutions. In the old days, I used a BMC system. Splunk ITSI is a completely different type of alerting system.

The BMC solution is more monotonic. It does not have the intelligence like Splunk ITSI to reduce the noise. It just picks up a metric and alerts based on that threshold, whereas, in ITSI, we have the control to reduce the number of alerts generated on the same threshold by adding some intelligence to it. It has the ability to do that Intelligence part. That is why it is called ITSI.

How was the initial setup?

We have both on-premises and cloud deployment models. Its deployment is difficult for a beginner user. You need a consultant or somebody experienced in Splunk ITSI to implement it properly. Splunk ITSI is a premium product. You need very good Splunk infrastructure initially to run this on top. To run it properly, you should have good knowledge. You should at least have Splunk Architect-level certification. Otherwise, you can implement it, but it will not work properly or as you expect.

It is mostly a clustered solution. It is not normally done on a single server. We need to build the entire cluster. The initial build probably can take two weeks. Configuring everything can take a long time. Six months can be considered a good time to make it run properly for enterprise usage.

It needs regular upgrades, backups, and time-to-time updates to the system configurations. It requires a dedicated team. Once it is properly set up, less than ten people can manage it.

What about the implementation team?

I am an ITSI consultant, so I am not a user. I set it up for customers.

The number of people required depends on how much data we need to bring in. If we have a lot of data and a variety of systems, more people are required. If we are just focusing on a singular system, one person can do the job.

In an enterprise environment, there are a multitude of systems and monitoring requirements. Usually, there is a team onboarding data and setting it up. 10-15 people are a good choice for a big enterprise, like a banking client.

What's my experience with pricing, setup cost, and licensing?

It is more of a premium product. I do not have much visibility into pricing because it is taken care of by high-level enterprise customers. I just ask for the license that I need and they negotiate. It all happens between Splunk and the company. I know that it is expensive, but I do not think there is another solution that can do similar things for that price.

What other advice do I have?

To someone who already has an IT alerting and incident management solution but is considering switching to Splunk ITSI, I would say that it will add value to their organization. It can reduce a lot of noise. I would suggest going for it, but it should be the right implementation. You should have knowledgeable people to implement it from the beginning.

It is not something that you just buy and switch on and will start working. It needs a lot of configuration and proper configuration to make it run properly. That is an important part for Splunk ITSI. It is not just the product. The person who is implementing it should be very good. Then only its value can be seen. Otherwise, you have the application but may not get the right value out of it.

Overall, from my experience, I would rate Splunk ITSI an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior consultant at a tech services company with 51-200 employees
Consultant
Top 20
Enables comprehensive event management and improves organizational security through efficient alert correlation
Pros and Cons
  • "Having worked closely with Splunk support engineers, I've observed their high capabilities in resolving issues."
  • "Splunk ITSI could benefit from including more features that other solutions support, such as vulnerability management modules."

What is our primary use case?

Splunk ITSI (IT Service Intelligence) is primarily used for managing alerts and events. It helps me monitor different APIs in inbound and outbound scenarios and triggers alerts. The tool is primarily used to handle threat intelligence and manage event alerts, despite certain limitations like false positives.

How has it helped my organization?

Splunk ITSI has enabled us to better manage events and alerts, aiding in quicker data retrieval and enhanced system uptime. Its ability to correlate multiple event sources allows for comprehensive integration, which has been valuable in improving our organization's security posture.

What is most valuable?

Splunk ITSI allows for integration with threat intelligence, enabling my organization to correlate more than two events for generating alerts. It has a swift data ingestion and retrieval capability due to its robust query language. The system helps reduce data loss and improve event management, offering a platform for various deployment models. The global trust in its capabilities is evident, especially given the preference by financial sectors. Additionally, having features like IT Service Intelligence enhances our organization by providing actionable insights quickly, which is crucial for operational efficiency.

What needs improvement?

Splunk ITSI could benefit from including more features that other solutions support, such as vulnerability management modules. This would help manage vulnerabilities effectively, allowing my organization to track patch management and compliance more thoroughly. It would be beneficial to include a feature that provides comprehensive vulnerability management similar to open-source solutions.

For how long have I used the solution?

I have been working with Splunk ITSI (IT Service Intelligence) for nearly two and a half years.

What do I think about the stability of the solution?

Splunk ITSI is quite stable, and I would rate its stability at around eight point five to nine. The setup, however, must be done correctly as incorrect deployment can lead to issues.

What do I think about the scalability of the solution?

Splunk is highly scalable, with the ability to expand efficiently. I would rate its scalability at nine.

How are customer service and support?

Having worked closely with Splunk support engineers, I've observed their high capabilities in resolving issues. The technical support is excellent, and I would rate it at ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we have used other solutions like Wazuh and IBM QRadar. We recommend Wazuh primarily due to its lower cost and robust capabilities, although it may lack in certain areas where Splunk ITSI excels.

How was the initial setup?

The initial setup for Splunk ITSI can be a complex process, especially when compared to the simplicity of open-source solutions like Wazuh.

What's my experience with pricing, setup cost, and licensing?

Pricing can vary significantly based on the selected modules and deployment choices. Splunk ITSI tends to be more expensive compared to some open-source solutions.

Which other solutions did I evaluate?

We have evaluated several solutions, including Wazuh, IBM QRadar, and other open-source platforms.

What other advice do I have?

Overall, I would rate Splunk ITSI at nine or nine point two. I would recommend it for enterprise-level organizations due to its cost implications; smaller companies may prefer open-source solutions to reduce expenses. The solution could improve by integrating more vulnerability management features. I would rate the overall solution at nine.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
AIOPS Architect at a comms service provider with 1-10 employees
Real User
Top 20
The solution has a correlation layer where you can normalize the events from different sources
Pros and Cons
  • "What I like the most is the event correlations. It's a file structure, and ITSI has a correlation layer where you can normalize the events from different sources. Once these events are normalized, you set up rules to aggregate them into different or the same attributes. After the rules are defined, you can automate the process to solve the issue automatically."
  • "One thing ITSI could improve on is the maintenance windows. I have a huge case where I had to implement something related to the maintenance window. If you try to look up the issues in ITSI, you have to check the incidents individually, and putting hundreds of hosts in maintenance can be a hindrance."

What is our primary use case?

I use ITSI for different companies but with the same objective: to correlate alerts from different sources and assess them according to multiple frameworks. For example, I can combine the alerts from different sources into a single episode. The analyst can resolve the issue without looking in multiple places to get the necessary information.

How has it helped my organization?

ITSI was initially challenging, but you can pick it up quickly once you understand the concept. It also depends on the goal. Combining different sources into episodes is one thing, but integrating ITSI with automation or other ITSM solutions may take longer. 

The solution has a forecasting module. You must have a good infrastructure because AI takes a lot of processing, but it works well. Based on previous data, you can assess it in 30 minutes or so. Having that predictive ability is a lifesaver. 

It can streamline incident management. ITSI has a feature called Teams that lets you control access to different services to control which teams are responsible. You can control permissions and everything else. Everyone is assigned to a team with a unique experience while using the frame of the platform.

ITSI has a feature called NetFlow. It depends on what you plug into it, but in my use case, we usually click alerts before they become incidents and measure how many alerts become incidents to get an idea of how much it's helping to resolve things before they turn into incidents and have an impact. 

It has helped to reduce alert noise because we can group alerts from different sources into one ITSM ticket with information from various sources. This helps our team resolve the issue because they only need to look at a single ticket instead of opening multiple ITSMs to gather all the necessary information to assess the problem.

The amount of alert noise reduced depends on the maturity of the environment. When you set up rules to aggregate events, you have to know some information about those events, like the team that created them, the system they belong to, the impact, and whether they're infrastructure, a service, or an application. If you have those all set up, it could be a 75 percent noise reduction.

ITSI reduced our mean time to detection because ITSI is plugged into each search, and as soon as an event is detected, it's processed and sent to the responsible team. It has helped us to detect issues and resolve them faster so we can provide more information upfront to IT.

It helps the IT team resolve things faster, but it depends on the information that ITSI is grouping. If you have enough information to find the root cause, it can help to resolve everything quicker. For example, let's say an analyst is looking at five impacted services, but one of them is the root cause. If we can provide that information upfront to the analyst, he can resolve the issue much faster because he doesn't have to look at each separately to assess the cause. 

ITSI has helped us automate some tasks. Many issues aren't easily solved. You must have good communication with the team and analysts to see the steps they take to resolve something, but it can tackle the most common issues and free up time. But you must be careful not to automate something a developer should fix. Automation helps a lot, but you can't automate everything. 

What is most valuable?

What I like the most is the event correlations. It's a file structure, and ITSI has a correlation layer where you can normalize the events from different sources. Once these events are normalized, you set up rules to aggregate them into different or the same attributes. After the rules are defined, you can automate the process to solve the issue automatically. 

Generally, the visibility is decent, but you need to set it up properly to have good visibility in a way that makes sense to see the issues you need to see. In ITSI, you have the concept of services and a service tree. If it's set up correctly, it can help you find the root cause of a problem. You need someone who understands ITSI and your business. 

What needs improvement?

One thing ITSI could improve on is the maintenance windows. I have a huge case where I had to implement something related to the maintenance window. If you try to look up the issues in ITSI, you have to check the incidents individually, and putting hundreds of hosts in maintenance can be a hindrance. 

For how long have I used the solution?

I have used Splunk ITSI for four years.

What do I think about the stability of the solution?

I rate ITSI nine out of 10. I've had issues before, but they are usually caused by the configuration or infrastructure. You have to be careful when deploying Splunk across your infrastructure. 

What do I think about the scalability of the solution?

ITSI is scalable, but its engine is somewhat of a weakness. The engine runs on one machine, but ITSI is scalable because even though the engine runs on one machine, it assigns processes to other machines to work on. You can do well with ITSI horizontally, but sometimes, you need to think vertically because the processing takes some memory.

How are customer service and support?

I rate Splunk support seven out of 10. Like any support, how fast they respond depends on the priority. Overall, they've helped a lot and were willing to enter a call to see the environment and the issues themselves. I would say they do a good job overall.

How would you rate customer service and support?

Neutral

How was the initial setup?

The complexity depends on your infrastructure. It's a lot easier if you have a single instance, but deploying on a cluster requires a little care. The package formats are specific to the roles of your cluster. We have to be careful with that. It's not too difficult. You can set it up in a day or two if you read the documentation. 

One person can set it up, depending on the size of the cluster. For example, if it only has two machines, one person can do it easily. You can set up a batch script to accelerate the installation. If you have that setup, you can do it easily in a day with one person. If you don't have that, it could take up to two days if you don't have much experience with ITSI.

What other advice do I have?

I rate Splunk ITSI eight out of 10. I would recommend Splunk ITSI, depending on the company's context. If the ITSM solution they have serves them well, I don't think it's necessary to switch to ITSI because it's costly. I would only recommend it to someone who knows they will get a return and have the capital to invest. Small companies probably have a bit of difficulty using ITSI. If you're a big company having issues, ITSI can help you out. 

I recommend new users read the documentation carefully and watch a few videos on it. The first thing is to wrap your head around the concept. If you try to speculate at once without understanding a few things, it could be a lot more difficult. It's helpful if they stop and read the documentation to understand each piece.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2500152 - PeerSpot reviewer
Principal architect at a retailer with 1-10 employees
Real User
Offers a return on investment but needs to improve in the area of revolving around dashboards
Pros and Cons
  • "The solution's scalability is fine."
  • "The dashboard function inside the individual episodes, not at the ITSI Notable Event Aggregation Policy level but actually at the correlation search layer, is an area where improvements are required."

What is our primary use case?

I use the solution in my company for event management and areas consisting of episodes.

How has it helped my organization?

Splunk ITSI (IT Service Intelligence) has helped our organization correlate events into episodes.

What is most valuable?

The most valuable feature of the solution is event analytics, and it is because that was our core function when we moved from NOC to IBM Netcool Network Management and then from IBM Netcool Network Management to Splunk ITSI (IT Service Intelligence).

The main benefit I have experienced from using Splunk ITSI is that it has been helpful to have one consolidated tool.

My organization monitors multiple cloud environments using the product. In terms of the ease or difficulty one may have when trying to monitor multiple cloud environments, it is tricky. You have to learn and test things out.

It is important for our organization that Splunk ITSI (IT Service Intelligence) provides visibility into our cloud-native environment, but I would say that it is done in the dev and production environments.

Splunk ITSI (IT Service Intelligence) has helped us with the organization's business resilience. My impression of Splunk's ability to predict, identify, and solve problems in real-time, is that with the new AI feature set coming in, users can apply that logic to the episodes.

I have experienced cost efficiencies by switching to Splunk ITSI (IT Service Intelligence). The doc suggests that too has one pane of glass to go into the system and do automation straight from one page because they get hit with thousands of alerts and alarms every day, and we try to correlate that to a simplistic event.

I have experienced time to value using Splunk ITSI (IT Service Intelligence) over a couple of months.

Splunk's unified platform helps consolidate networking and IT observability tools but not security because our company is not in that space. The consolidation of tools impacts our organization since I feel it is easier to have fewer tools than more.

What needs improvement?

The dashboard function inside the individual episodes, not at the ITSI Notable Event Aggregation Policy level but actually at the correlation search layer, is an area where improvements are required.

In the next release of the tool, the product should offer a dashboard ID in the correlation search.

For how long have I used the solution?

I have been using Splunk ITSI (IT Service Intelligence) for five years.

What do I think about the stability of the solution?

In the early days, the Java-based engine was kinda buggy, and some of the interfaces for Splunk ITSI (IT Service Intelligence) and event analytics needed to feel new and not outdated. It still kinda feels outdated, and I feel like Splunk hasn't really put a lot of thought into such a specific area in the last few years.

What do I think about the scalability of the solution?

The solution's scalability is fine.

How are customer service and support?

The solution's technical support team is okay. For most of the stuff I escalate, I have to always wait for a response from tier-two or tier-three level support.

I am used to solving stuff myself and providing a lot of debugging as to what tier-one or tier-two level support would do, and by the time I get to the aforementioned spot, I see that I have to wait and explain a lot of cycles because I am doing the same research as level one or level two support. I rate the technical support a five out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with Tivoli Netcool, which is a legacy event system from IBM that has the same or similar approach as Splunk ITSI (IT Service Intelligence). I saw that Splunk ITSI (IT Service Intelligence) provides the same features as Tivoli Netcool.

How was the initial setup?

When it came to the deployment part, Splunk's professional services did not know much of what our company needed, considering the level that we were expecting from the product. I come from a telco background where the company used to deal with 1,00,000 alarms a day, and event analytics wasn't something that was really built for it in the beginning when I first deployed it. There were a lot of learning curves that I had to go through to deal with the tool. As I continued to grow with the product, I started pitching probably around 20 ideas at a time to the team, and a lot of my ideas actually made it to Splunk's GA launches. I worked with Isha, Ross Wilkinson, and another person who was right in the middle between them. Though I had spoken to the senior VP of a particular sector and pitched the idea of using Fandom for IT automation, it eventually died out.

The solution is deployed on an on-premises model. I use the cloud services from AWS.

What about the implementation team?

Splunk directly helped with the product's deployment.

What was our ROI?

I have experienced an ROI using the tool, considering the efficiency it offers so that we do not have to take care of certain functions.

What's my experience with pricing, setup cost, and licensing?

Pricing was pretty good, and it is possible to just add on the features we want.

Which other solutions did I evaluate?

I considered Resolve Systems for automation and a tool named Moogsoft. Moogsoft has a lot better visual capabilities and looks better than Splunk ITSI (IT Service Intelligence) when it comes to event analytics. I am hoping that with a better dashboard, Splunk ITSI (IT Service Intelligence) can build a better UI layer.

What other advice do I have?

I feel like there is a lot more that can be done in the tool, but I don't know if it is going to be a dying product or if Splunk Observability will try to take over some of the core functions of Splunk ITSI (IT Service Intelligence).

I rate the solution a seven out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Ravikranth Telekarapu - PeerSpot reviewer
Splunk Engineer at Prudent Technologies and Consulting, Inc.
Real User
Top 20
Provides good visibility, reduces alert noise, and improves detection
Pros and Cons
  • "The most valuable feature is event correlation, which ensures that only one ticket is generated per issue, eliminating duplicates and reducing noise from multiple alerts."
  • "While integrating services and KPIs in ITSI is straightforward, I found it challenging to analyze them with the service analyzers; specifically, using the deep dive feature to pinpoint the exact source and time of an issue proved difficult."

What is our primary use case?

We used Splunk ITSI to monitor service health and key performance indicators across various servers, such as CPU, memory, and disk utilization—advanced detection capabilities based on defined thresholds and triggered alerts. Splunk ITSI, integrated with ServiceNow, facilitated alert generation and management. Additionally, we leveraged ITSI for event analytics and created glass tables based on configuration items. We monitored specific KPIs and generated alerts via ServiceNow based on established thresholds to meet customer requirements.

Some clients have Splunk ITSI deployed in the cloud, and others are on-premises.

How has it helped my organization?

Using a client example, I'll explain the end-to-end visibility provided by Splunk ITSI. We have over a hundred clients in our environment. Once we onboard client data, such as cloud data, we subscribe to that cloud service and integrate the data into our Splunk environment. We then create data models and correlations integrated with the ITSI service. Within ITSI, we create correlation searches and schedule them to run regularly. Each time the Splunk schedule runs, it generates notable events and checks policies to determine if an event qualifies for a ticket. If it qualifies, an episode is created in ITSI, and a ticket is automatically generated in ServiceNow. This is the complete end-to-end process within Splunk ITSI.

We use predictive analytics based on the threshold values to help prevent incidents before they occur.

It does not take long after deployment for our clients to realize the benefits of Splunk ITSI because it immediately reduces alert noise.

Both Splunk ITSI and Splunk Enterprise Security handle incident management, but Enterprise Security utilizes common data models for improved detection. ITSI employs an "episode review" concept to analyze incidents, examining their generation, root cause, trigger alert, and any alerting failures. This provides comprehensive observability of each episode. Similarly, when integrating Enterprise Security with customer systems, pre-built common data models generate alerts that require monitoring to determine their cause, priority, and severity.

Splunk ITSI, using the correlation through event management, can reduce our alert noise.

We can correlate information to receive only relevant alerts, allowing us to quickly respond to issues.

What is most valuable?

The most valuable feature is event correlation, which ensures that only one ticket is generated per issue, eliminating duplicates and reducing noise from multiple alerts. This significantly streamlines issue tracking and resolution. Additionally, the system analyzes service performance by identifying areas of impact and tracking key performance indicators. This deep-dive analysis allows for the precise identification of issues and facilitates data-driven improvements.

What needs improvement?

While integrating services and KPIs in ITSI is straightforward, I found it challenging to analyze them with the service analyzers; specifically, using the deep dive feature to pinpoint the exact source and time of an issue proved difficult. Although I'm proficient in service analytics management, the deep dive aspect requires further development.

For how long have I used the solution?

I have been using Splunk ITSI for two years.

What do I think about the stability of the solution?

Splunk ITSI is stable.

What do I think about the scalability of the solution?

Splunk ITSI is scalable. It is easy to scale on the cloud platform.

How are customer service and support?

The Splunk support team is adequate, but their response time is slow.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment is straightforward. We acquired a license and integrated it into our current Splunk environment.

What's my experience with pricing, setup cost, and licensing?

Splunk ITSI is a premium application and comes with a premium price tag.

What other advice do I have?

I would rate Splunk ITSI nine out of ten. Splunk ITSI is a valuable tool for IT and operations teams.

I recommend Splunk ITSI. It's an excellent tool for infrastructure monitoring, direct management, and service analytics, providing a clear, consolidated view of your IT environment.

Disclosure: My company has a business relationship with this vendor other than being a customer.
IT Specialist at a computer software company with 1-10 employees
MSP
Integrates various tools and data sources, has real-time monitoring, and provides a clear understanding of how different environments and components are interconnected

What is our primary use case?

I just had to monitor the dashboard and infrastructure alerts and escalate them to the appropriate teams.  

I used it for both performance monitoring and incident management. We had an IT infrastructure setup on Splunk ITSI itself. There were dedicated dashboards created by the admins, and we had to monitor these dashboards for the performance of our infrastructure assets, such as the database or infrastructure access. 

We had to monitor these alerts and escalate them to the appropriate teams. For example, if a network alert showed up on the system board, we had to escalate it to the network team, such as, "We are seeing this kind of alert on the ITSI app board; please have a look into it." So, that's the main task on the Splunk ITSI app.

How has it helped my organization?

Splunk was initiated for monitoring dashboards and to have our infrastructure integrated into Splunk itself. We have several servers, databases, and multiple services running. We have applications that were dedicated to the service provider. So we had our Splunk IT set up on those servers.

Basically, to keep these applications running smoothly or to have a smooth flow of these applications, we integrated everything on Splunk. And, we need to be resilient and proactive so it doesn't cause any impact to the customers and clients and doesn't go down. We set up our monitoring dashboard on ITSI, which keeps us in touch with how the performance and health checks are going on for these components and applications.

It has a clear understanding of how different environments are related to each other. It has pretty much everything integrated within it. You just need to click a few on the board and whatever details you require are there. So, I find it pretty useful.

For predictive analysis, we have access to pull-out reports on whatever packets are integrated into our system, whatever the packet reinsurance, packet alerts, or whatever has been generated in the system. We pull out these reports based on the previous data and incidents or alerts in the environment. 

Then, after analyzing the previous data, we identify what was causing the incidents or alerts. Based on that, we have taken action to prevent incidents in the environment. So that was a really helpful feature as well because having access to the backend itself helps to identify the previous causes or incidents in the environment.

What is most valuable?

I liked how it's integrated in such a way that it's really user-friendly. You don't have to do much. Within a few clicks, you get all the data that you need, like what the server is, what the issue is, and how it can be resolved. It was all integrated into the tool itself.

I found it very easy to identify the server or the root cause. So, it helps to resolve the issue on a priority basis or as soon as possible.

The event analytics in Splunk is integrated to help avoid such incidents. Whenever we see such alerts on the board, we have to take immediate action to avoid any incidents in the future.

Sometimes, an incident happens, like the application goes down, and we receive the incident. At the same time, we receive multiple alerts on our dashboard. So, we have to escalate these alerts along with the incident call and incident procedure. We keep the teams involved by saying, "We are seeing this kind of alert on our ITSI dashboard. Please have a look into it or try to get it resolved." It provides the information IT needs about the server, database, and network connectivity. So, it was easy to identify issues when we had such alerts on the board.

Reduced incident volume: ITSI reduced our incident volume by 20 to 25%. It was really quick, and we were able to investigate whatever incidents or alerts happened in the environment. It was really good. It was really quick to identify such issues and previous issues in the environment. So, it has reduced the MTTR, the mean time to resolve an incident, by 20 to 25%. So it's really helpful.

Alert noise: I didn't see it reduced because whenever we introduce a ticket to ITSI, our system is already integrated into the service. And along with that, we are already migrating from other tools to ITSI itself. So, I'm not quite sure that it reduced it because we are continuously adding servers to ITSI. It increased our count of alerts. But I couldn't comment on that because we are continuously adding our infrastructure to ITSI. So, I haven't identified any reduction.

ITSI reduced our mean time to detect whenever we have seen any mean time to detect alerts in the environment; we get them within a fraction of a second, so we get to see the alerts on the board immediately. It is reduced by 20% to 30% as well.

It continuously refreshes itself within two to three minutes, so it's really reduced our time to detect that part. 

Splunk ITSI helped us automate routine tasks. For example, we have a daily task where we have to pull out the daily report. Based on that, we have to access whatever incidents or alerts happened or occurred during the day. 

We have to pull out the report and get all kinds of data, the details of what we have done and the kind of alerts we have seen in the day. Then this action has been taken or maybe escalated. So it was really helpful to get such data on a daily basis.

What needs improvement?

From my perspective (since I don't have administrator or developer access to Splunk ITSI), we could have a better user interface. The Splunk ITSI user interface can be improved because whenever we see the dashboard, it's mostly in text format. It doesn't have a graphical view.

It's easy to identify issues or alerts if you have a graphical representation on the dashboard. I have seen several dashboards in Splunk ITSI which have a really good graphical interface, but the integrated dashboards we have do not.

I'm not sure if it is configured in such a way or not. Maybe a developer or administrator can access that, but I feel like Splunk ITSI having a good graphical user interface would really improve the visibility of the dashboard and alerts.

For how long have I used the solution?

I have been using it for more than a year. 

What do I think about the stability of the solution?

From my perspective, it's pretty much stable. We haven't experienced anything bad or any technical downtime apart from the scheduled downtime. So, for me, the stability is really good.

What do I think about the scalability of the solution?

It is scalable, but we didn't get to experience the scalability part because it was developer- and admin-related.

For just one location, we have more than 500 people who can access Splunk ITSI, including the technical and monitoring teams. Considering the different locations as well, it would be in the thousands, but I'm not sure about the exact count.

How are customer service and support?

The customer service and support are quite useful. Whenever we faced an issue on our Splunk ITSI server, or if alerts weren't updating, showing proper data, or generating detailed alerts, we reached out to the Splunk technical teams for support. 

They are really supportive, with quick responses and a solution-oriented mindset. They provide solutions right on time. The DevOps support provided is really good.

It was pretty good. I didn't have any bad experiences.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had several tools before introducing Splunk ITSI. We had several other tools to monitor network, Windows, Linux, or other portal alerts. 

While having Splunk ITSI, we integrated everything into that. We have decommissioned all of the other tools, and everything is on the IT side.

I have worked on ThousandEyes and Spectrum. These tools were used to identify network alerts. We had Spectrum alerts used for network device alerts. And for ThousandEyes, we used it for the portal alerts, for each and every infrastructure component or service. We had different tools integrated to have such alerts on the board.

So, to reduce having multiple tools, our management team introduced Splunk ITSI because everything is integrated into it. It was really helpful to have just one tool for all of our components instead of multiple app tools.

How was the initial setup?

For us, it's on-prem, not on the cloud. We were planning to move it to the cloud, but it's currently on-prem.

Splunk ITSI requires maintenance. From time to time, we have downtime to integrate other tools into ITSI.

The integration of ITSI with other tools enhanced our operational capabilities and has been really helpful. To access a few other tools apart from ITSI, we have to do several things to get the data from the tools themselves. And I find that these tools are pretty slow. 

Getting the data or accessing anything on those tools is really time-consuming but ITSI was quick. We don't require special tools or special access to that environment. We have IDs created for our individuals, and we just need to access ITSI. It was pretty quick, and we didn't need to do much hard work to access all the data. It's really quite useful in that aspect.

What about the implementation team?

It was already introduced by the technical teams or maybe the administrator or developer. We just had it served on a plate, so I don't have much exposure to the development part.

It was deployed for multiple locations and departments. The network, database, Windows, and Linux departments also have the same dashboard and infrastructure to integrate their servers and alerts into Splunk ITSI. So, having exposure to multiple departments and on-prem environments is really helpful.

What was our ROI?

It was an easy tool when we also used other tools, such as ITSI. To access those tools, we had to log into VPNs and other stuff to get access to our dashboard. 

But with Splunk ITSI, I find it really useful. It was quick, it had all the information you needed, and it was customizable. You don't need to do much to access our infrastructure data. 

Within just a few clicks, you can get whatever you need from ITSI. I find it quite useful. I'll compare it to the other tools as well. It provides good insight.

It saves a lot of time. Whenever we have an incident in the environment, we use to do our priority checks on Splunk ITSI. Whenever we see such an incident, we have to investigate the previous data, see if any previous incidents happened in the environment, or maybe check if any alerts were generated in the system related to that issue. So it is quite helpful whenever we see incidents in the environment.

We have several tools along with Splunk ITSI, but I find Splunk ITSI very useful compared to the others. So I would rate it 70%. I'm satisfied with that. We don't have admin or developer access to Splunk ITSI. But whatever we have access to, I'm definitely 70% sure that ITSI is really good to have in the environment.

On the manpower, it has been reduced by one or two candidates because, obviously, we also use several tools as well, so we have a lot of strength there. However, after we integrated everything on the Splunk ITSI, we reduced our manpower, and it's less time-consuming. Each one can double their task for maybe two weeks their actions as quickly as possible as compared to the other two. Manpower, it's really helpful.

What other advice do I have?

I would recommend Splunk ITSI because it gives you access to all the information you need, and it's just a few clicks away. You just need to know how to navigate through the tool. Apart from that, everything can be done on Splunk ITSI. It's just a matter of how much knowledge you have to access the data in Splunk ITSI.  

Splunk ITSI is really helpful because whatever data you need, you're just a few clicks away from it. That's a really helpful thing to have.

I would definitely recommend it to other users because it gives you really good exposure to the environment. Whatever data you need is quickly accessible.

Overall, I would rate it an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.