Splunk Overview

Splunk is the #1 ranked solution in Log Management Software, top Security Information and Event Management (SIEM) tools, and top IT Operations Analytics tools. PeerSpot users give Splunk an average rating of 8.2 out of 10. Splunk is most commonly compared to Microsoft Sentinel: Splunk vs Microsoft Sentinel. Splunk is popular among the large enterprise segment, accounting for 69% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 19% of all views.
Splunk Buyer's Guide

Download the Splunk Buyer's Guide including reviews and more. Updated: December 2022

What is Splunk?

Splunk is a platform for log management and security information and event management (SIEM) that helps organizations make their machine data accessible, usable, and valuable to everyone. It collects and indexes machine data from across the environment and turns it into operational intelligence by letting teams monitor and analyze activity in one place.

Splunk is well suited to data monitoring and searching, since it indexes large volumes of data into a searchable store and correlates events across sources. Users can then build alerts, reports, and visualizations on top of those searches and run them in real time. Splunk provides an in-depth, real-time view of the health and performance of every layer of your tech stack, so you can optimize system performance by detecting errors proactively and fixing them quickly.

These days, it is becoming more and more difficult to maintain a strong security posture. Cyber attacks are becoming more sophisticated, and attackers have more entry points to choose from. By implementing Splunk's threat intelligence tools, you can modernize your security operations in any setting or framework, making your corporate growth more effective and flexible. The advanced visibility that Splunk provides allows security teams to quickly detect and remove malicious threats in their environment.

Some of the benefits of using Splunk include:

  • Complete visibility into your environment: With Splunk, you can break down data silos and get actionable insights from data sent from multi-cloud and on-premises deployments.
     
  • Multi-environment troubleshooting: Detect and remedy problems fast with real-time, complete visibility and insight into the performance of your entire IT environment.

  • Advanced threat detection: Protect your organization from threats with Splunk’s advanced machine learning, security analytics, and threat intelligence tools that provide a sophisticated alert system to help shorten triage times and raise true positive rates.

  • Access to updated security information: Stay on top of new and emerging threats from automatic security content updates delivered directly from the Splunk Threat Research Team.

  • Multiple deployment options: Splunk has flexible deployment options. It can be deployed on the cloud, on-premises, or hybrid - depending on your organization’s needs.

  • Automated insights: Splunk’s AI-driven insights can help you predict problems by applying multiple conditions, thresholds, and complex rules. The solution’s built-in data science capabilities automatically reduce background noise and speed up error resolution times.

  • Multiple integration options: Splunk integrates with many platforms and services, including:

    • Amazon Web Services (AWS)
    • Google Cloud Platform (GCP)
    • Microsoft Azure
    • New Relic

Reviews from Real Users

Splunk stands out among its competitors for a number of reasons. Two major ones are its flexible search query tools and its strong AI capabilities.

A Solutions Consultant at a tech services company notes, “It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool. It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.”

Splunk Enterprise Security (Splunk ES) is Splunk's premium SIEM application; it runs on top of the core Splunk platform (Splunk Enterprise or Splunk Cloud) rather than being a former name for Splunk itself. Reviews on this page may refer to either the core platform or Splunk ES.

Splunk Customers

Splunk has more than 7,000 customers spread across over 90 countries. These customers include Telenor, UniCredit, ideeli, McKenney's, Tesco, and SurveyMonkey.


Splunk Pricing Advice

What users are saying about Splunk pricing:
  • "It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back."
  • "I remember Splunk being relatively affordable. Kibana was more reasonable, but you get more with Splunk. If I was suggesting something, I would probably suggest Splunk because it is better to pay a little bit more and get a lot more."
  • "Further reductions would be fantastic, and I believe that more and more people would flock to it."
  • "It is more economical than other solutions."
Splunk Reviews
    Security Engineer at a recreational facilities/services company with 10,001+ employees
    Real User
    Top 5
    Very versatile for many use cases
    Pros and Cons
    • "The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly."
    • "Their technical support sucks."

    What is our primary use case?

    We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, Windows Active Directory, and those types of use cases.

    How has it helped my organization?

    Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.

    What is most valuable?

    The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.

    We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.

    What needs improvement?

    Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

    By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

    I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

    Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

    That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.


    For how long have I used the solution?

    I have been using Splunk for probably 10 years.

    What do I think about the stability of the solution?

    At least in our environment, it is super stable. When you think about how much time you spend working with other applications, even Windows Server requires more feeding than Splunk does, so you see that Splunk is a very low-maintenance care-and-feeding product.

    We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.

    I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.

    We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.

    What do I think about the scalability of the solution?

    I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.

    How are customer service and support?

    Their technical support sucks.

    My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.

    I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.

    Which solution did I use previously and why did I switch?

    Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

    How was the initial setup?

    Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.

    We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.

    What about the implementation team?

    We used an integrator.

    The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.

    When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OSes need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OSes under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.

    What was our ROI?

    The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.

    What's my experience with pricing, setup cost, and licensing?

    I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.

    We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.

    Which other solutions did I evaluate?

    We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.

    What other advice do I have?

    My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.

    On a scale of one to ten, I would rate Splunk a really good nine.

    I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
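The student-engagement use case in the review above (pairing logins with logouts from the authentication servers to see who is logged in and for how long) is, at bottom, an event-correlation search. The following Python is an added example, not code from the reviewer or from Splunk, that does that correlation over a handful of constructed auth-server lines; the key=value line format, the host name and the session ids are assumptions made for the example. In Splunk the same grouping is what the `transaction` command does, followed by `stats` over the resulting durations. The example also handles the two cases a real feed always contains: a logout with no matching login (a collection gap) and a login that never closes (still active, or the logout was lost).

```python
"""Session reconstruction from authentication-server logs (added example).

Pairs LOGIN/LOGOUT events per (user, session id), computes how long each
session lasted, and reports the anomalies a real feed always contains.
The line format and SAMPLE_LOG below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth-server lines. A real feed would be Windows Security
# logon/logoff events or sshd/LDAP logs carrying the same fields.
SAMPLE_LOG = """\
2022-11-14T08:02:11Z auth-srv LOGIN user=alice src=10.0.0.5 session=s1
2022-11-14T08:05:40Z auth-srv LOGIN user=bob src=10.0.0.9 session=s2
2022-11-14T09:32:11Z auth-srv LOGOUT user=alice session=s1
2022-11-14T09:40:00Z auth-srv LOGOUT user=carol session=s9
2022-11-14T13:00:00Z auth-srv LOGIN user=alice src=10.0.0.5 session=s3
2022-11-14T13:45:00Z auth-srv LOGOUT user=alice session=s3
2022-11-14T14:00:00Z auth-srv LOGIN user=dave src=10.0.0.7 session=s4
2022-11-14T16:05:40Z auth-srv LOGOUT user=bob session=s2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>LOGIN|LOGOUT) (?P<kv>.*)$"
)


def parse_line(line):
    """Parse one constructed auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "user": kv.get("user"),
            "session": kv.get("session"), "src": kv.get("src")}


def reconstruct_sessions(log_text):
    """Pair LOGIN with LOGOUT by (user, session) and return (sessions, anomalies).

    Events are sorted by timestamp first, because lines arriving from
    several forwarders are rarely in order.
    """
    events, anomalies = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None or not ev["user"] or not ev["session"]:
            anomalies.append(("unparsed", line))
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order

    open_sessions, sessions = {}, []
    for ev in events:
        key = (ev["user"], ev["session"])
        if ev["action"] == "LOGIN":
            if key in open_sessions:
                anomalies.append(("duplicate_login", key))
            open_sessions[key] = ev
            continue
        start = open_sessions.pop(key, None)
        if start is None:
            # Logout for a session we never saw open: a gap in collection.
            anomalies.append(("logout_without_login", key))
            continue
        sessions.append({
            "user": ev["user"], "session": ev["session"], "src": start["src"],
            "start": start["ts"], "end": ev["ts"],
            "duration_s": int((ev["ts"] - start["ts"]).total_seconds()),
        })
    # Anything still open at the end of the window is either active or lost.
    for key in open_sessions:
        anomalies.append(("still_open", key))
    return sessions, anomalies


def engagement_by_user(sessions):
    """Roll closed sessions up to per-user session count and total seconds."""
    per_user = defaultdict(lambda: {"sessions": 0, "total_s": 0})
    for s in sessions:
        per_user[s["user"]]["sessions"] += 1
        per_user[s["user"]]["total_s"] += s["duration_s"]
    return dict(per_user)


if __name__ == "__main__":
    closed, odd = reconstruct_sessions(SAMPLE_LOG)
    for user, agg in sorted(engagement_by_user(closed).items()):
        print(f"{user}: {agg['sessions']} sessions, {agg['total_s']} s")
    for kind, detail in odd:
        print(f"anomaly {kind}: {detail}")
```

Running it on the constructed lines reports two sessions for alice totalling 8100 seconds, one eight-hour session for bob, carol's logout with no login, and dave's session still open. The anomalies are the part worth keeping when this is turned into a scheduled search: a sudden rise in logouts without logins usually means a forwarder stopped sending, not that users changed behaviour.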
    Principal Enterprise Architect at a tech consulting company with 11-50 employees
    Reseller
    Top 5
    Handles a high volume of data, collects information from multiple sources, and is very stable
    Pros and Cons
    • "The reporting aspect is good and it does what I need it to do."
    • "If you monitor too much, you can lose performance on your systems."

    What is our primary use case?

    In our organization, Splunk is used in our data centers.

    We have integration services and other types of systems in our new IoT architecture. We're using it to capture information.

    We use Splunk as an aggregator for monitoring information from different sources, however, for our protection suite, we're using Comodo.

    It's designed to collect data from different points. It has a lot of integrations built into it and that's why we're using it.

    We use it for our enterprise more - such as for messaging. There's a lot of stuff we do on our integration services layer that we use Splunk for. For security purposes, we're using Comodo. Therefore we're not using Splunk for security purposes. We're using it for monitoring what's happening at our integration services layer.

    How has it helped my organization?

    Splunk indicates when we've got problems popping up somewhere or we're not getting the flow we expected. If there's a problem, we have those flagged and we use it for logging.

    What is most valuable?

    Splunk handles a high volume of data that we have, and it does it really well.

    For what we're using it for, we're happy with its functionality.

    The reporting aspect is good and it does what I need it to do.

    From an operational standpoint, it helps us on the operations side and it also shows where we're having issues.

    It connects to a lot of stuff. We can collect information from a lot of sources.

    What needs improvement?

    The interface or maybe some settings need to be improved a bit. It cannot be perfect, however, the issues may be related to the configuration or setup.

    If you monitor too much, you can lose performance on your systems. You have to be careful what you're monitoring. If you monitor everything, everything stops working. You can go overboard in monitoring. You have to plan your monitoring pretty carefully.

    It could be easier for beginners. As it is, right now, you have to have a good understanding of the solution in order to use it properly.

    That said, as the user, I'm at a higher level of management on the architecture side in dealing with resilience. My concerns are different from other user concerns. Also, most of our clients are using it way more than we're using it.

    For how long have I used the solution?

    We've used the solution for more than a decade. It's been a long time. 

    What do I think about the stability of the solution?

    We haven't had any problems with stability. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

    What do I think about the scalability of the solution?

    We've never had an issue with scalability. If a company needs to scale, it can.

    The danger of Splunk is that it can get too big too quickly and you have to be very careful with what you want to be monitoring due to the fact that if you monitor too much, you can slow down things and you can hurt your performance on your system. We have to be very careful of what we're logging.

    We have about 12 users on the solution right now.

    We do not plan to increase usage in the future.

    How are customer service and support?

    We don't use technical support very much. We've been using it for so long, we generally understand it and do not require assistance.

    Which solution did I use previously and why did I switch?

    We used to use Splunk a lot more, however, we've moved more to Comodo right now. I'd say we've moved to Comodo from Splunk in a lot of areas.

    On the security side, we use Comodo. Not all of our clients even have Comodo. A lot of them are using Splunk, however, a lot of them are using Splunk for enterprise operations and network operations items. Some of them are using security and a lot of them aren't. Splunk is offered as a security option now, however, originally, when you used it, it was to collect enterprise operations information and know-how your systems are running. 

    How was the initial setup?

    We've been using it for a long time, therefore, I don't even remember when we set it up or how it went. We do keep it updated and use the latest versions.

    I only have one or two people doing maintenance on it.

    What was our ROI?

    ROI's a hard thing to pin down. We've had it for so long, it's part of our core operating infrastructure.

    What's my experience with pricing, setup cost, and licensing?

    Everything we do is either yearly or multi-year. I don't know if there is any additional cost to standard license fees.

    What other advice do I have?

    We use Splunk and we also sell and support it for our clients.

    Normally our policy is to keep software updated to the latest version.

    The main issue is that we do enterprise architecture and network and security operations. We recommend certain platforms to clients. We don't always sell Splunk directly to them due to the fact that, since we're being hired to help them make choices, we need to be neutral. In the cases where it doesn't make sense, we don't sell it. We just help clients make decisions.

    I don't know which version of the solution we're using. I'm an architect; I'm not on the operations level. I'm not the one who actually uses it. Our operations use it. I get dashboard results and I do reports that are based on it, however, I'm not the one actually running it. We have a NOC and a SOC and others use it a lot more individually. They have a lot more interaction than I do. I'm getting reports out of it. Others are actually connecting to it, using it as a tool. I'm not a tool user. I'm an information user.

    All Splunk is, is data collection and it can sort things out on a dashboard. However, a lot of what Splunk does is collect data and you have to decide what kind of information you're going to let it collect. When we're doing design operations we have to really pay attention to what we're doing, so we don't actually slow things down or impede things. The reason we use Splunk is we put a lot of data into it.

    With Splunk, you need to really be careful about what you're monitoring and how you use it, to keep the results working. It's a good tool if you know what you're doing and what you need to be logging. You need to be aware of what you're logging to ensure it isn't going to cause problems with your performance.

    I wouldn't recommend it for somebody who's coming in new. Of the clients we have using it, I don't know if any of them don't have professional IT running it. It's important to really understand what's going on.

    I'd rate the solution at an eight out of ten. In certain environments, it could be a bit complex. It's not something you could just drop into an organization, you need to be trained to use it. You need the experience to use it properly.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Data Center Architect at an outsourcing company with 201-500 employees
    MSP
    Rock-solid with flexible search capability, but gets expensive because of its cost model
    Pros and Cons
    • "The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard."
    • "It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost."

    What is our primary use case?

    We typically use it for centralized log management and SIEM functionality.

    I am using the most recent version of it.

    How has it helped my organization?

    As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.

    What is most valuable?

    The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.

    What needs improvement?

    It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.

    To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.

    For how long have I used the solution?

    I have been using Splunk for about seven years.

    What do I think about the stability of the solution?

    It has been very stable. It is pretty rock solid.

    What do I think about the scalability of the solution?

    It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.

    Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.

    How are customer service and support?

    We've had a few calls, and they're very responsive.

    Which solution did I use previously and why did I switch?

    We were using a syslog backend with rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.

    How was the initial setup?

    It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.

    It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.

    What about the implementation team?

    We used packaged professional services from a partner of Splunk. Our experience with them was very good.

    In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.

    What's my experience with pricing, setup cost, and licensing?

    It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.

    They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.

    What other advice do I have?

    I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.

    I would rate Splunk a seven out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Austin Greenbaum - PeerSpot reviewer
    Information Technology Specialist at a healthcare company with 10,001+ employees
    Real User
    Provides information about what's going on in a simplified way
    Pros and Cons
    • "From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information."
    • "Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue."

    What is our primary use case?

    I went to a cybersecurity boot camp through Penn University, and we went over this topic for a decent amount of time. It was more of a testing environment where they gave us different file formats that we had to go through. We would upload those files to Splunk, and it would give us good examples of what it would look like under different circumstances, such as when an organization is getting hacked, when there is a DDoS attack, and so on.

    How has it helped my organization?

    It is a good way of seeing the network traffic as a whole. With network traffic, there are a lot of things going on, especially in a big organization. It organizes the information and makes it more usable for average people. If you use Wireshark, you'll get a ton of information, and it is super easy to get lost in it. Even if you put Wireshark on for about 30 minutes, you can very easily get lost. Splunk simplifies the information, and it gives you charts and different means of seeing that information, making it easily understandable for people.

    What is most valuable?

    From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information.

    What needs improvement?

    Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue.

    For how long have I used the solution?

    I've been using this solution for a little while. 

    What do I think about the stability of the solution?

    In terms of stability, I really liked it. I didn't see any issues as far as stability was concerned. Whenever I needed it, it was there. It was available, and it worked. It was pretty good.

    What do I think about the scalability of the solution?

    Its scalability seems pretty good. If you are working with a lot of information, it would be usable.

    Its users would depend on the organization. Mostly network engineers, network analysts, and SOC analysts would be dealing with this. 

    How are customer service and support?

    There were instructors who knew how to fix a lot of the issues. If there was an overarching issue, they would deal with it.

    Which solution did I use previously and why did I switch?

    At the boot camp, we also used Kibana, which looked a little bit more friendly, but when we got into the details, I liked Splunk a little bit more. It was more intuitive, and it did a little bit more on its own rather than Kibana. With Kibana, it felt like I had to hold its hand all the way through the whole process. There were 20 people, and I know a number of people were leaning towards Kibana. It just came down to personal preference.

    How was the initial setup?

    We saw some of the basics for deploying it within an environment, but it was very minimal. 

    It isn't complex, but there is a little bit of a learning curve. Once you get the hang of it, it is very easy to get in and do things, but there is definitely a learning curve. I am not speaking just for myself; the other 20 or more students that were in that class at the time also had a difficult time getting the hang of it, but once you get the hang of it, it is smooth sailing. You can fly through the program. Making it a little bit more simplified would help.

    What's my experience with pricing, setup cost, and licensing?

    I remember Splunk being relatively affordable. Kibana was more reasonable, but you get more with Splunk. If I was suggesting something, I would probably suggest Splunk because it is better to pay a little bit more and get a lot more.

    What other advice do I have?

    I would advise making sure that your staff is very aware of how the program works. After one or two classes, I got the hang of it, and it felt like I knew everything that was there to know about it, but when we went into the next class, I realized that there is a lot more. So, if you are going to use the program, I would advise making sure that everyone is trained and everyone really understands it. You should take your time to go into the nitty-gritty. You can very easily think that you know everything, but when you make mistakes in Splunk, at least from my experience, it can get messy quickly. So, you want to make sure that everyone has a very good understanding of what they're doing so that you can keep everything organized and accurate.

    I would rate it an eight out of 10. When we're getting into the nuts and bolts and looking at the data, it is an eight, but when we are just navigating through the website, it is a seven. Only its UI needs improvement. It isn't bad, but there is room for improvement. They should make it a little bit more user-friendly.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    IT Security Consultant at Microlan Kenya Limited
    Real User
    Top 5 Leaderboard
    Efficient, scalable, robust and easy to use
    Pros and Cons
    • "What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis."
    • "Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine."

    What is our primary use case?

    I have some experience with the solution, since I am working with customers who are interested in part-time help monitoring their network and have been helping them fine-tune the rules in the solution's platform. The way the primary task works is to watch for and then respond to the threat. Should there be a need, I usually work with a team in fine-tuning the rules on this platform. We are providing the products.

    I recently started working primarily on the Playbooks of the Splunk Phantom, so I've been creating some of these to help the customer automate the process of responding to the threats.

    What is most valuable?

    What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks. 

    The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.

    What needs improvement?

    Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

    For how long have I used the solution?

    I have been engaged in the production environment of Splunk for around a year and have been reading up on it for a long time.

    What do I think about the stability of the solution?

    I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. 

    What do I think about the scalability of the solution?

    Splunk allows one to easily scale up this platform. One can add more interfaces to that platform if he gets more data. 

    How are customer service and support?

    I usually rely on the Splunk community for information, such as discussions of incidents and other issues which others are facing. I feel the Splunk community to be an excellent source of information for me.

    How was the initial setup?

    Out of the three platforms I have been dealing with, I feel the initial setup of Splunk to be the easiest. I found it a bit difficult to set up a new environment with RSA Netwitness. Splunk, on the other hand, I have found to be very straightforward and an uncomplex platform. 

    Which other solutions did I evaluate?

    I have been proposing to management to take the solution to be a primary product in our dealings with it. We do not encounter many issues involving the solution. One of the problems I have with the RSA Netwitness platform is its complexity. Splunk is straightforward for us when it comes to views and it provides us the network security posture.

    The ability for the solution to work with Cisco shows that the solution can work with other products. The only thing is that when the solution is compared with other vendors, one sees that there is only a single other vendor that has endpoint security like this one, Netwitness platform having its component for the endpoint. This is why an integrated endpoint would be a nice feature, even though the solution works on Cisco. 

    When it comes to a data platform, there is RSA NetWitness, which may also be a good platform. I have not done much training of my own on Splunk, but have gained much experience through learning and working with clients that I support. This is because the platform is understandable. 

    I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. Clearly, I cannot include Wazuh in the top five categories, as its rating is not up there with Splunk, QRadar and LogRhythm.

    What other advice do I have?

    I cannot think of anything disadvantageous about Splunk, as we are talking about a product that I like. I feel the solution has beautiful features. 

    The decision to go with Splunk would depend on the business needs of the individual. I know that Splunk has both a cloud and an on-premises option. Sometimes, such as when it comes to conferences, there is no need to move some of the data to the cloud for the purpose of complying with regional requirements. There may be a need to retain some of it and a person might wish for a mixture of on-cloud and on-premises capabilities.

    I rate Splunk as an eight out of ten. It is a robust platform and easy to use. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Kenneth Barnes - PeerSpot reviewer
    CTA\Owner at UCSolutions
    Real User
    Top 10
    Easy to use and simple to set up with reasonable pricing
    Pros and Cons
    • "The SIEM is the most valuable feature of the product."
    • "The documentation is in definite need of improvement."

    What is our primary use case?

    I need the product for SIEM, Security Identity Event Management. I also need it for security operations, automated response, as well as mapping adjusting of security components as well. It helps us with how best to look at various events, and orchestrate between various different hyper-scalers.

    How has it helped my organization?

    The solution has made us more secure and has allowed for more definable mapping.

    What is most valuable?

    The SIEM is the most valuable feature of the product.

    Having a better integration method and then ingesting and mapping the information have been somewhat easier than some of the other tools that I've used previously (other than QRadar and Rapid7).

    The initial setup is pretty simple.

    The solution is scalable.

    Stability has been quite good. 

    The pricing is pretty decent.

    What needs improvement?

    The documentation is in definite need of improvement. 

    There are pieces of it that are somewhat just daunting and there should be better orchestration and automation. 

    I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.

    I'd like to have it so that Splunk integrates better with Terraform and Python.

    For how long have I used the solution?

    I've used the solution for eight years. I've used it for quite a while. 

    What do I think about the stability of the solution?

    Splunk is probably the best brand in terms of stability. I'd rate its reliability at a four out of five. There aren't bugs or glitches. It doesn't crash or freeze.

    What do I think about the scalability of the solution?

    The scalability is great. I'd give it a score of four out of five. If a company needs to expand, it can do so. 

    We have 450 people in our organization that use the product. We've also done this for clients that needed access for over 200,000 people.

    We use the solution extensively and likely will increase usage.

    How are customer service and support?

    The support is okay, however, there are a couple of things that they couldn't figure out and they couldn't help me with automation or stuff like that. It could have been better from there, however, it's not that bad. 

    Which solution did I use previously and why did I switch?

    I've previously used QRadar and it wasn't ideal.

    There were certain times I integrated with other solutions too.

    How was the initial setup?

    The initial implementation is pretty simple and straightforward. It's not too complex. I'd rate the experience at an eight out of ten.

    The initial deployment took us about two weeks or so.

    The amount of personnel you need for deployment and maintenance tasks depends on the size of the deployment. Typically, it's just one or two people. That said, it needs to be proportionate to certain sizes. Usually, the staff is from procurement or provisioning.

    What about the implementation team?

    I handled the implementation myself. I didn't need any outside assistance from any integrators. I'm a consultant myself.  

    What was our ROI?

    We've seen quite extensive ROI, however, it's more of a qualitative assessment and I don't have numbers to share. It works well and customers are happy. That's what counts. 

    What's my experience with pricing, setup cost, and licensing?

    It's a little bit more expensive than some of the other tools. It's not as expensive as QRadar. That said, it's more expensive than LogRhythm or Sentinel.

    There aren't really other fees beyond the standard costs of licensing. 

    Which other solutions did I evaluate?

    I evaluated other things. I also integrated with other solutions too. I decided to go with Splunk due to the fact that it worked well.

    What other advice do I have?

    I'm a consultant. I'm also a customer and use it myself. 

    We use multiple deployment models, including public and private clouds. 

    We typically use the latest version of the solution. 

    I'd advise potential new users to get a proper plan. They should have a good partner or someone that can help them and quickly map and orchestrate.

    I'd rate the solution at a ten out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Architect at a tech services company with 51-200 employees
    Real User
    Top 5 Leaderboard
    Cloud-ready, with forums and README tutorials that cover everything you need to know
    Pros and Cons
    • "Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize."
    • "I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part."

    What is our primary use case?

    Splunk just acts as an extra presentation layer, and we tried it because of the plugins they have to try and get more logs into the environment.

    What is most valuable?

    Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize.

    What needs improvement?

    Aside from the 5GB limit on the community version, I believe it is the same as ELK. It's a useful tool, and nothing comes to mind right now.

    I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part.

    What do I think about the stability of the solution?

    Splunk is a stable solution. I am very happy with the stability of Splunk.

    What do I think about the scalability of the solution?

    Splunk can be scaled to any environment. The way it's designed, it's cloud-ready, and it has a lot of performance, in-built indexing, and performance tuning options. Splunk is easily scalable.

    How are customer service and support?

    I am happy to report that I've never needed to contact technical support. The README tutorials and the existing forums provide me with practically everything I need. So far, I haven't had to do so. This should be a testament to the solution.

    Which solution did I use previously and why did I switch?

    We broaden the scope of IT governance and IT security.

    We look at everything from SIEM to network management to endpoint protection, server protection, database protection, and anything else that can aid in visibility, policy enforcement, and monitoring.

    Our organization is using a combination of Splunk and Elasticsearch. We get most of what we need from the ELK suite. ELK Stack is usually the primary focus.

    ELK has the same inbuilt reports and dashboards that you can customize, but ELK is better for central logging and log aggregation. Once they've all been aggregated, you'll be able to run any kind of queries and APIs to query the logs on ELK and then use Splunk as a presentation layer for the consumers to use.

    Security tools, in my opinion, are business tools and should be used by businesses rather than security engineers. I'm experimenting with a hybrid of the two, in which ELK serves as the engine for central logging and Splunk handles the presentation layer and aggregation of additional third-party logs from tools that might be difficult to integrate into ELK.

    I would rate Elasticsearch a ten out of ten.

    How was the initial setup?

    It's a cloud-ready package. It has the same characteristics as ELK. From a deployment standpoint, I don't have any issues with it. The material is freely accessible to anyone who wishes to use it. There is a virtual machine option. You can get a virtual machine by downloading it. The deployment options are simply numerous, and it is up to the implementer.

    It wasn't that difficult for me. There are no complaints from me. The material is present, and there are numerous options for deployment. It's relatively simple to go from zero to viewing data with Splunk. ELK is the same way. It is now up to the implementers and their environment to provide you with more data about it.

    What's my experience with pricing, setup cost, and licensing?

    They could improve their discounts. I think it's a good solution, and it's gaining a lot of traction; maybe they are recouping their R&D costs. Further reductions would be fantastic, and I believe that more and more people would flock to it.

    Which other solutions did I evaluate?

    We provide IT consulting services. Our customers occasionally ask us to assist them in locating specific solutions.

    What other advice do I have?

    I would recommend this solution to others who are interested in using this solution.

    I would say the forums and READMEs provide more than enough information about Splunk. Most people struggle because they move too quickly through the implementation process. As long as you follow the guidelines, particularly the specifications for environment requirements and implementation methodology, these solutions should work out of the box.

    Splunk is a very good solution, I would rate it a ten out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Solutions Consultant at a tech services company with 1,001-5,000 employees
    Real User
    Top 10
    Easy to use, provides a lot of analytics, and allows you to do pretty much whatever you want
    Pros and Cons
    • "It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool. It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want."
    • "If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide."

    What is most valuable?

    It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool.

    It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.

    What needs improvement?

    If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

    For how long have I used the solution?

    I have been using this solution for about three to four months.

    What do I think about the scalability of the solution?

    I'm not sure. I do not really throw a lot of data in it, but it has been authenticated very nicely. It manages indexes and all of these things very nicely. I have not been privy to any production systems where you have millions of lines of log coming in every second. It works very well for the data that I have. It should be able to handle a lot of data. That's the whole purpose of it, and that's why Splunk has become so popular. It is an enterprise monitoring tool, and a lot of customers have Splunk in their ecosystem.

    How are customer service and technical support?

    They have pretty much good documentation and good training. Their documentation is a lot better than Qlik Sense.

    Which solution did I use previously and why did I switch?

    Splunk is an enterprise monitoring tool. Qlik Sense can do a little bit of log monitoring, but it is mostly used for dashboard reporting, whereas Splunk is more around monitoring and figuring out threats and all such things. They are different, but both deal with the data and allow you to create operation reports. 

    Power BI is another tool that a lot of our customers use, but Splunk is quite often requested. It is also a lot more popular than Qlik Sense. We have a fair number of Qlik Sense customers.  

    We usually sell Blue Prism to business users who are more concerned with the reporting aspect, which is why they would like to have easy tools like Qlik Sense in their ecosystem, but on the infrastructure side, it would be Splunk for enterprise monitoring.

    How was the initial setup?

    Simple environments are easier to install. Because there is a lot of data log monitoring, once you have a production system, there is some amount of work in setting it up, especially making it SSL Secure and exposing it on the internet. There are multiple components behind it, so you need to ensure that all these things are set up correctly. These kinds of things are not required on a cloud platform because you are just uploading data. You really don't have much access to the backend.

    Splunk also has a cloud version, which I haven't looked at, but I have used Qlik Sense's cloud platforms. With on-premises, you are in control of pretty much how you set up all the data that you are sending out. A lot of our customers have the issue that if it is a cloud platform, they cannot really send out the data to any of these cloud platforms. So, there are data residence and other issues.

    What's my experience with pricing, setup cost, and licensing?

    It is more economical than other solutions.

    What other advice do I have?

    I would definitely recommend Splunk. It is quite a decent tool, and it is there in a lot of enterprises.

    I would rate Splunk an eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: partner
    PeerSpot user
    Buyer's Guide
    Download our free Splunk Report and get advice and tips from experienced pros sharing their opinions.
    Updated: December 2022