Splunk Room for Improvement
Security Engineer at a recreational facilities/services company with 10,001+ employees
Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.
By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.
I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective.
Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.
That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.View full review »
There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.
The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.
The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.
In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.
The interface or maybe some settings need to be improved a bit. It cannot be perfect, however, the issues may be related to the configuration or setup.
If you monitor too much, you can lose performance on your systems. You have to be careful what you're monitoring. If you monitor everything, everything stops working. You can go overboard in monitoring. You have to plan your monitoring pretty carefully.
It could be easier for beginners. As it is, right now, You have to have a good understanding of the solution in order to use it properly.
That said, as the user, I'm at a higher level of management on the architecture side in dealing with resilience. My concerns are different from other user concerns. Also, most of our clients are using it way more than we're using it.View full review »
Data Center Architect at a outsourcing company with 201-500 employees
It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.
To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.View full review »
Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine.
Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue.View full review »
Senior Consultant at sectecs
I really dislike how Splunk sales and partner manager behaves. I have faced several sales model and partnership changes. Also, the last time I wanted to by a license ro built a SIEM solution, they had removed the ability to purchase a splunk subscription or license from their website. In the past, there was a web page calculator it was possible to by online, but now it instructs to contact sales.
The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I have ask Splunk Sales to purchase a license like 1Gyte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote willing to pay for Splunk license to learn and to get used to the product, Splunk didn't get it managed to offer my a license neither arranging the partnership paperwork I have ask for. Sales people from Splunk where calling, each time after I left my details on ther trial download page. I explained my experience and concerns about Splunk in the past. All excuses received and promises that someone will contact me to solve the issues faced in the past, was leading in excactly nothing. Well Done Splunk.
Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner.
They definitely need to boost their sales and partner program because it changes to often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved.
I would like to see more SIEM functionality and embedded moduled such a ticket tool to make a end to end SIEM.
Audit Remideation/Financial Manager at a tech services company with 1,001-5,000 employees
We're still going through it at this time. However, there are a few changes that could be made.
It could be more user friendly, in terms of the end-user experience. The end-user aspect of it could be more enhanced, whereby you could probably have a lot more people that could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert.
Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible.
There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.
CSSP Manager at a tech services company with 51-200 employees
I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.
Automation Specialist, Analytics at a computer software company with 10,001+ employees
Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain.
When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands.
Our customers often complain that the price of Splunk is too high.
When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings.
When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.View full review »
The documentation is in definite need of improvement.
There are pieces of it that are somewhat just daunting and there should be better orchestration and automation.
I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.
I'd like to have it so that Splunk integrates better with Terraform and Python.View full review »
Solutions Consultant at a tech services company with 1,001-5,000 employees
If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.View full review »
Principal Information Systems Security Engineer at ManTech International Corporation
The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it.
Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality.
The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding.
The product is relatively expensive.View full review »
Senior Solutions Architect at a manufacturing company with 51-200 employees
Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards.
When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.View full review »
- It needs integration with a configuration management solution.
- It could use better password management for forwarders.
- It needs a better way to export dynamic views without requiring a ton of code and user/pw.
Senior security consultant at a comms service provider with 51-200 employees
Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements.
As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature.View full review »
Senior Informatica Administrator at a computer software company with 10,001+ employees
Index performance is a bit slow but this is partly due to the huge volumes of data for our industry within our environment This makes the index very large and inefficient in terms of performance. Performance could be improved to cater to this, however. We have also had problems with the compatibility between Splunk and other systems. We have previously been on 5.3 and migrated to 5.5. We are now planning to migrate to version 7.7. It has been difficult to find documentation about the compatibility with Linux. In terms of the interface, it could include some improvements for the look and feel.View full review »
Our two main complaints are about the difficulty of the initial setup and the licensing model.
The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.View full review »
The TERM licensing model is still not very useful. It's not helping us. They used to have a perpetual licensing model. Now Splunk is offering annual term/subscription only. That's costly and it's more expensive and it's putting some burden on us.
Technical support needs to be more responsive.
We would like to see more AI. Through AI, artificial intelligence, not machine learning only. We want to see more AI-enabled kinds of functionalities just to reduce dependencies on manual interventions. We do that, however, automation and artificial intelligence-based kind of automation we would really like to see.View full review »
Assistant Vice President at a financial services firm with 10,001+ employees
Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution.
On-premises scaling of the solution is a bit more limited than it is on the cloud.
The pricing of the solution needs to be a bit lower.
It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great it the solution better aligned with global standards.View full review »
CEO at a tech services company with 11-50 employees
In my opinion, it is too expensive for our projects.
It is very competitive for small and medium businesses. Perhaps some should be set aside for developing markets. To begin with, similar to the current market, there may be some special conditions for large transactions.
In the next releases, I would like to see more pricing flexibility. It's a subscription-based service, and they don't sell professional licenses.
In some cases, particularly with large projects, we are not competitive in terms of pricing when compared to IBM QRadar and other solutions; even if we offer the maximum discount available, our prices remain uncompetitive.View full review »
Senior Network Engineer at a tech services company with 51-200 employees
Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster.View full review »
Engineer at a financial services firm with 201-500 employees
The solution has a high learning curve for users. It's a little complicated when you're trying to figure out all the features and what they do.
The solution needs a bit more functionality. For example, being able to save a search and select it when you're doing an investigation. I know you can create dashboards and things like that, however, sometimes being able to have a pre-saved search and just fill in whatever value you need would make everything so much easier.View full review »
Assistant Manager System at a financial services firm with 10,001+ employees
Technical support is lacking post-sale.
The modification of firmware could be improved.
We find that the maintenance process could be a lot better.
The solution is more expensive than other options on the market.View full review »
Assistant Manager ICT - Projects at a financial services firm with 1,001-5,000 employees
Other than the pricing modules, I have no issues with the product itself.
The configuration had a bit of a learning curve.
I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.
If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.View full review »
Splunk is a very costly solution and I think it's the most expensive in the market in terms of costing. Splunk provides an application for infrastructure monitoring. If we're monitoring the docker with containers, we can't see the container name, only the ID. That's a big drawback.
Consultant at a financial services firm with 5,001-10,000 employees
Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they can make it easier to understand how to create search queries. They can improve the knowledge base for better understanding.
To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard is included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operation part will be more efficient. We won't have to follow a manual process for this.View full review »
Sr. Cyber Security and Solutions Architect at a government with 10,001+ employees
The configuration could be better.
We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.
We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.View full review »
It's difficult to set up initially, and their billing model is also a bit complicated.
We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers.
In order to know how much it will cost, you need those numbers.
I really wish that it was an application that was easier to use.View full review »
The complexity could be worked on so that it's even easier and faster. However, I understand that, if some complexity was removed, there might be slightly more limitations.
Occasionally there are data sizing and data-related issues that need to be overcome.
I'd like to see more documentation on the product.
The initial setup is not straightforward.
You do need a lot of training and certification with this product. Other than that, it's pretty good.View full review »
They could have more dashboards done or predefined so our clients could use them directly in order to have more information ready to use.
The difficult part is related to integration with sources of data that are used to create the logs as this depends on the infrastructure of the client.View full review »
Founder at a marketing services firm with 11-50 employees
The solution could be more user friendly and it's difficult to know at this stage whether our requirements will be met by the solution.
Its setup is a little bit complex for a distributed environment.
Their support can also be better. If we raise a case with Splunk support and by any chance we missed to respond for more than a week, they usually close the case. Sometimes, it can take us more than a week to reply. In that case What they can do is they can send a followup mail before closing.View full review »
IT System Developer/Admin at a manufacturing company with 10,001+ employees
An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times.
They also need to update their documentation.View full review »
Network Operations Center Engineer at a tech company with 51-200 employees
The price of the solution could be cheaper.View full review »
Product Manager, CyberSecurity at a tech services company with 201-500 employees
We need to get a Splunk Cloud instance inside South Africa's borders. At this stage, we are pushing Splunk Cloud, but it is not yet within South Africa's borders. So we've got data sovereignty issues, especially with government organizations.
Technical support could be improved as well.
Splunk can be an expensive solution. I think that they need to change their pricing model. At present, it is based on the number of gigabytes that you ingest into the Splunk system. Their competitors are now starting with a pricing model where you pay per device talking back. If Splunk could have a similar alternative, it would then allow people to choose the data model they want such as set data or a set number of devices.View full review »
Telecom Tech at a university with 501-1,000 employees
From the commercial point of view, they have to bring down their costs. It's a bit pricey right now. The license is quite expensive.
Much like the SOAR platform, which has security, orchestration, and automation response, all of that should be part of the SIM solution itself. Currently, it is actually separated. We understand that we have to integrate a SIM with a SOAR platform, however, if they could combine these two products together, that would be ideal. It would make things easy to implement and make more automation possible to avoid false-positive alerts.
Its pricing model and integration with third-party services can be improved. We had faced an issue with integration.
The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature.
A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable.
I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.View full review »
Security Professional at a tech services company with 501-1,000 employees
It currently has limited default rules and customizations. If they can concentrate more on the compliance part and the security information part, it would be helpful. The platform part is good, but it requires many features from the security aspect.View full review »
Sr. IT Manager at a government with 10,001+ employees
Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for.
In the next release of this product, I would like to see it offer more recommendations as to what needs to be done.View full review »
Splunk needs to be able to hold more days of data. At the moment it only holds three months of data. It needs more views and colors within the dashboard and the ability to have the flexibility to create a user-defined panel.View full review »
Technical Architect, Cloud Operations at a computer software company with 5,001-10,000 employees
Its reporting can be improved. That's the only complaint I have heard. I don't need the reporting part, but I know that other people in the organization need it.
In terms of new features, I got everything that I needed from the tool. If they want to expand the capabilities to different things, they can cover topics besides log aggregation, etc.View full review »
Product Manager, FX Solutions at a tech services company with 10,001+ employees
The solution could improve by making it more business analysis oriented. The way it is now is designed more for developers.View full review »
Cyber Security Consultant at a tech services company with 11-50 employees
There is improvement needed when importing from some types of data sources. Most of the time you have to do some customization for the data because not everything is working the way it should. Additionally, in other solutions, it is easier to build use cases.View full review »
Technical manager at a tech services company with 11-50 employees
This solution could be improved by better pricing in general and by easier installation.View full review »
President at a non-profit with self employed
The solution could improve by increasing the performance. We have run into problems when large amounts of data are processed.View full review »
Sr. IT Manager at a government with 10,001+ employees
Splunk is very complex. The implementation and the scanning of the logs can be difficult.View full review »
Enterprise Client Executive at a tech services company with 11-50 employees
Its interface could be improved.
Senior Technical Lead at a financial services firm with 10,001+ employees
The solution could improve by giving more email details.
In a future release, the solution could improve on the artificial intelligence features, such as if an alert comes, it could automatically do logging from the system, get the KV knowledge base, and perform other functions. This would be a benefit.View full review »
CyberSecurity Consultant at a tech services company with 51-200 employees
When it comes to out of the box use cases, I feel the solution to be too slow.View full review »