Splunk Enterprise Security Room for Improvement

Sameep Agarwal. - PeerSpot reviewer
Group manager at HCM Technologies

The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.  

Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

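A constructed inputs.conf fragment, added here and not taken from the reviewer or from Splunk's documentation, showing the kind of endpoint-side filtering described above: it restricts the Windows Security channel to a handful of event IDs (failed logons, account and password changes, privilege and group changes) and stops the forwarder from sending the rendered message text. The stanza keys are standard Splunk Windows input settings; the event-ID list, index name and the idea that these are the right events for a given SOC are assumptions to adjust per environment.

```ini
# inputs.conf on the universal forwarder (constructed example)
[WinEventLog://Security]
disabled = 0
index = wineventlog

# Forward only the event IDs the SOC uses (list is an assumption):
#   4625 failed logon            4740 account locked out
#   4720 / 4726 account created / deleted
#   4724 password reset attempt  4672 special privileges assigned at logon
#   4728 / 4732 / 4756 member added to a global / local / universal security group
whitelist = 4625,4672,4720,4724,4726,4728,4732,4740,4756

# Send the raw XML instead of the rendered event text; the localized
# description block is the bulk of each event's size
renderXml = true

# Do not backfill the whole channel on first start
start_from = newest
current_only = 1
```

A `blacklist` stanza with the same syntax covers the inverse case (drop a few noisy IDs, keep everything else), and the license-usage reports under the Monitoring Console are the place to confirm that daily ingest actually dropped after the change.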
Avinash Gopu. - PeerSpot reviewer
Associate VP & Cyber Security Specialist at US Bank

There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.

Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.

While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.

Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.

Viney Bhardwaj - PeerSpot reviewer
Sr Manager at Ernst & Young

Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite.

The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better.

The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there.

The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

Praveen-Kadali - PeerSpot reviewer
Senior Consultant at Ernst & Young

There are deployment servers and other servers, and sometimes Splunk may encounter issues if there are non-reporting devices. We will receive alerts only for the administrators and deployment servers, but not for all servers.

When upgrading Splunk, we encounter certain issues. For instance, it does not accept older versions of the other tools we use. This is the main problem. For example, if we are using a ticketing tool or any other XDR or EDR solutions, we need to upgrade them when we upgrade Splunk. During this process, we will encounter some difficulties, resulting in delays. Ideally, the upgrade process should first accept the current versions and then prompt for an upgrade, allowing us sufficient time to upgrade the other solutions. This helps ensure business continuity, although it may introduce some delays in upgrading all these processes.

MR
Manager, Security Engineering at a computer software company with 1,001-5,000 employees

Enterprise Security hasn’t helped us reduce our alert volume. The analysts have, however.

We do all of our enterprise security on-prem. We avoid the Splunk Cloud solution since we want the flexibility to build our own. It is a hugely complicated product. Obviously, anything that they could do to make it easier would be ideal. 

SAURABHYADAV4 - PeerSpot reviewer
Technical Specialist at HCL Technologies Limited

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

Rishabh Gandhi - PeerSpot reviewer
Senior Security Analyst at Inspira Enterprise India Pvt. Ltd.

Splunk Enterprise Security has a learning curve that needs to be improved. I have seen users struggle with Splunk just because of the language they've used to create it. I've recently started working for the past three months on Sentinel. The same thing happens with Sentinel, where you select certain things, and it will create a query for you.

It would be great if I could have a certain dialogue box in Splunk that uses innovative AI tools like ChatGPT, which are available now in the tech department. If a user is struggling, they can just ask an AI tool what they are trying to do with a query, and then it can suggest how a query can be written for a particular user. It can help in a way to understand the context of what the user is trying to write, which will be very helpful for ongoing operations.

Even if users have zero knowledge, they can get comfortable with Splunk much more easily if an AI tool helps them write a query or search for any indexes or data models. It will be able to give more context to the user regarding how they should approach the query. This can be done using AI tools like ChatGPT, which will understand the context of what the user is trying to approve and give suggestions based on it.

TB
Sr Cybersecurity Engineer at an energy/utilities company with 10,001+ employees

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

SC
CSO at a manufacturing company with 1,001-5,000 employees

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

Maaz Khalid - PeerSpot reviewer
Cyber Security Analyst at Rewterz

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

MANISH CHOUDHARY. - PeerSpot reviewer
SOC manager at a tech vendor with 10,001+ employees

Splunk can improve its third-party device application plugins.

Jeremiah Anderson - PeerSpot reviewer
Sr. Cybersecurity Engineer Splunk Architect at Coalfire Federal

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

DS
Security Analytics innovation lead at a pharma/biotech company with 10,001+ employees

Splunk Enterprise Security could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful. 

If you spend time with your team creating rules specific to your environment, you can get a lot of value from Splunk. At the same time, that requires some additional effort and costs. Splunk has a few built-in integrations that are ready to go. In other cases, we need to build custom solutions, which is more difficult and costly.

LC
Security Engineer at a recreational facilities/services company with 10,001+ employees

Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.

Balamurali Vellalath - PeerSpot reviewer
Practice Head-CyberSecurity at ALTEN calsoft Labs

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.

The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.

The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein end-customers like us can choose the playbooks, with automation playbooks readily available.

In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

JG
IT Director at Administrative Office U.S. Courts

Splunk conferences are very helpful for networking and talking to folks who have a similar situation. It would be helpful for customers if they could create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers.

YT
Regional Sales Manager at Redington (India) Ltd

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

OO
Owner at Py Concepts

There are a lot of false positives which can cause a lot of fatigue. 

Sometimes, there is latency in the logs. 

When you deploy Splunk, you need a high level of knowledge. You really need to know what you are doing. It requires a lot of things.

They need to come up with straight steps to get things done, to have a step-by-step process to achieve this or that. 

KC
IS Engineer at a hospitality company with 10,001+ employees

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.

When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

BC
IT Specialist at a government with 10,001+ employees

I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit. 

In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.

Kiran Kumar. - PeerSpot reviewer
Lead Administrator at Wipro Limited

The price has room for improvement.

SK
Senior Engineering Manager at Happiest Minds Technologies

The glass table feature does not perform as expected. It must be improved.

ST
Information Security Analyst at Apcfss

It's a little difficult to archive data in Splunk for longer than six to eight months. Integration is more challenging compared to other tools we've used, such as LogRhythm. 

Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process. 

Hari Haran. - PeerSpot reviewer
Technical Associate at Positka

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. 

Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

PW
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees

It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk. This includes making sure that the log feeds are aligned correctly so that when we look at data and alarms, everything makes sense. Sometimes, I see alarms that are caused by data sources that have snuck in. For example, if my firewall says something about AV, it might get mapped into antivirus. This can happen because firewalls are multipurpose devices, and they can end up in models that aren't really applicable. Part of the problem is the infrastructure within Enterprise Security with how they group data types. For example, authentication data, firewall data, network data, and user-based data are all gathered in different ways. This can lead to confusion, especially when multifunction devices are involved. For example, if a firewall says that antivirus is not enabled, it might still detect something as if it was antivirus-related. This can blur the incidents and the information we have. It is important to identify items that creep in or issues that need to be cleaned. This will help us identify problem areas and their root causes more effectively and quickly. We can then clean up the data model, make sure the lines are correct, and get higher-quality alarms.

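The data-model bleed described above (a firewall's status messages about antivirus landing in the Malware data model because they carry the same tags as real detections) can be made visible and then corrected through Splunk's eventtype and tag configuration. The following is an added, constructed example and not the reviewer's configuration: the sourcetype, eventtype and field values are hypothetical. The search in the leading comment lists which sourcetypes are feeding the model; the eventtype and tag stanzas then keep the `malware` and `attack` tags, which the Malware data model is built on, on genuine detections only.

```ini
# Audit first, in Search: which sourcetypes populate the Malware data model?
#   | tstats summariesonly=true count from datamodel=Malware.Malware_Attacks by sourcetype, source
# A firewall's "AV signature status" sourcetype showing up here is a tagging problem,
# not a malware incident.

# eventtypes.conf (hypothetical sourcetype and field values)
[acme_fw_av_status]
search = sourcetype="acme:firewall" vendor_action="av_signature_update"

[acme_fw_av_detect]
search = sourcetype="acme:firewall" vendor_action="av_blocked"

# tags.conf: Malware.Malware_Attacks is constrained by tag=malware tag=attack,
# so only the detection eventtype gets those tags
[eventtype=acme_fw_av_detect]
malware = enabled
attack = enabled

# Explicitly disabled, so a broader add-on tag on the sourcetype cannot pull
# status messages back into the model
[eventtype=acme_fw_av_status]
malware = disabled
attack = disabled
```

After the change, rerunning the tstats audit (and, for accelerated models, rebuilding the summary) confirms that the status events have left the model and that the notables derived from it are based on detections alone.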
Nagendra Nekkala. - PeerSpot reviewer
Senior Manager ICT & Innovations at Bangalore International Airport Limited

The threat detection library needs to increase the frequency at which the playbooks are updated. 

MA
System Administrator at Nournet communications

The price of Splunk Enterprise Security is high and can be improved.

Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.

JB
Security Engineer at State of Nevada

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

HC
Insider Threat Consultant at a manufacturing company with 10,001+ employees

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

SN
Senior Analyst at a computer software company with 11-50 employees

Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model. 

Riaz Ahmmed - PeerSpot reviewer
Team Lead at ATSS

Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform.

Splunk Enterprise Security's price is high and could be lowered.

Chetankumar Savalagimath - PeerSpot reviewer
Delivery Manager at a tech services company with 1,001-5,000 employees

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

SaravanaKumar1 - PeerSpot reviewer
Principal Consulting - Cloud & Infrastructure Services at Fourth Dimension Technologies

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Alex Adamovici - PeerSpot reviewer
Head of Knowledge Capture Cloud at Integritie

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

Kutay KOCA - PeerSpot reviewer
Cyber Security Analyst at Clarusway

While Splunk Enterprise Security offers valuable features, its cost is high and could be more competitive.

RV
CEO at a retailer with 51-200 employees

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

PP
Senior Security Engineer at a tech services company with 201-500 employees

Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.

The price for Splunk Enterprise Security is high and has room for improvement.

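An added savedsearches.conf example (constructed, not the reviewer's configuration) of the boundary-setting the review above describes: the search runs on a fixed schedule, fires only when a threshold is crossed, and is throttled so that the same source does not re-alert every run. The index, the `src` field as extracted by the Windows add-on, the threshold and the suppression window are all assumptions to tune per environment.

```ini
[Failed logons - repeated from one source]
# Constructed example; EventCode 4625 is a failed Windows logon, src is assumed
# to be populated by the Windows add-on's field extractions
search = index=wineventlog EventCode=4625 | stats count AS failures by src | where failures > 50
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Check every 15 minutes rather than continuously
cron_schedule = */15 * * * *
enableSched = 1

# Trigger only when the search actually returns rows
counttype = number of events
relation = greater than
quantity = 0

# Throttle: at most one alert per src per 24 hours, instead of one every run
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 24h

alert.track = 1
alert.severity = 4
```

Before enabling the schedule, running the search over a representative week and counting results per `src` shows whether the threshold and the suppression window leave the analysts with a volume they can actually work, which is the test the reviewer says has to be done before an alert goes live.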
Yash-Gupta - PeerSpot reviewer
Analyst, TSG Information Security Cyber Operations at a consultancy with 5,001-10,000 employees

I haven't explored beyond the security aspect as a data analyst. I haven't noticed any shortcomings so far. 

AG
Chief Cybersecurity Architect at a security firm with 201-500 employees

They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match. 

SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution, making maintenance easier for the security officer. 

Kenny Corbett - PeerSpot reviewer
Associate Director of IT at Rigel Pharmaceuticals Inc

The pricing can be better.

SO
Manager at a consultancy with 1-10 employees

In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.

VK
Security Analyst at a tech services company with 1-10 employees

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

KI
Staff application Security Analyst at a media company with 5,001-10,000 employees

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

VA
Tech Director at a government with 10,001+ employees

I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk.

SH
Cyber Security Engineer at a university with 5,001-10,000 employees

Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky. 

VN
Owner at a computer software company with 1-10 employees

I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.

DB
Project Manager at a construction company with 1,001-5,000 employees

Some of the queries are difficult to run and have room for improvement.

AZ
System Engineer at Tara

The threat intelligence management feature is something we cannot use.

We'd like Splunk to reduce false positives. 

It would be helpful to be able to configure everything a bit more. If your network is very big, it's important to customize.

The dashboard could be improved so that tracking and analysis could be better visualized.

RB
Engineer at a government with 10,001+ employees

We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that.

It seems to be limited in terms of predictive features. I took up machine learning a couple of years ago. It seems to have some capabilities there, but I do not have specific things for it right now.

JC
Cyber Security at a financial services firm with 5,001-10,000 employees

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market.

In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

OF
SOAR Developer at a media company with 10,001+ employees

Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help. 

MM
SOC Analyst at a tech services company with 10,001+ employees

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

AB
Cloud Cybersecurity Engineer at a tech services company with 10,001+ employees

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

TG
Sr. Cyber Security and Solutions Architect at a government with 10,001+ employees

The configuration could be better.

We would like to see improved pricing, however, I'm kind of out of that arena. I make suggestions based upon the flexibility with which we serve our customer base, which is millions of our veterans. I would say that if someone was not familiar with it, one of the things that I've heard is that it's kind of hard for them to understand the whole thing. Splunk is just one piece to the puzzle. It's not the whole puzzle. It's kind of not the solution's fault, in that sense. That said, if it could be more accessible to people with different skillsets, that would be ideal.

We'd like to see reporting where there's a way that we can get a higher description without being too technical, for example, where it's kind of more of an executive-level of technical.

reviewer1331706 - PeerSpot reviewer
I&T Design & Execution Reliability Engineering Leader at a financial services firm with 10,001+ employees

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way they present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

CD
project manager at ManTech International Corporation

The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it.

Santhosh Kandadi - PeerSpot reviewer
Assistant Vice President at Synchrony

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution.

On-premises scaling of the solution is a bit more limited than it is on the cloud.

The pricing of the solution needs to be a bit lower.

It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great if the solution better aligned with global standards.

OS
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services

The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall.

RA
Security Operation Centre (SOC) Analyst at Nera Philippines Inc.

We'd like to have the number of devices covered under the license to be increased. 

AS
Senior Network Engineer at a government with 5,001-10,000 employees

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics. 

AG
Information Technology Specialist at a healthcare company with 10,001+ employees

Its user interface for everything other than the charts can be improved. Some parts of it can be simplified a bit, such as when importing documents that have the network traffic. When you're going through the information about the network traffic, you have to have the expertise, but even if a program is supposed to be for IT support, it is good to make it user-friendly because it gets easier to train people. When something goes wrong, the more difficult a program is in terms of UI, the harder it is to fix the issue.

AB
Risk Manager at Samapartners

The threat detection system has room for improvement. The critical aspect for an organization is the timely detection of incidents. If the rules are not defined correctly, threats may not be detected in real-time, resulting in incidents being detected months or even years after they occur.

DL
Head of Cybersecurity at a computer software company with 51-200 employees

When it comes to malicious activities, however, it's rather overpriced. There are cheaper ways to detect.

There are quite a lot of security platforms on the market that do the same thing in a similar way at a cheaper rate. 

The pricing could be a lot lower. I'm from Asia, and they need to provide Asian pricing. They should price better for the region they are in. Once companies see the price, it puts them off. 

The integration could be a bit better. They charge for certain integrations. 

NS
Security Engineer

The product could be cheaper.

RC
Security Compliance Program Manager at an educational organization with 5,001-10,000 employees

Customers cannot manage or maintain the servers on the cloud since they are all deployed. Since there are platforms, they can become a little bit hectic. One of my other observations is that the applications that are available on the store are not updated as much as those available on on-prem.

Moreover, I have had issues with the Splunk store. I believe that the developers in the Splunk store are external and I can see that the level of maturity of these developers ranges between low and medium. I have never seen the maturity go up higher. The applications are not maintained regularly and it can cause issues in the visibility dashboard. I would suggest to Splunk's tech team to keep the store private, so that Splunk creates its own applications without the interference of external developers.

I have concerns about the architecture as well since I can see it is not very well defined. However, this is not the case with on-prem. We were able to manage and do whatever we wanted on the server level without opening a case or anything else. Moreover, the applications are updated every six months.

Robert Cheruiyot - PeerSpot reviewer
IT Security Consultant at Microlan Kenya Limited

Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

John Yuko - PeerSpot reviewer
Assistant Manager ICT - Projects at I&M Bank Ltd

Other than the pricing modules, I have no issues with the product itself.

The configuration had a bit of a learning curve.

I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.

If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.

SD
Technical Project Manager at Altran

I would like to see them develop integration with the help of a rack rest API, which is an API that helps to secure communication with Oracle Cloud and pull down records from there.

This integration is currently missing in the current version of Splunk. I'm looking forward to seeing this feature get implemented in the next version of Splunk so that organizations can benefit from this feature in the future.

RB
Engineering Manager at Cengage Learning

I would like some additional AI capabilities to provide additional information about things going wrong and things going well.

GG
Security Engineer at By Light Professional IT Services

There is machine learning with Splunk Enterprise Security, and based on the keynotes at the Splunk conference, there is going to be some AI involved as well. My biggest struggle with Splunk, in general, is memorizing all the commands. If I want to know which users have logged in between certain hours, I cannot write that query out. It would be helpful to have AI so that I can explain in simple terms what I want and then the search gives that back to me. I am waiting for that. That is going to be my bread and butter because my big thing is that I just cannot remember all those commands.

If you have a dashboard that is too large with too many searches, it tends to get bogged down. If you create various different dashboards, you can bypass the issue of not having enough resources to load all the things you need to load.

Salma Shahin - PeerSpot reviewer
Senior Engineer at Sony India Software Centre

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

SP
CHRO at a computer software company with 5,001-10,000 employees

In the several years I have worked with the solution, I have felt there to be a need for practice of queries and understanding. As with other areas needing practice, the more one learns and practices, the easier things become. 

While this is not terribly difficult, it is so when compared with QRadar. This holds true when we don't know the queries at all. Other than this, it is a great tool. 

The solution should also have more advanced capabilities in comparison with QRadar, which offers Watson. The product should have add-ons. 

it_user664632 - PeerSpot reviewer
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees

Cluster management can only be done via a command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as double factor authentication.

The administration of the cluster and app deployment to indexers or search heads can be done only using SSH access and the command line; there are no GUI tools for that.

Permissions, on the other hand, could be improved by adding, for example, the deny option to groups to see an index, etc. Also, the authentication method is just LDAP or Splunk, so some more security layers could be added, such as a second factor, etc.

JJ
Lead Solution Architect at a tech vendor with 5,001-10,000 employees

Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively.

MY
Systems Engineer at a consultancy with 201-500 employees

We'd like to have customer service in Hong Kong. I tend to wait a while for their response. We'd like to have more best-practice rules and instructions on how to create a dashboard.

I've only been using Splunk for two years. I make use of it to incorporate other solutions. I need to spend more time mastering Splunk. Sometimes it's a little bit difficult to use. I'd like to get more certificates, et cetera, and have spoken to their main office about that. It's got a high learning curve.

It hasn't helped us speed up security investigations. 

MK
Technical Account Manager at Trustaira

Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality.

The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding.

The product is relatively expensive. 

CM
Incident Manager at CyberCore Technologies

There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started. 

RE
Cyber Security Consultant at a tech services company with 10,001+ employees

As a student, I'd like to see more labs and things for students to test in order to learn.

Having a trial version or more training on Splunk would be helpful.

There is a free version, but it is insufficient for training and learning because it is a little bit difficult to work with, especially if you are a beginner. It's difficult to improve when you're just starting out with logs and SOC. As a result, we require a longer free version.

MS
Senior security consultant at a comms service provider with 51-200 employees

Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements. 

As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature. 

KB
DevOps Engineer at Amplify Education, Inc.

A problem that we recently had was that we are licensed based on how much data you upload to them every day. Something changed in one of our applications, and it started generating three to four times as many logs. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However, it would be better if they had something systematically built into the product so that if you're getting close to your license, it shuts things down. This sort of thing would help out a lot. It would help them out too, because then they wouldn't be hollering at us for going over our license.

ShilpeeSinha - PeerSpot reviewer
Senior Security Engineer at Citrix

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something.

Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

RU
Senior Solutions Architect at a manufacturing company with 51-200 employees

Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards.

When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.

SD
Assistant Manager System at a financial services firm with 10,001+ employees

Technical support is lacking post-sale.

The modification of firmware could be improved.

We find that the maintenance process could be a lot better. 

The solution is more expensive than other options on the market.

RB
Automation Specialist, Analytics at a computer software company with 10,001+ employees

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain.

When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands. 

Our customers often complain that the price of Splunk is too high.

When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings. 

When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.

it_user340983 - PeerSpot reviewer
Infrastructure Engineer at Zirous, Inc.

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. That is not to say that they are currently lacking, I don't believe they are, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would enjoy seeing more security-focused add-ons and apps developed by the vendor.

it_user126027 - PeerSpot reviewer
Owner with 1-10 employees

Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.

KB
CTA\Owner at UCSolutions

The documentation is in definite need of improvement. 

There are pieces of it that are somewhat just daunting and there should be better orchestration and automation. 

I've done some automation with it, with Terraform, and also with some other sources. If it wasn't so proprietary, that would be ideal.

I'd like to have it so that Splunk integrates better with Terraform and Python.

PB
Principal Systems Engineer at Aricent

Our two main complaints are about the difficulty of the initial setup and the licensing model.

The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.

PB
Principal Systems Engineer at Aricent

It's difficult to set up initially, and their billing model is also a bit complicated. 

We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers.

In order to know how much it will cost, you need those numbers.

I really wish that it was an application that was easier to use.

MK
Senior Consultant at Securian Financial Group

I would like to see Splunk improve its posture as a production operations tool. This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

it_user525171 - PeerSpot reviewer
Specialist Master, Cyber Risk at a tech vendor with 10,001+ employees

The GUI can be improved. Splunk has always suffered from having a kind of goofy UI; it needs some updating.

it_user257376 - PeerSpot reviewer
Lead Splunk Architect at a financial services firm with 10,001+ employees

Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.

it_user575310 - PeerSpot reviewer
Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees

Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?

Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.

AB
Senior Information Technology System Analyst at YASH Technologies

Its pricing model and integration with third-party services can be improved. We had faced an issue with integration. 

The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature.

A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable.

I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.

KK
IT Analyst at an energy/utilities company with 1,001-5,000 employees

Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.

TF
CTO at IHS Markit

The query language is pretty slick and easy, but it is not consistent in parts. Some of it feels a little esoteric. Personally, some of my engineers are coming from SQL or other languages. Some things are a little bit surprising in Splunk and a little bit inconsistent in their querying, but once you get used to it and once you get used to the field names and function names, you can get the hang of it. However, if it was a bit more standardized, it might be quicker to get it up and running.

I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions. I would also like a better UI tool for enhancements of advanced visual query editors.

GS
Principal Engineer at Publix Super Markets

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

CJ
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

RW
Regional Head at a tech services company with 51-200 employees

I'd like to see more documentation on the product.

The initial setup is not straightforward.

You do need a lot of training and certification with this product. Other than that, it's pretty good.

CS
Data Center Architect at an outsourcing company with 201-500 employees

It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.

To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.

EG
Information Security Officer at a financial services firm with 501-1,000 employees

Right now, everything is good. I don't really have notes for aspects of improvement. 

There can be a bit of complexity around some fields during the initial setup. There are some places where you have to use regular expressions to parse logs. The part of parsing logs correctly is the most, let's say, difficult thing, and when this is done, all of the other things are easier. Anyway, the regex part is a very good feature and in my opinion, it should stay like it is, because it gives a lot of flexibility. Customers may learn to use it or use technical support.

The cost of the solution is a little bit high.

Donald Baldwin - PeerSpot reviewer
Principal Enterprise Architect at Aurenav Sweden AB

The interface or maybe some settings need to be improved a bit. It cannot be perfect; however, the issues may be related to the configuration or setup.

If you monitor too much, you can lose performance on your systems. You have to be careful what you're monitoring. If you monitor everything, everything stops working. You can go overboard in monitoring. You have to plan your monitoring pretty carefully.

It could be easier for beginners. As it is, right now, you have to have a good understanding of the solution in order to use it properly.

That said, as the user, I'm at a higher level of management on the architecture side in dealing with resilience. My concerns are different from other user concerns. Also, most of our clients are using it way more than we're using it.

JO
General Manager at Intersoft S.A.

They could have more dashboards done or predefined so our clients could use them directly in order to have more information ready to use.

The difficult part is related to integration with sources of data that are used to create the logs as this depends on the infrastructure of the client.

RT
VMware Engineer at First Data Corporation
  • The amount of time it takes to troubleshoot not-easily-available data
  • Also, hours on the phone with VMware techs.
SM
Engineering Manager at a manufacturing company with 10,001+ employees

For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster.

With the AWS hosted version, we have not hit this bottleneck yet, simply because we are not yet at the multiple terabyte scale. We have hit it with the on-premise enterprise version. This is a problem that we run into every so often. We don't run into this problem day in and day out. Only during the month of August through October do we contend with this issue. Also, there is a fair bit of lag. We have our ways to work around it. Between those few months, we are pumping in a lot of data. It is between 8 to 10 terabytes of data easily, so it is at a massive scale. There are also limitations from the hardware perspective, which is why it is an optimizing problem.

it_user865026 - PeerSpot reviewer
Lead Systems Architect at an energy/utilities company with 10,001+ employees
  • Custom visualizations are really hard. While the default visualizations are good, creating enhanced visualizations is complex.
  • Configuring a few apps is complex, not straightforward.
it_user250131 - PeerSpot reviewer
Information Architect at a financial services firm with 5,001-10,000 employees

We usually have to follow up with technical support on our open cases. Otherwise, Splunk listens to customers and is constantly incorporating their feedback in future releases.

Sontas Jiamsripong - PeerSpot reviewer
Account Presale at a tech services company with 1,001-5,000 employees

I would like Splunk to add more integration. QRadar has many integrations with more products than Splunk.

AM
Senior Cyber Security Expert at a security firm with 11-50 employees

The complexity could be worked on so that it's even easier and faster. However, I understand that, if some complexity was removed, there might be slightly more limitations.

Occasionally there are data sizing and data-related issues that need to be overcome.

View full review »
it_user859668 - PeerSpot reviewer
Splunk Administrator at Arizona State University

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.

While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

View full review »
it_user860487 - PeerSpot reviewer
Business Intelligence Developer at Arizona State University
  • Certain sections of the developer documentation could use some updating and clarification.
  • Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
  • Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).
View full review »
it_user859650 - PeerSpot reviewer
Systems Analyst Staff - SW Eng Compute Analytics Lead at Qualcomm
  • Free-floating panels in the dashboards are like a glass table. 
  • It needs more formatting control without having to be an admin.
View full review »
it_user859446 - PeerSpot reviewer
Splunk Architect at The Johns Hopkins University Applied Physics Laboratory

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms. 

View full review »
LR
Cybersecurity Senior Manager at a tech services company with 10,001+ employees

We had some connection issues with the solution at the beginning.

View full review »
SS
Consultant at a financial services firm with 5,001-10,000 employees

Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they can make it easier to understand how to create search queries. They can improve the knowledge base for better understanding.

To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard is included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operation part will be more efficient. We won't have to follow a manual process for this.

View full review »
JD
Enterprise Architect at a tech services company with 10,001+ employees

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.

I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

View full review »
RM
Splunker at freelancer

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.

Also, AngularJS/ReactJS inclusion could be made easier in GUI.

View full review »
AM
Senior Technical Lead at a financial services firm with 10,001+ employees

The solution could improve by giving more email details.

In a future release, the solution could improve on the artificial intelligence features, such as if an alert comes, it could automatically do logging from the system, get the KV knowledge base, and perform other functions. This would be a benefit.

View full review »
AT
Managing Director at Hayyan Horizons

The TERM licensing model is still not very useful. It's not helping us. They used to have a perpetual licensing model. Now Splunk is offering annual term/subscription only. That's costly and it's more expensive and it's putting some burden on us.

Technical support needs to be more responsive. 

We would like to see more AI. Through AI, artificial intelligence, not machine learning only. We want to see more AI-enabled kinds of functionalities just to reduce dependencies on manual interventions. We do that, however, automation and artificial intelligence-based kind of automation we would really like to see.

View full review »
SO
Founder at a marketing services firm with 11-50 employees

The solution could be more user-friendly, and it's difficult to know at this stage whether our requirements will be met by the solution.

View full review »
JB
Sr. IT Manager at a government with 10,001+ employees

Splunk is very complex. The implementation and the scanning of the logs can be difficult.

View full review »
JB
Sr. IT Manager at a government with 10,001+ employees

Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for.

In the next release of this product, I would like to see it offer more recommendations as to what needs to be done.

View full review »
PN
Director at a tech services company with 10,001+ employees

I have not tested the hybrid model yet. I don't know whether all its integrations and interfaces will work between the cloud and on-premise model. I also don't know if across multiple clouds all the products will perform properly.

If it could be made available as a service, this would be much better than as a product.

View full review »
Yosef Tavin - PeerSpot reviewer
DevOps Engineer at BigPanda

It needs to improve the way to install third-party apps and enable installation without logging into splunk.com.

View full review »
RP
Director of IT at BLUE LAKE RANCHERIA

The case management area of the ES could be improved, specifically the ability to move cases through various stages and states. The ability to close a case would be a key improvement.

View full review »
it_user399819 - PeerSpot reviewer
Security Architect at an energy/utilities company with 1,001-5,000 employees

The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.

View full review »
ST
Junior SAP Security Engineer at Sagesse Tech

Splunk Enterprise Security needs to improve its stability.

The UI can be difficult to understand for non-technical people.

View full review »
VA
Security Architect at a tech services company with 51-200 employees

Aside from the 5GB limit on the community version, I believe it is the same as ELK. It's a useful tool, and nothing comes to mind right now.

I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part.

View full review »
ID
Senior Network Engineer at a tech services company with 51-200 employees

Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster.

View full review »
GW
Consultant at Splunxter, Inc.
  • It needs integration with a configuration management solution. 
  • It could use better password management for forwarders. 
  • It needs a better way to export dynamic views without requiring a ton of code and user/pw.
View full review »
AV
IT System Developer/Admin at a manufacturing company with 10,001+ employees

An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times.

They also need to update their documentation.

View full review »
AK
Senior Informatica Administrator at a computer software company with 10,001+ employees

Index performance is a bit slow, but this is partly due to the huge volumes of data for our industry within our environment. This makes the index very large and inefficient in terms of performance. Performance could be improved to cater to this, however. We have also had problems with the compatibility between Splunk and other systems. We have previously been on 5.3 and migrated to 5.5. We are now planning to migrate to version 7.7. It has been difficult to find documentation about the compatibility with Linux. In terms of the interface, it could include some improvements for the look and feel.

View full review »
SJ
Engineer at a financial services firm with 201-500 employees

The solution has a high learning curve for users. It's a little complicated when you're trying to figure out all the features and what they do.

The solution needs a bit more functionality. For example, being able to save a search and select it when you're doing an investigation. I know you can create dashboards and things like that, however, sometimes being able to have a pre-saved search and just fill in whatever value you need would make everything so much easier.

View full review »
MT
Project Manager at Idemitsu Oil & Gas

If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well.

View full review »
GM
Application Engineer at Expedia

The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. If there was a better way to extract the data point and put it into a long-term viewing ability for a year-over-year analysis, then compare that to your other business metrics. That is what I am looking for, as an example, for a call center you want to see the time it takes for your customer to be handled on their need comparatively to the system performance that is happening, then overlay that data. 

View full review »
VS
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees

Operational Workflow, Use Case Framework, and ticketing systems to make it suitable for SOC environments

View full review »
AP
Presales Manager at a tech services company with 11-50 employees

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market.

Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. 

Its costs are too high and it should be more cost effective because it's going to be a cloud offering. 

View full review »
VS
Splunk BDM in UA at a manufacturing company with 51-200 employees

The Splunk licensing model should be more flexible.

The support that is included with the standard licensing fee is very bad.

View full review »
HT
System Administrator and DevOps Engineer at a tech services company with 10,001+ employees

Splunk is a very costly solution and I think it's the most expensive in the market in terms of costing. Splunk provides an application for infrastructure monitoring. If we're monitoring the docker with containers, we can't see the container name, only the ID. That's a big drawback.

View full review »
it_user867936 - PeerSpot reviewer
Works at a financial services firm with 10,001+ employees

Splunk can improve regex/asset analysis as we do not want to crawl until it is done. I could not find a timestamp for when the log was processed and generated.

View full review »
it_user867087 - PeerSpot reviewer
Security Engineer at Information Innovators Inc. (Triple-i)

The Enterprise Security app could be improved. We have had trouble with it working from the first day.  

View full review »
CM
Business Intelligence Engineer at SONIFI Solutions, Inc.

The product was designed for security and IT with business intelligence needs, such as PDF exporting, but this has not been the highest priority. While the functionality is there, it could be developed more. 

View full review »
RS
Tech Lead Security at a comms service provider with 51-200 employees

Its search or filtering capability is nice, but it can be improved. It is currently a bit complicated, and it should be simplified. If we can write the search filter in a more simplified way, it would be better.

Their sales support and tech support need improvement. Their support is really bad.

View full review »
AD
Director General de España at a cloud provider with 51-200 employees

The UI can be improved. Dashboards and reports can be better in terms of graphics.

View full review »
AA
Information Security Analyst at a tech services company with 1,001-5,000 employees

Its setup is a little bit complex for a distributed environment. 

Their support can also be better. If we raise a case with Splunk support and by any chance we miss responding for more than a week, they usually close the case. Sometimes, it can take us more than a week to reply. In that case, what they can do is send a follow-up mail before closing.

View full review »
ST
IT & Cloud Architect at AiM Services SA

The security can be improved. 

View full review »
it_user782697 - PeerSpot reviewer
Security Operation Center Analyst at Sadad

In the next release of Splunk, I think the machine learning should be emphasized. Now, it's really important to analyze Big Data, data mining. A SIEM solution, like Splunk, needs an improved data mining solution, artificial intelligence. Splunk would be the best if it improved these features.

View full review »
MA
System Administrator at Abdullah Al-Othaim Markets

Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk.

View full review »
it_user174663 - PeerSpot reviewer
Systems/Applications Specialist with 201-500 employees

It can be easier to set up and add new sources, which Splunk is improving with every new version.

View full review »
MM
CEO at a tech services company with 11-50 employees

In my opinion, it is too expensive for our projects.

It is very competitive for small and medium businesses. Perhaps some should be set aside for developing markets. To begin with, similar to the current market, there may be some special conditions for large transactions.

In the next releases, I would like to see more pricing flexibility. It's a subscription-based service, and they don't sell professional licenses.

In some cases, particularly with large projects, we are not competitive in terms of pricing when compared to IBM QRadar and other solutions; even if we offer the maximum discount available, our prices remain uncompetitive.

View full review »
JS
Product Manager, FX Solutions at a tech services company with 10,001+ employees

The solution could improve by making it more business analysis oriented. The way it is now is designed more for developers.

View full review »
DG
CSSP Manager at a tech services company with 51-200 employees

I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

View full review »
MS
Sr. Manager Information Security at Tapal Tea (Private) Limited

Due to the size limit, we could not see the full product.

View full review »
TJ
QA Lead at a financial services firm with 11-50 employees

The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, and then maintaining those long search queries is quite challenging.

View full review »
JC
Chief Architect at PathMaker Group

The community surrounding the product is okay, but I would like more material supplied by Splunk around some more common integration stuff. I wish there was a bigger library, because we are building stuff. Where I often feel like other people have done things before, we are reinventing the wheel. While it is not a core piece of our organization and it is not a priority, it does inform our SIEM platform. It would be nice if there was a little more cookie cutter solutioning inside of it, and that they would take a little more time to shake it out.

The first year and a half was a little wacky with its usefulness, but now it is a solid piece of our infrastructure.

View full review »
it_user861630 - PeerSpot reviewer
Senior Network Security Engineer at Starz Entertainment

ES is very powerful, but it requires a mature security posture at the company to take advantage of it currently. The use cases provided by Splunk are a good starting point, but could cover many additional topics to ensure that a smaller or less experienced shop might maximize the value of an ES deployment.

View full review »
it_user664626 - PeerSpot reviewer
Business Analyst at a retailer with 10,001+ employees

VMware and security device integration looks a bit complex.

View full review »
AR
Senior Manager, Analytics & Insights at a consultancy with 10,001+ employees

The algorithm customization of Splunk could improve. They have limited algorithms for machine learning support. If they can allow the user to add more machine learning algorithms, such as the ability to choose the algorithm that a user might want. Additionally, they should provide the required libraries for those algorithms, and then analyze the data for use.

View full review »
MK
Technical manager at a tech services company with 11-50 employees

This solution could be improved by better pricing in general and by easier installation. 

View full review »
HK
Telecom Tech at a university with 501-1,000 employees

From the commercial point of view, they have to bring down their costs. It's a bit pricey right now. The license is quite expensive. 

Much like the SOAR platform, which has security, orchestration, and automation response, all of that should be part of the SIM solution itself. Currently, it is actually separated.  We understand that we have to integrate a SIM with a SOAR platform, however, if they could combine these two products together, that would be ideal. It would make things easy to implement and make more automation possible to avoid false-positive alerts.

View full review »
FH
Technical Architect, Cloud Operations at a computer software company with 5,001-10,000 employees

Its reporting can be improved. That's the only complaint I have heard. I don't need the reporting part, but I know that other people in the organization need it.

In terms of new features, I got everything that I needed from the tool. If they want to expand the capabilities to different things, they can cover topics besides log aggregation, etc.

View full review »
HF
Product Manager, CyberSecurity at a tech services company with 201-500 employees

We need to get a Splunk Cloud instance inside South Africa's borders. At this stage, we are pushing Splunk Cloud, but it is not yet within South Africa's borders. So we've got data sovereignty issues, especially with government organizations.

Technical support could be improved as well.

Splunk can be an expensive solution. I think that they need to change their pricing model. At present, it is based on the number of gigabytes that you ingest into the Splunk system. Their competitors are now starting with a pricing model where you pay per device talking back. If Splunk could have a similar alternative, it would then allow people to choose the data model they want such as set data or a set number of devices.

View full review »
it_user1415322 - PeerSpot reviewer
Senior Consultant at sectecs

I really dislike how Splunk sales and partner managers behave. I have faced several sales model and partnership changes. Also, the last time I wanted to buy a license to build a SIEM solution, they had removed the ability to purchase a Splunk subscription or license from their website. In the past, there was a web page calculator and it was possible to buy online, but now it instructs you to contact sales.

The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I had to ask Splunk Sales to purchase a license like 1 GByte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote, willing to pay for a Splunk license to learn and to get used to the product, Splunk didn't manage to offer me a license nor arrange the partnership paperwork I had asked for. Sales people from Splunk were calling each time after I left my details on their trial download page. I explained my experience and concerns about Splunk in the past. All the excuses received and promises that someone would contact me to solve the issues faced in the past led to exactly nothing. Well done Splunk.

Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner.

They definitely need to boost their sales and partner program because it changes too often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved.

I would like to see more SIEM functionality and embedded modules such as a ticket tool to make an end-to-end SIEM.

View full review »
it_user870792 - PeerSpot reviewer
Senior Security Engineer

DMC should be a little more intuitive with better dashboarding. Seeing the cause of data flow can be tough to track down. 

View full review »
it_user865365 - PeerSpot reviewer
Data Scientist Intern at Splunxter, Inc.

It needs more thoroughly tested releases. Every new big version (6, 7, etc.) has had so many bugs that it makes me wary of customers upgrading right away.

View full review »
it_user859770 - PeerSpot reviewer
consultant at a non-profit with 1,001-5,000 employees

I like Splunk. The only thing which can be improved is that they are too subjective on whom their Splunk4Good initiative can be applied. They market it as you only need to be a nonprofit, but there is more to it.

View full review »
AK
System Engineer at NetScout Systems

The analytics of Splunk could be improved.

View full review »
SO
Software Engineer at Tableau Software

The search query seems slow, but I am not sure if that is just because it is searching millions upon millions of lines of text. Also, I just started using it, so I might have no idea what I am doing. I could probably speed up the queries by improving my search skills.

My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it. It is possible that we have already done this and I haven't participated, but this type of training would be helpful.

View full review »
GA
Security Architect at a comms service provider with 10,001+ employees

Every product needs improvement. If we can get a faster product, we will take it. There are new services which are coming up. If Splunk can catch up with the speed of Amazon, and with the integration, instead of us waiting for another year or so, that would be good.

We would like more integrations with other cloud products, not just AWS, e.g., Azure.

View full review »
it_user664635 - PeerSpot reviewer
Performance Consultant at a tech services company with 10,001+ employees

Security administration and user access control are pretty basic. This can be improved.

The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc.

If this is improved, with a mapping against LDAP roles, it would be excellent.

View full review »
it_user594183 - PeerSpot reviewer
Security Engineer at a retailer with 10,001+ employees

When we deep dive into the events for the triggers, we have very little information in some instances.

View full review »
RM
Audit Remediation/Financial Manager at a tech services company with 1,001-5,000 employees

We're still going through it at this time. However, there are a few changes that could be made.

It could be more user friendly, in terms of the end-user experience. The end-user aspect of it could be more enhanced, whereby you could probably have a lot more people that could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert.

Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible. 

There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help if they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.

View full review »
Emad Ul Haq - PeerSpot reviewer
Network & Telco Lead at an energy/utilities company with 501-1,000 employees

Code understanding requirement is complicated for most users.

View full review »
HK
President at a non-profit with self employed

The solution could improve by increasing the performance. We have run into problems when large amounts of data are processed.

View full review »
BA
Solutions Consultant at a tech services company with 1,001-5,000 employees

If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

View full review »
RW
Architecture and Security Team Leader at CV Akbar Panjaya

Splunk should be able to integrate with other products using the free version.

The product was difficult to back up the first time.

View full review »
it_user762567 - PeerSpot reviewer
Director of Information Security with 201-500 employees

The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication.

What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.

View full review »
BW
Senior Network & Security Architect at an insurance company with 501-1,000 employees

I would like to see future development in terms of ML (Machine Learning). 

View full review »
it_user872772 - PeerSpot reviewer
Technical Lead at Wipro Technologies
  • Scheduled PDF generation does not work well for all visualizations, and it does not work for custom visualizations.
  • While scheduled reports can be embedded, Splunk dashboards cannot be embedded directly without enabling cross-origin access.
  • Missing capability for audio/video and image processing.
View full review »
MC
Presales IT at a tech services company with 201-500 employees

The price of Splunk is too high for our market.

View full review »
TA
Cyber Security Consultant at a tech services company with 11-50 employees

There is improvement needed when importing from some types of data sources. Most of the time you have to do some customization for the data because not everything is working the way it should. Additionally, in other solutions, it is easier to build use cases.

View full review »
VW
Security Professional at a tech services company with 51-200 employees

It currently has limited default rules and customizations. If they can concentrate more on the compliance part and the security information part, it would be helpful. The platform part is good, but it requires many features from the security aspect.

View full review »
LF
Técnico Judiciário at a government with 1,001-5,000 employees

Cybersecurity and infrastructure monitoring have room for improvement. 

View full review »
AZ
Principal Consultant at a computer software company with 51-200 employees
  • Multi-tenancy support
  • Improved user interface
  • Non-proprietary search language
  • Different licensing model
View full review »
BS
Enterprise Client Executive at a tech services company with 11-50 employees

Its interface could be improved. 

View full review »
LK
Network Operations Center Engineer at a tech company with 51-200 employees

The price of the solution could be cheaper. 

View full review »
it_user859464 - PeerSpot reviewer
Senior Cloud Operations Analyst at a tech vendor with 1,001-5,000 employees

I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications.

View full review »
it_user635271 - PeerSpot reviewer
Foundation Technology Specialist at an insurance company with 1,001-5,000 employees

Official training, even CBT, is expensive so not many people are able to get certified. This leads/causes the users to make use of the most basic functionality only.

It is a challenge to manage the environment in such a way that one’s log, even with the bandwidth license, isn’t exceeded. Splunk has moved towards not applying hard caps in data ingestion, and this will help us in the future.

However, I’d like an easier way to flag certain source log files as non-critical and have Splunk automatically disable those event sources when the license capacity exceeds an arbitrary value.

View full review »
TB
Technical Director at a consultancy with 11-50 employees

Visualizations can improve. There are some performance and stability issues with the visualization layer.

View full review »
SA
CyberSecurity Consultant at Information Technology Solutions- ITS

When it comes to out of the box use cases, I feel the solution to be too slow. 

View full review »
JN
IT Infrastructure Architect at a tech company with 201-500 employees

It needs documentation, and "how-to-do" information. It's complicated to build reports and views.

AZ
BS Systems Engineer at a tech services company with 501-1,000 employees

Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it.

it_user694383 - PeerSpot reviewer
SVP, Technical Operations at a tech vendor with 201-500 employees

Unlike other cloud-based analytics platforms, at the time of this writing Splunk Cloud is a dedicated instance per customer rather than a shared-tenancy platform. While this is beneficial from an overall performance standpoint, the product lacks the seamless integrations one has come to expect from a cloud solution. This translates to a much stronger reliance on Splunk's support organization out of necessity, as the customer cannot make most changes in a self-service manner.

DA
Engineer at an integrator with 11-50 employees

The clusters are hard. It has too many moving parts.

They should make data onboarding easier.

it_user1048674 - PeerSpot reviewer
Cyber Analyst with 501-1,000 employees

A few more analysis aids might help. The next release could have more intuitive help examples.

it_user363165 - PeerSpot reviewer
Products Manager at a tech services company with 5,001-10,000 employees

The GUI should be improved, in other words, the overall appearance.

TS
Project Manager at a comms service provider with 10,001+ employees

After a crash, the product takes a while to recover.

MC
Net Sec at a tech services company with 11-50 employees

Splunk has different plugins, but by default the logs are not organized; it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality, but I haven't tried many of them.

It would be best if they can incorporate all security locks with minimal incidents.

MN
Data Scientist at a tech vendor with 201-500 employees

Splunk needs to be able to hold more days of data. At the moment, it only holds three months of data. It needs more views and colors within the dashboard, and the flexibility to create a user-defined panel.

ED
Java Technical Lead at an insurance company

Make it easier to include roles and user controls, as it is horrible now.

IS
Enterprise Architect and Business with 5,001-10,000 employees

I would like to have the ability to master the management of clustering.
