2018-01-16T14:09:00Z

What needs improvement with Splunk?

Miriam Tover - PeerSpot reviewer
  • 57
  • 312
PeerSpot user
130

130 Answers

Kutay KOCA - PeerSpot reviewer
Real User
Top 10
2024-02-27T14:50:00Z
Feb 27, 2024

While Splunk Enterprise Security offers valuable features, its cost is high and could be more competitive.

Search for a product comparison
Maaz  Khalid - PeerSpot reviewer
Real User
Top 20
2024-01-30T08:46:00Z
Jan 30, 2024

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

VN
Real User
Top 20
2024-01-19T10:55:00Z
Jan 19, 2024

I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.

RV
Real User
Top 20
2023-12-21T13:58:00Z
Dec 21, 2023

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

Yash-Gupta - PeerSpot reviewer
Real User
Top 10
2023-11-13T16:46:00Z
Nov 13, 2023

I haven't explored beyond the security aspect as a data analyst. I haven't noticed any shortcomings so far.

MY
Real User
Top 5
2023-10-24T10:21:00Z
Oct 24, 2023

We'd like to have customer service in Hong Kong. I tend to wait a while for their response. We'd like to have more best-practice rules and instructions on how to create a dashboard. I've only been using Splunk for two years. I make use of it to incorporate other solutions. I need to spend more time mastering Splunk. Sometimes it's a little bit difficult to use. I'd like to get more certificates, et cetera, and have spoken to their main office about that. It's got a high learning curve. It hasn't helped us speed up security investigations.

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,386 professionals have used our research since 2012.
OO
Real User
Top 20
2023-10-11T21:05:00Z
Oct 11, 2023

There are a lot of false positives which can cause a lot of fatigue. Sometimes, there is latency in the logs. When you deploy Splunk, you need a high level of knowledge. You really need to know what you are doing. It requires a lot of things. They need to come up with straight steps to get things done, to have a step-by-step process to achieve this or that.

MANISH CHOUDHARY. - PeerSpot reviewer
Real User
Top 10
2023-10-10T07:51:00Z
Oct 10, 2023

Splunk can improve its third-party device application plugins.

Viney Bhardwaj - PeerSpot reviewer
Reseller
Top 10
2023-10-05T14:26:00Z
Oct 5, 2023

Splunk does not provide any default threat intelligence like Microsoft Sentinel, but you can integrate any third-party threat intelligence with Splunk. By default, no threat intelligence suite is there, whereas, with IBM QRadar or Microsoft Sentinel, the default feature of threat intelligence is there. It is free. It would be better if Splunk could provide a default threat intelligence suite. The second issue is that Splunk is expensive compared to many other SIEM tools in the market. A competitive price will work better. The third issue is that Splunk Cloud is sometimes slow. If I create more use cases, Splunk will be slow because they provide limited resources in Splunk Cloud. They can do some optimization there. The last issue is that they used to give a trial version of the Splunk Enterprise Security app that we could showcase to customers for demonstration, but they have stopped that free trial version. If they can start that again, it will be better. It will help to showcase the capability of Splunk.

Kiran Kumar. - PeerSpot reviewer
Real User
Top 20
2023-09-27T13:43:00Z
Sep 27, 2023

The price has room for improvement.

RA
Real User
Top 20
2023-09-20T10:41:00Z
Sep 20, 2023

We'd like to have the number of devices covered under the license to be increased.

AZ
Real User
Top 20
2023-09-20T07:11:00Z
Sep 20, 2023

The threat intelligence management feature is something we cannot use. We'd like Splunk to reduce false positives. It would be helpful to be able to configure everything a bit more. If your network is very big, it's important to customize. The dashboard could be improved so that tracking and analysis could be better visualized.

Ahmed Elakwah - PeerSpot reviewer
Consultant
2023-09-18T17:34:00Z
Sep 18, 2023

The rate of onboarding is a challenge due to the fact that every cloud has its own way of collecting logs. The insider threat detection capabilities are not helping our organization find unknown threats and anomalous user behavior. We have tried many times to make use of this feature and to integrate it with UBA products from Splunk. However, we find the results are usually not accurate so we rely on the analysis we are doing manually. Splunk will generate content security content every day. And they don't test it heavily. For example, we cannot enable it directly since, if we enable the content, it will generate a lot of false positives. Departments need to validate and assess the use cases they create. It generates a lot of alerts and then we have to check them and reduce the queue. We might need to have better testing for the use cases before they push it to production.

VK
Real User
Top 20
2023-08-29T09:06:00Z
Aug 29, 2023

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

SC
Real User
Top 5
2023-08-11T14:06:00Z
Aug 11, 2023

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies. Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server. However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

KC
Real User
Top 20
2023-07-20T01:54:00Z
Jul 20, 2023

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs. When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

JC
Real User
Top 20
2023-07-20T01:48:00Z
Jul 20, 2023

Its pricing is extremely high. There are other tools out in the market that are competitive. They do not necessarily have all the functionality, but they are competitive. The professional services we have used have been high as well in comparison to the market. In terms of scalability, it is hard to forecast where you are going. There is room to improve there.

Jeremiah Anderson - PeerSpot reviewer
Real User
Top 10
2023-07-19T01:34:00Z
Jul 19, 2023

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

AB
MSP
Top 20
2023-07-19T01:24:00Z
Jul 19, 2023

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

MM
Real User
Top 20
2023-07-19T01:08:00Z
Jul 19, 2023

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

SoheylNorozi - PeerSpot reviewer
Real User
Top 5
2023-07-17T15:07:00Z
Jul 17, 2023

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently. I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier.

YT
Reseller
Top 20
2023-07-05T12:43:00Z
Jul 5, 2023

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

Hari Haran. - PeerSpot reviewer
Real User
Top 10
2023-06-01T12:56:00Z
Jun 1, 2023

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

PW
Real User
Top 5
2023-05-11T19:40:00Z
May 11, 2023

It is important to make sure that everything is built off of the threat models and all the underlying items within Splunk. This includes making sure that the log feeds are aligned correctly so that when we look at data and alarms, everything makes sense. Sometimes, I see alarms that are caused by data sources that have snuck in. For example, if my firewall says something about AV, it might get mapped into antivirus. This can happen because firewalls are multipurpose devices, and they can end up in models that aren't really applicable. Part of the problem is the infrastructure within Enterprise Security with how they group data types. For example, authentication data, firewall data, network data, and user-based data are all gathered in different ways. This can lead to confusion, especially when multifunction devices are involved. For example, if a firewall says that antivirus is not enabled, it might still detect something as if it was antivirus-related. This can blur the incidents and the information we have. It is important to identify items that creep in or issues that need to be cleaned. This will help us identify problem areas and their root causes more effectively and quickly. We can then clean up the data model, make sure the lines are correct, and get higher-quality alarms.

SaravanaKumar1 - PeerSpot reviewer
Real User
Top 10
2023-05-05T09:45:00Z
May 5, 2023

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors.

RC
Real User
Top 10
2023-02-02T18:05:00Z
Feb 2, 2023

Customers cannot manage or maintain the servers on the cloud since they are all deployed. Since there are platforms, they can become a little bit hectic. One of my other observations is that the applications that are available on the store are not updated as much as those available on on-prem. Moreover, I have had issues with the Splunk store. I believe that the developers in the Splunk store are external and I can see that the level of maturity of these developers ranges between low and medium. I have never seen the maturity go up higher. The applications are not maintained regularly and it can cause issues in the visibility dashboard. I would suggest to Splunk's tech team to keep the store private, so that Splunk creates its own applications without the interference of external developers. I have concerns about the architecture as well since I can see it is not very well defined. However, this is not the case with on-prem. We were able to manage and do whatever we wanted on the server level without opening a case or anything else. Moreover, the applications are updated every six months.

ShilpeeSinha - PeerSpot reviewer
Real User
Top 10
2022-07-05T06:31:02Z
Jul 5, 2022

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something. Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

Alex Adamovici - PeerSpot reviewer
Real User
Top 10
2022-05-16T13:41:58Z
May 16, 2022

I've not come across any areas that need improvement. I'd like to see more integration with more antivirus systems.

Salma Shahin - PeerSpot reviewer
Consultant
Top 20
2022-03-29T16:01:12Z
Mar 29, 2022

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues. I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

Shibu Babuchandran - PeerSpot reviewer
Real User
ExpertModerator
2021-08-31T10:19:31Z
Aug 31, 2021

Hi @Miriam Tover ​,


Some of the few points that I feel needs improvements is below :


-Automated machine learning
-Extraction, transformation and loading
-Data modeling
-Building Splunk queries
-Dashboard creation
-Capacity data storage for Splunk data.
-Tuning Splunk analytics dashboards for performance
-User training

Jairo Willian Pereira - PeerSpot reviewer
Real User
Top 5
2021-05-11T18:24:28Z
May 11, 2021

New build-in use-cases for Enterprise Security, a fair price-model, improvement over SPL and index performance, adding and integrating with new connectors and market platforms (more open-source solutions too).

DA
Real User
2019-03-14T11:34:00Z
Mar 14, 2019

The clusters are hard. It has too many moving parts. They should make data onboarding easier.

MT
Real User
2019-03-06T07:41:00Z
Mar 6, 2019

If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well.

it_user762567 - PeerSpot reviewer
Real User
2019-02-10T10:06:00Z
Feb 10, 2019

The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication. What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.

SD
Real User
2019-02-07T12:28:00Z
Feb 7, 2019

I would like to see them develop integration with the help of a rack rest API. Which is an API that helps to secure communication with oracle cloud and pull down records from there. This integration is currently missing in current version of splunk. I'm looking forward to see this feature getting implemented in next version of Splunk and so that organizations can get benefit of this feature in future.

reviewer1331706 - PeerSpot reviewer
Real User
2022-03-02T14:46:57Z
Mar 2, 2022

I don't like the pipeline-organized programming interface. I find the graphical options really limited and you don't have enough control over how to display the data that you want to see. I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset. Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse. You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

RE
Real User
2022-03-01T15:09:36Z
Mar 1, 2022

As a student, I'd like to see more labs and things for students to test in order to learn. Having a trial version or more training on Splunk would be helpful. There is a free version, but it is insufficient for training and learning because it is a little bit difficult to work with, especially if you are a beginner. It's difficult to improve when you're just starting out with logs and SOC. As a result, we require a longer free version.

AS
Real User
2022-02-08T07:40:00Z
Feb 8, 2022

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics.

MC
MSP
2022-02-03T17:52:00Z
Feb 3, 2022

The price of Splunk is too high for our market.

BS
Reseller
2021-12-16T18:33:00Z
Dec 16, 2021

Its interface could be improved.

CD
Real User
2021-12-16T17:06:00Z
Dec 16, 2021

The biggest problem is data compression. Splunk is an outstanding product, but it is a resource hog. There should be better data compression for being able to maintain our data repositories. We end up having to buy lots of additional storage just to house our Splunk data. This is my only complaint about it.

MS
Consultant
2021-11-29T08:09:05Z
Nov 29, 2021

Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements. As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature.

MK
Real User
2021-11-19T18:16:00Z
Nov 19, 2021

This solution could be improved by better pricing in general and by easier installation.

John Yuko - PeerSpot reviewer
Real User
2021-11-19T03:26:52Z
Nov 19, 2021

Other than the pricing modules, I have no issues with the product itself. The configuration had a bit of a learning curve. I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications. If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.

Donald Baldwin - PeerSpot reviewer
Real User
Top 5Leaderboard
2021-11-05T19:14:00Z
Nov 5, 2021

The interface or maybe some settings need to be improved a bit. It cannot be perfect, however, the issues may be related to the configuration or setup. If you monitor too much, you can lose performance on your systems. You have to be careful what you're monitoring. If you monitor everything, everything stops working. You can go overboard in monitoring. You have to plan your monitoring pretty carefully. It could be easier for beginners. As it is, right now, You have to have a good understanding of the solution in order to use it properly. That said, as the user, I'm at a higher level of management on the architecture side in dealing with resilience. My concerns are different from other user concerns. Also, most of our clients are using it way more than we're using it.

SA
Real User
2021-11-02T18:33:14Z
Nov 2, 2021

When it comes to out of the box use cases, I feel the solution to be too slow.

AM
Real User
2021-10-07T16:37:49Z
Oct 7, 2021

The solution could improve by giving more email details. In a future release, the solution could improve on the artificial intelligence features, such as if an alert comes, it could automatically do logging from the system, get the KV knowledge base, and perform other functions. This would be a benefit.

AT
Real User
2021-09-10T12:40:05Z
Sep 10, 2021

The TERM licensing model is still not very useful. It's not helping us. They used to have a perpetual licensing model. Now Splunk is offering annual term/subscription only. That's costly and it's more expensive and it's putting some burden on us. Technical support needs to be more responsive. We would like to see more AI. Through AI, artificial intelligence, not machine learning only. We want to see more AI-enabled kinds of functionalities just to reduce dependencies on manual interventions. We do that, however, automation and artificial intelligence-based kind of automation we would really like to see.

ID
Real User
2021-08-30T22:50:57Z
Aug 30, 2021

Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster.

SO
Real User
2021-07-22T21:41:06Z
Jul 22, 2021

The solution could be more user friendly and it's difficult to know at this stage whether our requirements will be met by the solution.

JS
MSP
2021-06-24T05:16:42Z
Jun 24, 2021

The solution could improve by making it more business analysis oriented. The way it is now is designed more for developers.

TA
Real User
2021-05-24T15:00:29Z
May 24, 2021

There is improvement needed when importing from some types of data sources. Most of the time you have to do some customization for the data because not everything is working the way it should. Additionally, in other solutions, it is easier to build use cases.

VW
Real User
Top 20
2021-04-26T07:36:34Z
Apr 26, 2021

It currently has limited default rules and customizations. If they can concentrate more on the compliance part and the security information part, it would be helpful. The platform part is good, but it requires many features from the security aspect.

SS
Real User
2021-04-19T15:09:49Z
Apr 19, 2021

Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they can make it easier to understand how to create search queries. They can improve the knowledge base for better understanding. To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard is included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operation part will be more efficient. We won't have to follow a manual process for this.

MK
Reseller
2021-04-16T06:22:53Z
Apr 16, 2021

Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality. The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding. The product is relatively expensive.

HF
Reseller
2021-04-13T17:56:34Z
Apr 13, 2021

We need to get a Splunk Cloud instance inside South Africa's borders. At this stage, we are pushing Splunk Cloud, but it is not yet within South Africa's borders. So we've got data sovereignty issues, especially with government organizations. Technical support could be improved as well. Splunk can be an expensive solution. I think that they need to change their pricing model. At present, it is based on the number of gigabytes that you ingest into the Splunk system. Their competitors are now starting with a pricing model where you pay per device talking back. If Splunk could have a similar alternative, it would then allow people to choose the data model they want such as set data or a set number of devices.

AB
Real User
2021-03-26T12:45:56Z
Mar 26, 2021

Its pricing model and integration with third-party services can be improved. We had faced an issue with integration. The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature. A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable. I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.

RU
Real User
2021-03-05T11:09:33Z
Mar 5, 2021

Being a SIEM solution with a centralized dashboard, we would like to have more options to customize it. It should be easy to customize dashboards. When we are monitoring something, we would like to have a more granular outlook. Splunk has a good dashboard that is easier to use than some competing products, but better customizability would be a great help for the users.

AA
Consultant
2021-03-04T14:36:29Z
Mar 4, 2021

Its setup is a little bit complex for a distributed environment. Their support can also be better. If we raise a case with Splunk support and by any chance we missed to respond for more than a week, they usually close the case. Sometimes, it can take us more than a week to reply. In that case What they can do is they can send a followup mail before closing.

BA
Real User
2021-02-17T16:35:30Z
Feb 17, 2021

If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

SD
Real User
2021-02-17T09:35:39Z
Feb 17, 2021

Technical support is lacking post-sale. The modification of firmware could be improved. We find that the maintenance process could be a lot better. The solution is more expensive than other options on the market.

it_user1415322 - PeerSpot reviewer
Consultant
2021-01-04T14:26:19Z
Jan 4, 2021

I really dislike how Splunk sales and partner manager behaves. I have faced several sales model and partnership changes. Also, the last time I wanted to by a license ro built a SIEM solution, they had removed the ability to purchase a splunk subscription or license from their website. In the past, there was a web page calculator it was possible to by online, but now it instructs to contact sales. The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I have ask Splunk Sales to purchase a license like 1Gyte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote willing to pay for Splunk license to learn and to get used to the product, Splunk didn't get it managed to offer my a license neither arranging the partnership paperwork I have ask for. Sales people from Splunk where calling, each time after I left my details on ther trial download page. I explained my experience and concerns about Splunk in the past. All excuses received and promises that someone will contact me to solve the issues faced in the past, was leading in excactly nothing. Well Done Splunk. Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner. They definitely need to boost their sales and partner program because it changes to often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved. I would like to see more SIEM functionality and embedded moduled such a ticket tool to make a end to end SIEM.

AV
Real User
2020-12-27T09:14:00Z
Dec 27, 2020

An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times. They also need to update their documentation.

Santhosh Kandadi - PeerSpot reviewer
Real User
Top 10
2020-12-19T13:28:50Z
Dec 19, 2020

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution. On-premises scaling of the solution is a bit more limited than it is on the cloud. The pricing of the solution needs to be a bit lower. It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great it the solution better aligned with global standards.

DG
MSP
2020-12-16T06:34:38Z
Dec 16, 2020

I'm a security manager and Splunk is not a good solution for my needs and not as good as other products I've used. I really think they just overreached and are marketing the solution as something that it really isn't. It's really not an SIEM product. It's really not a monitoring solution. If Splunk wants to get into SIEM, they need to make a totally new product. They should just leave SIEM, it's not their thing, not what they do. They're good at log collection and indexing. Stick to it. There are some things with log collection and log retention capabilities that they could actually improve instead of trying to create products for all these other different areas. I don't want their next release, I would rather just kind of scale back on some of the extras, and just really focus on log collection and log retention. I'd like to have more options on how I can perform those features with their products. I'd like to see a lot more integration with other products.

JO
Reseller
2020-12-15T22:53:44Z
Dec 15, 2020

They could have more dashboards done or predefined so our clients could use them directly in order to have more information ready to use. The difficult part is related to integration with sources of data that are used to create the logs as this depends on the infrastructure of the client.

JB
Real User
2020-12-15T15:05:19Z
Dec 15, 2020

Splunk is very complex. The implementation and the scanning of the logs can be difficult.

MN
Real User
2020-12-09T16:02:00Z
Dec 9, 2020

Splunk needs to be able to hold more days of data. At the moment it only holds three months of data. It needs more views and colors within the dashboard and the ability to have the flexibility to create a user-defined panel.

JB
Real User
2020-12-07T22:17:33Z
Dec 7, 2020

Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for. In the next release of this product, I would like to see it offer more recommendations as to what needs to be done.

RB
Real User
2020-12-02T20:10:59Z
Dec 2, 2020

Sometimes we experience issues when formatting and configuring files; however, this is a very technical issue that's hard to explain. When extracting the data or structuring the data in the right format, sometimes it becomes challenging. It's up to the user to understand the regex commands. Our customers often complain that the price of Splunk is too high. When Splunk is deployed on the cloud, there are certain considerations that cannot be met. Cloud-based configuration cannot be done by our Splunk admin team. It needs to be routed via a ticket. You don't have more control on the cloud from a configuration point of view, whereas, with on-premise, you are in control — you can define any configuration settings. When you install on-premise, many types of configurations can be done but when Splunk is on the cloud, you're dependent on their specific configurations.

AK
Real User
2020-12-02T19:50:00Z
Dec 2, 2020

Index performance is a bit slow but this is partly due to the huge volumes of data for our industry within our environment This makes the index very large and inefficient in terms of performance. Performance could be improved to cater to this, however. We have also had problems with the compatibility between Splunk and other systems. We have previously been on 5.3 and migrated to 5.5. We are now planning to migrate to version 7.7. It has been difficult to find documentation about the compatibility with Linux. In terms of the interface, it could include some improvements for the look and feel.

RM
Real User
2020-11-27T18:12:28Z
Nov 27, 2020

We're still going through it at this time. However, there are a few changes that could be made. It could be more user friendly, in terms of the end-user experience. The end-user aspect of it could be more enhanced, whereby you could probably have a lot more people that could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert. Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible. There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.

HT
Real User
2020-11-23T21:49:36Z
Nov 23, 2020

Splunk is a very costly solution and I think it's the most expensive in the market in terms of costing. Splunk provides an application for infrastructure monitoring. If we're monitoring the docker with containers, we can't see the container name, only the ID. That's a big drawback.

SJ
Real User
2020-11-23T17:00:05Z
Nov 23, 2020

The solution has a high learning curve for users. It's a little complicated when you're trying to figure out all the features and what they do. The solution needs a bit more functionality. For example, being able to save a search and select it when you're doing an investigation. I know you can create dashboards and things like that, however, sometimes being able to have a pre-saved search and just fill in whatever value you need would make everything so much easier.

PB
Real User
2020-11-19T12:12:05Z
Nov 19, 2020

Our two main complaints are about the difficulty of the initial setup and the licensing model. The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.

Balamurali Vellalath - PeerSpot reviewer
MSP
Top 20
2020-11-18T18:48:43Z
Nov 18, 2020

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side. The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly. The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available. In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

PB
Real User
2020-11-13T19:55:12Z
Nov 13, 2020

It's difficult to set up initially, and their billing model is also a bit complicated. We have to predict in advance how much data we will have and what the storage would be that we don't have. This makes the licensing complicated because when you start you don't have these numbers. In order to know how much it will cost, you need those numbers. I really wish that it was an application that was easier to use.

MS
Real User
2019-03-27T11:05:00Z
Mar 27, 2019

Due to the size limit, we could not see the full product.

it_user1048674 - PeerSpot reviewer
Real User
2019-03-26T19:17:00Z
Mar 26, 2019

A few more analysis aids might help. The next release could have more intuitive help examples.

RW
Real User
2019-03-10T16:43:00Z
Mar 10, 2019

Splunk should be able to integrate with other product using the free version. The product was difficult to back up the first time.

Emad Ul Haq - PeerSpot reviewer
Real User
2019-02-27T20:49:00Z
Feb 27, 2019

Code understanding requirement is complicated for most users.

ST
Reseller
2019-02-14T07:37:00Z
Feb 14, 2019

The security can be improved.

LF
Real User
2019-02-14T07:37:00Z
Feb 14, 2019

Cybersecurity and infrastructure monitoring have room for improvement.

AP
Reseller
2019-02-07T12:28:00Z
Feb 7, 2019

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market. Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. Its costs are too high and it should be more cost effective because it's going to be a cloud offering.

MC
Real User
2019-02-05T07:16:00Z
Feb 5, 2019

Splunk has different plugins but by default, the logs are not organized, it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality but I haven't tried many of them. It would be best if they can incorporate all security locks with minimal incidents.

RT
Real User
2019-01-21T16:56:00Z
Jan 21, 2019

* The amount of time it takes to troubleshoot not-easily-available data * Also, hours on the phone with VMware techs.

BW
Real User
2018-12-13T11:34:00Z
Dec 13, 2018

I would like to see future development in terms of ML (Machine Learning).

JC
MSP
2018-12-11T08:31:00Z
Dec 11, 2018

The community surrounding the product is okay, but I would like more material supplied by Splunk around some more common integration stuff. I wish there was a bigger library, because we are building stuff. Where I often feel like other people have done things before, we are reinventing the wheel. While it is not a core piece of our organization and it is not a priority, it does inform our SIEM platform. It would be nice if there was a little more cookie cutter solutioning inside of it, and that they would take a little more time to shake it out. The first year and a half was a little wacky with its usefulness, but now it is a solid piece of our infrastructure.

RB
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

I would like some additional AI capabilities to provide additional information about things going wrong and things going well.

SM
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster. With the AWS hosted version, we have not hit this bottleneck yet, simply because we are not yet at the multiple terabyte scale. We have hit with the on-premise enterprise version. This is a problem that we run into every so often. We don't run into this problem day in and day out. Only during the month of August through October do we contend with this issue. Also, there is a fair bit of lag. We have our ways to work around it. Between those few months, we are pumping in a lot of data. It is between 8 to 10 terabytes of data easily, so it is at a massive scale. There are also limitations from the hardware perspective, which is why it is an optimizing problem.

TJ
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, then maintaining those long search queries is a quite challenging.

KB
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

A problem that we had recently had was we licensed it based on how much data you upload to them every day. Something changed in one our applications, and it started generating three to four times as many logs and. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However it would be better if they had something systematically built into the product that if you're getting close to your license, then to shut things down. This sort of thing would help out a lot. It would help them out too, because then they wouldn't be hollering at us for going over our license.

GM
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. If there was a better way to extract the data point and put it into a long-term viewing ability for a year-over-year analysis, then compare that to your other business metrics. That is what I am looking for, as an example, for a call center you want to see the time it takes for your customer to be handled on their need comparatively to the system performance that is happening, then overlay that data.

TF
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

The query language is pretty slick and easy, but it is not consistent in parts. Some of it feels a little esoteric. Personally, some of my engineers are coming from SQL or other languages. Some things are a little bit surprising in Splunk and a little bit inconsistent in their querying, but once you get use to it and once you get use to the field names and function names, you can get the hang of it. However, if it was a bit more standardized, it might be quicker to get it up and running. I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions. I would also like a better UI tool for enhancements of advanced visual query editors.

JD
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved. I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

PN
Real User
2018-12-11T08:31:00Z
Dec 11, 2018

I have not tested the hybrid model yet. I don't know whether all its integrations and interfaces will work between the cloud and on-premise model. I also don't know if across multiple clouds all the products will perform properly. If it could be made available as a service, this would be much better than as a product.

GA
Real User
2018-12-11T08:30:00Z
Dec 11, 2018

Every product needs improvement. If we can get a faster product, we will take it. There are new services which are coming up. If Splunk can catch up with the speed of Amazon, and with the integration, instead of us waiting for another year or so, that would be good. We would like more integrations with other cloud products, not just AWS, e.g., Azure.

SO
Real User
2018-12-11T08:30:00Z
Dec 11, 2018

The search query seems slow, but I am not sure if that is just because it is searching millions upon millions of lines of text. Also, I just started using it, so I might have no idea what I am doing. I could probably speed up the queries by improving my search skills. My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it. It is possible that we have already done this and I haven't participate, but this type of training would be helpful.

KK
Real User
2018-12-10T08:57:00Z
Dec 10, 2018

Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.

IS
Real User
2018-11-18T07:31:00Z
Nov 18, 2018

I would like to have the ability to master the management of clustering.

TS
Real User
2018-09-25T09:23:00Z
Sep 25, 2018

After a crash, the product takes a while to recover.

OS
Consultant
2018-09-09T05:40:00Z
Sep 9, 2018

The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall.

AZ
User
2018-07-20T12:19:00Z
Jul 20, 2018

* Multi-tenancy support * Improved user interface * Non-proprietary search language * Different licensing model

Yosef Tavin - PeerSpot reviewer
Vendor
Top 10
2018-06-13T17:13:00Z
Jun 13, 2018

It needs to improve the way to install third-party apps and enable installation without logging into splunk.com.

it_user782697 - PeerSpot reviewer
Real User
2018-06-03T09:17:00Z
Jun 3, 2018

In the next release of Splunk, I think the machine learning should be emphasized. Now, it's really important to analyze Big Data, data mining. A SIEM solution, like Splunk, needs an improved data mining solution, artificial intelligence. Splunk would be the best if it improved these features.

it_user872772 - PeerSpot reviewer
Real User
2018-05-15T08:36:00Z
May 15, 2018

* Scheduled PDF generation does not work well for all visualizations, and it does not work for custom visualizations. * While scheduled reports can be embedded, Splunk dashboard can not be embedded directly without enabling cross origin. * Missing capability for audio/video and image processing.

it_user870792 - PeerSpot reviewer
User
2018-05-10T14:32:00Z
May 10, 2018

DMC should be a little more intuitive with better dashboarding. Seeing the cause of data flow can be tough to track down.

it_user867936 - PeerSpot reviewer
Real User
2018-05-04T19:57:00Z
May 4, 2018

Splunk can improve regex/asset analysis as we do not want to crawl until it is done. I could not find a timestamp for when the log was processed and generated.

it_user867087 - PeerSpot reviewer
Real User
2018-05-03T13:55:00Z
May 3, 2018

The Enterprise Security app could be improved. We have had trouble with it working from the first day.

it_user865365 - PeerSpot reviewer
Real User
2018-04-30T21:49:00Z
Apr 30, 2018

It needs more thoroughly tested releases. Every new big version (6, 7, etc.) has had so many bugs that it makes me wary of customers upgrading right away.

it_user865026 - PeerSpot reviewer
Real User
2018-04-30T12:38:00Z
Apr 30, 2018

* Custom visualizations are real hard. While the default visualizations are good, creating enhanced visualizations are complex. * Configuring a few apps is complex, not straightforward.

ED
Real User
2018-04-25T07:36:00Z
Apr 25, 2018

Make it easier to include roles and user controls, as it is horrible now.

it_user861630 - PeerSpot reviewer
Real User
2018-04-23T21:12:00Z
Apr 23, 2018

ES is very powerful, but it requires a mature security posture at the company to take advantage of it currently. The use cases provided by Splunk are a good starting point, but could cover many additional topics to ensure that a smaller or less experienced shop might maximize the value of an ES deployment.

CM
Real User
2018-04-22T15:34:00Z
Apr 22, 2018

The product was designed for security and IT with business intelligence needs, such as PDF exporting, but this has not been the highest priority. While the functionality is there, it could be developed more.

CM
Real User
2018-04-21T12:36:00Z
Apr 21, 2018

There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started.

MK
Real User
2018-04-21T05:48:00Z
Apr 21, 2018

I would like to see Splunk improve its posture as a production operations tool. This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have. I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

RM
Real User
2018-04-21T05:15:00Z
Apr 21, 2018

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue. Also, AngularJS/ReactJS inclusion could be made easier in GUI.

it_user860487 - PeerSpot reviewer
Real User
2018-04-21T03:20:00Z
Apr 21, 2018

* Certain sections of the developer documentation could use some updating and clarification. * Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. * Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

GS
Real User
2018-04-21T00:21:00Z
Apr 21, 2018

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

GW
Real User
2018-04-20T18:39:00Z
Apr 20, 2018

* It needs integration with a configuration management solution. * It could use better password management for forwarders. * It needs a better way to export dynamic views without requiring a ton of code and user/pw.

RP
Real User
2018-04-19T21:37:00Z
Apr 19, 2018

The case management area of the ES could be improved. The ability to move cases through various stages and states. The ability to close a case would be key improvement.

it_user859770 - PeerSpot reviewer
User
2018-04-19T21:32:00Z
Apr 19, 2018

I like Splunk. The only thing which can be improved is that they are too subjective on whom their Splunk4Good initiative can be applied. They market it as you only need to be a nonprofit, but there is more to it.

it_user859668 - PeerSpot reviewer
Real User
2018-04-19T18:45:00Z
Apr 19, 2018

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run. While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

it_user859650 - PeerSpot reviewer
Real User
2018-04-19T18:11:00Z
Apr 19, 2018

* Free-floating panels in the dashboards are like a glass table. * It needs more formatting control without having to be an admin.

CJ
Real User
2018-04-19T16:11:00Z
Apr 19, 2018

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it.

it_user859464 - PeerSpot reviewer
Vendor
2018-04-19T13:49:00Z
Apr 19, 2018

I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications.

it_user859446 - PeerSpot reviewer
Real User
2018-04-19T13:05:00Z
Apr 19, 2018

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales seems to be flexible and will work on an organization to organization basis to negotiate license terms.

AZ
Real User
2018-03-29T12:02:00Z
Mar 29, 2018

Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it.

MA
Real User
2018-03-26T05:49:00Z
Mar 26, 2018

Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk.

it_user340983 - PeerSpot reviewer
Real User
Top 20
2018-01-16T14:09:00Z
Jan 16, 2018

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it to continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking, I don't believe it is, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy to see more security focused add-ons and apps developed by the vendor.

Splunk Enterprise Security is a SIEM, log management, and IT operations analytics tool. The solution provides users with the ability to secure their information and manage their data in the cloud, data centers, or other applications. Splunk Enterprise Security also offers visibility from different areas, levels, and devices, rather than from a single system, thus, providing its users with flexibility. Splunk Enterprise Security can monitor data and analyze, detect, and prevent...
Download Splunk Enterprise Security ReportRead more

Related Q&As