Splunk Enterprise Platform Reviews

My usual use cases for Splunk Enterprise Platform involve all NOC and SOC activities, where SOC-related alerts will be aggregated with NOC-related alerts, allowing for correlation between them, including use cases such as abnormal travel and anomaly detection, all of which are detected by Splunk Enterprise Platform.

For instance, if there is a DDoS attack indicated by an anomaly in the traffic when WAF is integrated, an alert is generated in Splunk Enterprise Platform, which our L1 and L2 teams will then visualize and remediate based on the alert.

I do not use Splunk Enterprise Platform's Machine Learning Toolkit directly, but my team utilizes it.

Splunk Enterprise Platform's Machine Learning Toolkit has helped us with predictive analytics in our organization significantly, as it automates the anomaly detection that previously required our L1 and L2 teams to spend three to four hours on.

It immediately triggers alerts upon detecting patterns such as WAF spikes or suspicious login behavior, allowing our L1 to avoid manual analysis and triaging. The predictive analysis reduces false positives, enabling our analysts to close tickets swiftly—previously taking two to three days, and now they close them before breaching the SLA due to effective pattern discovery and outlier detection.

Splunk Enterprise Platform's Machine Learning Toolkit is efficient in detecting abnormal login attempts and brute force attacks, effectively aiding our proactive defense planning through advanced analytics and anomaly detection.

Splunk Enterprise Platform's most valuable features include its integration with AI, as Cisco, which has taken Splunk Enterprise Platform recently, is building up AI functionalities, enhancing remediation capabilities and the orchestration part in the market. Additionally, Splunk Enterprise Platform shows the correct logs at the correct time, and inventory management is very good.

I assess the effectiveness of Splunk Enterprise Platform in detecting anomalies and preventing system outages as very strong; for over two to three decades, it has provided centralized log visibility, real-time monitoring, and analytics correlation, which is robust for threat detection and incident investigation.

Splunk Enterprise Platform's machine learning capability of the toolkit predicts trends and reduces many false positives, making Splunk Enterprise Platform an essential tool for both SOC and network operations, where it effectively detects anomalies that other SIEM tools cannot.

Splunk Enterprise Platform's personalized dashboards are superb, as I have been experimenting with them extensively, and new features have enhanced their quality, making them particularly effective for presentations to leadership, including direct engagement with the CISO.

In terms of improvement for Splunk Enterprise Platform, as more companies embrace AI, adding more AI automations is crucial and could parallel what competitors such as Xplain are doing. Managing duplicate alerts efficiently can optimize costs, as the current license-based data ingestion can quickly escalate if duplicate data is fed.

Better filtering of unnecessary log sources could greatly interest clients by demonstrating cost efficiency. From an architectural standpoint, data onboarding, normalization, performance, and scalability improvements would be beneficial, particularly in optimizing search speed and query execution to handle larger searches efficiently.

I have been working with Splunk Enterprise Platform for the last 10 years as a Splunk certified power user and advanced user, and along with Splunk Enterprise Platform, I am using Palo Alto's Cortex XSOAR and Azure Sentinel continuously for over 10 and 12 or more years.

I evaluate the stability and reliability of Splunk Enterprise Platform as very high; we utilize it for both SOC and NOC operations, and our L1 and L2 teams get real-time alerts and query the SPL effectively without delays that other SIEM solutions may impose.

Splunk Enterprise Platform is scalable; we have already adapted it from SOC to NOC operations while maintaining good indexing practices that prevent overload and ensure clear searches, maximizing performance in large SPL queries.

My L1 team regularly communicates with Splunk Enterprise Platform's technical support, which is very helpful.

I would rate the technical support from Splunk Enterprise Platform around eight on a scale from one to ten, where one would be the worst and ten would be the best.

Before using Splunk Enterprise Platform, I utilized Azure Sentinel in my previous company at Deloitte, prior to leaving.

Although I did not participate in the initial setup, I provided mentoring for the team under me who managed the implementation because I have spent 14 years in the industry, which included hands-on implementations earlier in my career.

Splunk Enterprise Platform's implementation is very straightforward; I do not feel there is a significant difference from the implementation point of view, as everything is clearly documented by Splunk Enterprise Platform.

We are a customer of Splunk Enterprise Platform, currently at Aramex, and we bought a vendor from Capgemini who has actually implemented Splunk Enterprise Platform for us, so we are not directly linked with Splunk Enterprise Platform but rely on our vendor to use Splunk Enterprise Platform for us.

Splunk Enterprise Platform's dashboards significantly improve data interpretation, providing immediate real-time visibility on top trending alerts and live data without needing to run queries repeatedly. They aggregate metrics and highlight trends such as threat overviews and MITRE ATT&CK mapping, which reduces the workload for our L1 and L2 teams.

Pre-built alerts for anomalies in login attempts, failed attempts, or geolocation mapping are very visible in Splunk Enterprise Platform's dashboard, which plays a critical role in providing real-time visibility into security events and network activities.

Splunk Enterprise Platform's application management feature enhances end-user experiences by providing organized dashboards that monitor application usage and configurations, facilitating faster detection and query execution. It logs metrics into applications that reveal usage patterns, anomaly detections, and attack occurrences, while also ensuring proper governance and versioning of applications.

I consider Splunk Enterprise Platform an expensive tool because budget constraints from license-based data ingestion costs are significant. Costs can escalate rapidly when duplicate data is processed, which Splunk Enterprise Platform can identify to help clients save directly on unnecessary spending.

I leverage Splunk Enterprise Platform for advanced threat detection, which is critical for our SOC operations. Threat intelligence and detection are vital, especially since Cisco's acquisition of Splunk Enterprise Platform has integrated Talos into it, enhancing our ability to monitor for IP reputation and potential attacks, while also keeping an eye on advisories regarding application vulnerabilities. I would rate this product overall at a nine out of ten.

I have implemented the complete Splunk Enterprise Platform structure in my previous organization, implementing the platform, creating use cases, dashboard queries, creating dashboards, and onboarding different devices via Syslog and API.

Splunk Enterprise Platform has a vast and versatile powerful search engine with which I can handle all queries, and creating use cases and the search and dashboard is the main selling point, allowing me to visualize live dashboards.

The platform has a powerful search engine, allowing the integration of custom AI such as ChatGPT. Splunk Enterprise Platform also has its own Phantom as a SOAR, which is much more refined and gives more accurate results than any other AI integrated SIM tool. In anomaly detection, I can live track anomalies and change the registry.

Splunk Enterprise Platform serves as a time-saving solution because integrating other sources such as Syslog or router switch firewall is much easier.

The cost is the most significant area for improvement in Splunk Enterprise Platform, as it is quite expensive, causing many clients to differ due to this reason. Otherwise, I don't see that Splunk Enterprise Platform requires further improvement because it is the number one tool.

The cost remains a significant point of concern.

I have 2.5 years of experience with Splunk Enterprise Platform.

The stability depends on how aggressively the environment changes. If I am providing network services, it can be challenging due to continuously changing firewall configurations.

Splunk Enterprise Platform is stable when not integrating or adding new devices continuously.

I consider Splunk Enterprise Platform a scalable solution since it has different components, and if the server is down, I can upgrade the server resources or create a new node for performance optimization.

I have never used their technical support because everything is available on their website and documents. It is crucial for anyone looking to deploy Splunk Enterprise Platform to first certify for their courses, such as the Splunk Administrator and the Power User Administrator certifications, which address all troubleshooting queries.

Positive

The initial setup of Splunk Enterprise Platform depends on the user; if set up in a Windows environment, it is much easier, requiring just clicking on the wizard and following the steps. In the Linux environment, it is quite hectic, but manageable compared to Wazuh, where I have to integrate the GPC API key alongside the installation. In Splunk Enterprise Platform, I only need to download and configure a single file, making it easy to manage.

I have expertise in Splunk Enterprise Platform tools, including Splunk Cloud, having experience working with other tools such as IBM Security QRadar.

We are a managed service provider (MSP), and we provide services using Splunk Enterprise Platform.

Splunk Enterprise Platform holds the number one position in Gartner, and integrating different types of tools and creating use cases is much more streamlined compared to other tools such as IBM QRadar and AD audit, managing the log 360.

The platform has a powerful search engine, allowing the integration of custom AI such as ChatGPT. It also has Phantom as a SOAR, which is more refined and gives more accurate results than any other AI integrated SIM tool. In anomaly detection, I can live track anomalies and change the registry. While working with Wazuh, when I integrated the Cortex XDR, there was a mismatch of events sometimes, making it tedious, but in Splunk Enterprise Platform, I just need to log into the console and everything is there, making it an all-in-one solution.

I rate Splunk Enterprise Platform 9 out of 10.

In terms of using Splunk Enterprise Platform, we use it for our SOC environment where we have an ES setup separately. We collect logs from various sources like AWS, EDR logs, firewall logs, WinEvent logs, Linux logs, application logs, and specific service logs.

We gather that and based on that, we are providing users dashboards, searches, and alerts.

In terms of my favorite features of Splunk Enterprise Platform, it has vast customizability. It is very customizable. I can customize it according to my use case. Or if I have any restrictions in my environment or client environment, I can customize it according to my requirements. It is not something where I need to go with the straightforward way.

For a specific feature of Splunk Enterprise Platform, I appreciate the custom commands and custom endpoints by using which I can build my Splunk apps.

When concerning the cost of Splunk Enterprise Platform, the license cost can be a factor. The pricing is based on limited factors. There are two types of pricing where we have licensing based on the data or logs which we are indexing by size.

It can also be based on if we are purchasing the cloud platform, then it can be based on multiple factors such as how much data we are searching daily or a limit on that. Usually for 10 GB of license and two years of retention, it costs around $20,000 to $30,000.

Based on my thoughts about Splunk Enterprise Platform, I would rate it a seven or eight because the only thing I'm keeping in mind is the licensing cost. Otherwise, the overall product is good, its features, its customizability, and scalability are all excellent. The only factor is the licensing.

If they were providing a license to small customers, if they target small customers, it would be really great.

If they provide a small license to small customers, or if they bring some new licensing for small customers for the specific use case on top of Splunk Enterprise Platform, that would be beneficial.

My experience with Splunk Enterprise Platform is approximately two and a half years.

In terms of Splunk Enterprise Platform stability, I would rate it nine out of ten.

When considering scalability, Splunk Enterprise Platform is very scalable. I would rate it nine out of ten.

I have contacted support for Splunk Enterprise Platform multiple times. For our architecture specifically, we have contacted Splunk support. The add-on which is being provided by Splunk support was generating an error in our environment. For that, we contacted support and they were able to provide us with the solution which is currently working fine.

Regarding alternatives to Splunk Enterprise Platform, I have tried to use other tools, but they are very specific to some use cases only. I have preferred to use Splunk because it works with all my use cases and all the log or source types. I tried Dynatrace and DataDog, which provide observability, but that was not as useful to me.

In terms of ease of use with Splunk Enterprise Platform, it is very easy and straightforward. All the steps are mentioned in their documentation. All the guides which are required or the prerequisites that must be there before installing or setup, are in their documentation. The community is also very good. We have enough description about the installation steps, which is what makes it easiest.

Using Splunk Enterprise Platform requires maintenance. In terms of maintenance, it will be specific. If we are making any changes, then we must schedule maintenance because it will restart its services and we must accept the downtime. If we are upgrading our environment or any specific apps that are present in our environment, then we must have maintenance for it.

I would rate this review an eight overall.

In my enterprise work as a consultant, I designed most of the architecture based on customer use cases and requirements. For the use case part, we can convert data into CSV to JSON with the ingest processor, which is a good point for data reduction. We create security alerts, notifications, and many data models to monitor data for compliance purposes.

Regarding Federated Search, it is an excellent feature. We have a separate environment where we can search data from different complete stacks or different complete Splunk infra. We have one platform with a complete environment for SIEM and another environment for observability. We enabled Federated Search between both of these environments. Any observability team can get data from the SIEM, and the SIEM team can get data from observability.

What I appreciate most about Splunk Enterprise Platform is that one of the best features is its ability to support customization. You can customize anything in Splunk Enterprise Platform. We have scripted input, normal file monitor, port monitoring, and many add-ons. Splunkbase is one of the biggest app and add-on stocks available. It supports everything you need. Wherever your data is, we can retrieve it. This is one of the best things about Splunk Enterprise Platform.

What I dislike about Splunk Enterprise Platform is the props and transforms functionality. For most types of data, we have custom add-ons and everything is available, but for some data we want to parse, the add-on is not available. Then we need to write manual props and transforms. Sometimes there are many issues with the Regex. When you write Regex, it may not work properly. In the Regex101 platform, you find Regex working, but when you apply it to Splunk Enterprise Platform, it is not working. Therefore, props and transforms, such as parsing of the data, are not that reliable.

Regarding maintenance, I don't think there is a strict maintenance requirement, but we need to continuously monitor the platform. For example, when Splunk version upgrades come in, we need to upgrade. Continuous monitoring is required. Sometimes knowledge bundle size increases, sometimes an alert is not running, and sometimes we have search head cluster replication factor down. Many kinds of issues are present with Splunk Enterprise Platform because you have your own infrastructure. This could be a plus or minus at any time, which is where we need to focus on maintenance.

Regarding the feature called Trusted Control Plane, I am not familiar with it. Is it in Splunk 10x or what?

I have been using Splunk Enterprise Platform for eight years.

The stability of Splunk Enterprise Platform is very good. There are no stability concerns.

Scalability is also good. There is not much configuration required. If you want to expand anything, you can increase more indexes or add storage. There is a separate storage tier that you can expand however you want. It supports both vertical and horizontal scaling. You can grow the environment without difficulty.

I was working directly with Splunk when I worked at Splunk.com as a Site Reliability Engineer with the data system. There we directly supported all Splunk customers by upgrading their environments, installing apps, and performing Splunk version upgrades. We handled many tasks such as changing configurations. For everything that a customer raised a support case for, we were the ones who provided support.

I have contacted Splunk support myself. I worked with two clients, including Emirates Airline, which I am currently working on. I raised support cases many times, including ODS cases. Regeneron Pharmaceuticals was another customer, and I raised many technical support cases for them.

I would rate Splunk support a nine because they are very good and very technical. They provide solutions on time, which is something I appreciate.

The initial deployment of Splunk Enterprise Platform is simple and very easy. You need some training before you do it. For a single instance, it is very easy. You just need to unzip the package and install it. However, if you want to set up clustering, search head clustering, indexer clustering, and other configurations, you either need to read the documentation or complete the architect labs. For me, it was very easy because I was an architect and consultant at that time.

Regarding pricing, it is costly. I don't know the exact numbers, but it is very expensive. However, it is worth it when you are using it properly. When you have a proper SIEM, proper data, and everything is in compliance, and you use Splunk Enterprise Platform to its full potential, then this investment is worth it.

I have used alternatives, and most of the customers are using Cribl for parsing because it has the best UI and visual elements. In Splunk Enterprise Platform, we need to write the files, but Cribl offers a visual approach, which is better.

I was working with Emirates Airline, where we take a license from Splunk and use Splunk Enterprise Platform. We have our own on-premises infrastructure. I am a customer of Splunk Enterprise Platform. I would give this product an overall rating of nine.

I still work with Splunk Enterprise. I want to clarify that I am only working with Splunk Enterprise, not with Splunk AppDynamics, Splunk Cloud Platform, or Splunk Enterprise Platform. I am solely focused on Splunk Enterprise for my current work.

I have been working with this platform for almost the last five years, even more than that. Overall, it has been around 17 years that I have been working in IT and with software in general, not only Splunk but other software as well. That was really good. The primary use for us was anomaly detection and system outage prevention, and Splunk was definitely helpful to us in those areas. The personalized dashboards in Splunk have helped me significantly with my overall workflow.

We are using Splunk Enterprise Platform for advanced threat detection. The Splunk feeds go through different systems for SIEM audits, and we utilize them from there. Overall, Splunk Enterprise Platform impacts my organization positively, and I can see the benefit from using the product.

For improvement, I do see a lot of issues with Splunk support, particularly with response times. When there is an issue, finding the root cause is taking too long. The system shows some error infrastructure-wise, but that error is not directly linked with the problems. There are some delays with the response time from their technical support, and I am not very satisfied with their work in this regard.

I have been working with this platform for almost the last five years, even more than that.

There was no complexity with implementation. It was straightforward for me and my team, with no complexities involved.

I do not see any challenges with scalability right now. Integration with third-party tools is quite easy, and I have not noticed any difficulties in this area.

Regarding the technical support of Splunk, there are some delays with the response time, and I am not very satisfied with their work in this regard.

Positive

Before Splunk, I worked with Dynatrace and AppDynamics. Splunk is the one directly used for log analytics and anomaly detection. I have not worked with any competitors such as Datadog.

We were moved from AppDynamics to Dynatrace. We used AppDynamics more for transaction tracing. From there, we were strategically moved into Dynatrace. For the entire log monitoring, we still recommend Splunk Enterprise Platform. We still use Dynatrace for the other transaction trace and other services. The reason for switching from AppDynamics to Splunk Enterprise Platform was that we needed a dedicated solution specifically for log monitoring and anomaly detection.

I cannot say directly about cost reduction, but it is returning on our platform in terms of detections. In terms of finance, I do benefit from Splunk Enterprise Platform, and it provides a return on investment.

Right now, the Enterprise version is reasonable. When we go for Splunk Cloud or something similar, we recently had negotiations, and that is acceptable. When it comes to Enterprise, it is definitely reasonable in terms of pricing.

We are not using Splunk's Machine Learning Toolkit directly, but the Splunk feeds are still going back to the originating machine learning systems.

I am working with Splunk Enterprise Platform, and I have worked with Enterprise and ITSI, both. Sometimes I have worked with ES also, Enterprise Security.

I use Splunk Enterprise Platform mostly for log monitoring. In our company and our projects, we are monitoring for log monitoring, we are using Splunk. After that, we have created some dashboards according to our requirement and alerts and reports. Sometimes for historical data, we have created summary indexing. We are managing our Splunk Enterprise Platform infrastructure like search head, indexers, deployment server, and license master. We have 1,000, you could say 10,000+ UF. Some of them we are using with apps like Splunk DB Connect. For Kafka, we are using different add-ons for sending our data to Splunk Enterprise Platform from different log paths and log sources. That is the main use for Splunk Enterprise Platform. Mostly we are using it for log monitoring.

When I talk about Splunk Enterprise Platform, I can say that Splunk Enterprise Platform is, whatever the tool I have worked from my last eight, nine years of experience in my overall corporate journey, a very powerful tool where I can customize everything as per my requirement. There is no hesitation and there is no limitation for my customization. Whatever I want, I can do that from Splunk Enterprise Platform. If I am talking about tools other than Splunk Enterprise Platform, they are not very vast, or not good enough to customize. Here I can customize. If I need to customize from backend side, I can do whatever using Python, Java. If I want to create some things, that is a different thing. In every project, the requirements differ. If I need JavaScript in my platform, in my dashboard, where I want to customize and play with the dashboard according to my requirement, I can use JavaScript. I send the data, I can use Python script to send the data to Splunk Enterprise Platform. There are very different things. Mostly the SPL, which I am using, has already covered most of the things. But for what is not covered, I can use some different things also.

In my opinion, the effectiveness of Splunk Enterprise Platform in detecting anomalies for preventing system outages is very good. It is improving day by day.

When I talk about the personalization dashboard in Splunk Enterprise Platform, I can easily customize my dashboard.

Even if people do not know about Splunk Enterprise Platform, they want to create the dashboard, they can just drag and drop. They can add a widget and choose some visualization like a bar chart. If they do not know about the XML or the backend of their dashboards, they can still do it from the UI only.

The Application Management feature in Splunk Enterprise Platform may help enhance the end-user experience, but I need to check that.

Advanced threat detection in Splunk Enterprise Platform is very good enough to detect anomalies and detect vulnerabilities. Splunk Enterprise Platform has a different product called Splunk ES, which is a very good product in cybersecurity. I can easily detect some problems, and it automatically sends alerts. The anomaly detection is very good for live production data. Whenever an anomaly comes in an application, it automatically resolves and just gives the notification. It creates incidents or whatever is needed, where I can integrate with different tools like PagerDuty, Moogsoft, or even send my data into Slack if I am not using ServiceNow.

For a potential area of improvement in Splunk Enterprise Platform, I can say to try to make it easy for the user and user-friendly.

Simplifying the UI would help, because not everybody has it in their knowledge. If you want to sell your product, you will go with the company CIO, Chief Information Technology Officer. I do not think he will be working on that project; he will be working on your tool. Their resources, their employees will be working on Splunk Enterprise Platform. If you will show them the UI where they can understand, even if they do not know about any coding, they can just play, drop, and drag. If you satisfy them, then anyone will work on their tool in their company. I just want to give you the business perspective, because if you talk to any CIO, they are looking first at the UI part. They will not look into the coding part; they will just check the UI. If the UI is user-friendly, it will attract every person.

There is very much improvement needed from Splunk vendor support side because they need to check what people are raising in the requests. They do not understand the concerns people are raising. I do not think Splunk is working on their application support, I believe they hire third-party people who do not know as much about Splunk Enterprise Platform.

Regarding deep knowledge of the product, I am talking about the technical aspects. If anyone says something is not working, it seems many cases I have raised where they do not reply to my request adequately. That is why I say there is a requirement for improvement.

I have been working with Splunk Enterprise Platform for the last six years.

From one to ten, I would rate the stability for Splunk Enterprise Platform as a nine.

I would rate the scalability as an eight.

For technical support from Splunk, I can say it is a two only.

Neutral

The setup process for Splunk Enterprise Platform is very simple.

In my opinion, the main competitors for Splunk Enterprise Platform in the Enterprise Platform market are Dynatrace and DataDog. Recently, at a Dynatrace conference, they mentioned their goal to beat Splunk Enterprise Platform in the future.

DataDog is also relevant. For open-source options, ELK is available for those who need a more budget-friendly solution since Splunk Enterprise Platform is not open source and is quite costly.

I am working with Splunk Enterprise Platform and Dynatrace, and my feedback was really valuable for us.

I am using Splunk Enterprise Platform, and I am combining it with a Cloud platform, AppDynamics, and SOAR.

I worked with Splunk Machine Learning Toolkit, but that is a different thing. I have not worked so much on the MLTK side, so I cannot say anything, I cannot give more of an idea or feedback on that.

The ability to manage applications through Splunk Enterprise Platform is something I need to check.

I am talking about Splunk Enterprise Platform, and there is a lot it provides to the end user. The first thing for Splunk Enterprise Platform is that I can organize my data, like the Common Information Model, CIM, where there are different departments in my company and different application owners. Accordingly, they can set their data, which they do not want, they can just skip that. Whenever they need, they just use the simple one, and that data will be present. In one umbrella, they can see different locations and different data. In any organization, I have to organize my data. If I do not organize my data, then it would be very difficult to find it.

Directly, if I just check my application, I can enter my application, like in Linux. I just enter index equal to Linux, and it gives me all the details. Even in the dashboard, I select Linux, and it shows all the data, including vulnerabilities, CPU usage, and memory usage.

This is a really good point. Because people are not working on their tool. If I tell any technical problem in Splunk Enterprise Platform to the CIO, I do not think he will understand. He has not worked on it; he does not know what I am talking about. But if you present to him that our UI is very helpful to everyone in your organization, no matter if they are on the leadership team, application team, development team, testing team, or application support team, they can all use our tool easily without any hesitation. Even if they need help, Splunk Enterprise Platform has introduced AI, which helps answer any questions regarding SPL.

I purchased Splunk Enterprise Platform directly from the vendor.

I rate the price for Splunk Enterprise Platform as a five because it is very high. If the price were lower, there would be no tools in the market capable of competing with Splunk Enterprise Platform. The only reason people think about moving from Splunk Enterprise Platform to another tool is the price. I would rate this Splunk Enterprise Platform solution with an overall rating of eight.

I mainly work on log management and observability for our platforms. We use Splunk Enterprise Platform for the collection of logs and primarily for the observability of dashboards related to incident management and our application performance.

The feature I appreciate most about Splunk Enterprise Platform is the Search Processing Language, which is very flexible. It allows me to write complex queries and perform statistical analysis to create better dashboards and visualization capabilities. Through this, we can visualize our systems and manage incident management properly.

Our team primarily uses the technical capabilities for log management and observability of our systems and the performance of our applications. Our team operates mainly in the technical domain.

A major factor I dislike about Splunk Enterprise Platform is the cost. Since the cost is based on data ingestion or the volume of data, large logs or large volumes of logs sometimes increase the ROI and overall cost of the product for us. This direct relationship between cost and data ingestion volume is an area I dislike and where there is room for improvement.

On a scale from one to ten, I would rate Splunk Enterprise Platform overall 8.5 out of 10. The area where it can be improved is mainly the cost. Otherwise, the features and quality of the platform are very good. Splunk Cloud and Splunk Enterprise help reduce MTTR, Mean Time to Resolution, since incident management is faster. Additionally, the visualization and observability of the entire organization infrastructure and application performance are consolidated in one place, as data is collected in a central location. Overall, the features and aspects of Splunk Enterprise Platform are commendable, but the cost aspect could be improved.

I have been using Splunk Enterprise Platform for more than one year.

My impression of the stability of Splunk Enterprise Platform is that the stability is much better, and we can also scale by cluster indices if needed. The stability and scalability of the platform meet our requirements and are functioning properly.

The scalability of Splunk Enterprise Platform is such that we can scale by cluster indexes as needed. The scalability is appropriate to the standards we require.

I have not contacted the technical support or customer support for Splunk Enterprise Platform much because the procurement part was managed by our finance team.

Previously, we were using open-source tools such as Prometheus and Grafana for our dashboards, visibility, and monitoring. Additionally, while selecting tools, we tried ELK for some time. However, we are currently using Splunk Enterprise Platform.

The initial deployment of Splunk Enterprise Platform is very easy because it was primarily done by our infrastructure team. The deployment was easy, especially since our deployment model is cloud-based. Although there is an on-premise setup available, we are not using that much, but the cloud-based deployment was very straightforward.

For the initial deployment of Splunk Enterprise Platform, two or three people were involved, though I am not entirely certain of the details because the organization was using this tool before I joined.

Granular data access is mainly for controlling data that gets ingested. I understand that granular control over data gives us the ability to restrict how much data we want, thereby helping us reduce the cost of Splunk Cloud.

I am not using the Federated Search feature of Splunk Enterprise Platform because we primarily use SPL queries for our log management and database visualization.

Splunk Enterprise Platform does not require any maintenance on our end since it is a cloud-based system, so I do not think we require any maintenance for that.

My impression of Splunk Enterprise Platform's capability to manage data sovereignty at a petabyte scale within my environment is that our data is collected at a centralized location for all our metrics and logs. Having it in one place helps us for better visualization and data sovereignty because our data is in one location, which reassures me that our data is not being leaked or used by other AI tools or any other third-party applications.

My impression of Splunk Enterprise Platform's approach to managing governance within a private network environment is that governance is managed by the security team. From my experience, the governance and compliance for the data of our organization with Splunk Enterprise Platform follows mainly SOC 2. I am not fully aware of all the details, but I know that it aligns with best practices in the market, which is why our security team has approved it.

I would rate Splunk Enterprise Platform overall 8.5 out of 10.

The most valuable feature I have found so far is the correlation rule. That seems to be very valuable for us. I can create any alert using the correlation rule, which seems to be interesting for me.

I use Splunk Enterprise Platform for advanced threat detection with the correlation rules, nothing else. We have only very few customers, just two customers. They are not interested in those higher versions of Splunk Enterprise Platform. We rely completely on the correlation rule. We highly rely on this correlation rule.

The personalized dashboards in Splunk Enterprise Platform are a good feature. We have created multiple dashboards. It is easy and understandable, and whatever we need, we can get it. It is not only with Splunk Enterprise Platform but with all the other products. I would say we can go ahead and create a customized dashboard. Since I am working for SOC, I do have an internal dashboard that I have for myself where I have all the service metrics dashboard available. I make use of that rather than going directly into Splunk Enterprise Platform creating there.

I think the machine learning toolkit is fine, but when I talk about threat intelligence, it is not that effective. Since recently, I think Splunk Enterprise Platform has acquired Cisco, which has acquired VirusTotal if I am not wrong. I think VirusTotal. Initially, what used to happen was that the threat intelligence source I used for Splunk Enterprise Platform was not regularly updated. I faced challenges there, and then finally, when I went ahead and researched, I found that VirusTotal is readily available to be used in Splunk Enterprise Platform. So I integrated it, and as of now, I am making better use of it.

The effectiveness of Splunk Enterprise Platform in detecting anomalies and preventing system outages completely depends upon the correlation rule, but when it comes to threat intelligence, I have not explored much of the source side. I am mostly on the SIEM side. Though I have some features that I have integrated, I am mainly working on the SIEM side rather than the source side.

The application management feature, which I believe refers to the interface, is not that attractive, I would say. It is a simplified version, and I am using the cloud platform of Splunk Enterprise Platform instance. It is simple, but it is okay. It is manageable.

I definitely find it problematic, and I think they could need to have more nuances and more features when it comes to the interface. It should be more extended.

From my perspective, Splunk Enterprise Platform can be improved by first making the GUI, the interface, more attractive. The second improvement should try to include all the threat intelligence into that platform, integrating all threat intelligence. The behavior monitoring is a bit of a concern because I do not see much detection. Maybe that is because I am using only the correlation ID, but still, the behavior monitoring should automatically detect. Even if it is a SIEM solution, if I create some rule, that is what I have customized it for. I am not sure if SOAR has that capability, but in case SOAR does have that capability, if not, then they have to improve their machine learning and behavior analytics. I have been in touch with different technicians from different organizations, and they have mentioned these challenges. There are a few drawbacks when it comes to Splunk Enterprise Platform.

I find the price a bit high, I would say. A bit high.

I have been working with this product for one and a half years.

I have no problem with the technical support provided by Splunk Enterprise Platform at all. I do get support whenever needed. I would rank them at an eight, with ten being the highest.

Positive

As for the initial setup and configuration for Splunk Enterprise Platform, I will not say it is easy. It is a bit complicated. But since I have support, that makes my life easier. It is a bit complicated compared to Trend Micro, compared to CrowdStrike, and compared to Microsoft Sentinel or Defender for Cloud, Defender for Endpoint. Splunk Enterprise Platform is on the complicated side.

As of now, I am pitching in for Microsoft Sentinel. I am also pitching in for CrowdStrike, which is also a bit expensive, but the only product that I pitch in is Microsoft's product, which is Microsoft Defender for Cloud for Servers, and Defender for Endpoint, Defender for Cloud Apps, Defender for Office, all those products. Defender is one of the cheaper ones. In case a customer is not okay with Microsoft, I pitch in CrowdStrike. First, I pitch in Trend Micro, and then I pitch in CrowdStrike, with CrowdStrike being at the higher price range.

One advantage these competitors have over Splunk Enterprise Platform besides lower pricing is that with one of my customers, they can fetch logs from all sources and bring them into Splunk Enterprise Platform. They can control the logs that are not required. My continuous monitoring allows me to ensure that in case there are certain logs that are no longer required, along with the architect, I can discuss that and bring down the overall log size to around 40 GB per day. I am talking about a log source that is more than 20 as of now for this customer.

The products that have this feature are CrowdStrike and Trend Micro, which have to be configured using the API. Even Microsoft has it, but Microsoft faces a lot of challenges when it comes to pulling a log from a log source that does not have an inbuilt connector. There is a challenge there. However, when it comes to Trend Micro and CrowdStrike, it is a bit easier there using APIs.

I would recommend Splunk Enterprise Platform for bigger companies.

In the future, I expect additional features such as threat intelligence, behavior analytics, log searching, and machine learning capabilities.

As for any other functionalities I would like to see from them in the future, I do not have anything to add right now. I have something in my mind, and in case I remember, I will go ahead and add it.

Splunk Enterprise Platform is very popular in my region. My overall review rating for this product is seven out of ten.

We have been working with Splunk Enterprise Platform for two years. Currently, we have been running Splunk in our SOC for two years, but we have not used the Machine Learning Toolkit yet. I believe it is a powerful tool, but we have not explored it.

I think the most valuable feature of Splunk Enterprise Platform is its capability to correlate all the logs that we ingest into our platform. Splunk offers many predefined analytic stories that we can implement for our customers, which act as playbooks for detecting suspicious activity, anomalous behavior, and other security-related events. This capability stands out as a key feature of Splunk.

We work with Splunk on-premise, especially with Splunk Enterprise and Splunk Enterprise Security. Splunk Enterprise refers to Splunk Enterprise Platform and also includes the Splunk Enterprise Security platform, known as Splunk or Splunk ES.

We implement detection rules similarly across multiple platforms, including Microsoft Sentinel, Elastic Security, and IBM QRadar, and I can say that Splunk is one of the powerful SIEM tools. It offers us the flexibility to define our correlation rules and detection rules, which is a significant strength. Compared to other platforms, Splunk is more user-friendly regarding querying, making it easier to create detection rules and correlate various log sources.

From what I have noticed across all SIEM platforms, they are beginning to incorporate AI capabilities, which is an aspect that I think Splunk could enhance. Microsoft Sentinel, for example, features a Security Copilot, but it requires an additional license for use. Other platforms such as Google SecOps and Palo Alto's Cortex XSIAM integrate agentic AI capabilities that I believe will become standard features for all SIEM solutions in the future.

For generative AI, it would be beneficial for Splunk to add features allowing users to define queries using prompts. For example, being able to ask for the top 10 malicious IPs could simplify tasks significantly. Additionally, Splunk could consider an AI response feature where triggered alerts can prompt recommendations for users on corrective actions. A noise cancellation AI might also help security analysts reduce alert clutter. There are many agentic AI improvements that can be made in Splunk Enterprise Platform.

In terms of scalability, many SIEM brands, including Splunk, provide options that adapt to a growing organization. As companies expand, the ability to scale their SIEM is crucial. Splunk allows for scalability, as you can start with an all-in-one instance and, as your deployment grows, split it into distributed deployment, such as separating the search head and indexers. I believe all SIEM solutions provide reliability, and Splunk is no exception as it also offers strong scalability.

We sometimes communicate with Splunk's technical support, but it is not often, especially regarding technical issues. When we encounter issues, we utilize the Splunk community, which I believe showcases a big advantage of Splunk due to its strong community support. Many of our technical problems are resolved by this community.

Negative

I usually participate in the initial setup and deployment of Splunk Enterprise Platform.

Regarding pricing, I remember that Splunk is generally more expensive than SIEMs such as Microsoft Sentinel and Securonix, while it is also pricier than Elastic Security. From my perspective, Splunk tends to be too expensive for smaller customers. This leads us not to recommend it for small companies due to the high cost and often pushes us to suggest alternatives such as Elastic Security, which has more volume-based licensing options.

I have experience delivering SIEM platforms to our customers, including Elastic Security, Microsoft Sentinel, Splunk, and IBM QRadar.

We have many use cases for using Splunk Enterprise Platform. We use Splunk to detect anomalies in our customers' IT environments, such as their network environments. We want to detect suspicious activity or anomalous activity from our customer environments. From Splunk, we utilize many applications from Splunkbase to support our deployment. Many of our services relate to the Security Operation Center, so many of our use cases are linked to SOC activities.

Since the query capability in Splunk is extremely flexible, creating dashboards is also very easy. Dashboard creation depends on the SPL queries, and in the latest version of Splunk, we have two options: classic dashboards and Studio dashboards. Both options can be tailored to our needs, enabling us to create highly customized dashboards, for instance, by adding images. This flexibility makes crafting custom dashboards simple.

I find deploying Splunk to be very straightforward because you can choose to install it on either Linux or Microsoft operating systems. Before deployment, we conduct sizing for the instance, including storage, CPU, memory, and network considerations. Once sizing is clear, we proceed with the installation, which offers multiple options such as Debian packages or RPMs. Overall, the deployment process is quite easy.

Currently, many of our customers prefer cloud deployment for Splunk Enterprise Platform. We do not recommend specific cloud services, but we often see GCP, Google, and Microsoft Azure being used among our customers.

I consider Splunk to be one of the best solutions available compared to other options. If budget is not a concern, Splunk stands out due to its extensive integrations, flexibility in scalability, and the simplicity of its deployment. I would rate this review an overall 8.

Ingesting massive amounts of machine-generated data and running real-time searches to identify patterns, anomalies, or threats related to specific security issues was how I used Splunk Enterprise Platform for detection and investigation. The most significant aspect, if I must prioritize, is the data ingestion capability. Splunk Enterprise Platform usually collects authentication logs from various sources such as Windows event logs and SSH, which relates to Linux logs, and some web application-based logs as well. Apart from that, I use it for detection logic. The main search I use is Search Processing Language, based upon the queries I provide related to the machines I monitor.

Mostly for brute-force detection, I use it for monitoring multiple failed login attempts from a single source or multiple IP sources followed by a successful login, which often indicates a compromised account. I also use it for lateral movement and privilege escalations. For privilege escalations, it involves detecting when a normal user is added to a high-privilege group, such as Domain Admins. Additionally, I have capabilities related to IT operations, which involve web traffic analysis, mostly identifying slow-loading web pages or sudden spikes, errors such as 404 or 403 Forbidden, or even 500 errors.

When a specific condition is met, such as any brute-force attack happening, it is easy to investigate the alert, particularly in Splunk Enterprise Platform. Integration is a notable aspect of the features in Splunk Enterprise Platform.

Before using Splunk Enterprise Platform, I used LogRhythm, but after initiating Splunk Enterprise Platform, I noticed several positive impacts in my organization.