Splunk Cloud Platform Reviews

My usual use cases for Splunk Cloud Platform involve being an admin where we used to build Splunk clusters or distributed environments from scratch on the on-premises system, but now we have everything up and running on Splunk Cloud Platform, which operates on AWS. Splunk has developed it on AWS. Currently, as an admin, I just need to maintain and configure it according to our needs. It functions as a software as a service now, meaning we don't configure it from scratch the way we used to do with installation, configuration, and setup of the configs as we required. Now, it is software as a service that we use for both Splunk and Observability.

Splunk Cloud Platform has greatly improved my daily operations through enhanced integration with third-party tools. Earlier integrations from on-premises Splunk to third-party tools were quite difficult, lacking the necessary add-ons or applications that could be directly used from the UI. Now on Splunk Cloud Platform, they have introduced new add-ons and plugins that allow us to utilize and pass credentials directly for integration with third-party applications, making the process very efficient and fast. We have multiple new add-ons that let us connect directly to clouds such as AWS, Azure, and Google, as well as event management applications such as ServiceNow, requiring only the credentials and service accounts and eliminating the need to configure from scratch.

The features of Splunk Cloud Platform that I have found most valuable and useful relate to licensing. Previously, it was a daily quota that we purchased on-premises, but currently it is based on SVC, or Splunk virtual compute, which is based on CPU and memory utilization of the cloud for billing. There are two license types: Victoria and Base. As we utilize the SVCs, we are charged accordingly, and we have the option to purchase a fixed number of SVCs or pay based on how many we actually use.

The effectiveness of Splunk Cloud Platform's search capabilities in uncovering operational insights is notable because as an admin or developer, we utilize saved searches that run on schedules that we set. The search capability utilizes the same compute assigned, and compared to on-premises, it is very efficient and fast because on-premises we had fixed compute assigned with limits set for searching per role or application. In the cloud, we find it very easy and fast to use.

Splunk Cloud Platform helps in proactive issue resolution by allowing us to set alerts based on data flow to find errors or anomalies that need identification. The saved searches run based on these conditions to find errors or identify anything unusual in the data. We get alerts based on the conditions we set, which is quite effective.

Areas of Splunk Cloud Platform that could be improved or enhanced in the future include data visualization, as the way we use data for security and other purposes could further benefit from enhanced visualization to support monitoring, threat analysis, and other aspects.

Overall, I would rate Splunk Cloud Platform an eight out of ten as a solution for us.

Regarding stability and reliability so far, we are not yet live and are still in the migration process, but comparing it to on-premises, it seems promising.

My thoughts on the scalability of Splunk Cloud Platform are that it scales up quite well. However, I haven't encountered any specific scenarios to validate it thoroughly yet, but overall, it appears to be good.

My opinion on the technical support and customer service of Splunk, based on my cases, is that it is quite good with the credits we have along with the vendor. However, when we don't have credits, they charge us based on time as well as the criticality of the issue.

In my opinion, there is room for improvement, as we used to raise multiple issues via the process, but they pick them up slowly, and the response times are not as prompt as we would like.

Regarding how Splunk Cloud Platform's ingest and visualization features help improve my data reporting, I have some insights on dashboards, but from a fully comprehensive perspective of data flow and ingestion, I haven't been hands-on that much. As an admin, I have worked on the infrastructure side of it, so I am unable to provide thorough feedback on that.

I would rate Splunk Cloud Platform an eight out of ten overall as a solution for our organization.

My major use case for Splunk Cloud Platform is for SOC, SIEM mostly.

What I like about Splunk Cloud Platform is the easy reading of the dashboards and finding the data, which brought me the biggest benefits.

The alerting mechanism in Splunk Cloud Platform is customizable, so we could adapt it to our needs and assign the right priorities and based on this, define the action.

Visualization features and ingesting in Splunk Cloud Platform helped to improve my data reporting, but that was also a different team that was providing the log ingestion.

Other features that were really great in Splunk Cloud Platform include real-life monitoring, so we could have logs right away, and parsing was fine, so when it was correctly ingested and Splunk Cloud Platform parsed it correctly, then we had no issues with receiving the correct alerts.

Splunk Cloud Platform could improve in how quickly it reacts to users reporting issues.

Splunk Cloud Platform can be complex depending on the log source in terms of deployment.

I used Splunk Cloud Platform for seven years.

Splunk Cloud Platform was stable, and I did not see any performance issues or downtime, although it happened; the issue was that we had to really fine-tune the log quality so that it would not be ingested too much and handled for nothing.

Regarding the scalability of Splunk Cloud Platform, I would say it is scalable, but maybe the pricing may affect the scalability because it may not be that beneficial to onboard too many log sources if they generate too many false positives and then you reach over the limit of the license.

I would rate the technical support for Splunk Cloud Platform probably a three, because there was some support, but I remember that we were using our proxy company to submit it for us because they were bigger and maybe more convincing to Splunk.

Negative

The biggest issue during deployment of Splunk Cloud Platform was correct log parsing.

I can describe the impact of integration with third-party solutions in Splunk Cloud Platform as limited experience since I was the only one on the receiving end of it, and I was not integrating it with any solutions or with any other vendors; we also had the company who was supporting us in the configuration part, so we didn't even have to do it fully by ourselves.

I don't see ROI with Splunk Cloud Platform, such as time saving or money saving because I'm security operations, so I don't think in management terms.

I have about the same amount of experience in this domain with SOC solutions, as I haven't worked with SOC SIEM solutions such as Splunk Cloud Platform before, so it's the same. My overall review rating for Splunk Cloud Platform is 8.

I use the Splunk Cloud Platform for security monitoring. My company is a technology company with over 40,000 employees.

The Splunk Cloud Platform offers easy data ingestion and a user-friendly interface for product teams, particularly for straightforward log shipping.

Splunk Cloud Platform offers easy integration due to its robust and well-documented APIs. These allow seamless integration into existing pipelines and other products and the flexibility to create custom integrations as needed.

Splunk Cloud Platform helps access data for compliance and privacy regulations. While some manual work remains, it assists with meeting compliance and regulatory requirements, especially regarding logging, reporting, and monitoring, solidifying its position as the industry standard.

The most valuable feature of Splunk Cloud Platform is its robustness and ability to ingest logs.

Splunk Cloud Platform needs improvement in its security offerings, specifically in cybersecurity. It has not kept pace with competitors over recent years, and integration with the Cisco ecosystem after Cisco's acquisition of Splunk has also been slow. The product should incorporate more readily available features, especially in security monitoring.

The federated search feature is costly.

Extracting meaningful insights beyond essential log data proves challenging due to the product's reliance on manual processes. Users must manually configure detections, develop logic for insights, and manage dashboards. While the product boasts numerous out-of-the-box capabilities, these often require extensive modification to align with specific user needs, limiting their practical applicability.

Splunk Cloud Platform doesn't inherently provide visibility as a standalone product. It's a platform for building custom visibility solutions. We need to feed it data and then write logic to define what insights we want to extract. While pre-built solutions might be available in the marketplace, Splunk doesn't offer out-of-the-box visibility. If we know our requirements, we can utilize code and research to create custom dashboards, but it requires effort and expertise.

The pre-built reports in Splunk Cloud Platform are generic and require manual adjustments to extract specific, granular information, which requires the user to be knowledgeable.

I have been using the Splunk Cloud Platform for over ten years.

The customer service and support for Splunk Cloud Platform are mediocre and often hit or miss. Premium support is costly and may not always provide a satisfactory experience, as even the support engineers can sometimes be stumped.

Neutral

The initial setup of the Splunk Cloud Platform is straightforward. Professional services are available to assist in deployment, including setting up Splunk forwarders and building data models. With adequate support, full deployment can be efficiently achieved.

Full deployment is a lengthy process, but achieving 50 percent deployment can be achieved within one to two quarters.

Deploying Splunk Cloud may require different resources depending on the size of the data ingested daily. Two to three people may be sufficient for smaller terabyte ingestion, whereas a team of four to five might be needed for larger ingestion.

The return on investment with Splunk Cloud Platform has been poor. There is a significant possibility we will be replacing it in the next quarter or two.

Splunk Cloud is considered too expensive, with its two product offerings both being costly. I would rate the cost an eight out of ten, with ten being the most costly.

Splunk Cloud Platform is not impacting a lot of decisions. But if we write very good reports and dashboards, then we can derive insights from them for leadership to make concrete decisions on. So we have to do the legwork to get that output.

While Splunk Cloud Platform may not be a significant factor in decision-making, generating high-quality reports and dashboards can provide valuable insights for leadership to take concrete action. However, we must dedicate ourselves to the necessary work to produce those impactful outputs.

I would rate Splunk Cloud Platform a five out of ten due to its gradual decline over the last few years. While I would have rated it an eight out of ten four years ago, its performance and features have deteriorated, leading to my current lower rating.

Splunk Cloud Platform is a product I use since my company has different platforms on Splunk, like Splunk ITSI and Splunk Enterprise Security. Splunk ITSI and Splunk Enterprise Security are the two packages known as paid packages under Splunk Cloud Platform, and my company also has an ad-hoc search head. Splunk ITSI is totally related to the infrastructure monitoring that my company does, and from it, we derive the service analyzers, episodes, and alerts and see if we want to integrate anything with ServiceNow, Jira, or any other monitoring tools we have. The product can be integrated with other tools, while my company can also use its alerting feature and its ability to notify the consumers with particular alerts, so the total infrastructure is covered under SIEM, making it possible to attach to security information. My company also created a couple of use cases, like in the case of continuous resetting of a password more than three or four times, then there will be a security incident that would be created so that if any end user is doing it as malpractice, like, phishing or something, my company can detect it and inform the user that you have crossed the four limits, and there is some attack happening owing to which we need to reset the password. Based on the aforementioned process, SIEM monitoring will be handled through its application. The aforementioned areas consist of the use cases related to the tool, along with a couple of more activities, like onboarding a user onto Splunk, creating apps for them, creating dashboards, creating alerts, and creating a couple of use cases for them as per their requirements.

In my organization, Splunk Cloud Platform has improved the issue revolving around transactions. If there are any issues with the transactions, then my company notifies the end users that their transactions failed, after which they can fix the issues so that there are no issues with the transaction part, especially regarding the application availability. The tool makes it possible to fix issues without any downtime.

I mainly work with Splunk SIEM and Splunk ITSI, and these are the two major products recommended for all consumers. If it is related to security, I recommend Splunk SIEM, and if it is related to infrastructure monitoring, I recommend Splunk ITSI to others. I used to take care of the observability part as well with the aforementioned tools. For observability purposes, I use Splunk-related applications. I also do the onboarding of the data into Splunk with the help of observability functionality.

If I focus on the observability part of the product, I see that it is an area that doesn't offer more integrations compared to what Splunk Cloud Platform or Splunk Enterprise offers. When it comes to the integrations with the other platforms, there is a little bit of a lag in the observability part, making it an area where improvements are required.

I have been using Splunk Cloud Platform for 5 years. My company has a partnership with Splunk.

It is a stable solution. Cisco has acquired Splunk recently, so I think it will be a more stable product in the coming days.

It takes a lot of time for the support team to resolve issues. In short, it takes a lot of time for Splunk's support team to troubleshoot an issue, meaning they are unable to resolve issues within a certain time frame. I rate the technical support a 6-7 out of 10.

The product's deployment phase was straightforward, especially compared to the ones I have dealt with in the past.

The solution is deployed on a hybrid cloud model.

For deployments starting from scratch, I deal with the documentation part. I prefer to look through Splunk's recommendations on the limits of how much the server configuration should be while trying to meet the configuration requirements of the consumer. In general, I deal with whatever configuration files are needed and how the consumers want to approach it, like if it should be a heavy forwarder or universal forwarder or if they don't want to directly ingest data to the indexer bypassing the heavy forwarder. Basically, I try to understand the consumer requirements before taking care of the deployment part.

For a limited deployment involving four to five servers, only a single person is required. If the deployment involves twenty to thirty servers, the number of people required to deploy the product will have to be increased depending on the requirements, and my company will also have to manage everything. The number of people required for deployment is based on the capacity at which my company plans to do the deployment.

My company has the entire Splunk Enterprise package, and we have many universal forwarders set up at fifty different locations. In around twenty locations, universal forwarders have been set up. My company also has fifteen indexes that directly send data to indexers. My company also has four heavy forwarders that collect information from applications like Azure. My company uses add-ons with the heavy forwarders in Splunk.

I was involved in the product's deployment phase.

My company has a license for Splunk Cloud Platform. My company also has a license for Splunk Enterprise. There are two packages that my company has access to when it comes to Splunk, and I am also aware of the configurations and setup phases related to the tool, from scratch to production.

Splunk Cloud Platform has improved our company's incident response time. For example, if any event is ingested into Splunk, within less than a minute, we trigger an incident to the end user based on the assignment group in ServiceNow.

There are many benefits attached to the tool in the areas of machine learning and predictive analysis. In Splunk ITSI, there is predictive analysis, which can be used for protection with the alert capabilities, especially if there is an alert storm coming up. My company can directly detect particular alerts from the trail to the attack and notify the end user about it. With the machine learning toolkit, my company does anomaly detection with the help of Splunk SIEM platform. With Splunk ITSI, my company does predictive analysis. The aforementioned area covers the two different platforms my company uses, along with two different approaches and the tool's machine learning capabilities.

My company interacts with our consumers. For example, if I am a consumer of Azure products, I would want to onboard all the data from Azure, even if it consists of user data. I recommend that more space be set on a particular index so that Azure data can be used. My company has all data related to Azure about its users and the changes if you have a license or if you have Azure Event Hubs, including any other things that it may have. I recommend more space in Azure, but if it is a network-related application like Aruba, I recommend that it has a little bit less space compared to Azure. The scalability of Splunk Cloud Platform can impact our company's data management, though I recommend the space required for a tool based on the use cases.

I am aware of the federated search features in the product. If a search is not running up, then my company needs to check whether any permission related to the search has any issue or if anything is going wrong, after which my company needs to check and fix those searches. I have not used much of the tool's federated search features.

My organization monitors multiple cloud environments with the tool's help. It is easy to monitor multiple cloud environments using the product. For example, if my company takes into account Splunk ITSI with service analyzers, then we define how one service is related to GCP. One service will be under the cloud services offered by Azure, while another service will be related to AWS. My company can divide the services based on locations and KPIs. My company monitors the total locations of the cloud so that we can get more insights from the service breakdown, which is why I recommend the use of Splunk ITSI. I used to work more with Splunk ITSI, a reason why I recommend it to others, as it is easy to understand and handle, even if you have 1,000 or 20,000 applications. With Splunk ITSI service breakdown, it is very easy to handle applications.

The visibility of the tool in multiple environments can be explained with the help of an example, where, if my company considers Splunk Cloud Platform, the visibility will be less compared to what we get from Splunk Enterprise. Splunk Cloud Platform is totally managed by Splunk's support team, so if anyone needs to do anything, my company needs to raise a request for a change in the tool, though we can modify a couple of services, like a couple of applications using ACS, which was introduced by Splunk. With ACS, if you want to update, create a token, or modify anything from the HEC token information, you can do it with the particular services offered by the solution. Considering the aforementioned area, I recommend that 30 percent of the work be done with ACS, and 70 percent of the work needs to seek assistance from Splunk's support team. Our company handles Splunk Enterprise, and we have 100 percent visibility on it compared to Splunk Cloud Platform.

The integration of the product with other services is possible. I have integrated it with ServiceNow, Jira, Slack, and Microsoft Teams, and I can say that it has been okay till now. It is good to integrate Splunk Cloud Platform with other tools. If we take a cloud service like GCP into consideration as an example and say that it is not working properly, then there will be an incident directly assigned to the support team based on the integration with ServiceNow. If you want to notify all the consumers in a scenario where GCP is not working properly through particular notifications with Slack channel particular notifications, then one can inform all the thousand consumers in a particular company about it, and it is possible with a single integration.

My company uses the tool for alert reporting. For example, if the top management of an organization is looking for the availability of websites, especially a couple of websites that are critical to their applications, then my company monitors such applications with the data in the report from the last thirty days or seven days, to ensure that availability of a particular website is 100 percent. If anything goes wrong as per the reports from the previous seven days, then the availability is reduced to 80 or 95 percent, which is based on how much time it was down, and it will be then notified to the consumer or top management, stating that the availability got reduced, and how there is need to fix a couple of applications in the back-end so that the availability can be increased. The top management will be made aware of the things that have been going on for the last seven or forty days. In general, a report is good for notifying the top management or consumers so that they can make decisions or check if their licenses or server capacity needs to be increased. With the alerting report feature, my company can be confident that the top management or consumers know about a particular issue in the tool that we can fix as soon as possible, but there will be a cost involved in doing so every time. If the consumer or top management is aware of the issues in the tool with the help of the alerting report feature, then they can make a decision.

I am currently not aware of how the product has an impact on decision-making.

The product has helped my organization with data compliance and privacy regulations since we were able to set up the terms and conditions with Splunk. In general, it is good when it comes to the terms and conditions revolving around the security part.

Maintenance is required to upgrade the applications, so we need a downtime of no more than fifteen minutes.

The product offers value in terms of resilience. Whenever my company faces difficulties, it is the solution we use for all our monitoring purposes.

In terms of the extensibility of the product, I feel it is a good solution.

Everything is supported by Splunk support, though it may take some time to find and resolve certain issues. If Splunk's support team resolves issues within a certain time frame, I can provide a nine out of ten rating for Splunk's technical team. Splunk Enterprise is totally handled by our company, so I can give it a nine out of ten.

I recommend Splunk Enterprise to others, especially when compared to Splunk Cloud Platform. If any notifications are needed, it can be done with no downtime, and it can even be completed within a week. If we want Splunk's support team to do the same aforementioned procedure for our company, then it may take a little bit more time.

I rate the overall tool a 7-8 out of 10.

We pull in information from cloud resources like AWS and Azure, and we just recently got into GCP. Just pulling data directly from there was a little bit easier than trying to do it from on-prem. We can now do that a little easily.

We have a lot of cases where business units that were not even in Splunk got compromised for whatever reason. We could get security logs from those and import them directly, more quickly, and easily with Splunk Cloud. We have had several use cases directly with that. In our company, we do not monitor logs from laptops. We have had issues with users getting compromised on our laptops. We could get the data logs from there.

I also use it to monitor my universal forwarders so that I can see what versions they are on. We had CVEs coming out on the universal forwarders. We had to replace them. I have dashboards to keep track of our progress as we are migrating and upgrading all those agents.

The biggest, heaviest use of Splunk Cloud Platform for us right now is people going and looking at our firewall logs to find the denies and to find out which firewall is being blocked. We are a medium-sized company. We are so segmented with all the PCI and SOC 2 compliance audits that we have. We have segmented everything. We have so many firewalls that there is always another firewall down the line that is blocking. The firewall team is in there every day and all day long, and then we have other teams that go in there to see if the issue that they are having with their app is a firewall issue or not.

I have done health checks several times now, and those have been very valuable in getting more information about what is going on in my platform. There are also recommendations on what is going on in my environment. Sometimes when it says something, I already know that, and when I explain why, it knows that I am aware of it. It knows that it has to be that way for compliance reasons or there are certain break glass accounts that we have to have in case our Okta is offline. It points out things like that. 

One of the things we had to do was find out how much Splunk on-prem was costing us because we had so many different groups. We had the storage group, and then we had the hardware team. The indexers and the search heads were physicals. That was being handled by the data center teams, which bought all the hardware, and then we had the virtual servers. Everything else was virtual. That was still owned by us, which is fine, but then we had storage, so we did not know the full cost. As I am trying to migrate from one data center to another, the teams do not want to buy. They do not want to migrate hardware. They want to buy new hardware, which, of course, is a cost to their department. They are a group but not our group, so we wanted to go to Splunk Cloud. We had to first find out how much the total cost of Splunk was for our company so that we could show that moving to Splunk Cloud was going to save the company money, which it did. It saved at least a million dollars a year. We are oversized in some areas, and we are running pretty close in the other areas. It is saving us money in the long term.

We monitor multiple cloud environments. We have data in multiple clouds. We have AWS, Azure, and GCP, as well as our own on-premise that is technically a cloud or our own personal private cloud. We are a cloud customer for our clients. We are in four different environments. It has been fairly simple to monitor multiple cloud environments using Splunk Cloud Platform. The documentation and the TAs have been updated and tell you which piece is what. You see no difference between a client ID, tenant ID, a secret, a key, and the tokens. That has been very handy. We had an incident where there was an S3 bucket somewhere, and one of our teams was unable to communicate with the Cloud Infrastructure team. It was set up as a file share only instead of another type, which was not available in the TA. That was not an option, so that became a challenge. We had to work with them, and they basically had to rebuild that bucket because you cannot just add it as a function to that bucket. They made a whole new bucket and put the logs in there. That was a challenge, but other than that, it has been very smooth and easy. We have had teams that had incidents. They took all the data and put it into an S3 bucket, and it took that right in.

Splunk Cloud Platform has helped reduce our mean time to resolve because they can get the data in faster. I have even automated things. We have a Python script. I can take CSV files and send them to the endpoint and just pop them with all the data they need to do their evaluations, such as if they went to bad sites. They can see all that information. I can get that in quickly. With on-prem, I could do that, but it had to run through so many hoops because of the PCI requirements that our company has. It is still PCI-compliant, but it is just so much easier to work with. I know we have had mean times of 60 days. We are reducing it to one or two weeks now, so it is getting a lot better.

Splunk Cloud Platform has helped improve our organization’s business resilience. That was something with which I have had issues with the on-prem. I have had issues with an index. It could be a hardware issue, a software issue, or an OS issue. By having Splunk Cloud Platform, everything has been a lot more stable. I do not have as many worries or problems there. I have fewer things. I can even troubleshoot on my side if it is a heavy forwarder. That is on me, but there are a whole lot fewer things to look at and worry about. It took away a lot of headaches.

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, real-time is a touchy word because being real-time means you are indexing directly. There are a few people in my company who have or are allowed real-time access, but it is pretty close. It is pretty much within seconds. You have access to all that data, so it has been handy. I had to explain to the teams how searches work in the background. If you are running a search every 5 minutes, it sounds great, but if there is any kind of delay in the data, you can miss something, so 15 minutes is a little better, but still, you are seeing things within minutes and getting alert about them. We connect to Microsoft Teams and Slack. We are sending things to ServiceNow for the monitoring team. It is 24/7, so if they need something to watch 24/7, there is a group. They are now tied into ServiceNow, so they can get all that data right there in one place for that team, pulling it from different monitoring tools besides Splunk. It is handy to be able to just pop it all in there quickly.

The firewall stuff is huge. Everybody is in there. All day long, people are hitting that dashboard searching for firewall blocks or denies. Sometimes, they access it just to see if it is connecting because we do drop a lot of data. A great thing about Splunk is that we can drop some of the data if we need to when it is ingesting. We do not keep all the connects, but we can see whenever a connection is closed. We can see that the connection had been made successfully and then closed. We are able to see that one way or the other. We can see whether things are being blocked or it is able to connect. That information is handy now. We have a complex network, and there are times when we have routing issues. We can see that there is no route in the logs and say that it is a routing issue. They then bring the network team. The firewall is the front point for all that, but the network team has to work closely.

Just the fact that it is cloud-based is valuable. We are still on the classic one. I am waiting for the VE to come to the GCP. That is where our stack is. It is in GCP. They say it is coming somewhat soon. We will see when that is.

There is the flexibility of not having to manage all the indexes and searches myself. I was doing that with on-prem before. That was quite a bit of work. When you have an issue with an upgrade, you have to upgrade all of that. They are handling that on the backend now. I still have to do my heavy forwarders and my deployment servers, but it is a much lighter load for me on my end as an admin.

For one of the areas I am working on right now, they did an update this week which gave me back something. It was a feature that I have been using, but they took it away last conference. They just gave it back to me now, and I had to go through the setup again to make it work with our Okta. We have had issues with the maintenance windows. Sometimes I get informed about those at the last minute. They are getting better about informing us when they are going to do maintenance, but there were times when they did maintenance, and then I came in the next day and something was broken. They have gotten a lot better about that. I am still working on a couple of issues. They have cases open for them, so they know about them. They are working on them. The communication is getting better. That was an area that had a lot of feedback. I can see that they are accepting the feedback and taking it to heart, which is great.

Some of the Victoria Experience that was rolled out is not yet fully everywhere.

The AI assistant is going to be good, but we are on GCP, so I am worried about how fast it is going to get rolled out and if it is going to be nine months late for the GCP customers or not. That would be a bad thing because that would put a black eye on the whole marketing part of that. The same thing is with the Victoria Experience. They already have a black eye on that one. It has been two years since it came out and they still do not have it on GCP, so they need to get that fixed up. I would like to see the AI assistant feature as it rolls out. That helps with me wanting to roll out ITSI and the O11y suite with them bringing that AI assistant over there. I have teams right now that hit me up. They have been using some kind of AI assistant. We have Microsoft CoPilot. It is allowed in our company now. They tell us not to use ChatGPT right now because it is not approved for whatever reason. I have had some of our people hit me up who are not Splunk users but they have access to some dashboards and want to do a little bit of searching. If they use generic AI to find out how to do a generic Splunk search, it is not going to work in my environment at all. They will wonder why this is not working. That is because the AI does not know our environment. It will be handy to have an AI assistant that knows our environment.

I have been using Splunk Cloud Platform for a year and a half.

It has been quite stable. The fact that we are on GCP has been causing some pain. That is the only thing.

That has been very nice. When we renewed our last contract, we had seen that our long-term storage or archive storage was not enough, so we had increased it. It is nice to have enough visibility. It tells you that you are getting close to over or you are over, so you can see where you are. The new improved monitoring console that just came out has more information in there for that. That to me is even more valuable, so I am happy to see the new console they have released.

For the most part, their technical support has been pretty handy. Sometimes you get someone a little bit newer, and they may ask some basic questions because they do not know our knowledge level. If we are putting a case in, we have already tested steps a, b, and c. We have already tested all those, and we already know. We would not put the case in otherwise. However, in some of the cases, you get in there, and they immediately bump it up to the next level. They can recognize and see quickly that it is a problem, and they are able to bump it up. I like the fact that they are able to do that somewhat quickly and escalate things a little faster than in the past when we were on-prem. With us being on Splunk Cloud, they are able to see the issues faster and verify them faster. I would rate their technical support an eight out of ten. They are doing pretty well.

When it comes to customer service, the only issue we have seen is that they changed the sales team three times in the last two years. That has been frustrating. I meet them all at Splunk conferences, and I feel like half the Splunk people there know who I am because they have been our support team for some reason or another. Their teams are great, but it takes time. There is a transition time for them to get everything moved from one person to another because they have to finish up the team that they were with while adding in the new team that they are moving to. I understand that it takes time, but it is getting frustrating on our side. They can give us at least a year before they switch the team again.

Positive

We had used Enterprise Security before, but one team was using Splunk core with their own built-up dashboards and other things. They were not using the Enterprise Security pieces and parts specific to that, so we decided to not use that temporarily, but it might return because whatever they have switched to is not particularly helpful. It is not as helpful as we were hoping.

We worked with a third-party provider. We were in a bit of a hurry to get it done. We were able to do it quickly. 

Because we were getting GCP, we were getting help from Google, and they ended up paying for the service provider who was helping us migrate. We paid for it upfront, but then Google paid it back to us as a part of the contract we had with them. The good news was that we were able to get it done quickly, but it was quite a rush to do that. It went fairly smoothly. There were a few blocks, but we were able to migrate.

It took us a full six months to move from on-prem to cloud. Moving the data took me a couple of days, but getting everything fully migrated and tested and making sure that all the teams were fully in there took a full six months, which for our company was pretty much lightning speed. It normally takes two to three years or something like that.

We had a Splunk partner called TekStream.

We are seeing cost efficiencies with the move from on-prem to the cloud. We found out how much on-prem was costing us. It is not just the cost of the storage or the hardware. There is also the cost of the time of those people who do the setups of all that. We definitely saved quite a bit of money.

We have greatly seen an ROI. We have been able to add more and more data that we were dropping before because we did not have the license. We started opening that up. We have some more events from Windows event logs and some more things related to the firewall. We do not have to drop all that. We can bring some of that in now.

We were on ingest. We were on-prem, and when we switched to the cloud, we went to an SVC model, and that has been a huge help. We are now able to ingest more data than before. I was known as Doctor No because I had to say no so many times because we were on an ingest model and we were maxed out. I am not that way anymore. A lot of times, our use cases are one-shot because security needs the data. With our SVC model, we do not worry about it as much. I know that it is saving us huge amounts of money because of the SVC model.

Unfortunately, we did not evaluate any other tools, and that was the issue. We were handed down a tool to use, and that is something that our team did not like, and we have made that very clear. That is why we say that Enterprise Security might come back. We will see.

End-to-end visibility is something that we are working on. I have talked with the Gigamon vendor. We have Gigamon to do packet captures, but we want the metadata from that to come into Splunk so that we have longer retention times at least on some of that metadata. We do not necessarily have the package, and that is okay, but we can at least see the trending of some of the things a little bit longer than we are currently. It gives more visibility to more teams. I have 350 users in my Splunk Cloud Platform. On the network side, we have the network teams with 20 to 30 people looking at things over there, so it gives visibility into more of the organization. That is one of the big benefits. We can see the network layer and then all the way up to the App layer. When we want to get the O11y suite, we already have AppDynamics. We will be integrating that pretty soon. It will probably be the next month when we get that integrated in. The other piece is going to be getting the network cleared up. We are also seeing issues with GCP with some applications that we have migrated there. We will be able to see whether it is a slowdown in the cloud provider or not. Having this visibility and the end-to-end data and being able to correlate it is pretty helpful.

Splunk's unified platform can help consolidate networking, security, and IT observability tools. That is what we are working towards, and that is exactly what we are hoping for. I am hoping to bring in ITSI and the O11y suite. We already have AppDynamics. We are going to be able to pull that in which will start helping with that full visibility, but to fully integrate that, I am going to bring the O11y suite as well because eventually, I see AppDynamics moving in that direction. 

I would rate Splunk Cloud Platform a nine out of ten because it is very good. It is pretty stable. 

We use Splunk Cloud Platform for data aggregation and correlation for centralized logging and monitoring.

Splunk Cloud Platform has helped our organization reduce risk and allow for threat investigation to catch potential malicious traffic before it causes damage.

The most valuable feature of Splunk Cloud Platform is the ability to correlate events together and combine the data into one event.

The benefits we saw from using Splunk Cloud Platform are the time to detect and the ability to investigate faster.

Our organization monitors multiple cloud environments. Splunk Cloud Platform's direct cloud connection capabilities make data transfer easy.

Splunk Cloud Platform's end-to-end visibility into your cloud-native environment is key for security posture.

Splunk Cloud Platform has helped reduce our mean time to resolve by a significant portion.

Splunk Cloud Platform has helped improve our organization’s business resilience.

We have seen time to value using Splunk Cloud Platform. We immediately saw time to value after implementing the solution.

The consolidation of tools gives one place to look for logs and events. I wish there were more ways to consolidate the consoles.

Splunk Cloud Platform is easy to use, and users can quickly understand and do pretty much anything that their minds can create.

Splunk Cloud Platform should have better integrations with its suite of tools. Splunk Cloud Platform should include a more seamless connection with ES.

I have been using Splunk Cloud Platform for eight years.

The solution provides good stability.

As long as you have money, scaling the solution is easy.

Our direct customer support team is very responsive. However, it's very hit or miss with Splunk tickets and trying to reach out. Most likely, we get escalated because they can't help us. It's very hard to work through issues that need to be resolved quickly via email. The conversations back and forth take a long time, and technical support takes a while to resolve urgent issues.

Neutral

The Splunk engagement in the deployment was helpful, but there were many issues after implementing everything. So, it was smooth but with many hiccups.

Splunk Cloud Platform is an expensive solution.

Overall, I rate the solution an eight out of ten.

We use Splunk Cloud Platform to ingest data from on-prem environments. Most people have Splunk Enterprise Security running on a server, but Splunk developed the Splunk Cloud Platform to ingest the data into the cloud. It works like Splunk Enterprise, but you must download apps to get some features. Our clients are mostly large enterprises in the financial industry. 

Splunk Cloud Platform improves our visibility and decision-making. Splunk helps us meet compliance standards. It's certified for multiple standards, such as PCI, GDPR, and HIPAA.

The Cloud Platform interface is cleaner than Splunk Enterprise's monitoring console. You can easily understand what's happening with your indexes. It's more refined than Splunk Enterprise's console, but they have the same feel and function. 

It's easy to monitor multiple cloud environments because you can create custom dashboards for any use case you may have. It offers good visibility because it integrates with the ITSI app, providing a clear overview of your environment. 

Integrating Splunk with other components on the cloud and network resources is effortless because it can collect data from various sources, including stored data from long-term storage.

Splunk's reporting offers a good visualization of your data. You can visualize the statistics based on your searches. It produces some helpful graphs that enable you to easily compare what's happening in your search. It's very comprehensive. 

The only disadvantage of Splunk Cloud compared to Splunk Enterprise Security is that you only have two options for long-term storage: AWS S3 Buckets and GCP.

We started using Splunk Cloud Platform in January 2024, so it has only been a few months. 

I rate Splunk Cloud 10 out of 10 for stability. Okay. Splunk is trying to push more people to the cloud, so they've made it really stable. 

I rate Splunk 10 out of 10 for scalability. Scalability depends on whether your on-prem deployment is stable and deployed properly, as the Splunk Cloud Platform is an extension of Splunk Enterprise Security. It's easy to build another use case. or add servers, so I feel it's highly scalable. 

I rate Splunk support nine out of 10. We provide frontline support to our clients, but we periodically pass them on to the vendor. 

Positive

We previously used IBM and Fortinet. We prefer Splunk because of its integration. You can integrate multiple solutions and customize it for your environment depending on your use case. 

Deploying Splunk Cloud Platform is pretty straightforward once you have the enterprise environment set up on-prem. You download the cloud app and extension. The deployment time depends on the size of your environment. It takes about a day for a small environment. A large-scale deployment can take up to a week if you have multiple tiers and a disaster-recovery site. 

After deployment, the product requires continuous engagement with the Splunk team. You must continue to fine-tune it to ensure everything runs smoothly. However, there isn't much maintenance once it is tuned and deployed properly. 

Splunk is a bit more expensive than some solutions, but customers can derive more value from it due to the features it has.

I rate Splunk Cloud Platform nine out of 10. I recommend ingesting data into the cloud if possible. Even if you have an on-prem environment, it still helps to ingest data into the cloud. 

We use the Splunk Cloud Platform for phishing correlations, sifting through data loss prevention information in P2, and threat reporting.

The Splunk Cloud Platform has improved our observability. We can see a lot more information both good and bad, but at least we have the information.

It is important that Splunk Cloud Platform has visibility into our cloud-native environments. It comes to observability. And with the visibility, we're able to link, especially with our cloud environment, with Azure the correlations for threat reporting, correlations for account breaches, and correlations for compromised data ex-filtration that's going in and out.

Splunk Cloud Platform has improved our mean time to resolution. It stepped down our investigation times. An investigation that used to take ten minutes is now down to five or six minutes per incident.

It offers real-time threat detection by continuously analyzing incoming logs and correlations. These trigger pre-defined alerts, and any suspicious activity will be reported within five or six minutes.

Splunk Cloud has saved costs through time savings. I can focus that time on other tasks improving productivity.

We saw time to value within the first month of implementing the Splunk Cloud Platform.

Splunk Unified Platform helps consolidate networking, security, and IT observability tools. We're primarily focusing on the security area and building out the correlations. We haven't moved to the infrastructure side yet. That is something we have on our company roadmap. 

The most valuable feature is the SPL because without it we wouldn't be able to correlate and build our use cases and manage what we have for our data inside Splunk.

The Splunk Cloud Platform deployment process could be improved to reduce the time required.

I have been using Splunk Cloud Platform for three years.

I have not experienced any downtime with the Splunk Cloud Platform.

Splunk Cloud Platform is highly scalable.

The customer support is quick and helpful.

Positive

We had an old SIEM through our MSSP Trustwave and through them, we migrated to Splunk.

We made the switch to Splunk because of the usability, and observability. We can build out the product a lot better. We're able to customize it and mold it to our environment.

The deployment took 30 days to complete.

Trustwave and Splunk helped us implement the Splunk Cloud Platform. I was highly satisfied with Trustwave. They were the ones that sold us on Splunk initially.

We have seen ROI through metrics, data points, observability, and time saved. The observability provides visibility into our environment, allowing us to see real-time events and threats in our network and act on them faster.

The pricing was negotiated through Trustwave and for our first contract in three years, we got a good deal.

I would rate the Splunk Cloud Platform ten out of ten. I'm satisfied with what Splunk offers and where it's going, I see the growth path and am happy with that. Splunk answered a lot of what I would like to see in the platform and shortly they will be implementing those things. The platform is stable, can be accessed from anywhere, is easy to use, provides the information we need, and is super powerful.