Splunk Cloud Platform Reviews

We use it for IT security and observability.

We did not have anything prior to this that could perform the same function. Previously, if we needed to trace a security event, we had to search across logs on multiple systems to figure it out. Since Splunk, we have got it all in one place, and we can dashboard that out and save searches.

It has reduced the time for root cause analysis. It gets us to the logs quicker, so it has reduced our mean time to resolve (MTTR). The time saved is entirely dependent on what the problem is, but it shaves a good hour or two off the initial investigation per incident.

It would improve our company's resilience if it was used effectively. It has helped the technology teams that do use it improve their business resiliency. It needs either evangelizing or being made more accessible to the front-end teams or departments that do not use it today. That is largely on us. We can do that in Splunk, but there is a never-ending list of things to do, and a part of that is building Splunk outs so that we can provide that centralized logging, and then give users access to it while maintaining the privacy of their data within our organization.

We have probably not seen any cost efficiencies. The benefit of any cloud platform such as Splunk, AWS, or Azure is that you do not have to look after it, but you pay a premium for that. For example, for VMware, you pay a premium for vCenter, vSphere, etc. You can do the exact same thing with OpenStack, but you need to hire five people to look after it versus two people for VMware. You pay for Splunk Cloud, but you run into other challenges. You do not own your data anymore because it is now stuck there, and you have to export to AWS, and then rehydrate into a different Splunk instance if you want to get access to it, or you pay through the nose for the data or retention history. It is horses for courses. 

Do you want to host it yourself and save money on the OpEx but spend more on headcount and CapEx, or give it Splunk Cloud and spend more CapEx, but save money on CapEx and headcount? I prefer to have it on-prem. I prefer to go down the CapEx and headcount route because it gives me more control over my data, and it gives me more flexibility of my data. It gives me easier access to troubleshooting when something is wrong. It gives me easier access to scaling when we are seeing performance issues. I can bulk my hardware. It does not lock me into Splunk Cloud Platform. I know that Victoria promises some improvements around that with being able to manage my own applications and being able to have auto-scaling on search heads, but I will believe that when I see it, and I have not seen that yet, so I would personally prefer to put money in somebody pocket and food on their table than to give money out to a cloud provider.

I do not really like it, but being able to correlate events across platforms in a single place is valuable. I can trace an event back to its root cause. I can find the root cause instead of just looking at the symptoms across different things.

Its stability and performance can be better. Very rarely does a day go by when we do not see an error in the console, such as a health check error. Because it is cloud-hosted, we do not have access to the backend to figure it out ourselves. We are reliant on their support to figure it out, and a couple of days later, the error comes back or it is a different error. It is a never-ending cycle of support tickets. Their support is also not great.

In terms of performance, we are on the classic version of Splunk. We are not yet on Victoria or the new version, so we do not get auto-scaling. Therefore, we are limited. 90% of the time, Splunk is not doing anything. It is just reading logs, and 10% of the time is when we need to use it, but when we actually need to use it, there are five or six different teams trying to use it at the same time, and there are speed issues with search.

I have been using this solution for about eight years.

I could not interact with them very much, but I have people who do. It is not often a pretty experience. From what I understand or from the complaints that I hear, you are often told that this is not a problem or you have done something wrong, and then magically, it manages to fix itself an hour later. 

Before Splunk, we used distributed instances of Elasticsearch, Logstash, Grafana, and Graphite. This was ten years ago. Splunk was in its early days. Everybody had heard of it, but it had not become apparent why people need something like Splunk, so people had been building their own little instances. A lot of that still exists today in the organization because of the Splunk pricing model, the performance issues that we have on Splunk Cloud, and the stability. People want access to their data, but they also want to own their data. They do not want it to go into the black hole that is Splunk Cloud, so they keep it on-premises. They keep it in their own systems, such as Elasticsearch or Logstash, mostly because they can maintain sovereignty over data.

When compared to not having anything, we have seen an ROI. If we were going into it today, and that today was ten years ago, I do not think I would be at this Splunk conference. I would probably be at an Elastic conference and an Open Compute conference.

The value is definitely there, but it needs more performance around it. It needs to be more responsive. The value is definitely there in terms of a centralized point of visibility, but this value is provided by Splunk, as well as all of its competitors. Splunk potentially suffers from the same problems as ServiceNow, which is, if you want to do something clever with your data, you need a Ph.D. in data sciences to figure out how it works. It is hard to put in front of end-users who do not necessarily want to do something clever with their data. They want to be able to link it to the tools that they are familiar with.

It is a touchy subject because we are locked into it. That goes back to the rehydrating data. We cannot have the retention that we want to store for legal and compliance purposes because that is seven years' worth of data for some of the indexes, so we ship them off into S3 buckets and install them there, at which point they are invisible to Splunk, so we have to rehydrate them, but we cannot rehydrate those pockets into Splunk Cloud. We have to rehydrate them into a self-hosted version of Splunk, which can take days to set up and get going. I would not call Splunk's licensing and pricing predatory, but they have made it very difficult to maintain the independence of your own data.

There are a few solutions out there that are similar to Splunk. You can get something similar with CloudWatch, BigQuery, Azure Monitor, and Azure Sentinel. In the cloud, Azure Monitor for the analytics platform and Azure Sentinel for the SIEM platform are the biggest competitors of Splunk. When you put dollars next to them, they all cost about the same at the end of the day. I probably would not trade Splunk for another cloud provider or another cloud-hosted solution.

We are heavily AWS compared to every other cloud. If that was not true and we were heavily Azure, I would probably move everything to Azure Monitor and Azure Sentinel to get that single ecosystem, but we are not going to live in that world. I also do not like AWS CloudWatch, so we are not doing that. On the cloud-hosted side of things, Splunk does not really have a competitor out there. Despite being very mature, Grafana is not as convenient as Splunk, but Splunk definitely has on-prem competition. Ten years ago, everybody was itching to get to the cloud. Everybody was pushing everything to AWS. It was like, "We have got to go to the cloud. We have got to be the first. We have got to be hybrid." Now, everyone is like, "I can do this cheaper in my own data center and have more control over it and not go offline every Friday when AWS East goes down." The competition for Splunk Cloud is with Splunk on-prem and probably Elastic on-prem, which is significantly cheaper and offers 99% of the same functionality.

In terms of Splunk's ability to predict, identify, and solve problems in real time, if this capability exists, I have not seen it.

We monitor multiple cloud environments with it. We also have the on-prem environment and a lot of SaaS providers. We are largely dependent on the people who are deploying to the cloud. They are configuring their services and their platforms to talk to Splunk. We provide Splunk as a centralized service, but it is largely up to them whether they consume it or not. Some departments are eager to get in there so they can get visibility. Some want to build their own little greenfield internally, and some have not reached the maturity of realizing why they want it.

I would rate it a six out of ten. We have frequently run into many performance problems with it. The search is slow. We cannot scale it. We cannot troubleshoot it. We cannot get access to some of the functionality that we wanted, which is changing because we are moving to the new version. We also want to be able to manage our own applications. We are just locked into this parted sandbox, and we send our data off to it, and all of a sudden, it is no longer our data because it is trapped in the Splunk cloud. If we wanna get it out, it is going to cost us money. Their support is also not great, but it does provide single-pane access to data from a whole bunch of different places.

We use it for security investigations and alerting.

The most valuable features are reliability and logging. It's in the cloud so it has more stability and easy maintenance. 

The support from the Splunk team is generally good, but sometimes, there's a lack of coordination between our account reps and the hands-on technical people. This misalignment can lead to issues with getting what we need done and what is happening.

I have been using it for about two years.

From what I've seen so far, stability has been great.

The actual technical reps we've had have been fair. I'd rate them a seven on a scale from one to ten.

Neutral

We previously used LogRhythm. We switched to Splunk. It was an on-prem setup, so it was tough to maintain. It wasn't very reliable, and we always had to deal with hardware issues.

I haven't been hands-on with the deployment, but Splunk's deployment has been smooth. We also have Enterprise Security, which has been a little more difficult.

We have not calculated in dollars, but it has definitely saved us time.

We evaluated other options. I wasn't directly involved in all the decision-making processes, but from a user standpoint, it was the cost and the future possibilities of adding SOAR that made Splunk Cloud Platform seem like the best option for us.

I would rate it an eight out of ten, mainly due to the difficulty we've had with the Enterprise Security side.

The Splunk Cloud platform is for anyone who wants to save money and doesn't want to manage an on-prem infrastructure. I like the Cloud platform because we don't have to handle any maintenance. Any server downtime, upgrades, or patches are no longer our responsibility, which is great. That's the biggest advantage of Splunk Cloud.

Before COVID-19, the Splunk Cloud platform was much more difficult to manage. I've heard it causes a lot of frustration. Thankfully, it's come a long way since then. Now, it's user-friendly and allows app and add-on installations without worrying about accidental breakdowns.

I wouldn't have released Splunk Cloud myself when they did but the shift to remote work during COVID-19 drove everyone to the cloud, making the Splunk Cloud platform a great solution. While the updates focus on features, patches, and maintenance, there's nothing about the Splunk Cloud platform itself that I love other than the fact that we can use it in the cloud without the hassle of any on-prem requirements.

The importance of having one cloud platform depends on an organization's data goals, but at the end of the day, we onboarded the data because it's important. So as long as we have a use case, it's high up there.

Splunk Cloud Platform has improved our mean time to resolve incidents 100 percent. The cloud eliminates the need for upgrades to multi-cluster environments and the risk of errors during configuration, which can cause major problems. While we are not responsible for any Cloud maintenance, Splunk's support is helpful for escalations. Their clear communication about maintenance minimizes the need for their involvement.

While I can't speak to personal cost savings, moving to Splunk Cloud likely saves on storage costs compared to on-premises setups. This is especially valuable because many organizations use Splunk alongside other security products for specific needs. However, some competitors offer better data storage and faster results as add-ons for Splunk. Overall, the biggest cost savings come from eliminating the need for in-house server maintenance, storage management, and future data migrations. This reduces headaches and frees up IT resources, even if the migration itself wasn't a major issue.

I like the idea of being able to list the IPs that we want without having to open up a ticket to get it done so that way if anything changes we can add a new IP. The platform itself is the most valuable because if we're using the product, we're paying a lot for it. So we're searching our data and doing the triage we need to with the events. In reality, our biggest benefit of the Splunk Cloud Platform is not having the hassle on-prem.

Splunk Cloud's SVC licensing model lacks transparency. Customers are unsure of how SVC consumption translates to costs, and there's no easy way to identify what's driving SVC usage within the platform. While some external applications provide limited insight, Splunk Cloud itself doesn't offer a clear view into SVC consumption. This lack of clarity makes it difficult to explain cost spikes to customers, as the cause could be anything within the platform.

I have been using the Splunk Cloud Platform for four years.

The Splunk Cloud Platform is stable.

I have some concerns about the SVC licensing model for deployments under 1 terabyte, and it's separate from Splunk Cloud. The bigger challenge customers face is managing the surge of data and historical information they ingest. This can lead to situations like an admin setting up numerous queries and then leaving, making users hesitant to disable them for fear of breaking something. While this can happen with any product with unchecked admin access, Splunk and Splunk Cloud themselves function as intended for large-scale environments. Ultimately, it's up to the customer to manage their Splunk instance effectively.

Many people complain about back-and-forth interactions with Splunk support. It feels like a repetitive loop of explaining the problem, being asked for information and questioning why it's needed. There's frustration on both sides: support needs details to diagnose the issue, while users might feel it's a simple problem and supplying extra information is unnecessary. This can be true for any customer support experience.

Splunk Cloud deployment complexity varies by use case. Starting fresh is simple: install, configure, and point data to the cloud. However, migrating from on-premises to the cloud with existing data can be complex. Deciding what data to migrate and the migration process itself adds significant challenges, although these are likely to become easier over time.

Splunk Cloud's value is clear: it eliminates maintenance headaches and simplifies connection, offering a hassle-free experience.

The lack of transparency around the SVC licensing makes it difficult to explain the costs to our clients.

I would rate the Splunk Cloud Platform nine out of ten. The rating is not because of customer service. I am strictly looking at the product. I've worked with it for seven years. I've been on over 70 engagements with other customers over those years, and I rarely find a use case that a customer can't solve when it comes to an architect-type scenario, which is great. It's the same thing for data. For the most part, if you know you have data and can get it written down to a file, you can adjust it, which is phenomenal. The on-prem infrastructure consists of only 12 CPUs and 12 RAM if it's hardware, and then you double it if it's virtual. Overall that's very inexpensive to stand up major components. I'm not including storage or any other sizing that can get more complicated. Overall, it doesn't ask much from actual servers if you want to host it on-prem. Even managing it yourself on-prem, is not terrible. The commands are still there, the resources are there to do it yourself. You have community groups out there that help you with questions. There are tons of providers out there that can get you from point A to point B. 

I have always used Splunk but I am open to learning Chronicle soon depending on industry trends. While I believe Splunk remains the top SIEM tool. According to Gartner, competitors like Azure and Oracle are emerging. However, I have not needed to look for other solutions.

We are onboarding everything on it. We have infrastructure, applications, and network-related things on it.

The availability has improved. There is the ease of upgrades. We are able to show value quicker with some of our add-ons and things like that because of the stability in the base.

It is extremely important to me that Splunk Cloud Platform has end-to-end visibility into our cloud-native environment.

Splunk Cloud Platform has definitely helped reduce our mean time to resolve. It is a little hard to measure. It has at least saved 3% of our time.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. There is ease on resources.

There is definitely the ease of the infrastructure administration. It frees up a lot of time.

I would love to be able to manage my own apps. 

I have been using Splunk Cloud Platform for two years.

Stability and scalability have been the main benefits of this solution.

We have had some confusion around some of our requests, but I understand. We have to work through and get proper responses.

Neutral

We were using on-prem Splunk.

There was a professional service involved. I came into the team right at the time of the cutover. They were pushed into the cloud because things had gotten so out of control on-prem, so we had to clean that up first, and then finish the migration. It was kind of bumpy, but we got through.

We are using AWS. It is managed by Splunk.

We had Aquila as our partner for help with implementation.

We are definitely starting to see an ROI. We have been focused on metrics because we are trying to get very comprehensive and overall monitoring of the environment both from the security standpoint and the infrastructure standpoint.

We have not yet seen any cost efficiencies by switching to Splunk Cloud Platform. We are still maturing it out.

As far as the pricing goes, it was what was expected. It is a premium product. There were no surprises there.

We did not evaluate other solutions. We have always been with Splunk.

We are not monitoring multiple cloud environments, but it seems it would be easy to monitor them.

Overall, I would rate Splunk Cloud Platform an eight out of ten. There is always room for improvement, but it has been good.

My manager typically requests dashboards, alerts, and scheduled reports. Based on their specific requirements, I create reports and dashboards that visualize the data. We leverage the Splunk Cloud Platform to fulfill these needs.

Additionally, my teammates may approach me for insights. I analyze the data and provide them with these insights, which they then use for team meetings and further data analysis. This ultimately helps them make informed decisions.

Splunk Cloud Platform improves our incident response time by enabling the retrieval of large data volumes. The platform offers impressive search speeds, and we don't need additional SQL commands to optimize response times.

We saw immediate benefits from the Splunk Cloud Platform. Being able to access and analyze logs provided valuable insights.

Splunk's impact on decision-making is significant. I have access to all the data I need, and it is always reliable.

Splunk Cloud Platform's search modes are a powerful feature. There are 3 main modes: Fast, Verbose, and Smart. These modes allow us to customize our search based on our needs, which can significantly improve our response time.

Splunk Cloud Platform's dashboard could benefit from some improvements. While it functions adequately, it appears very minimalistic. It's built using a simple XML format, and while newer dashboard options have been released, it still lacks the visual capabilities of tools like Power BI and Tableau. While I understand these are different platforms, having a more powerful dashboard option for the Splunk Cloud Platform would be valuable.

There is a lack of comprehensive learning materials offered by Splunk to prepare for their certifications.

Splunk uses SQL as its search language. One challenge I've encountered is with subsearches used in joins. These subsearches can only handle a maximum of 50,000 entries. If our data set is larger, we won't be able to join it using a subsearch. This limitation has been a significant obstacle for me. I've searched the Splunk community forums, and even reached out to my colleagues and seniors for a solution, but haven't found a definitive answer yet.

I have been using Splunk Cloud Platform for 2 years.

It is reliable. In my experience working with virtual machines, any search lags are likely due to the VMs themselves, not Splunk.

I would rate the stability 8 out of 10.

Splunk Cloud Platform is horizontal scaling. So it is easy to scale based on the data we are using.

I would rate the scalability of Splunk Cloud Platform 9 out of 10. 

Deploying Splunk Cloud Platform requires knowledge of the Splunk architecture, the deployment server, and the components.

We have seen a return on investment.

The certifications are costly.

I would rate Splunk Cloud Platform 8 out of 10.

The maintenance required is minimal.

The resilience of Splunk is good.

I recommend the product.

Splunk Cloud Platform is a powerful tool for handling big data. To get the most out of it, understanding both the developer and administrator sides is beneficial. The platform offers broad compatibility with various technologies and allows for easy scaling to accommodate your needs.

It's a better pricing model. The main aspect is that we don't have to manage our infrastructure. Since we migrated, we've found we don't have as many outages. 

This allows our admins to focus more on the day-to-day onboarding instead of wasting time dealing with outages.

Our organization monitors multiple cloud environments. We monitor AWS. We have other logging platforms that monitor our infrastructure as well.

It's very important for our organization that Splunk Cloud Platform has end-to-end visibility into our cloud-native provider environments. With the increasing changes in technology, being able to consistently get insights into those new data sources in a quick amount of time is everything.

Moreover, we have seen a reduction in our mean lead time to resolve (MTTR). Our enterprise has some of those dashboards for incidents. Splunk is mainly used to resolve those incidents and identify what's wrong. Over year over year, these times are lower. And Splunk has helped with that. There's other operational things that are probably helping too, Splunk plays a big part, so it is helpful.

I like the Splunk Monitor console. I like how Splunk continually updates it with new features. We don't have to do anything on our end, we just get access to that. 

Splunk has some good dashboards that show us search or user search activity. There are some things that could cause the environment to go awry, like skip searches or searches that are more intensive. 

By being able to identify those, we could reach out to those customers and work with them on improving their standard practice. Since moving to SaaS, we're able to focus more on that.

There's one specific use case I work with. I work with some Splunk experts, and it lacks workload management rules.

It can identify specific dashboards e.g., or all-time searches. When I try to track back to the user, I don't have additional information within those logs to help me know, "This is the dashboard this guy accessed."

Instead of relying on those particular workload management logs, I have to do an investigation that takes time. It takes too much time when it shouldn't.

It's only been a full year so far. We migrated recently.

Stability has been so far, so good. Data is growing, not just for us but for everyone. From what we've seen, it looks like it's handling it accordingly.

We frequently engage with support now since we have a lot of incidents. They consistently ask for feedback on our support cases. We recently had something that was very urgent. Splunk was able to escalate it accordingly and get back to us with a solution. It means a lot to my management.

We've been with Splunk for several years now.

For the cloud, the deployment is easy. 

We just have the standard. We download our packages, upload them via the cloud, upload our apps, and use the App Inspect. 

Before on-prem, we had some CI/CD pipelines to deploy on-prem. Those change calls lasted up to an hour and a half just to verify the change was successful and that everything was coming in as expected. 

Cloud is just uploaded and deployed in a matter of minutes. That's a big plus. It saves us time and a lot of hassle. 

We use our valuable time and do not waste effort. We just work on more important things like onboarding new data sources as log data continues to grow.

By being able to have more time to onboard data sources with customers, we provide our company more visibility and value into our entire environment.

I have no major gripes other than some detailed grievances, so I would rate it an eight out of ten. 

We use the solution for application status alerting, user activities, and active directories. We use the solution for visualization, alerting, and analyzing events or incidents.

The most valuable feature of Splunk Cloud Platform is the alerting feature.

Currently, Splunk Cloud Platform is very easy to use and read. The solution's visualization for the end users is also good. However, setting up the solution or an alert is not straightforward. There's a lot of incompatibility and areas that you have to consider while setting up the solution.

All those things make setting up the solution very complex for regular people who know the business operation. So, they have to hire a third party or a technical person who doesn't understand the business to set it up for them, which usually creates a gap.

When someone who cares about the business and understands its operation sets up the solution, they would set it right. There's always a gap when a technical person or third party sets it up. It may lead to many workarounds to fix issues like alert fatigue or false security. Splunk Cloud Platform needs to be made more user-friendly because it's not user-friendly.

I have been using Splunk Cloud Platform for four to five years.

Splunk Cloud Platform is pretty stable, and I don't have any issues.

Splunk Cloud Platform is a scalable solution.

I usually go to forums and discussions to get answers to my issues. You might need a Splunk account username to talk to technical support. When most users I have talked to face a problem, they Google it. I don't know if the technical support would provide you with support if you were stuck.

I have previously used different solutions like DataStage, Datadog, Grafana, and ClickView.

We evaluated other options before choosing the Splunk Cloud Platform. But when a company buys Splunk services, the end users have to use what they have as a resource.

Splunk Cloud Platform is a really good tool for getting alerts and better information about incident management and maintenance. Because of the solution's complex setup, most alerts are set by developers or people who create multiple unnecessary alerts, creating alert fatigue. Compared to other systems, like Dynatrace, Splunk Cloud Platform is not a smart system for analyzing alerts.

As a project manager, I oversee the process of contacting the concerned parties, knowing what needs to be monitored and why they need the alerting mechanism. I was not directly involved in the scripting and adding Splunk Cloud Platform in the back end.

As business requirements change, Splunk Cloud Platform needs maintenance in terms of setting up different parameters, which is not an easy task.

Everybody uses the Splunk Cloud Platform in a different way. I would advise users to share their experiences about technical difficulties in the forums and community. Sometimes, others might go through the same problem without much documentation, and sharing your technical problems might help others.

Overall, I rate Splunk Cloud Platform a seven out of ten.

We use Splunk Cloud Platform to monitor our environment.

Monitoring multiple cloud environments is made easy with the Splunk Cloud Platform due to its fast ingestion and data recovery times.

Splunk's visibility into multiple environments is excellent. I have found that a hybrid environment works the best, as the login portion remains on-premises while the rest is in the cloud. This reduces the maintenance required on-premises.

There are two types of integration. The first involves bringing something into Splunk, while the second entails moving something out of Splunk. Bringing data into Splunk is relatively straightforward, with multiple options such as RAS, SysLog, and Splunk's built-in functions. However, exporting data from Splunk is more challenging and not as straightforward as the process of bringing data into Splunk.

Splunk Cloud Platform has influenced our decision-making processes. Splunk is primarily employed for security purposes; thus, it excels particularly in SIM. It encompasses an asset and identity framework that effectively gathers information about an organization's assets and individual identities, encompassing all users. Therefore, when considering Unified Business and SIM, Splunk proves to be highly proficient. 

The cloud performance is good.

Not having to perform any maintenance because it is handled by Splunk saves our administrators time which is valuable.

Splunk should offer various options for real-time monitoring. If we could enhance the speed of data ingestion or data retrieval, that would be an added advantage. Additionally, there is room for improvement in SaaS-to-SaaS integration. I believe that reintroducing HTML dashboards would be beneficial, as they provide dedicated web features. This, in turn, gives users the flexibility and freedom to create custom dashboards more easily.

I have been using Splunk Cloud Platform for five years.

I would rate the stability of the Splunk Cloud Platform as an eight out of ten. We still encounter some lagging and errors, but not as much as with the on-premises deployment.

I occasionally get in touch with Splunk technical support, usually regarding data onboarding. These include routine activities like installing or uninstalling applications, as well as making changes to existing ones. On average, we submit at least one ticket per week to them.

Positive

I have used many tools including Elastic, Grafana, Tableau, and Sumo Logic.

Splunk is indeed superior in many cases, but other tools are also making progress to catch up, with Elastic being one of them. They have begun developing their own SIM offering, complete with its own SIM features. Similar to Splunk Cloud, Elastic also has its Elastic Cloud Stack. Some of the features provided by Elastic seem to outperform Splunk. Therefore, there is room for Splunk to enhance these aspects. As for pricing, it could be more competitive, considering that other tools also provide the freedom to choose the Cloud Stack. Although Splunk offers this flexibility, the process often involves extensive discussions, making it less adaptable compared to other tools.

The initial setup is somewhat complex regarding the CI/CD pipeline, and Splunk manages the deployment. Splunk provides a feature called ACS, which enables us to manage the deployment ourselves if desired, but it's simpler to have Splunk handle the deployment on our behalf.

The deployment took around one month and required ten people from Splunk's DevOps team.

The implementation was completed by Splunk.

The pricing is high for small organizations. The cost makes more sense for organizations that have a large amount of data ranges.

I would rate Splunk Cloud Platform an eight out of ten.

There are numerous tools that offer real-time reporting and alerting capabilities. Splunk is indeed effective, but due to the prerequisite of registering logs beforehand, a delay is inevitably introduced. Therefore, while Splunk is suitable for real-time reporting alerts, it may not be as optimal as some alternative solutions.

Resilience has added value and contributed to the improvement of our organization. This is highly significant. In most cases, the SOC team relies on the tool for issue mitigation and ticket resolution. Therefore, it is crucial for Splunk to remain consistently up-to-date and respond as quickly as possible. This holds immense importance.

The extensibility is good, but there is room for improvement, especially in integrating certain logs. Enhancing the process of incorporating raised logs is possible. In most cases now there are limitations on log creation. Previously, a direct option existed to import logs. However, this process has been altered, requiring users to develop an add-on for log integration, leading to increased complexity. Furthermore, users are expected to have knowledge of Python. This can be problematic in cases where users lack such expertise. Therefore, this aspect could certainly be enhanced.

For those who want to evaluate Splunk, it comes down to the volume of data. If they are dealing with a substantial amount of data flowing into their SIM, Splunk would be the superior option. Splunk effectively manages extensive datasets in comparison to other technologies. It also offers numerous additional functionalities, such as an enterprise security suite, assets, and identity framework. Moreover, it has undergone industry testing and has been employed in the field for a considerable duration. In contrast to other organizations, they provide a wealth of features.