security engineer at a tech vendor with 501-1,000 employees
Real User
Top 20
Apr 14, 2026
Security monitoring has become proactive and real-time investigation detects threats faster
Pros and Cons
  • "Before using Splunk Enterprise Platform, I used LogRhythm, but after initiating Splunk Enterprise Platform, I noticed several positive impacts in my organization."
  • "For Splunk Enterprise Platform improvement, I think it would be beneficial to focus on particular areas such as system performance, cost management, and detection accuracy."

What is our primary use case?

I am not currently using Splunk Enterprise Platform, but in my previous company, PwC, I used Splunk for almost six months, and before that company, I had a total exposure of almost three years to Splunk Enterprise Platform. My main use case for Splunk Enterprise Platform was detection and investigation.

Ingesting massive amounts of machine-generated data and running real-time searches to identify patterns, anomalies, or threats related to specific security issues was how I used Splunk Enterprise Platform for detection and investigation. The most significant aspect, if I must prioritize, is the data ingestion capability. Splunk Enterprise Platform usually collects authentication logs from various sources such as Windows event logs and SSH, which relates to Linux logs, and some web application-based logs as well. Apart from that, I use it for detection logic. The main search I use is Search Processing Language, based upon the queries I provide related to the machines I monitor.

Mostly for brute-force detection, I use it for monitoring multiple failed login attempts from a single source or multiple IP sources followed by a successful login, which often indicates a compromised account. I also use it for lateral movement and privilege escalations. For privilege escalations, it involves detecting when a normal user is added to a high-privilege group, such as Domain Admins. Additionally, I have capabilities related to IT operations, which involve web traffic analysis, mostly identifying slow-loading web pages or sudden spikes, errors such as 404 or 403 Forbidden, or even 500 errors.

What is most valuable?

The best features in Splunk Enterprise Platform are the Search Processing Language, which includes pipe syntax, and real-time alerting and dashboards. The dashboard is an interactive tool, and I use it for visualizations such as heat maps, graphs, and glass tables. The dashboards I use depend upon the widgets that are most helpful to track and monitor. I can also set some thresholds to trigger real-time values based upon the log information available in Splunk Enterprise Platform, which can be useful for the remediation of scripts.

When a specific condition is met, such as any brute-force attack happening, it is easy to investigate the alert, particularly in Splunk Enterprise Platform. Integration is a notable aspect of the features in Splunk Enterprise Platform.

Before using Splunk Enterprise Platform, I used LogRhythm, but after initiating Splunk Enterprise Platform, I noticed several positive impacts in my organization.

What needs improvement?

For Splunk Enterprise Platform improvement, I think it would be beneficial to focus on particular areas such as system performance, cost management, and detection accuracy. Based upon system performance, I generally look into errors, status errors, or forbidden errors. I could also build some pre-indexed summaries so that Splunk Enterprise Platform can search much faster than raw logs.

For how long have I used the solution?

In my current field, I have worked for around six years, and at my current company, I have been working for the last three years.
Buyer's Guide
Splunk Enterprise Platform
April 2026
Learn what your peers think about Splunk Enterprise Platform. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
894,738 professionals have used our research since 2012.

What do I think about the stability of the solution?

There is no proper downtime for Splunk Enterprise Platform; whatever downtime occurs, the IT team handles it. There is no significant downtime to report.

What do I think about the scalability of the solution?

It is easy to differentiate the type of logs based on Splunk Enterprise Platform. If it is a phishing email, I can easily identify what kind of phishing alert it is. If it is a brute-force attack or something such as password spraying, it is easy to identify in Splunk Enterprise Platform.

How are customer service and support?

I usually reach out to customer support for Splunk Enterprise Platform whenever I need specific data. I contact the technical support team immediately, and on a priority basis, I receive a resolution. If not, I raise a ticket so that I can get a proper solution for the issues I am facing.

How was the initial setup?

My experience with pricing, setup cost, and licensing has been notable.

What was our ROI?

I have seen a return on investment from using Splunk Enterprise Platform, illustrated by tracking how the daily data volume has been indexed, the estimated cost, the monthly actual report, and the annual report. Biquarterly and mid-year reports can be easily tracked in Splunk Enterprise Platform.

Which other solutions did I evaluate?

I do have other options such as Datadog for one, and Microsoft Sentinel, Azure Sentinel. In my current company, I am using Datadog currently as a SIEM tool.

What other advice do I have?

Splunk Enterprise Platform is deployed on-premises in my organization. I rate this product an overall 8 out of 10.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 14, 2026
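
The brute-force pattern this review describes (multiple failed logins for one account, from a single or several source IPs, followed by a successful login) is a sliding-window correlation. The Python below is an added example, not the reviewer's SPL or Splunk's own code; the log lines are constructed, and the function name, the threshold of 5 failures and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd-style messages with ISO timestamps (not real logs).
SAMPLE_LOG = """\
2026-04-14T09:00:00Z gw sshd[300]: Failed password for carol from 192.0.2.44 port 50001 ssh2
2026-04-14T09:10:00Z gw sshd[301]: Failed password for carol from 192.0.2.44 port 50002 ssh2
2026-04-14T09:20:00Z gw sshd[302]: Failed password for carol from 192.0.2.44 port 50003 ssh2
2026-04-14T09:30:00Z gw sshd[303]: Failed password for carol from 192.0.2.44 port 50004 ssh2
2026-04-14T09:40:00Z gw sshd[304]: Failed password for carol from 192.0.2.44 port 50005 ssh2
2026-04-14T09:45:00Z gw sshd[305]: Accepted password for carol from 192.0.2.44 port 50006 ssh2
2026-04-14T10:00:01Z gw sshd[311]: Failed password for alice from 203.0.113.5 port 40112 ssh2
2026-04-14T10:00:04Z gw sshd[312]: Failed password for alice from 203.0.113.5 port 40113 ssh2
2026-04-14T10:00:09Z gw sshd[313]: Failed password for alice from 198.51.100.7 port 51200 ssh2
2026-04-14T10:00:15Z gw sshd[314]: Failed password for alice from 198.51.100.7 port 51201 ssh2
2026-04-14T10:00:21Z gw sshd[315]: Failed password for alice from 203.0.113.5 port 40114 ssh2
2026-04-14T10:00:40Z gw sshd[316]: Failed password for invalid user admin from 203.0.113.5 port 40115 ssh2
2026-04-14T10:01:02Z gw sshd[317]: Accepted password for alice from 198.51.100.7 port 51202 ssh2
2026-04-14T10:05:00Z gw sshd[320]: Failed password for bob from 192.0.2.10 port 43000 ssh2
2026-04-14T10:05:10Z gw sshd[321]: Failed password for bob from 192.0.2.10 port 43001 ssh2
2026-04-14T10:05:20Z gw sshd[322]: Accepted password for bob from 192.0.2.10 port 43002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, source_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when an account logs in successfully after >= threshold failures
    inside the window. Failures are keyed by account, not by source IP, so
    attempts spread over several IPs still count together.
    Assumes the lines arrive in time order."""
    failures = defaultdict(deque)  # user -> deque of (timestamp, source_ip)
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, src = event
        recent = failures[user]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if result == "Failed":
            recent.append((ts, src))
            continue
        # Successful login: decide, then reset the account's failure history.
        if len(recent) >= threshold:
            alerts.append({
                "user": user,
                "time": ts.isoformat(),
                "failures": len(recent),
                "failure_sources": sorted({ip for _, ip in recent}),
                "success_source": src,
            })
        recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, carol's five failures are spread over 40 minutes and bob has only two, so only alice's login raises an alert.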
Mohamed Fouad - PeerSpot reviewer
Cybersecurity Team Leader at EMAK For Computer Manufacturing (ECM)
Real User
Top 5 Leaderboard
Mar 18, 2026
Comprehensive correlation and automation have improved incident detection and reduced phishing
Pros and Cons
  • "The best features I value about Splunk Enterprise Platform include a great correlation rule that allows me to edit and generate alerts based on any event in an easy and fast way."
  • "We have Splunk at a very high cost, but I can say that other vendors working with mid-size customers can compete against Splunk."

What is our primary use case?

Splunk Enterprise Platform serves as our SIEM solution from Splunk, which is a market leader. It is a SIEM solution for log management and correlations. We have multiple logs from most of our infrastructure tools and security products. We obtain these rules and logs through many protocols including syslog and API. We then normalize and correlate this data and create incidents based on the activity running on our infrastructure.

What is most valuable?

I appreciate the API, the protocols, and the workflows as it functions as a SIEM solution. The main function is correlation.

The best features I value about Splunk Enterprise Platform include a great correlation rule that allows me to edit and generate alerts based on any event in an easy and fast way. I can accomplish this in a short period of time, and afterward, I can see incidents based on the correlation rule in a very professional and effective way.

I value the incident management and the correlations.

Splunk Enterprise Platform helps in detecting anomalies and preventing outages. The main core function for any SIEM is to have correlation. For example, if you receive user activity on a VPN logging in from Egypt, then after a while you receive logs from the firewall showing the same user logging in with a VPN from Ukraine, it is not logical that the user would move from Egypt to Ukraine in just five minutes. Splunk Enterprise Platform will create an incident and detect this as a credential compromise because we have a successful login from another location. This is the magic of correlation. We receive many events, we correlate these events, and then we can create an incident. After that, we have Splunk SOAR to take actions in an automation process to stop this incident without any management or any actions from the team.

The end-user experience is enhanced by the security product, as we have a return on investment on lower security incidents. After we implemented it with the SOC and Splunk SOAR, we can stop phishing and spam. The end-user experience will not see many phishing domains; they will be reduced. Security incidents will be reduced. Network performance will be very good after we implement it because we can detect who is scanning our network and creating a bottleneck on the network. We can stop and detect this with Splunk, whether it is SIEM from Splunk or SIEM with SOAR.

What needs improvement?

I use the machine learning toolkit with Splunk Enterprise Platform. The machine learning is very good on Splunk, but it sometimes makes searching for events become slow, so we have stopped using it. I think this needs improvement on Splunk.

The machine learning has room for improvement.

I think threat management needs improvement when compared to other vendors.

I compare Splunk Enterprise Platform with other solutions and vendors and see a very good point on pricing. We have Splunk at a very high cost, but I can say that other vendors working with mid-size customers can compete against Splunk. However, compared to Splunk, it is very expensive compared to other vendors. I think after the acquisition from Cisco, we can get discounts for licensing, and I believe Cisco will reconsider the pricing for Splunk Enterprise Platform.

I would prefer to see improved pricing for Splunk Enterprise Platform.

My thoughts on the pricing are that it is not cheap.

I have thoughts on the advanced threat detection, and I see that it is integrating with threat intelligence, and I believe this needs improvement.

For how long have I used the solution?

I have been using this solution for about two years. We have deployed many services from Splunk here in Egypt. Most of it is a SIEM solution from Splunk. We also have SOAR from Splunk, and we are running it on the largest bank here in Egypt. Most of the portfolio from Splunk that I have worked with was over approximately two years.

What do I think about the scalability of the solution?

Regarding scalability, Splunk Enterprise Platform, like any SIEM solution, provides scalability. Whenever we receive more logs, we can easily scale. I rate this aspect as a ten.

How are customer service and support?

I rate the technical support as very good.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was not easy, nor was it complex. It requires a professional and certified engineer to deploy the product, as many SIEM solutions do. One cannot easily deploy a SIEM solution. You have to work on correlations and personalize the dashboard. There is a lot of configuration for any SIEM solution, not only Splunk Enterprise Platform.

What other advice do I have?

I would advise others looking to implement this product to totally recommend it. I recommend this both before and after the acquisition. I totally recommend acquiring Splunk Enterprise Platform portfolio, whether it is Splunk SOAR, Splunk Cloud, or Splunk Enterprise Platform. I rate this solution a ten overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 18, 2026
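
The Egypt-to-Ukraine correlation this review describes is usually implemented as an "impossible travel" rule: compare each successful login with the same user's previous one and flag the pair when the implied speed is not physically plausible. The Python below is an added example, not Splunk's correlation rule or the reviewer's configuration; the events are constructed, geo-IP enrichment is assumed to have happened upstream, and the field names, the 900 km/h speed limit and the 500 km minimum distance are assumptions.

```python
import json
import math
from datetime import datetime

# Constructed, already-normalized login events from two sensors (not real logs).
SAMPLE_EVENTS = """\
{"ts": "2026-03-18T06:00:00Z", "user": "karim", "sensor": "vpn", "outcome": "success", "country": "EG", "lat": 30.04, "lon": 31.24}
{"ts": "2026-03-18T08:00:00Z", "user": "amira", "sensor": "vpn", "outcome": "success", "country": "EG", "lat": 30.04, "lon": 31.24}
{"ts": "2026-03-18T08:03:00Z", "user": "amira", "sensor": "firewall", "outcome": "failure", "country": "UA", "lat": 50.45, "lon": 30.52}
{"ts": "2026-03-18T08:05:00Z", "user": "amira", "sensor": "firewall", "outcome": "success", "country": "UA", "lat": 50.45, "lon": 30.52}
{"ts": "2026-03-18T09:00:00Z", "user": "salma", "sensor": "vpn", "outcome": "success", "country": "EG", "lat": 30.04, "lon": 31.24}
{"ts": "2026-03-18T09:02:00Z", "user": "salma", "sensor": "vpn", "outcome": "success", "country": "EG", "lat": 31.20, "lon": 29.92}
{"ts": "2026-03-18T12:00:00Z", "user": "karim", "sensor": "vpn", "outcome": "success", "country": "UA", "lat": 50.45, "lon": 30.52}
"""

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(lines, max_kmh=900.0, min_km=500.0):
    """Flag consecutive successful logins by one user whose implied speed
    exceeds max_kmh. Pairs closer than min_km are ignored, because geo-IP
    results for the same user often jump between nearby cities."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_success = {}  # user -> (timestamp, event)
    incidents = []
    for ev in events:
        if ev["outcome"] != "success":
            continue  # failed attempts prove nothing about where the user is
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_success.get(ev["user"])
        last_success[ev["user"]] = (ts, ev)
        if prev is None:
            continue
        prev_ts, prev_ev = prev
        km = haversine_km(prev_ev["lat"], prev_ev["lon"], ev["lat"], ev["lon"])
        if km < min_km:
            continue
        hours = (ts - prev_ts).total_seconds() / 3600.0
        if hours <= 0 or km / hours > max_kmh:
            incidents.append({
                "user": ev["user"],
                "from": prev_ev["country"],
                "to": ev["country"],
                "km": round(km),
                "minutes": (ts - prev_ts).total_seconds() / 60.0,
                "sensors": [prev_ev["sensor"], ev["sensor"]],
            })
    return incidents


if __name__ == "__main__":
    for incident in detect_impossible_travel(SAMPLE_EVENTS.splitlines()):
        print(incident)
```

Only amira's pair is flagged: karim covers the same distance in six hours, which a flight explains, and salma's two logins are under the minimum distance.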
Software Engineer & Observability Admin at ProminentPixel
Real User
Top 5
Apr 24, 2026
Log monitoring has transformed operations and now supports real-time threat detection
Pros and Cons
  • "Overall, it is a great tool for security analysis and log monitoring, and it is one of the best tools we have been using."
  • "The number one area for improvement is cost; it is not cost-efficient for small organizations."

What is our primary use case?

I use Splunk Enterprise Platform and Splunk Cloud for our Splunk solutions. I work with Splunk Enterprise Platform for the Enterprise, not with Enterprise Security.

I use Splunk Enterprise Platform for monitoring systems, analyzing logs, and building dashboards that support our operations, visibility, and business insights. I perform log analysis, create dashboards, and set up alerts using SPL. We query large volumes of logs, identify patterns, and troubleshoot issues.

I definitely use Splunk Enterprise Platform's machine learning toolkit. It helps us with predictive analytics in our organization. I have set alerts for daily ingestion using the Machine Learning toolkit in Splunk Enterprise Platform directly. I use SPL commands such as fit, apply, and score for regression and classification analysis, including yes or no category alerts. I mainly use it for anomaly detection in our company.

It is very efficient for us in assessing the effectiveness of Splunk Enterprise Platform in detecting anomalies and preventing system outages. I also set alerts for daily ingestion. Overall, it is a great tool for security analysis and log monitoring, and it is one of the best tools we have been using.

I have a custom add-on for forwarder management. Instead of having different instances, I made a different app for forwarder management. Anything that happens to that forwarder, I can see using that particular app and add-on SPL. That is how it helps us. I have many different custom add-ons for Splunk Enterprise Platform, and I have directly published them in Splunkbase. Even if our new employees need to see and debug what is the problem in our forwarder, that is how Splunk Enterprise Platform custom add-ons work for us.

I definitely leverage Splunk Enterprise Platform for advanced threat detection. It integrates with our existing security tools by aggregating logs from multiple sources such as servers, applications, and network devices. It makes it easier to correlate events and identify suspicious patterns that would not be visible in isolated systems. I use real-time alerts for suspicious activities. I have also set alerts in our organization for users; if multiple failed login attempts occur, then we get an alert. I monitor security events in real-time through dashboards.

What is most valuable?

The number one valuable feature is its powerful search capabilities in Splunk Enterprise Platform. Using SPL, we can fire a query and get so many results from that. The number two is its dashboard; we have built dashboards and alerts for different use cases. We use dashboards for visualization, which is also one of the best features. It is integrated with other tools; we have our custom add-ons there. It integrates with other tools as well. Additionally, it handles large volumes of machine data well, as we ingest daily TBs of data in Splunk Enterprise Platform.

In terms of improving data interpretation, it shows only the most relevant information for a specific user or role. Instead of going through large volumes of raw logs, we can directly see key metrics and alerts that matter to us. In our use case, we have set a system health and error rate, which we can directly see on our personalized dashboard. It makes our data more actionable, improves our efficiency, and allows both our technical and non-technical users to interpret insights without deep querying knowledge.

What needs improvement?

The number one area for improvement is cost; it is not cost-efficient for small organizations. Better cost management should be the first priority. Performance optimization is also important. Large queries or poorly optimized searches can sometimes slow down our results. Better recommendations or automation for query tuning would help us. It would be better if this is added in the near future versions.

For how long have I used the solution?

I have been using Splunk Enterprise Platform for a year.

What do I think about the stability of the solution?

It is super stable, which is why we use it. It is one of the best tools.

What do I think about the scalability of the solution?

It is super scalable for us; I would rate it eight out of ten regarding scalability.

How are customer service and support?

It is superb because whenever we raise a support case, they answer us instantly. Customer service is also good.

How was the initial setup?

It was straightforward for the initial setup.

What about the implementation team?

We have Splunk dedicated employees here who have trained in Splunk Enterprise Platform. It was installed directly by our own employees.

What was our ROI?

We definitely have approximately thirty to forty percent ROI from Splunk Enterprise Platform.

Which other solutions did I evaluate?

We have directly integrated to Splunk Enterprise Platform because we have become Splunk partners.

What other advice do I have?

This is my first time, so I do not know much about this platform. We have our custom application, and we can directly use that to enhance end-user experience. My piece of advice will be if you are looking for a SIEM tool to monitor and have personalized dashboards, then Splunk Enterprise Platform is definitely for you. If your team has the budget and your company has budget, then you should definitely move to Splunk Enterprise Platform. I would rate this product a nine out of ten overall.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Apr 24, 2026
reviewer2830626 - PeerSpot reviewer
Dev Ops And Observability Admin at a tech services company with 11-50 employees
Real User
Top 5
Apr 27, 2026
Log analytics has improved monitoring and currently powers flexible dashboards and alerts
Pros and Cons
  • "Splunk Enterprise Platform is very efficient for us."
  • "The cost increases significantly as data volume grows. We ingest terabytes of data, so I can say Splunk Enterprise Platform is somewhat costly."

What is our primary use case?

I work in the data and analytics space where I deal with large data sets and system-generated logs. I use Splunk Enterprise Platform for monitoring systems. I analyze logs and create dashboards that help our technical teams.

Splunk Enterprise Platform is very efficient for us. We monitor logs and troubleshoot our issues, then create dashboards for tracking system performance. We bring in logs from different systems like Windows Event logs and AWS logs, so it is highly efficient for us. It is one of the best SIEM tools.

We use the Machine Learning Toolkit.

What is most valuable?

I love its search capabilities. It has a very strong search functionality using SPL. The dashboards are very flexible and easy to customize. One of the best features is how it can handle large-scale machine data efficiently.

What needs improvement?

The cost is definitely an area for improvement. The cost increases significantly as data volume grows. We ingest terabytes of data, so I can say Splunk Enterprise Platform is somewhat costly. Poorly written queries can impact our performance, so there should be suggestions provided to write queries in SPL.

As Splunk partners, as our data volume grows, our cost also increases significantly. From a pricing perspective, Splunk Enterprise Platform is somewhat costly for us.

For how long have I used the solution?

I have been working with this solution for the past one year.

What do I think about the stability of the solution?

We have experienced no stability issues. It is highly stable and scalable for us. We are increasing our team vertically and horizontally dedicated to Splunk Enterprise Platform.

What do I think about the scalability of the solution?

We have experienced no scalability issues. It is highly stable and scalable for us. We are increasing our team vertically and horizontally dedicated to Splunk Enterprise Platform.

How are customer service and support?

During an upgrade we were having some issues, but after some time, they resolved our issue and we were satisfied with that.

I would rate their customer service nine out of ten because our issues were solved quickly after two to three hours.

Which solution did I use previously and why did I switch?

We directly became Splunk partners. When I joined this firm, I directly used Splunk Enterprise Platform.

How was the initial setup?

We had training sessions for the onboarding process. Since I come from an observability and SIEM background, it was quite easy for me to integrate Splunk Enterprise Platform.

What about the implementation team?

We had training sessions for the onboarding process. Since I come from an observability and SIEM background, it was quite easy for me to integrate Splunk Enterprise Platform.

What's my experience with pricing, setup cost, and licensing?

The cost is a concern. The cost increases significantly as data volume grows. We ingest terabytes of data, so I can say Splunk Enterprise Platform is somewhat costly.

What other advice do I have?

We have an add-on of the Universal Forwarder that helps us check whether our forwarder server is down or not. We have our custom add-ons that are definitely helping us and easing our work.

We use alerts about licensing every day. We have set an alert that triggers if our daily license exceeds 500 GB. We came to know that our licensing limit has been reached, so we had to remove unnecessary data. That's how we use that feature.

We have just integrated Splunk Enterprise Platform with Amazon Web Services. It integrates well without any issue.

It helps with suggestions about regression and has pre-built functions and algorithms to build with. I would rate my overall experience with this solution nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Apr 27, 2026
Consultant at Artifield
Real User
Top 5
Apr 22, 2025
Citizen programming facilitates efficient threat detection and enhances business logic
Pros and Cons
  • "Overall, I rate Splunk Enterprise Platform ten out of ten."
  • "Splunk could improve by enhancing its graphical view functionality. Compared to other BI tools, Splunk's graphic features are limited; customers desire detailed, rich visual effects, like world maps showing threat attacks as animations."

What is our primary use case?

I focus on threat detection against stock trading systems. I am in charge of five to seven stock trading companies' B2C systems for detecting threat attacks. Our customers include several stock trading companies, banks and large mobile carriers in Japan.

How has it helped my organization?

We built a threat detection system for our client company, one of the biggest security companies in Japan, using Splunk Enterprise Platform. We started a new business on this platform to provide threat detection systems to stock trading system companies and banks, expanding our customer base.

What is most valuable?

One valuable feature of Splunk Enterprise Platform is citizen programming, which allows users to manage and compute huge stream-based datasets easily using SPL language. The second feature is its ability to perform matrix-like stream calculations concurrently, improving upon traditional SIEM tools. Finally, Splunk's Machine Learning Toolkit is offered without charge, allowing users to incorporate machine learning in their business logic, aiding in procedures like threat hunting.

What needs improvement?

Splunk could improve by enhancing its graphical view functionality. Compared to other BI tools, Splunk's graphic features are limited; some customers desire detailed, rich visual effects, like world maps showing threat attacks as animations. Additionally, the deep learning capabilities need enhancing, especially on Splunk Cloud, where customers find it challenging to use deep learning tools without setting up backend computing resources.

For how long have I used the solution?

I have over 14 years of experience with Splunk Enterprise Platform, beginning my first evaluation in 2011.

What do I think about the stability of the solution?

I would rate the stability of Splunk Enterprise Platform as a seven. While it requires managing configuration files and processing scale-out operations manually, limiting its auto-scaling capabilities, it still performs adequately.

What do I think about the scalability of the solution?

I rate the scalability of Splunk Enterprise Platform as an eight. Some products can automatically scale, but Splunk Enterprise requires manual configuration changes to achieve scale, which is slightly outdated compared to modern technologies.

How are customer service and support?

I rate Splunk Japan's customer service as an eight. Although I generally provide support myself and do not often rely on Splunk support, this rating reflects general consultant feedback.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used Elasticsearch and Kibana, but switched to Splunk for ease of use and to define business entities such as branches, channels, and stock accounts.

How was the initial setup?

Standalone Installation was very easy. Designing and capacity planning for a distributed cluster environment was not easy.

What about the implementation team?

I am a Splunk consultant and implement customer solutions myself.

What's my experience with pricing, setup cost, and licensing?

I rate the pricing of Splunk as nine out of ten. The pricing model is based on ingesting data sizes, not user count, and includes a free tier for up to 500 MB of daily data, differentiating it from user-based pricing BI-tools.

Which other solutions did I evaluate?

I evaluated ArcSight and ManageEngine and made our selection.

After using Splunk for several years, I conducted further evaluations, but our selection remained unchanged.

Datadog was ideal for bug traceback during APM operations.

Exabeam was ideal for use case-centric threat detection.

What other advice do I have?

Overall, I rate Splunk Enterprise Platform ten out of ten. I am dissatisfied with Splunk’s graphics view and deep learning capabilities; they could be better, especially on Splunk Cloud. While I was able to enhance the platform using technologies like JavaScript, most of my clients struggle. However, it will be sufficient for the next few years with its strong Machine Learning capability.

Also, it would be preferable for Splunk SOAR to include sequential Splunk task execution and MCP/A2A support features.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
UzairKhan - PeerSpot reviewer
Business General Manager at Mutex Systems
Reseller
Top 5
May 9, 2025
Delivers financial benefits and operational efficiency with impactful data analytics capabilities
Pros and Cons
  • "Splunk Enterprise enhances data analytics with its AI capabilities."

    What is our primary use case?

    The use cases for Splunk Enterprise Platform vary depending on the specific scenario.

    Splunk Enterprise Platform has different purposes, including data visualization and other applications.

    What is most valuable?

    In Splunk Enterprise Platform, the most impactful features for data analytics allow you to get into the repository.

    There are financial benefits from using Splunk Enterprise Platform, and as a retailer, it provides better profit margins.

    Splunk Enterprise enhances data analytics with its AI capabilities.

    What needs improvement?

    For future updates of Splunk Enterprise Platform, I would like to see integration by GUI.

    The integration should be improved with the UI.

    For how long have I used the solution?

    I have been using Splunk Enterprise Platform for about two years.

    What was my experience with deployment of the solution?

    There are no significant challenges in deploying Splunk Enterprise Platform.

    The challenges or pain points others should anticipate before implementing Splunk Enterprise Platform are mostly related to the integration part.

    How was the initial setup?

    The time it takes to deploy Splunk Enterprise Platform depends on the use cases.

    It may take anywhere from a couple of hours to a couple of weeks for Splunk Enterprise Platform deployment.

    What about the implementation team?

    The same three people take part in the deployment of Splunk Enterprise Platform.

    I do not take part in the deployment; my team does.

    What other advice do I have?

    My advice for those looking to implement Splunk Enterprise Platform is to know the product well and have hands-on workshops or create a lab to gain complete knowledge before proceeding.

    Regarding maintenance, it does not require much as it is on-premises.

    Overall, I would rate Splunk Enterprise Platform an eight.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
    Raymond De Rooij - PeerSpot reviewer
    Product Owner at ABN AMRO Bank N.V.
    Real User
    Top 5 Leaderboard
    May 28, 2024
    Enables us to create dashboards and do analysis but has limitations
    Pros and Cons
      • "Splunk can be used primarily to port log files, allowing for easy and quick management of large amounts of logs. However, this can also be a drawback due to the configuration, parsing, and dashboard creation limitations. Communication is stream-based, which means you need to do a lot of pre-emptive setup to get a nice export."

      What is our primary use case?

      We use Splunk to create dashboards and do analysis.

      What is most valuable?


      What needs improvement?

      Splunk can be used primarily to port log files, allowing for easy and quick management of large amounts of logs. However, this can also be a drawback due to the configuration, parsing, and dashboard creation limitations. Communication is stream-based, which means you need to do a lot of pre-emptive setup to get a nice export. Another issue with Splunk is its streamlined nature; it reruns the query whenever you refresh a dashboard. This becomes problematic if you have a large volume of log files, as it can be slow, resource-intensive, and require significant storage space.

      It is designed to process and analyze log files. You feed log files into the platform, automatically extracting different fields. This allows you to filter and manipulate the data in a stream-based manner. Essentially, you pass a log file through various filters sequentially, enhancing or reducing its size by adding or removing information. However, this stream-based approach can make it challenging to create detailed dashboards easily. The platform primarily focuses on log files and is unsuitable for real-time data analysis.

      For how long have I used the solution?

      I have been using Splunk Enterprise Platform for one or two years.

      What do I think about the stability of the solution?

      The product is stable.

      I rate the solution’s stability a six out of ten.

      What do I think about the scalability of the solution?

      It can be very slow if you have a lot of data, and scaling it up for better performance can be quite expensive.

      A thousand users use this solution. We have many systems and a lot of data.
      It is centrally deployed and used extensively across various systems. I use it daily, but sometimes I only use it once a month. It depends on the data I need or the issue I'm investigating.

      I rate the solution’s scalability a four out of ten.

      How was the initial setup?

      The initial setup is straightforward.

      What other advice do I have?

      I wouldn't recommend Splunk Enterprise Platform because it's slow and has significant limitations.

      Overall, I rate the solution a six out of ten.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: My company does not have a business relationship with this vendor other than being a customer.
      Manager Recruitment at tata elxsi
      Real User
      Top 20
      Apr 24, 2025
      User-friendly interface accelerates task approval but update confirmations occasionally delay
      Pros and Cons
      • "Splunk Enterprise Platform saves approximately 20 to 30 percent of my time without having to perform different actions separately."
      • "The only problem I have with Splunk Enterprise Platform is that sometimes when I update a review, it takes time to receive confirmation emails."

      What is our primary use case?

      I normally use Splunk Enterprise Platform for review purposes. It is very easy and convenient. Its GUI is easy for me to review and approve all those things.

      What is most valuable?

      Splunk Enterprise Platform is very easy and convenient to use. The graphical user interface is easy for me to review and approve tasks. It saves time by allowing me to perform actions on a single platform instead of managing them separately. Additionally, its real-time processing capability is very good.

      What needs improvement?

      The only problem I have with Splunk Enterprise Platform is that sometimes when I update a review, it takes time to receive confirmation emails. This happens very rarely, maybe once or twice a month. I feel this can be improved in terms of performance.

      For how long have I used the solution?

      I have been using Splunk Enterprise Platform for three years.

      What do I think about the stability of the solution?

      Splunk Enterprise Platform is very stable.

      What do I think about the scalability of the solution?

      Splunk Enterprise Platform is scalable to some extent, which is acceptable. However, when I connect via VPN, it may take time to launch.

      How are customer service and support?

      I haven't got any support yet, so I can't comment on this as of now.

      How would you rate customer service and support?

      What was our ROI?

      Splunk Enterprise Platform saves approximately 20 to 30 percent of my time without having to perform different actions separately.

      What other advice do I have?

      My overall experience with Splunk Enterprise Platform rates around seven out of ten points. The main issues are regarding updating reviews and scalability, which may take some time when connecting via VPN. I would rate the overall solution 7 out of 10.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: My company does not have a business relationship with this vendor other than being a customer.
      Buyer's Guide
      Download our free Splunk Enterprise Platform Report and get advice and tips from experienced pros sharing their opinions.
      Updated: April 2026