Splunk Enterprise Security Reviews

Our use cases are mostly for security and detection, basic use cases. It's always been a security use case. We never used it for observability or ITSI. 

Our analysts use it a lot.

I like that it's a review panel, you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR. 

I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know CPL. 

It's a premium app, it's easy to use and intuitive. 

Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything. 

It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.  

Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.

It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with. 

It provides us with the relevant context to help guide our investigations. It's really useful in that aspect. 

It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect. 

It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors. 

I have been using Splunk Enterprise Security for about five years. 

I've never had too many issues with the stability. Years ago we had indexes crash but that was more on us. We didn't understand how to properly size Splunk. If you work within the required parameters, it's stable. 

Their support is great. I've never had any issues with them.

Positive

The setup was pretty straightforward unless you add a search head cluster. Then it becomes a lot more complicated very fast. Other than that, it's not too bad. It's pretty simple and intuitive. I've done it before and it's not difficult especially if you have the docs to help you. 

I can't speak to the dollar amount but we see ROI in the way that it helps the analysts to better do their work. It helps keep track of things and having one pane of glass for all things data. 

I would rate Splunk Enterprise Security a nine out of ten. It's a top-of-the-line product. It allows analysts to do their jobs better. It's a single pane of glass. It's a fantastic tool that we couldn't do our work without. 

We use Splunk Enterprise Security for a lot of use cases. We use the predefined use cases and dashboards for AWS, notable events, endpoint detection network, and audit notable events.

The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There is also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself. 

The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.

It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.

Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.

When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.

I would like to have fraud detection features. Fraud is within the same turf as with security operations. Fraud and cybersecurity work hand in hand. I would like to have detection capabilities, or at least dashboards in Enterprise Security for fraud. 

There's already a fraud offering from Splunk for fraud use cases but it's different. I need to get professional services for me to get that feature. It would be much more cost-efficient for customers if all those dashboards could be readily available within ES.

I have been using Splunk Enterprise Security since I joined my company in 2019, so it's been roughly five years.

Cisco just acquired Splunk so I expect the stability to still be the same since Cisco is established. 

I would rate support a nine out of ten because there's always room for improvement. 

Positive

I would rate Splunk Enterprise Security an eight out of ten. To make it a perfect ten, I would like to see them implement the fraud detection features. 

We use the solution for detection, basic building searches, and creating many dashboards for investigation purposes. We have also been using it recently to create some RBA detection rules.

The solution's newly developed dashboard is pretty amazing. The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes. Clients don't necessarily know about it, but the tool is powerful because it saves so much time.

The solution has so many features that it's easy to get lost. Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them. They also need to go through a certification to use the tool.

I have been using Splunk Enterprise Security for five to six years.

The solution's stability is a lot better on the cloud than on-premises.

The solution’s technical support is good. Sometimes, the technical support team's response time depends on the severity of the alerts. Sometimes, we don't get the right person on the call.

Positive

I use solutions like ArcSight, Exabeam, and Sentinel for different clients.

The solution’s initial setup is easy and not that difficult.

Our clients have seen a return on investment with the solution.

Splunk Enterprise Security is an expensive solution.

It is extremely important to our organization that the solution provides end-to-end visibility into our environment. Usually, a lot of companies don't have full visibility on their endpoints or servers.

Splunk Enterprise Security is a really good tool for helping us find any security event across multi-cloud, on-premises, or hybrid environments, like finding a needle in the haystack.

The solution has improved our organization’s ability to ingest and normalize data. Splunk Enterprise Security has also helped us identify and solve problems in real-time.

When processed correctly, the solution provides us with the relevant context to help guide our investigations.

If everything works correctly, Splunk Enterprise Security helps speed up our security investigations by 50%.

The solution has helped reduce our mean time to resolve by 20%.

When something breaks with the solution, troubleshooting and figuring out the problem is hard. The solution runs better on the cloud, with fewer problems and errors, than on-premises. We may not have the right hardware on-premises.

Splunk Enterprise Security is a great app that has been really innovative in the past. I would recommend the solution to other users. There's a cost to it, like anything that is of quality. However, if you want the best, Splunk is at the top right now. The solution is deployed on AWS and Microsoft Azure clouds.

Overall, I rate Splunk Enterprise Security a nine out of ten.

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

We have been using Splunk Enterprise Security for about five years.

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

Positive

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community. 

We wanted the solution to enhance the SOC ability. We were having trouble with some of our data being SIEM-compliant.

We hope the solution meets some SOC-like abilities.

Splunk Enterprise Security gives us a single pane of glass so that we can use just one tool instead of having to use different solutions.

It is pretty important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment, and it gets more important every year.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

It has helped us reduce our alert volume.

Splunk's unified platform helps consolidate networking, security, and IT observability tools. It gives us a single pane of glass, so instead of having to go to different tools, we just go to one tool.

It is deployed as an app on its own server.

It'd be really nice if Splunk Enterprise Security had a better and solid configuration guide.

I have been using Splunk Enterprise Security for roughly one year.

Splunk Enterprise Security is a very stable solution, and we haven't had many issues in five years.

The solution’s technical support team is very knowledgeable.

Positive

It was a little difficult for us to set up the solution mainly because some of our data sources were not SIEM-compliant.

We did engage with Splunk professional services, but it still didn't work. Although our experience with them was good, the tool was still not set up correctly.

We have seen a return on investment with Splunk Enterprise Security.

My experience with the solution's setup cost, pricing, and licensing was really good.

Overall, I rate the solution a seven out of ten.

I use Splunk Enterprise Security for monitoring, threat hunting, and quick response. By implementing Splunk Enterprise Security I aimed to address security challenges and threats for both myself and my clients.

Splunk Enterprise Security has significantly improved our organization by centralizing data and enabling efficient correlation across multiple vectors. The benefits were realized quickly after deployment, with noticeable improvements within the first three to six months.

Splunk Enterprise Security has sped up my security investigations, approximately by 30-40%.

The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization. The unique query language, once mastered, provides flexibility, and the tool extends beyond just security, benefiting network and development teams. This versatility and speed in searching and trend identification enable quick defense for my clients. For me, it is about fast detection, rapid response, and easy access to crucial data.

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

I have been using Splunk Enterprise Security since 2016.

The stability of the solution is quite good.

The scalability of Splunk Enterprise Security is good. The solution is stable and performance-driven, making it well-suited for scalability.

The community support for Splunk is excellent, with an engaged user community. However, for the standard technical support, unless you opt for the premium, I would rate the support as three on a scale of one to ten. It is not as helpful as desired.

Negative

Before Splunk Enterprise Security, I used various solutions, including LogRhythm. I chose Splunk because it proved to be more stable and reliable, especially compared to the issues I experienced with LogRhythm. With Splunk Enterprise Security, it takes my analysts approximately 30-40% less time to resolve alerts compared to our previous solution.

Monitoring multiple cloud environments using Splunk Enterprise Security dashboards is moderately easy, around a six out of ten. Setting it up requires a fair amount of engineering effort, especially for non-Splunk Cloud environments like Azure and GCP. Once configured, monitoring becomes straightforward, allowing easy creation of use cases and efficient log monitoring for improved cloud security.

The initial deployment of Splunk Enterprise Security was complex, involving significant engineering effort and tuning. It took anywhere from three to twelve months, which is considered a relatively long time. In comparison, deploying Microsoft solutions typically takes around six weeks on average, which is a significant difference in deployment efficiency.

The implementation strategy for Splunk Enterprise Security involved workshops, high-level design approval, and phased deployment covering physical deployment, log collection, testing, and tuning. Typically, three people from my team (project manager, lead engineer, and lead analyst) and around half a person from the customer's side are involved. Maintenance is substantial, requiring a team of 13 engineers for 60 customers, ensuring not everything breaks simultaneously.

I find Splunk Enterprise Security to be overly expensive, and their pricing model lacks flexibility. There is no consumption-based pricing, and dealing with Splunk can be challenging. They seem rigid, less accommodating, and often don't listen to customer needs. A more flexible and customer-friendly pricing approach, aligning with industry trends, would be appreciated.

Before choosing Splunk, I evaluated other options, including QRadar. However, if I were to evaluate them today, my choice might be different.

If you are willing to invest in engineering effort, Splunk Enterprise Security provides excellent visibility into multiple environments, including cloud, on-premises, and hybrid setups. While some solutions may require less effort, Splunk is capable and versatile, making it a strong choice for comprehensive visibility across diverse IT environments.

Assessing threat detection capabilities in Splunk Enterprise Security is like evaluating how easy it is to drive a car. It provides powerful tools, but mastering the query language for utilizing these features requires effort. Once you know how to use them, it becomes an effective tool for detecting unknown threats and monitoring user behavior.

I use the Splunk Mission Control feature, which is highly important to my security operations. It is particularly valuable for multi-tenant and multi-site mission control scenarios. The Splunk Mission Control feature is effective for centralizing threat intelligence and ticketing system data when dealing with a single entity or group. However, its usefulness diminishes when managing multiple customers with diverse policies and groups.

The features in Splunk for discovering the overall scope of an incident, including the topography aspect, are considered industry standards. However, the topography feature is not particularly useful in my case, so I don't extensively use it.

Splunk Enterprise Security is effective for analyzing malicious activities and detecting breaches, especially if you invest the effort. However, newer solutions are considered better and more flexible. While Splunk was an industry leader five years ago, today, platforms like Microsoft Sentinel may outshine it in terms of ease of use, especially for users unfamiliar with Splunk.

Splunk Enterprise Security has helped me detect threats faster compared to other solutions. It stands out in terms of speed and effectiveness.

My advice to others is that if you are looking for the cheapest solution, Splunk may not be the right choice. Consider alternatives like LogPoint or Arctic Wolf, but be cautious as they might not offer the quality and capabilities needed for effective security. Sometimes it is better to invest in a more robust solution than settling for a cheap option that might not meet your requirements. Overall, I would rate the solution as a six out of ten, mostly because of its pricing.

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

Positive

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

We do it ourselves.

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.

We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, windows active directory, and those types of use cases.

Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.

The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.

We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.

Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.

I have been using Splunk for probably 10 years.

At least in our environment, it is super stable. When you think about how much time you spend working with other applications, just Windows Server requires more feeding than Splunk does, you see that Splunk is a very low maintenance care and feeding product.

We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.

I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.

We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.

I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.

Their technical support sucks.

My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.

I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.

Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.

We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.

We used an integrator.

The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.

When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.

The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.

I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.

We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.

We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.

My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.

On a scale of one to ten, I would rate Splunk a really good nine.

I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.