Principal Systems Engineer at Aricent
A complete solution that satisfies the needs of our clients, but it is complex to set up and use
Pros and Cons
- "It's the completeness of the solution that we like the most."
- "Our two main complaints are about the difficulty of the initial setup and the licensing model."
What is our primary use case?
We are a software development company and Splunk is one of the products that we have implemented for our clients. It is used for log analytics as well as the mobile SDK for checking the stability of mobile applications.
What is most valuable?
It's the completeness of the solution that we like the most. It has a solution for backend log analytics, but also one for mobile applications.
What needs improvement?
Our two main complaints are about the difficulty of the initial setup and the licensing model.
The billing model is a little bit complicated because you have to predict in advance how much data you'll have and how much storage you'll need. When you start, you don't really have those numbers but to get the licensing, you need them. It is only at that point that you'll know how much the product is going to cost you.
For how long have I used the solution?
I have been working with Splunk for more than five years.
Buyer's Guide
Splunk Enterprise Security
April 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
852,649 professionals have used our research since 2012.
What do I think about the stability of the solution?
There have been no issues in particular. What we are using has not been that heavy.
What do I think about the scalability of the solution?
We have not had any problems with respect to scalability.
How are customer service and support?
Based on when we have been in contact with them, I think that technical support was fine.
I'm not sure if they have different support models but I think it took a long time for them to respond. It may be a consequence of the support contract our client had with them.
How was the initial setup?
This is a complicated product to use and you need constant help to set it up. I really wish that it was easier to set up and use.
What about the implementation team?
We do not have any dedicated people who are working on Splunk, but we have a team of approximately 100 people that are responsible for the development of mobile applications, backend systems, DevOps, etc.
What's my experience with pricing, setup cost, and licensing?
I think that most of the log analytics solutions are expensive and I'm not sure if it's worth it. However, I wish that they were less expensive. I am not talking about a single product but rather, all of the ones that are in the domain of log analytics.
What other advice do I have?
Splunk is a good product but I would definitely tell people to analyze their requirements to see if Splunk fits their use case, or not. The licensing model is very complicated, so if there is a product that has a better licensing model then it would probably be good to start with that. Then, later on, if the product is not working well enough, then they can switch to Splunk. At that point, they will have knowledge of the data they are using and will understand the costs that they might incur while using it.
The only way that I would suggest somebody use this as their first solution is if they already had all of the data that is required to get a cost estimate.
I would rate this solution a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees
Ingests machine data and helps to analyze and visualize it.
Pros and Cons
- "The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data."
- "It requires a significant amount of relatively complex architecture once you push past the single server instance."
How has it helped my organization?
Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was the use case for just our team, not to mention the hundreds of other application teams.
What is most valuable?
Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.
What needs improvement?
Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?
Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.
What do I think about the stability of the solution?
Out-of-the-box functions are nearly flawless, but when you push at the edges, then things start to get a little flexible in their eloquence. There is a robust community of support to help through most issues and the documentation is exceptional.
What do I think about the scalability of the solution?
There were no issues with scalability, but we invested some serious time and resources to design a scalable infrastructure up front.
How are customer service and technical support?
Customer Service:
Customer service is excellent both during the purchase and ownership lifecycle.
Technical Support:
Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience. Their senior engineers are very talented, but those folks are in short supply and many of the most experienced engineers are making hundreds of dollars an hour as consultants not answering your support issues.
Which solution did I use previously and why did I switch?
No enterprise solution was in place.
How was the initial setup?
The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours. Setup at scale and scalability took months of effort.
What about the implementation team?
We hired a contractor with significant experience with Splunk, Elastic.io, AWS, and custom development. They were expensive, but worth every penny.
What was our ROI?
TBD.
What's my experience with pricing, setup cost, and licensing?
You will eat up whatever you purchase quickly. The level of insights that Splunk empowers is addictive.
Which other solutions did I evaluate?
We evaluated Graylog, Elastic.io, etc.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
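The review above describes two things without showing them: breaking log lines into key/value pairs so they become searchable, and correlating errors across many application servers over time. The following Python is an added illustration of both, not code from the reviewer or from Splunk. The log format, host names and numbers are constructed for the example; the aggregation mirrors the kind of `stats count by host` search a Splunk user would run, but it is a plain-Python stand-in, not Splunk's extraction engine.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a hypothetical key=value application log
# format (not taken from the review). Three app servers, one hour-and-a-bit
# of traffic, with app02 repeatedly timing out against the database.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host=app01 level=INFO  event="request done" status=200 latency_ms=45
2024-03-01T10:00:02Z host=app02 level=ERROR event="db timeout" status=500 latency_ms=3001
2024-03-01T10:05:10Z host=app01 level=INFO  event="request done" status=200 latency_ms=51
2024-03-01T10:07:30Z host=app02 level=ERROR event="db timeout" status=500 latency_ms=2998
2024-03-01T10:09:12Z host=app03 level=WARN  event="slow query" status=200 latency_ms=900
2024-03-01T10:12:00Z host=app02 level=ERROR event="db timeout" status=500 latency_ms=3005
2024-03-01T11:01:00Z host=app01 level=ERROR event="disk full" status=500 latency_ms=10
2024-03-01T11:02:00Z host=app03 level=INFO  event="request done" status=200 latency_ms=40
"""

# key=value or key="quoted value" (quoted values may contain spaces and \" escapes)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def extract_fields(line):
    """Turn one log line into a dict of searchable fields, in the spirit of
    Splunk's automatic key=value extraction. The leading ISO timestamp is
    parsed into '_time'; everything else becomes a string-valued field."""
    ts, _, rest = line.partition(" ")
    fields = {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in KV_RE.findall(rest):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_logs(text):
    return [extract_fields(line) for line in text.splitlines() if line.strip()]


def errors_by_host_and_hour(events):
    """Rough equivalent of the SPL
        level=ERROR | bucket _time span=1h | stats count by host, _time
    Returns {(host, hour_iso): count}."""
    counts = Counter()
    for ev in events:
        if ev.get("level") == "ERROR":
            hour = ev["_time"].replace(minute=0, second=0, microsecond=0)
            counts[(ev["host"], hour.isoformat())] += 1
    return counts


def anomalous_hosts(events, factor=2.0):
    """Flag hosts whose ERROR count exceeds `factor` times the median error
    count across every host seen in the window. Quiet hosts still count
    toward the median, so one noisy server in a fleet stands out; the
    threshold never drops below 1 so a single error on an otherwise silent
    fleet is not reported as an anomaly."""
    per_host = Counter()
    hosts = set()
    for ev in events:
        hosts.add(ev["host"])
        if ev.get("level") == "ERROR":
            per_host[ev["host"]] += 1
    if not hosts:
        return []
    median = statistics.median([per_host[h] for h in hosts])
    threshold = max(factor * median, 1.0)
    return sorted(h for h in hosts if per_host[h] > threshold)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for key, n in sorted(errors_by_host_and_hour(evs).items()):
        print(key, n)
    print("anomalous:", anomalous_hosts(evs))
```

The point of the median-based threshold is the reviewer's "17 application servers" situation: a fixed "more than N errors" rule either fires on every server during a shared outage or misses the one server that is quietly failing, whereas comparing each host to its peers in the same window isolates the outlier.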
Senior Network Engineer at a government with 5,001-10,000 employees
Capable and flexible; you can use it to gather syslog messages from any type of system.
Pros and Cons
- "You can use it to gather syslog messages from anything."
- "It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics."
What is our primary use case?
I work for a government agency and we use Splunk to monitor our Cisco equipment. I'm a senior network engineer and we are customers of Splunk.
What is most valuable?
This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything; jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market.
What needs improvement?
It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics.
For how long have I used the solution?
I've been using this solution for 10 years.
What do I think about the stability of the solution?
The product runs on Linux so it's very stable. It's important to have a well-run SAN environment to store the data.
What do I think about the scalability of the solution?
The solution can be scaled up to any size of enterprise or agency. I have heard of Splunk installations of over 100 terabytes of licensing.
Which solution did I use previously and why did I switch?
We used LogRhythm previously but it was not a good fit for our environment. That is why we switched to Splunk.
How was the initial setup?
The initial setup is fairly complex. There's a certain architecture that Splunk utilizes to handle its indexing and it also depends on the size of your deployment. If you have a relatively low amount of gigabytes per day, deployment is simple. And of course it scales to terabytes, so if you have a terabyte installation, there are a lot of additional services that need to be implemented such as licensing servers and clustering. We sometimes configure syslog-ng servers to front-end the data before it ends up at an indexer. If it's a large terabyte installation, you definitely want to use professional services.
What about the implementation team?
This was implemented through a combination of in house and vendor developers.
What was our ROI?
n/a
What's my experience with pricing, setup cost, and licensing?
Splunk charges on the basis of gigabytes of incoming log messages per day. Also I would recommend that funds be set aside for Splunk training and certification.
What other advice do I have?
There is a large number of options for training and certification. The more training you have the more useful Splunk becomes. However, right out of the gate you can do useful searches due to the search bar design.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
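The reviewer above monitors Cisco equipment by collecting syslog, sometimes with a syslog-ng front end in front of the indexers, and notes that Splunk's API lets you write your own code to feed it. The Python below is an added example of what that receiving layer does, not the reviewer's or Splunk's code: it decodes RFC 3164 `<PRI>` headers, pulls the `%FACILITY-SEVERITY-MNEMONIC` token and `[key: value]` fields out of Cisco-style messages, and packages the result as newline-delimited JSON for Splunk's HTTP Event Collector. The datagrams, source IPs, the `cisco:ios` sourcetype name and the receive timestamp are constructed assumptions; the HTTP POST itself is described in a comment and not performed.

```python
import json
import re

# Constructed sample datagrams as a UDP/514 syslog receiver would see them:
# (source IP, raw line). The Cisco lines follow the %FACILITY-SEVERITY-MNEMONIC
# convention; the last line is an ordinary Linux sshd message for contrast.
SAMPLE_DATAGRAMS = [
    ("10.1.1.1", "<189>45: rtr1: *Mar  1 10:00:01.123: %SYS-5-CONFIG_I: "
                 "Configured from console by admin on vty0 (10.0.0.5)"),
    ("10.1.1.1", "<187>46: rtr1: *Mar  1 10:00:09.500: %LINK-3-UPDOWN: "
                 "Interface GigabitEthernet0/1, changed state to down"),
    ("10.1.1.1", "<188>47: rtr1: *Mar  1 10:00:10.000: %SEC_LOGIN-4-LOGIN_FAILED: "
                 "Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] "
                 "[Reason: Login Authentication Failed]"),
    ("10.1.1.2", "<34>Mar  1 10:00:11 srv1 sshd[1234]: "
                 "Failed password for root from 10.0.0.99 port 2222 ssh2"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)            # RFC 3164 <PRI> header
CISCO_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z][A-Z0-9_]*):\s*(.*)$", re.S)
BRACKET_KV_RE = re.compile(r"\[([^\]:]+):\s*([^\]]*)\]")    # [key: value] pairs in Cisco text
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed HEC metadata (hypothetical values, not from the review).
HEC_SOURCE = "syslog:udp514"
CISCO_SOURCETYPE = "cisco:ios"   # assumed sourcetype name used for the Cisco events


def parse_syslog(raw, src_ip, received_at):
    """Decode one datagram into a Splunk HEC event dict, or None if it carries
    no valid <PRI>. PRI = facility*8 + severity, so divmod recovers both.
    Cisco messages additionally carry %FACILITY-SEVERITY-MNEMONIC and optional
    [key: value] fields; those are extracted so they are searchable. The host
    is taken from the sender's IP; the Cisco header's own host token is not
    parsed here (a simplification of this example)."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # facility 0-23 x severity 0-7
        return None
    facility, severity = divmod(pri, 8)
    body = m.group(2)
    event = {
        "raw": raw,
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "cisco_facility": None,
        "mnemonic": None,
        "text": body,
        "fields": {},
    }
    sourcetype = "syslog"
    cm = CISCO_RE.search(body)
    if cm:
        fac, sev, mnemonic, text = cm.groups()
        event.update({
            "cisco_facility": fac,
            "mnemonic": f"{fac}-{sev}-{mnemonic}",
            "text": text,
            "fields": {k.strip().lower(): v.strip()
                       for k, v in BRACKET_KV_RE.findall(text)},
        })
        sourcetype = CISCO_SOURCETYPE
    return {"time": received_at, "host": src_ip, "source": HEC_SOURCE,
            "sourcetype": sourcetype, "event": event}


def error_or_worse(events):
    """Severities 0-3 (emerg..err): the lines a network team would alert on."""
    return [e for e in events if e is not None and e["event"]["severity"] <= 3]


def to_hec_batch(events):
    """Newline-delimited JSON, the body HEC accepts for several events in one
    POST to /services/collector/event with header 'Authorization: Splunk <token>'.
    The POST itself is left to the caller, e.g.
    requests.post(hec_url, headers=headers, data=batch)."""
    return "\n".join(json.dumps(e, separators=(",", ":"))
                     for e in events if e is not None)


if __name__ == "__main__":
    received = 1709287200.0   # constructed receive time (epoch seconds)
    evs = [parse_syslog(raw, ip, received) for ip, raw in SAMPLE_DATAGRAMS]
    for e in error_or_worse(evs):
        print(e["host"], e["event"]["severity_name"], e["event"]["mnemonic"], e["event"]["text"])
    print(to_hec_batch(evs))
```

Two details matter in practice: the PRI bound check rejects malformed or hostile datagrams instead of indexing them with a nonsense severity, and the `[key: value]` extraction turns the failed-login line into `user`, `source` and `reason` fields so the same event can drive an alert on repeated failures from one source address.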
Good visualization, reliable, scales well, and has good support
Pros and Cons
- "The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial."
- "The configuration had a bit of a learning curve."
What is our primary use case?
We are currently using it with SIEM and SOAR, which is Security Orchestration, Automation, and Response.
Splunk is primarily used for security, incident response, and security analytics.
How has it helped my organization?
Using Splunk gives us the visualization we need; we can easily observe things such as user behavior analytics, irregular traffic, frequency, and any spikes in unusual activity inside the network.
What is most valuable?
The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.
It's a solid platform.
What needs improvement?
Other than the pricing modules, I have no issues with the product itself.
The configuration had a bit of a learning curve.
I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.
If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.
For how long have I used the solution?
I did a POC, but we have recently procured it. We did a rudimentary setup to get an understanding of how it works. We are into our sixth month of using it now.
What do I think about the stability of the solution?
Splunk is a very stable solution.
What do I think about the scalability of the solution?
This solution is quite scalable.
In our organization, we have 10 users, who use this solution but we have plans to increase our usage.
How are customer service and support?
The technical support has been quite helpful.
Which solution did I use previously and why did I switch?
The previous solution was limited in its functionality.
We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.
Splunk offered us more visibility.
How was the initial setup?
The initial setup was complex.
We had some assistance with the actual deployment, but while I was doing the POC, I was working with a vendor. There were things I had to do myself, such as the configuration, which was a bit challenging for me; it was a big learning curve.
What about the implementation team?
For the installation, we received some assistance from the vendor.
What was our ROI?
It's too early to know if there will be a return on investment.
What's my experience with pricing, setup cost, and licensing?
The pricing modules could be improved.
The licensing fees are paid on a yearly basis.
There is a standard license with provisions for more. As we are still exploring the functionality, there may be other departments that want to use it.
What other advice do I have?
Those who are interested in implementing this solution should be prepared to dig deep into their pockets.
I would rate Splunk a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Incident Manager at CyberCore Technologies
Powerful, flexible query language can morph difficult-to-understand log formats into usable data
Pros and Cons
- "The ability to manipulate data in Splunk is unparalleled. Splunk's powerful, flexible query language can morph difficult-to-understand log formats into usable data."
- "Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined."
- "There is a definite learning curve to starting out."
What is our primary use case?
We started using Splunk to serve as a SIEM. In addition to correlating security information, we have begun to use it as a developer and customer advocate by analyzing user behaviors and system response times.
How has it helped my organization?
Log files which were previously either not reviewed or reviewed incompletely are now being used in operations daily. Security and operational events are discovered and resolved with greater efficiency than ever before. The way Splunk allows for data to be correlated together has given our organization a more complete picture of our system security status and how users organically move through our applications. This information has allowed us to focus development efforts which will directly benefit our customers the most.
What is most valuable?
The ability to manipulate data in Splunk is unparalleled. Splunk's powerful, flexible query language can morph difficult-to-understand log formats into usable data.
Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined.
What needs improvement?
There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started.
For how long have I used the solution?
Less than one year.
How are customer service and technical support?
The community (Splunk Answers/Slack Channel/User Groups) can help get you started.
Which solution did I use previously and why did I switch?
We previously used ArcSight, but found Splunk to be more cloud capable.
What's my experience with pricing, setup cost, and licensing?
Truly evaluate the data you want to ingest and go slow. Pulling in data that can provide no use to your mission only wastes data against your license.
Which other solutions did I evaluate?
Other options were evaluated, such as ELK, but Splunk was identified to be more feature rich out-of-the-box.
What other advice do I have?
Pick it up and jump into the community! It can help get you started a lot faster.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lead Splunk Architect at a financial services firm with 10,001+ employees
Enables Centralization And Correlation Of Data That Was Unattainable With Other Solutions
Pros and Cons
- "It allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar."
- "Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources."
How has it helped my organization?
Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.
A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.
What is most valuable?
Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allows schema on the fly and therefore simplifies all the data onboarding process. All that leads to flexibility when it comes to defining the metadata since it is not necessary to have all the fields defined and extracted to be able to use Splunk.
Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.
Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.
What needs improvement?
Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.
What do I think about the stability of the solution?
Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.
What do I think about the scalability of the solution?
Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a Splunk index can be done without affecting any of the existing members of the infrastructure.
How are customer service and technical support?
In my opinion Splunk has three levels of support. First level is their forum (Splunk Answers). The Forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team that replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.
Which solution did I use previously and why did I switch?
Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.
How was the initial setup?
We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.
What's my experience with pricing, setup cost, and licensing?
Splunk's licensing model might seem expensive but with all the gain in functionalities you will have compared to traditional SIEM solutions I think it's worth the price. Also, when you have small volumes of data to index daily (which might account for high EPS) you will be gaining the full advantage of using Splunk for a very low price.
Which other solutions did I evaluate?
Yes, Graylog and QRadar.
What other advice do I have?
You're in for a nice surprise, Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis, you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
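The architect above singles out the ability to remove sensitive data before it is displayed in reports and to filter what each user sees by clearance level. The Python below is an added illustration of that pattern in general terms, not the reviewer's configuration and not Splunk's own role-based field filtering: each role has an allow-list of fields (default deny for unknown roles), card numbers are reduced to their last four digits, and free text is scrubbed of e-mail addresses, SSNs and Luhn-valid card numbers. The events, field names and role table are constructed for the example.

```python
import re

# Constructed sample events from a hypothetical payment service (not from the
# review). Both the dedicated fields and the free-text 'msg' carry secrets.
EVENTS = [
    {"_time": "2024-03-01T10:00:01Z", "user": "alice@example.com",
     "card": "4111111111111111", "amount": "19.99",
     "msg": "charge ok for alice@example.com ssn 123-45-6789"},
    {"_time": "2024-03-01T10:00:05Z", "user": "bob@example.com",
     "card": "4111111111111112", "amount": "250.00",
     "msg": "charge declined, retry with card 4111 1111 1111 1111"},
]

# Fields each clearance level may see. None means unrestricted; a role that is
# missing from the table sees nothing (default deny). Hypothetical role names.
CLEARANCE = {
    "analyst":   {"_time", "amount", "msg"},
    "fraud_ops": {"_time", "amount", "msg", "user", "card"},
    "admin":     None,
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, so that order ids and hashes of similar length are not
    mistaken for card numbers when scrubbing free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def last4(value):
    """Keep only the last four characters: enough to match a customer's
    statement, useless to an attacker."""
    return "*" * (len(value) - 4) + value[-4:]


def _mask_pan_match(m):
    digits = re.sub(r"\D", "", m.group(0))
    return last4(digits) if luhn_ok(digits) else m.group(0)


def redact_text(text):
    """Scrub e-mail addresses, US SSNs and Luhn-valid card numbers out of free
    text. SSNs are handled before PANs so their digit groups are never
    re-interpreted as part of a card number."""
    text = EMAIL_RE.sub("<email>", text)
    text = SSN_RE.sub("<ssn>", text)
    return PAN_RE.sub(_mask_pan_match, text)


def view_for(event, role):
    """Return the version of `event` that `role` is allowed to see. Fields
    outside the role's clearance are dropped; the card field is reduced to its
    last four digits for anyone but admin; free text is scrubbed."""
    allowed = CLEARANCE.get(role, set())
    if allowed is None:
        return dict(event)
    out = {}
    for key, value in event.items():
        if key not in allowed:
            continue
        if key == "card":
            value = last4(value)
        elif key == "msg":
            value = redact_text(value)
        out[key] = value
    return out


if __name__ == "__main__":
    for role in ("analyst", "fraud_ops", "admin", "guest"):
        print(role, [view_for(e, role) for e in EVENTS])
```

Dropping fields by allow-list handles the structured data, but the second event shows why free-text scrubbing is needed as well: a card number typed into a message field bypasses any field-level rule, so the report layer has to pattern-match the text too. Doing this at display time, as the reviewer describes, keeps the full record available to the roles that are cleared for it.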

Alireza Ghahrood, Consultant & Instructor - Cyber Security, Governance Risk Compliance (CISO as a Service) at Independent
Top 10 Real User
According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:
Federal Information Security Management Act (FISMA) of 2014
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
North American Electric Reliability Corporation Critical Infrastructure Protection
Payment Card Industry Data Security Standard
Sarbanes-Oxley Act
At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.
Cloud Customer Experience Lead at a media company with 10,001+ employees
Flexible licensing, good support, and helpful for responding quickly to an event
Pros and Cons
- "They are a good partner for Google Cloud. It provides great visibility, threat detection, and proactive mitigation of risks for our mutual consumers."
What is our primary use case?
We are using it for logging and monitoring.
How has it helped my organization?
Splunk Enterprise Security helps with application events. It provides end-to-end visibility into our environment which is most important for us. It reduces the time to react to an event.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. It can help identify and solve problems in real-time, but we have mainly utilized it for post-identification correction.
It provides us with the relevant context to help guide our investigations. It is easier for developers to take action once an anomaly is detected. We have been leveraging Splunk dashboards for that.
Splunk Enterprise Security has helped speed up our security investigations, but I do not have the metrics.
They are a good partner for Google Cloud. It provides great visibility, threat detection, and proactive mitigation of risks for our mutual consumers.
For how long have I used the solution?
We have been selling Splunk Enterprise Security along with Google Cloud for about two years.
What do I think about the scalability of the solution?
We had a very bespoke solution. It was a shared model. The scalability was good.
How are customer service and support?
Their technical support has been good. I would rate them an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have not used any other solution previously.
What was our ROI?
Our customers have seen an ROI, but I do not have the metrics.
What's my experience with pricing, setup cost, and licensing?
The variables and the flexibility that Splunk provides are helpful, especially in a hybrid and multi-cloud environment.
What other advice do I have?
I would advise others to start early.
Overall, I would rate Splunk Enterprise Security a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Principal Architect at a computer software company with 51-200 employees
Provides insights to customers about what their users are doing and alerts them to anomalies
Pros and Cons
- "The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing."
- "Splunk Enterprise Security should provide a better and richer integration."
What is our primary use case?
We will have clients that generate events through our platform and wish to export those events as data points to Splunk.
How has it helped my organization?
The solution improves our customers' integrations. They really want insights into what their users are doing. They want to be alerted to anomalies, general pain points, or popular areas in the integration to understand what's working and what's not.
What is most valuable?
The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing.
What needs improvement?
Splunk Enterprise Security should provide a better and richer integration. It has a regimented integration, where we had to build a Python library. It was a very tough way to integrate officially and get into the marketplace. We'd like to see more options so that we can better send data over to the Splunk platform.
The requirements of building the integration had to be a very specific and certain way to get onto your marketplace. Once it's there, it's fine, but it took a little effort to get it exactly that way. That's not as maintainable as we like, so we'd rather that be a more robust integration.
For how long have I used the solution?
We've had an integration available for the better part of three or four years.
What do I think about the stability of the solution?
The solution provides good stability.
What do I think about the scalability of the solution?
We haven’t seen any issues with the solution’s scalability.
How are customer service and support?
We mostly interacted with the marketplace community. Although our support experience was not great, the issue was straightforward.
What was our ROI?
Our customers have seen a return on investment with the solution. We have seen customer satisfaction as it was a highly sought-after integration, and they're happy now that it exists.
What other advice do I have?
The end-to-end visibility that the solution provides into our environment is incredibly important to our organization. We like to see it as the total answer. Any data point can be picked up, and you can really build anything you need from the integration. It's incredibly valuable with the data that it's generating. What the tool provides once integrated is highly valuable and sufficient for us.
Finding any security event across multi-cloud, on-premises, or hybrid environments with Splunk Enterprise Security has been incredibly easy. Using the rest of the Splunk platform, you can trigger whatever you need off the data coming in through the integration.
The solution has helped improve our organization's ability to ingest and normalize data. It also generates more customer activities so that there's a stickier relationship.
The Splunk integration triggers the necessary events so that downstream alerting isn't necessary.
Splunk Enterprise Security has helped speed up our security investigations. It's a great direct integration so that our customers can react quickly when necessary.
In principle, the solution has helped reduce our mean time to resolve, but not necessarily data points that we see as the integrator.
Overall, I rate the solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator

I agree with you, Mr. Joshua Biggley; nowadays Splunk has more demand.