Splunk Enterprise Security Reviews

It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.

It is the best tool if you have a complex environment or if data ingestion is too huge.

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

We have been using Splunk for more than four years.

Its scalability is very good. Companies nowadays are totally dependent on tools like Splunk. It is widely used in our organization. We have a huge team that uses it on a daily basis. For onboarding, we have another team, and we also have a team for Splunk monitoring. We have a large amount of data ingestion per day, so our team has more than 25 people in it.

In my current company, I have seen the tickets getting resolved soon. In my previous company, which was a startup, a P1 ticket generally took 24 hours or less. They called us back and resolved it as soon as possible, but if it was a P2 or P3, I have seen them taking a month or more.

We worked with QRadar for some time, but after that, we just came to Splunk.

It is straightforward. The deployment duration totally depends on how you are working.

We have it on-premises as well as on the cloud.

We have an unlimited one, and we pay yearly, but I don't know how much it costs. Previously, I worked for a startup, and when they started building it up, it was complicated for them because they didn't have the budget for that many licenses. It was very costly for them. So, startups might find it a little bit problematic because of the licensing, but for bigger companies, there is no issue.

If it is a complex environment and data ingestion is huge where you want to ingest Syslogs or networking devices logs, you should go with Splunk. It is better than QRadar. Nowadays, the usage of AWS is growing, and that should be taken into consideration when deciding about on-premises or cloud deployment.

I would rate it a nine out of 10. I find it great. I'm very eager to do the Splunk certifications as well.

We are using Splunk as a SIEM tool. We're using it for monitoring.

The ease of log connection has been great. 

Its compatibility with other SIEMS is very useful. 

They have many basic use cases that we like. 

The cloud version of the solution is especially scalable.

The product has been quite stable so far.

The initial setup is very easy.

Technical support is lacking post-sale.

The modification of firmware could be improved.

We find that the maintenance process could be a lot better. 

The solution is more expensive than other options on the market.

We haven't been using the solution for too long at this point. It's been about four months or so.

The stability has been good. It offers good performance and doesn't seem to be buggy. There aren't glitches. It doesn't crash or freeze. It's reliable.

The solution is scalable. This is especially true for the cloud deployment model. There really isn't anything holding you back if you use that version.

We have around 100 people on the solution currently. 60 to 70 of those are technical users.

We do plan to keep using Splunk. 

Technical support services are lacking, especially after you buy the product. They aren't as helpful or responsive as we need them to be. However, when we do reach them, they are good and they help.

I have used McAfee Nitro in the past and IBM QRadar as well.

The initial setup is not complex. It's very straightforward. In fact, it's far easier to install than other log tools on the market. A company shouldn't have any issues with the process.

That said, I did not work on the installation myself. Other people at the company handled that aspect of the process.

The maintenance process could be better. It's a bit difficult once the deployment is done. We need about five people for maintenance tasks.

When you compare the services and features, the pricing is reasonable. That said, if you compare Splunk to other options on the market, it is more expensive.

As we recently purchased the solution, we are using the latest version right now.

I would recommend the solution to other users. 

I would rate the solution at an eight out of ten. If the solution offered a better price and better support services, I would likely rate it higher. However, for the most part, we have been satisfied with the product and its capabilities.

We use it for log aggregation. 

If you have a large number of devices, you need to aggregate log data to make more sense of it for parsing, troubleshooting, and metrics. This is all we use it for.

If I need to track logs for certain application, I will push all of those logs to Splunk so I can run reports on those logs. It is more about what you are trying to do with it and what you need from it.

We use it primarily for troubleshooting. We had an issue with SaltStack recently and were able to look for the same log entry on a thousand servers simultaneously, making the process easy.

The ability to create dashboards.

You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.

I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

It's been very stable for us. Most of our stress in not from Splunk, but from disk I/O, like input and output for the disk that you are writing logs to. We have had more issue with our own hardware than Splunk. 

You have to make sure if you're writing an enormous amount of data that you have your I/O sorted out beforehand. 

It scales fine. We haven't had any issues scaling it. Our current environment is about 30,000 devices. 

The integration of this product in our AWS environment was very simple. We just forwarded our logs to it, and that was about it. 

It has agent-base log forwarding, so it is very simple, not complicated at all. This process is the same from on-premise and AWS.

If you have a large number of servers, even a few hundred servers, then you need to track specific data and log information from a lot of servers. You can either go to each server individually or set up jobs to ship those logs somewhere with rsync or Syslog. The other option is use Splunk and push them all to Splunk, then from Splunk you can just create alerts and run reports against all that data in one place with a single query rather than having to do all that work repeatedly. It saves us a lot of time, just in man-hours, and being able to look at hundreds or thousands of servers simultaneously.

Splunk has no real competition. It is just Splunk, and that is it.

Build your environment a lot bigger than you think you will need it, because you fill it up quickly. We log somewhere in the neighborhood of two to four terabytes a day per data center.

We use both AWS and SaaS versions. With the SaaS version, you don't have as much control, but it functions the same, so there is no real difference. Though, the AWS version is probably easier to scale, because it is AWS. 

I work in the HIPAA industry. I work at a healthcare company in Puerto Rico. HIPAA requires us to go over security risks. Our use case right now is to be compliant.

In our hierarchy, we have 1000 servers and 16,000 endpoints. We also have 100 entry points and 3000 VPN connections. It's huge.

Manually, it used to take us a whole day to do strong monitoring. Now, it takes a maximum of two hours because of this product.

It creates a single pane of glass. Plus, it gives us the liberty to do more in terms of use cases, especially since HIPAA wants use cases. We must monitor them. Therefore, we can also add our own correlations for all our use cases.

The dashboard centralizes the daily routine. We used to do this by hand. Now, we go through daily checklists, using the dashboard and setting up the alarms. It helps us to cut down the time on this routine. 

I am a cybersecurity director. I manage five different business lines. Every morning, we used to have to go to different tools to get our daily routines done. With Splunk, centralized as it is, we can see everything in one place. We use it not only for monitoring events, but in case we need to do a group call. We can see what's going on, viewing all of the offenses and security events which are happening in our infrastructure.

The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall.

It was pretty straightforward. I even did a couple of logs myself. 

We implement through a vendor.

We were using QRadar as a POC. We were using for real at our cloud but also it was a POC for us because we were watching the product. But, QRadar needs a lot of fine tuning.

The network department, for example, has improved its efficiency by 30%. Security relies on this for event correlation and alerts.

• The speed of the search engine

• All the types of data sources that you configure can be forwarded to Splunk.
• The ease-of-use

Cluster management can only be done via a command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as double factor authentication.

The administration of the cluster and app deployment to indexers or search
heads can be done only using ssh access and command line, there is no GUI
tools for that.

Permissions in the other hand could be improved by adding for example the
deny option to groups to see and index, etc. Also the authentication method
is just LDAP or spkunk, so some more security layers could be added as
second factor, etc

It is very stable.

It scales out horizontally.

The quality of support depends on the support and license. On the average, I would give them a rating of 6/10.

We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.

It is very easy to set up on a standalone server. Of course, if you want a cluster, it is more complicated. In order to manage it, you need skilled people.

It is not cheap :-)

We were using ArcSight before.

My advice is to go ahead with it.

The administration of the cluster and app deployment to indexers or search
heads can be done only using ssh access and command line, there is no GUI
tools for that.

Permissions in the other hand could be improved by adding for example the
deny option to groups to see and index, etc. Also the authentication method
is just LDAP or spkunk, so some more security layers could be added as
second factor, etc

We typically use it for centralized log management and SIEM functionality.

I am using the most recent version of it.

As per government requirements, a lot of government sites have to have the active monitoring of logs. So, we use their security appliance add-on that essentially combs through the log. It pre-filters and brings out the critical events so that you can focus on those instead of having to create your own searches and whatnot. It helps simplify the process of monitoring security events in the logs for people.

The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.

It is a good product, but the Achilles heel for a lot of organizations is the cost model for it because it gets expensive. That's because the model is based on how much data it processes a day, which can be prohibitive, especially if you have a lot of data. A lot of customers may not be ready for the sticker shock on how to fully leverage the product. I realized that the reason for that is that when it was originally designed, it was kind of like a big data modeling application. If they want to have a bigger customer base, they can come out with subsets of their product that are focused on specific things and have different pricing models. It may help with the cost.

To actively use the interface, you have to be able to speak their language. You really need to have Splunk training to use the tool. Integrations are not that bad, but once you get into that developer mindset and you understand the programming query language, then you're pretty flexible in making it work with other products. It could be daunting if you don't have the training. It is akin to being thrown and asked to go write a Python script when you don't know any of the Python language or PowerShell. If you don't know how to form the queries, the words, or the syntax, it can be a hurdle if you're looking everything up.

I have been using Splunk for about seven years.

It has been very stable. It is pretty rock solid.

It is as scalable as you can afford. We have a pretty small user base of 75 users, and it is mostly data center administration staff, application administrators, and security people. It is more of an in-house solution than a customer-facing solution.

Our usage is moderate. We're okay right now. We primarily use it as a SIEM and log aggregator. We could use it for other things, but the cost is what is preventing us from that at this point.

We've had a few calls, and they're very responsive.

We were using an assist log backend with Rsync and Kiwi prior to that. It was more of a co-solution than a cobbled-together solution. Splunk was a big improvement. The main reason for going for it was just the rate at which we were growing. We needed to have something that was more scalable than what we had before.

It was pretty straightforward as compared to most applications. It had the ability to auto-deploy agents to end devices. Splunk infrastructure itself wasn't difficult to deploy or set up. They package that process, and it is pretty well-rounded. They even offer a jumpstart install service to help get it off the ground when you buy in, and those components work really well together.

It was all done within a day. Some of the endpoints took a little bit longer, but the basic install was done in the day.

We used packaged professional services from a partner of Splunk. Our experience with them was very good.

In terms of maintenance, it is pretty simple. There are fewer patches than there would be for supporting a Windows device. There is not much labor to maintain it.

It can be cost-prohibitive when you start to scale and have terabytes of data. Its cost model is based on how much data it processes a day. If they're able to create scaled-down niche or custom package offerings, it may help with the cost. Instead of the full-blown features, if they can narrow the scope where it can only be used for a specific purpose, it would kind of create that market for the product, and it may help with the costing. When you start using it as a central aggregator and you're pumping tons of logs at it, pretty soon, you'll start hitting your cap on what it can process a day. Once you've got that, you're kind of defeating the purpose because you're going to have to scale back.

They're kind of pushing everybody away from perpetual licensing into subscription-based models, which a lot of companies are doing too, but in most environments that I've been in, they prefer to go the perpetual license and then just pay maintenance on top of it. That's because it's easier for them to forecast the big expense up front.

I would advise definitely taking advantage of their professional services and making sure that the administrators and whoever is going to be using the tool go through the training. The cost for the training, which depends on if you're commercial or government, is not that much, and there is a definite value there because if you're trying to learn it on your own with a book, it is going to take forever.

I would rate Splunk a seven out of 10. 

We primarily use the solution for monitoring our infrastructure.

The models that we use are pretty mature at this point, which means we can be assured we are given the best use cases right out of the box.

We can just plug into the applications and everything is set up. There's very little configuration necessary.

The integrations that are offered with different tools are all very good. They offer integrations for all levels of security and have offerings from some of the other major solutions in the space.

The initial setup is pretty straightforward.

Over the years, I know they've been doing what they can to continue to add integration capabilities to their solution. If they continue to do that, that would be ideal. However, beyond that, there really aren't any features that I find to be lacking in any part of the solution.

On-premises scaling of the solution is a bit more limited than it is on the cloud.

The pricing of the solution needs to be a bit lower.

It would be ideal if the hardware could meet more universal global regulatory requirements. It would be great it the solution better aligned with global standards.

I've been working with the solution for three to four years at this point.

In terms of the cloud, scalability is very straightforward. It's just about as expansive as we want to go. When it comes to an on-premise deployment, there might be some scalability limitations. We've found we just have to cut hard on the resources as it does a lot of processing. Whereas the cloud is easy and has very little limitation, I'd advise others that on-premise may have some difficulties. 

On-premises, it's definitely on the customer to ensure they have the right plates. If they're concerned and they need 100% scalability, it's best to be on the cloud.

Technical support is very good. They know their product and they are responsive to requests. We're satisfied with the level of service provided to us.

We didn't have any issues with the initial setup. It's not too complex. We found the process to be very straightforward and very simple.

While I do understand that it is a premium tool, they could work to make it a bit less in terms of cost. It's a bit expensive.

We use a mixture of public and private cloud deployments.

I would definitely recommend the solution, having seen it work for others so well. Its ease of usage and its man integrations make it a great product. The way you can access whatever you need on the solution is very similar to a Google bar where you can search for anything you need. It's just a super quick responsive, product.

Overall, I would rate it a perfect ten out of ten. We have no complaints.

We use it for security incident event management and for IT service intermediates.

We sell it to clients so clients benefit from Splunk in terms of live security monitoring of their parent IP infrastructure base. Their IP security and network application base is where we have a 24/7 monitoring interface.

Splunk has many good apps and has a contribution from all security vendors. That's where Splunk wins.

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market.

Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. 

Its costs are too high and it should be more cost effective because it's going to be a cloud offering. 

Stability is perfect. It's a good product. The market right now is moving towards cloud. We will use cloud in our option strategy. One thing that Splunk does not have is a partner consulting base so Splunk depends heavily on its own consulting, which I think should not be there. They should promote more partners for consulting. In fact, their education program is also very costly for all partners. For example, if you want to get your guys certified it's really costly. Because they have a good solution, they're completely inflexible with pricing. I don't see a lot of enablement from Splunk. 

The initial setup is simple, not very complex. Initial deployment takes around 10 to 15 minutes to set up the entire base for Splunk including all three tiers.

The client has to bear that cost plus the initial infrastructure, Splunk does not come in and install it. The client, retailer or the partner has to do it. Secondly, then comes the software installation part of Splunk wherein you go and install the Splunk components. Then you have the configuration part which includes the revenue use cases on the Splunk apps on the Splunk platform which is another big phase. You can build your project the way you want to. It's a life phase. Use cases are not something which cannot be quantified. Initial set up can be done through the Splunk apps and then, later on, you can modify the use cases as per what the client needs.

Pricing is one factor that hurts everybody on the market; the client, the reseller, everybody that touches it. Only Splunk makes money. It is hard to have it for the long term if it's a stretch for your budget. Pricing becomes a problem and people are just focused on numbers rather than creating a vision for the entire product. That is the biggest factor I found with Splunk, that they just want to make money and they don't care about anything else. They lost national, country-level projects because of this attitude.

I will rate it as a security product an eight out of 10. There's no product which is perfect unless you go back and you create a psychic of the solutions.