reviewer1062186 - PeerSpot reviewer
Sr. IT Manager at a pharma/biotech company with 10,001+ employees
Real User
Good log aggregation and scales well, with good technical support that is responsive and helpful
Pros and Cons
  • "The most valuable feature is that it's very good for log aggregation."
  • "The implementation and the scanning of the logs can be difficult."

What is our primary use case?

We are using Splunk to look at the logs and see what is happening.

What is most valuable?

The most valuable feature is that it's very good for log aggregation.

What needs improvement?

Splunk is very complex. The implementation and the scanning of the logs can be difficult.

For how long have I used the solution?

I have been using Splunk for approximately three years.

Buyer's Guide
Splunk Enterprise Security
April 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,823 professionals have used our research since 2012.

What do I think about the stability of the solution?

In general, Splunk is stable.

What do I think about the scalability of the solution?

It's a scalable product. It's pretty good.

How are customer service and support?

Technical support is usually pretty good.

They are responsive, knowledgeable, and helpful.

How was the initial setup?

The initial setup was relatively straightforward.

What's my experience with pricing, setup cost, and licensing?

The price is comparable.

What other advice do I have?

I would rate Splunk an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
VMware Engineer at First Data Corporation
Real User
In-depth logs but downloading and uploading logs have become an issue

How has it helped my organization?

100%. VMware needs log information to troubleshoot; it's not easy finding problems.

Downloading and uploading logs have become an issue.

What is most valuable?

  • In-depth logs
  • Add-ons 
  • The ability to ingest data from other tools
  • The detailed log view
  • It's easy to read

What needs improvement?

  • The amount of time it takes to troubleshoot not-easily-available data
  • Also, hours on the phone with VMware techs.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Application Engineer at Expedia
Real User
The most valuable feature is its centralized log analytics
Pros and Cons
  • "We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health."
  • "The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer."

What is our primary use case?

The primary use case is for log analytics, although we have been using it as a hammer that hits all the nails. We have sort of overused it in some areas where it doesn't need to be used.

How has it helped my organization?

We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health. From there, you can drill in to see the real deep dive example of what is happening in your environment. It has reduced our time to resolve incidents. 

What is most valuable?

The most valuable feature is its centralized log analytics.

What needs improvement?

The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. What I am looking for is a better way to extract the data points, put them into a long-term view for year-over-year analysis, and then compare that to your other business metrics. As an example, for a call center you want to see the time it takes for your customer to be handled on their need compared to the system performance that is happening, then overlay that data.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We put a lot of trust in it. It has been pretty rock-solid outside of a couple of changes that we made. Upgrades don't always go smoothly, but otherwise the system performs and operates.

What do I think about the scalability of the solution?

When we were trying to implement an enterprise solution on-premise, we had scaling issues. It was very difficult to search the data retention beyond a few days. A lot of talent was given to the ability to go into AWS and scale with our need. We still had to do some administrative things to prevent consumers from trying to search all records for all time in very inefficient searches. This could sometimes bring our core system functionality to a halt, so we had to do some user administration in it.

How are customer service and technical support?

I don't engage with the support directly. Another member of my team does. Any time that we have needed support, he hasn't had an issue opening a ticket and receiving the help that he needs.

How was the initial setup?

The integration and configuration in the AWS environment was pretty good. They have a consumption method for pretty much every service. They might be able to do a little better at advertising different patterns for best practices for different services, but overall there's a method to get everything.

What was our ROI?

We have had a reduction in the time it takes to resolve issues and correlate what has failed. This has significantly helped.

Which other solutions did I evaluate?

We looked at the ELK Stack, Kibana, and Sumo Logic.

We chose Splunk because their cost is better, the maintenance factor is a little higher, and the core functionality is higher than what other products provide. The core functionality is out-of-the-box. E.g., with a Toyota Scion, you can customize the parts to make it whatever you want, but it's a lot of work to get there. Where if you buy a Cadillac, you pay the Cadillac's price, but it's a Cadillac. It will work right out-of-the-box.

What other advice do I have?

It works well when searching logs. If you look to try to do things beyond this, the problem that we ran into is that we treated it as the hammer which hits all nails. That is not really feasible, and there are other tools out there that can do more specialized things.

User administration is key. Trying to prevent users from being able to search records all the time is a huge problem. You need a tight approval process on dashboards, making sure the dashboards are queried in the most efficient way possible.

The on-premise version that we had was not scalable at all. It was very difficult to use. We have EC2 instances in the cloud with Splunk installed, which is more scalable and easier to use. It now works much better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
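The advice above about user administration and efficiently queried dashboards, together with the earlier point about consumers searching all records for all time, as an added configuration example that is not from the review and not one of Splunk's shipped defaults: a search role with a bounded time window, job and disk quotas, and a scheduled, time-bounded search that reads the accelerated CIM Authentication data model instead of raw events. The role name, index names, quota values, failure threshold and saved-search name are illustrative assumptions.

```ini
# Added example (not from the review, not a Splunk default). Role name, indexes,
# quotas, threshold and stanza name are illustrative assumptions.

# --- authorize.conf (search head; system/local or an app's local directory)
[role_dashboard_consumer]
importRoles = user
# Only these indexes can be searched; "web" is used when no index is given
srchIndexesAllowed = web;os_linux
srchIndexesDefault = web
# Widest time span a single search may cover, in seconds (7 days): stops
# "all time" searches before they reach the indexers
srchTimeWin = 604800
# Concurrent ad hoc searches per user, per role in total, and result disk (MB)
srchJobsQuota = 3
cumulativeSrchJobsQuota = 10
srchDiskQuota = 250
# No real-time searches for consumers; they hold indexer resources continuously
rtSrchJobsQuota = 0
# A single search is auto-finalized after this long
srchMaxTime = 15m

# --- savedsearches.conf: run the heavy query once on a schedule so the dashboard
# panel loads saved results instead of re-running the search for every viewer
[Failed logons by source - 5m]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
schedule_window = auto
# tstats reads the accelerated data model summaries, not raw events.
# summariesonly=true skips buckets that are not yet accelerated, so the most
# recent minutes can be incomplete until the acceleration job catches up.
search = | tstats summariesonly=true count AS failures \
    from datamodel=Authentication \
    where Authentication.action="failure" \
    by _time span=5m, Authentication.src, Authentication.user \
  | where failures >= 20 \
  | rename Authentication.src AS src, Authentication.user AS user
```

Deploy the stanzas on the search head (via the deployer in a search head cluster), then have the dashboard panel reference the saved search with `<search ref="Failed logons by source - 5m"/>` in Simple XML rather than an inline query. Two checks worth doing afterwards: confirm the effective limits per user rather than per role, because a user who also holds a more permissive role gets that role's larger window, and confirm the Authentication data model is actually accelerated for the retention you need, since `summariesonly=true` silently returns nothing for un-accelerated ranges.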
PeerSpot user
Splunker at freelancer
Real User
Quickly search for almost anything across many log sources in seconds
Pros and Cons
  • "We can do things in minutes instead of days."
  • "We solve issues that we previously could not since we now have the data."
  • "We can quickly search for almost anything across many log sources in seconds."
  • "The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code."
  • "AngularJS/ReactJS inclusion could be made easier in GUI."

What is our primary use case?

The primary use case is to analyse and monitor big data, creating various dashboards, alerts, etc.

How has it helped my organization?

  • We can do things in minutes instead of days.
  • We solve issues that we previously could not since we now have the data.
  • We can quickly search for almost anything across many log sources in seconds.
  • Teams have the dashboards or alerts that they need.

What is most valuable?

There are too many features to list, but here are a few:

  • Schema on the fly
  • Ease of onboarding data
  • Machine learning
  • Apps or Splunkbase.
  • Great list of apps to use and build upon once you learn more about how Splunk works.
  • Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.
  • Data Models Acceleration for super fast searches across tens of millions of events.
  • Common Information Model
  • Security Essentials App
  • Enterprise Security
  • Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities.
  • Log storage or compression is great and retention is not an issue.
  • Dashboards are simple to create and have input options, like time range and text.
  • Drop-downs are simple to create.
  • The integration with cloud solutions is great and keeps getting better.

What needs improvement?

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.

Also, AngularJS/ReactJS inclusion could be made easier in GUI.

For how long have I used the solution?

One to three years.

What was our ROI?

Personnel costs are saved by not having to involve domain developers from multiple teams when tracing a problem that spans multiple platforms.

What other advice do I have?

We build many of our own apps by leveraging the logic in others.

Disclosure: My company has a business relationship with this vendor other than being a customer:
PeerSpot user
Splunk Administrator at Arizona State University
Real User
Provides important insights to more efficiently make decisions and take action
Pros and Cons
  • "My favorite example of improving our organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports."
  • "Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data."
  • "While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged."
  • "Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run."

What is our primary use case?

We use Splunk primarily to provide our security and ops groups with important insights to more efficiently make decisions and take action.

How has it helped my organization?

My favorite example of improving our organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports.

What is most valuable?

Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.

What needs improvement?

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.

While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Principal Engineer at Publix Super Markets
Real User
A more secure, robust environment, which keeps out harmful software
Pros and Cons
  • "Visualizations are the best way to understand deviation techniques from the norm."
  • "We have a more secure, robust environment, which keeps the harmful software out of the zone required."
  • "More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results."

What is our primary use case?

Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.

How has it helped my organization?

We have a more secure, robust environment, which keeps the harmful software out of the zone required.

What is most valuable?

The most valuable features are:

  • Risk analysis
  • Machine Learning Toolkit
  • dbConnect
  • Cisco products
  • eStreamer
  • SIEM

Visualizations are the best way to understand deviation techniques from the norm.

What needs improvement?

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Business Intelligence Developer at Arizona State University
Real User
Search language is easy to understand and teach to new users
Pros and Cons
  • "Support is quick and competent."
  • "Search language is easy to understand and teach to new users."
  • "Certain sections of the developer documentation could use some updating and clarification."
  • "Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling."

What is our primary use case?

  • Monitoring IT and other processes for a large university.
  • Leveraging alerts and dashboards to detect and predict security breaches and other events.

How has it helped my organization?

Splunk has enabled us to detect, even predict potential security issues, before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.

What is most valuable?

The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data. 

What needs improvement?

  • Certain sections of the developer documentation could use some updating and clarification.
  • Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
  • Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

For how long have I used the solution?

Three to five years.

How are customer service and technical support?

Support is quick and competent.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints
Real User
Helped us consolidate all our solutions into an easy tool to use for various employees
Pros and Cons
  • "It helped us consolidate all our solutions into an easy tool to use for various employees."
  • "More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it."

What is our primary use case?

We use Splunk for operations, application monitoring, and security. We are both cloud and on-premise based, so it has been very versatile for us. 

How has it helped my organization?

It helped us consolidate all our solutions into an easy tool to use for various employees.

What is most valuable?

  • Unstructured data
  • Linking things together
  • Building out stuff which is actionable.

Once you learn SPL and what data you need to obtain and merge together, it is really useful. 

What needs improvement?

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

Which solution did I use previously and why did I switch?

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

What was our ROI?

We are a nonprofit, so it is hard to quantify. 

What's my experience with pricing, setup cost, and licensing?

Be upfront about your needs and expectations. Splunk is one of the top SIEM solutions to work with. 

Which other solutions did I evaluate?

No.

Disclosure: I am a real user, and this review is based on my own experience and opinions.