Splunk Enterprise Security Reviews

The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.

Splunk's capability to receive any types of logs and index them is a very good feature. To get visibility from your network devices, servers, and security devices is a great feature.

Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.

Not at all.

None.

Customer Service:

Excellent. I didn't call often however, when I did they pretty much solved my problem.

Technical Support:

Excellent. I didn't call often however, when I did they pretty much solved my problem.

No solution was available at the time.

No the initial setup was fairly basic.

In-house. We had professional services however, we did the install prior to the consultant arriving. So, his workload was light considering we had already installed and configured the Splunk servers.

We purchased and paid for it as an annual subscription for three years and working on purchasing the Perpetual edition.

Pricing is pretty fair. However, I would suggest you trial for at least 90 days if you can get the sales person to offer you the option to renew your 30 day trial a couple of more times to evaluate. The 30 day trial is not enough.

The other SIEM solution providers we looked at were ArcSight, QRadar and SolarWinds LEM.

Splunk is a good product. Pricing is a bit high however, after it's installed you can understand why and get caught up in reading the logs that are available.

We primarily use the solution for monitoring and security.

We can use the solution to try to find some correlational data. For example, in banks, there is usually a protocol whereby users cannot withdraw more than a certain amount of money from an ATM. However, we find that, when people are on holiday, they are trying to withdraw more than the allowed amount. It's a use case we can deploy in our country. You can set certain rules and watch the data in order to gain insights.

I cannot speak to a specific example of how the solution has assisted our organization.

The solution's capability is its most valuable aspect.

The initial setup is very straightforward.

The solution has proven to be quite stable.

We've found the solution to be very mature.

The integration capabilities are excellent. They have apps that integrate quite well with Palo Alto and Cisco, for example.

Sometimes it becomes very difficult to find certain results from Splunk. Not all users are developers and they are not able to write code to find specific results or specific details from Splunk. From a user perspective, the solution needs to improve the search functionality.

The dashboard could be improved. If it was easier for non-developers or those working in network security, it would be ideal. It would be nice if they had a built-in dashboard for those who are less knowledgeable in coding.

The product is relatively expensive. 

I haven't been using the solution for very long just yet.

The solution is very stable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

We do not plan to increase usage at this time.

We've used technical support in the past. We've found them to be very helpful and responsive. We're satisfied with the level of support that we receive when we reach out for help.

I've previously used LogRhythm, among other solutions. We sell a few different solutions.

The initial setup is not too difficult. It's not overly complex. It's straightforward. The code is very easy.

The deployment took two or three months or so.

We used an integrator to assist us in the initial setup.

The problem with the product is that the price of Splunk is very high. It is an industry leader and therefore it's high in terms of price. That is the issue in our country. Sometimes people want to buy Splunk, however, due to the budget, they are not able to.

We are resellers.

We use a variety of deployment models, including private cloud and hybrid.

This solution is the best security solution. If a company is looking for the best, they have to buy Splunk. It is a very good and very mature solution. It is very easy to integrate with some other service or security solutions. If they have specific solutions that need to be integrated for monitoring purposes, it should be a problem. For example, it integrates very well with Cisco.

I'd rate the solution at a ten out of ten. We are quite happy with its capabilities.

There are quite a lot of things that we find useful. Splunk agents are useful and good. Its UI is quite impressive.

Its pricing model and integration with third-party services can be improved. We had faced an issue with integration. 

The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature.

A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable.

I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.

I have been using this solution for almost two years. I am using its latest version.

It is a stable product.

Splunk is definitely scalable.

I have not interacted with them. Another team is taking care of raising tickets with their technical support.

It is quite simple.

Its pricing model can be improved.

A few years ago, I would have definitely recommended Splunk, but nowadays, better alternatives are available. We are currently exploring a few other alternatives, so I won't recommend Splunk as of now.

I would rate Splunk a seven out of ten.

My reason for implementing it was just to learn more about the product. I wanted to learn about the Splunk programming language, how to pipe searches, add logs, verify the logs, create fields, extract data into fields, build dashboards, and to get hands-on experience with the product.

The Splunk programming language allows you to pipe searches into another searches.

What I really like is that even if you have already collected the data, you can extract data and  add fields which improves building searches. This is not the case with Elasticsearch, where this needs to be done upfront.

I really dislike how Splunk sales and partner manager behaves. I have faced several sales model and partnership changes. Also, the last time I wanted to by a license ro built a SIEM solution, they had removed the ability to purchase a splunk subscription or license from their website. In the past, there was a web page calculator it was possible to by online, but now it instructs to contact sales.

The free version is limited to 500 megabytes and there is no alerting. Due to the missing feature on the Splunk webpage, I have ask Splunk Sales to purchase a license like 1Gyte a day or a license for max 2500 Euro/year to use it as a test or development instance for myself. Asking Splunk for a quote willing to pay for Splunk license to learn and to get used to the product, Splunk didn't get it managed to offer my a license neither arranging the partnership paperwork I have ask for. Sales people from Splunk where calling, each time after I left my details on ther trial download page. I explained my experience and concerns about Splunk in the past. All excuses received and promises that someone will contact me to solve the issues faced in the past, was leading in excactly nothing. Well Done Splunk.

Inflexible and expensive and I do not have much faith in the people working there because if someone is asking for a test environment and is willing to spend up to €2,500 a year, I can't understand why they are unable to provide a license. This could be a lost opportunity because they are not able to onboard a potential new partner.

They definitely need to boost their sales and partner program because it changes to often, where they are dropping partners and it is difficult to get in contact with somebody. This is something that needs to be improved.

I would like to see more SIEM functionality and embedded moduled such a ticket tool to make a end to end SIEM.

I have been using Splunk for a few weeks.

As I was using a test environment, I can't comment on scalability. It was just myself and a colleague who was using it as a test instance.

I have not been in contact with technical support.

I have worked a little bit with Elasticsearch. I also have an instance of SIEMonster running, and I'm trying to get used to it. I found that Splunk provided a good benefit compared to Elasticsearch.

With Elasticsearch, if you have already inserted the data then it's gone because you need to do the pre-filtering. Once you've inserted or ingested the raw data, using Logstash, for example, you are no longer able to build the fields such as IP address, hostname, username, and the other fields that you want to export. This unsorted, raw data that you have is really a drawback for Elasticsearch and some other products. This is something from Splunk that I consider to be a heavy feature, where you can just insert data and ingest it later on.

really fast and easy to install a test instance.

The pricing model is expensive and could lead into a budget nightmare based on the amount of data.

A better pricing plan would be an improvement.

I have done some research on LogRhythm, IBM QRadar, and ArcSight, but I don't have any hands-on experience yet.

I did a comparison for a customer two weeks ago and the outcome of my comparison was SIEMonster, effortable price model, even though it's a niche player, it's quite powerful. I also provided Splunk as a recommendation because it is a market leader, really powerful, and really good to use. I also recommended LogRhythm; it is also expensive but it's also really powerful, and the feedback of customers is really good.

With respect to Splunk, I would recommend it but when a customer is budget-driven then Splunk is not the solution. Money shouldn't be the question.

This is a solution that I could recommend for somebody who wants a really powerful product. It is not an end to end orchestrated SIEM yet.

This is a product that I would generally recommend, although I would not do so if the customer is really budget-driven.

I would rate this solution a six out of ten.

We use Splunk for log analysis and security monitoring.

Splunk allows us to look at logs from different groups within NIH and see if there's a widespread threat or issue.

The most valuable feature is the log aggregation, being able to scan through all of the logs.

Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for.

In the next release of this product, I would like to see it offer more recommendations as to what needs to be done.

We have been using Splunk for between two and three years.

In terms of stability, the product seems to work just fine. We haven't had any problems with it.

It can be somewhat of a resource hog; some of the scans can take a while. We do plan to increase our usage in the future.

Technical support for Splunk is good.

The initial setup is relatively straightforward.

There were consultants involved in the deployment.

I would rate this solution a seven out of ten.

• Log mining
  
• Log analysis

It has helped us look at modern technology, as well as penetrate our legacy systems, to see where the bottlenecks are.

• The product is adept at log mining.
• It has the flexibility to do multiple analyses.
• It works across heterogeneous environments in different ways. 

I have not tested the hybrid model yet. I don't know whether all its integrations and interfaces will work between the cloud and on-premise model. I also don't know if across multiple clouds all the products will perform properly.

If it could be made available as a service, this would be much better than as a product.

It is stable under production environments.

The scalability is decent. We have implemented it in our production environment, and it scales.

We have seen ROI and improvements as we have continued to use the product, but they are more reactive. We want to be proactive on an enterprise-wide scale.

We considered Oracle Enterprise Manager, but Splunk is way more powerful. Splunk is product-agnostic, as it can move across different platforms and products. 

Explore Splunk. The product has a lot of depth.

It works with multiple products which are scheduling systems to ERPs to legacy, and it works perfectly fine.

I use the on-premise version. I have not had the opportunity to explore the AWS on Splunk version yet.

We use Splunk Enterprise Security for our enterprise security.

Adding more use cases to Splunk can improve our threat detection speed.

It has helped normalize our data.

Splunk Enterprise Security has helped reduce our alert volume and speed up our security investigations.

The graph visualization is the most valuable feature.

Splunk Enterprise Security needs to improve its stability.

The UI can be difficult to understand for non-technical people.

I have been using Splunk Enterprise Security for four months.

I would rate the stability of Splunk Enterprise Security a four out of ten. Some bugs cause downtime.

I would rate the scalability a six out of ten.

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security's robust framework enables it to support a wider range of use cases, making it more adaptable and versatile for tackling diverse security challenges.

We have Splunk Enterprise Security deployed across multiple locations.

Splunk Enterprise Security's visualizations are detailed and help users normalize data, making it extremely useful.

The vast array of use cases enabled by Splunk Enterprise Security empowers security teams to address diverse threats and enhance overall security posture.

We primarily use the solution for log management and security purposes.

The log management is great.

It has a very good alert tool that you can create with the logs that Splunk gets.

You can check up on security from the dashboards. We use some custom applications which we have created by ourselves. It's very helpful to have custom dashboards with knowledge of the system of what we monitor.

The initial setup is simple. 

We have found the solution to be stable.

Its scalability is quite good.

Right now, everything is good. I don't really have notes for aspects of improvement. 

There can be a bit of complexity around some fields during the initial setup. There are some places where you have to use regular expressions to parse logs. The part of parsing logs correctly is the most, let's say, difficult thing, and when this is done, all of the other things are easier. Anyway, the regex part is a very good feature and in my opinion, it should stay like it is, because it gives a lot of flexibility. Customers may learn to use it or use technical support.

The cost of the solution is a little bit high.

I've used the solution since 2016. I've used it for around six years at this point.

In terms of stability, it's reliable. There aren't bugs or glitches. it works well. It doesn't crash or freeze. 

The solution is scalable. If a company needs to expand it, it can do so.

We have a technical support contract.  

For the most part, we can do it probably ourselves. When technical support helps us, however, everything goes pretty smoothly. We are quite satisfied with them. We typically get immediate support and assistance.

The ease or difficulty of the initial setup depends on the infrastructure of the organization. However, when we have installed it, it was pretty simple. That said, there are some fields that are complex, and for this, we have support.

We did get support to assist us with a few complex fields.

We pay a yearly license. You do need to set up a contract for technical support.

While I don't have details about the exact pricing, my understanding is that it can be a bit expensive. 

We are a customer and an end-user.

I would rate the solution at a nine out of ten. We've been very happy with its capabilities in general. 

The only downside is the pricing. If the price would be lower, you would have the possibility to buy more capacity for parsing logs per day. In Splunk, you have a daily limit of logs that will be parsed. If you place that limit several times, the Splunk license will be blocked and you have to talk with support to get a recovery license. With the capacity, you can include, let's say, 30 servers, but if you want to include another 20 servers, you have to buy an additional license, which is very costly.

That said, for medium and large enterprise businesses it's really necessary to have. Even in smaller businesses, it is good to have. It's just the price that would stop small businesses from taking it on. 

If a small business has less than 500 MB logs/day, they may use a splunk free license.