Splunk Enterprise Security Reviews

It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.

It is the best tool if you have a complex environment or if data ingestion is too huge.

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

We have been using Splunk for more than four years.

Its scalability is very good. Companies nowadays are totally dependent on tools like Splunk. It is widely used in our organization. We have a huge team that uses it on a daily basis. For onboarding, we have another team, and we also have a team for Splunk monitoring. We have a large amount of data ingestion per day, so our team has more than 25 people in it.

In my current company, I have seen the tickets getting resolved soon. In my previous company, which was a startup, a P1 ticket generally took 24 hours or less. They called us back and resolved it as soon as possible, but if it was a P2 or P3, I have seen them taking a month or more.

We worked with QRadar for some time, but after that, we just came to Splunk.

It is straightforward. The deployment duration totally depends on how you are working.

We have it on-premises as well as on the cloud.

We have an unlimited one, and we pay yearly, but I don't know how much it costs. Previously, I worked for a startup, and when they started building it up, it was complicated for them because they didn't have the budget for that many licenses. It was very costly for them. So, startups might find it a little bit problematic because of the licensing, but for bigger companies, there is no issue.

If it is a complex environment and data ingestion is huge where you want to ingest Syslogs or networking devices logs, you should go with Splunk. It is better than QRadar. Nowadays, the usage of AWS is growing, and that should be taken into consideration when deciding about on-premises or cloud deployment.

I would rate it a nine out of 10. I find it great. I'm very eager to do the Splunk certifications as well.

I work for a government agency and we use Splunk to monitor our Cisco equipment. I'm a senior network engineer and we are customers of Splunk. 

This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything; jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market. 

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics. 

I've been using this solution for 10 years. 

The product runs on Linux so it's very stable. It's important to have a well-run SAN environment to store the data. 

The solution can be scaled up to any size of enterprise or agency. I have heard of Splunk installations of over 100 terabytes of licensing.

We used Logrhythm previously but it was not a good fit for our environment. That is why we switched to Splunk.

The initial setup is fairly complex. There's a certain architecture that Splunk utilizes to handle its indexing and it also depends on the size of your deployment. If you have a relatively low amount of gigabytes per day, deployment is simple. And of course it scales to terabyte, so if you have a terabytes installation, there are a lot of additional services that need to be implemented such as licensing servers and clustering. We sometimes configure syslog NG servers to front end the date before it ends up at an indexer. If it's a large terabyte installation, you definitely want to use professional services.

This was implemented through a combination of in house and vendor developers.

n/a

Splunk charges on the basis of gigabytes of incoming log messages per day. Also I would recommend that funds be set aside for Splunk training and certification.

There is a large number of options for training and certification. The more training you have the more useful Splunk becomes. However, right out the gate you can do useful searches due to the search bar design.

The most valuable feature of Splunk is security information and event management(SIEM). Additionally, the solution is easy to use, has useful reports, and good interface.

I have used Splunk within the past 12 months.

Splunk is stable, and this is why many customers want it.

The scalability of Splunk is good. Customers can purchase 100 GB now and if they wanted more, they can immediately add an additional 100. The customer will have to only pay for additional licenses.

I hear that customers usually have support on time from the Splunk team. Generally, they are satisfied with the response they receive from Splunk.

The total time of the implementation depends upon the customer's requirement. The factors that affect the implementation time are the type of use case, the environment of deployment, one location or multiple locations, number of devices, and applications. The requirements play a large role in the time it might take for implementation. You cannot simply explain in one week or one month.

There are two to three people required for the implementation of Splunk.

The price of this solution is expensive. However, it has great features. If you want a great solution you need to pay a price matching the features.

If this solution matches the needs of your use case then I would give it a try.

I rate Splunk a nine out of ten.

We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, windows active directory, and those types of use cases.

Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.

The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.

We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.

Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.

I have been using Splunk for probably 10 years.

At least in our environment, it is super stable. When you think about how much time you spend working with other applications, just Windows Server requires more feeding than Splunk does, you see that Splunk is a very low maintenance care and feeding product.

We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.

I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.

We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.

I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.

Their technical support sucks.

My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.

I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.

Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.

We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.

We used an integrator.

The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.

When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.

The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.

I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.

We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.

We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.

My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.

On a scale of one to ten, I would rate Splunk a really good nine.

I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.

My customers subscribe to many different tools, like CrowdStrike. They ingest all that into Splunk and use it as an aggregator to launch their investigations into any threats detected.

The solution has improved our organization by providing a centralized place to start investigations. It allows us to consolidate everything into one place that kicks everything off so we can map it back to at least that Splunk instance.

The solution's most valuable feature is its data modeling. Splunk has data from so many different vendors. Moving all that or normalizing that to the data models allows us to look at one place holistically across all the different inputs.

The one problem Splunk has is writing correlation searches. My analysts are intimidated to write queries to create correlation searches. It would be good if the solution had some kind of copilot to automate or help write correlation searches. Splunk Enterprise Security should include more automation, AI, and machine learning capabilities.

I have been using Splunk Enterprise Security for three to four months.

We haven’t faced any issues with the solution’s stability.

We haven’t faced any scalability issues with Splunk Enterprise Security.

The end-to-end visibility the tool provides is not that big of a deal. They have so many tools that can do that kind of part. Splunk doesn't have to be the one place for total visibility, but at least for visibility when it consolidates on threats.

Splunk has helped improve our organization's ability to ingest and normalize data. The tool pretty much consumes everything that we have. Everything from dozens of different vendor products gets ingested into Splunk. Splunk Enterprise Security is just that one central place where everything goes.

Splunk Enterprise Security has helped speed up our security investigations. Something that requires someone to work on it at the beginning of the day would not take more than 15 minutes with Splunk Enterprise Security.

Overall, I rate the solution an eight out of ten.

Enterprise Security has reduced our mean time to detection to results. It used to take 25 to 30 minutes and now it's down to less than ten minutes. 

Our customer has been far more satisfied with our incident response and remediation since we adopted Splunk several years ago.

Our time to value was within a few weeks to a month.

The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.

Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.

It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.

Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

I have been using Splunk Enterprise Security Enterprise for three and a half years. 

Stability is excellent. It is the most stable SIEM solution I've worked with.

Scalability is excellent. If you need to add more capacity, you can add more indexes, and more search heads as you need. The environment stays stable as you're doing it if you do it the right way. 

My environment is about nine indexes, four search heads, and about 800 GBs a day.

Their support is excellent. Every case I ever had to put in has been handled and resolved in a matter that I would hope for many support tickets.

I would rate them a ten out of ten because they are much more responsive than a lot of other vendors I've worked with.

Positive

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

I was involved in the initial setup with the help of their professional services. It was complex at first because my colleagues and I did not know the application that well. There was definitely a learning curve but once we started to understand how to design it the proper way and how to manage it the proper way which made things a lot easier.

It's more expensive than the other tools but it's worth it. Every penny is worth it. They do analytics better. They do security investigations better. They do everything better.

I would rate Splunk Enterprise Security a ten out of ten. I have worked with other SIEM solutions before and Splunk is the best one.

The biggest value I get out of attending a Splunk conference is getting to network with other people within my same account under my same account manager. I appreciate the ability to go to sessions about different support products that my organization doesn't use and try to help myself understand how some of these tools are used and how I could encourage my organization to use them.

Enterprise security is the solution’s most valuable feature.

Its reporting functionality is excellent.

I really like the user interface and how it works.

It’s scalable.

The solution is stable.

You can integrate any other tool or any other solution, including existing solutions, with Splunk. They have a good setup.

The log analysis is something that is good. In general, data analysis is something you can do in Splunk in various ways. You can leverage it as per your requirements or as per your investigations. You can write your own queries and complicated queries, and you can have your own alerts. You can correlate events. It’s very flexible.

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something.

Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

It's been a while. For maybe four years, I've used Splunk, however, I'm not an expert on it.

It's a stable solution. We are not going to get rid of it anytime soon. It’s reliable. There are no bugs or glitches and it doesn’t crash or freeze. The performance is good.

The solution scales very well.

I wasn't part of the engineering side, so I never got a chance to contact the support team directly.

We have a SIEM solution, however, now the company is also trying to move to an Excel solution since the automation is better on their side. We aren't going to get rid of it or did not have any other SIEM solution in their mind when they were acquiring it. However, if any XOR solution works perfectly for us, the company might consider moving out of Splunk.

A different organization would have a different setup of Splunk. If you ask me, mostly, it is a simple setup. However, here in my current organization, it is mostly on the cloud, and a lot of things are integrated in a bit of a complex manner. I also understand that this changes from organization to organization in terms of how they will leverage it.

I’ve never looked into ROI and have not been a part of conversations concerning ROI.

I don’t have any idea what the cost of the solution is. I don’t handle the licensing.

A company that wants to leverage Splunk should understand its environment first - including the organization, the network infrastructure, and the overall infrastructure. Then, based on requirements, they should go ahead with any SIEM solution. Splunk is kind of an expensive tool to have. Therefore, the company should be clear about what requirements they have, what they need, and whether they want to use Splunk. It is very crucial to understand your requirements and your network or your environment first before going ahead.

I’d rate the solution eight out of ten.

Overall, it's a good tool. It's a very intelligent tool. It definitely depends on how you are going to use it. However, I love the product. I love Splunk. I want to learn more about it as much as I can.

Splunk just acts as an extra presentation layer, and we tried it because of the plugins they have to try and get more logs into the environment.

Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize.

Aside from the 5GB limit on the community version, I believe it is the same as ELK. It's a useful tool, and nothing comes to mind right now.

I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part.

Splunk is a stable solution. I am very happy with the stability of Splunk.

Splunk can be scaled to any environment. The way it's designed, it's cloud-ready, and it has a lot of performance, in-built indexing, and performance tuning options. Splunk is easily scalable.

I am happy to report that I've never needed to contact technical support. The README tutorials and the existing forums provide me with practically everything I need. So far, I haven't had to do so. This should be a testament to the solution.

We broaden the scope of IT governance and IT security.

We look at everything from SIEM to network management to endpoint protection, server protection, database protection, and anything else that can aid in visibility, policy enforcement, and monitoring.

Our organization is using a combination of Splunk and Elasticsearch. We get most of what we need from the ELK suite. ELK Stack is usually the primary focus.

ELK has the same inbuilt reports and dashboards that you can customize, but ELK is better for central logging and log aggregation. Once they've all been aggregated, you'll be able to run any kind of queries and APIs to query the logs on ELK and then use Splunk as a presentation layer for the consumers to use.

Security tools, in my opinion, are business tools and should be used by businesses rather than security engineers. I'm experimenting with a hybrid of the two, in which ELK serves as the engine for central logging and Splunk handles the presentation layer and aggregation of additional third-party logs from tools that might be difficult to integrate into ELK.

I would rate Elasticsearch a ten out of ten.

It's a cloud-ready package. It has the same characteristics as ELK. From a deployment standpoint, I don't have any issues with it. The material is freely accessible to anyone who wishes to use it. There is a virtual machine option. You can get a virtual machine by downloading it. The deployment options are simply numerous, and it is up to the implementer.

It wasn't that difficult for me. There are no complaints from me. The material is present, and there are numerous options for deployment. It's relatively simple to go from zero to viewing data with Splunk. ELK is the same way. It is now up to the implementers and their environment to provide you with more data about it.

They could improve their discounts. I think it's a good solution, and it's gaining a lot of traction, maybe they are recouping their R&D costs, Further reductions would be fantastic, and I believe that more and more people would flock to it.

We provide IT consulting services. Our customers occasionally ask us to assist them in locating specific solutions.

I would recommend this solution to others who are interested in using this solution.

I would say the forums and READMEs provide more than enough information about Splunk. Most people struggle because they move too quickly through the implementation process. As long as you follow the guidelines, particularly the specifications for environment requirements and implementation methodology, these solutions should work out of the box.

Splunk is a very good solution, I would rate it a ten out of ten.