Splunk Enterprise Security Reviews

I use this solution for data visualization.

The most valuable features of the solution are it is straightforward to use and the documentation is good for finding out how to get the data you are looking for.

The solution could improve by making it more business analysis oriented. The way it is now is designed more for developers.

I have been using Splunk for two weeks.

The solution is stable, I have not experienced any bugs or glitches.

The solution is scalable and it is a requirement of my company to have scalable solutions.

I have used previously Qlik Sense and Kibana.

I did the training with Slunk and once I had the training the installation was easy.

I have evaluated Tableau.

My advice to others is not to be intimidated by the solution and to give it a try. It will become easier over time.

I rate Splunk an eight out of ten.

We are using it for security information and event management (SIEM). We have started to use Splunk recently, and we are in the implementation phase as of now.

The data analysis part is good in Splunk, which is something that I like the most. It is also quite easy to use. Its dashboards, visualizations, and analytics are good.

It currently has limited default rules and customizations. If they can concentrate more on the compliance part and the security information part, it would be helpful. The platform part is good, but it requires many features from the security aspect.

I have been using this solution for a couple of months.

It is absolutely stable.

It is scalable. We have approximately 25 users.

It was easy to install. Its configuration and development are the critical parts, and there are a limited number of people in the market with such a skill set. It takes some time to find people with the right skill set and get it implemented properly. It took approximately three months.

I have a team of a few Splunk consultants who are currently managing it for me. For a mid-sized organization, at least 15 persons are required to manage the entire Splunk instance.

I would recommend this solution to others. I would rate Splunk an eight out of ten.

We are using Splunk for cybersecurity operations.

Its dashboard is valuable. If you have a good knowledge of how to create a dashboard, you can create any dashboard related to cybersecurity. If fine-tuned, the alarms that are triggered for instant review are also very valuable and useful.

Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they can make it easier to understand how to create search queries. They can improve the knowledge base for better understanding.

To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard is included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operation part will be more efficient. We won't have to follow a manual process for this.

I have been using this solution for eight months.

In terms of operations, it is stable, but if you don't have a proper configuration and sizing, there could be many issues. It could be more efficient on the storage part. We are still in the deployment stage to be able to say that for sure.

It is very scalable. Currently, we have around 50 users. We will increase its usage if more people need access.

We have raised multiple tickets. Some of them are good, and some of them can be better. Overall, their technical support is okay.

We didn't use any other solution.

I didn't do the initial configuration. I take care of the operations part. One of our clients did it, and it is somehow complex, and it takes time. It also depends on your knowledge. If you don't have knowledge of Splunk, it is complex.

We are a partner of Splunk. So, we did not evaluate other solutions.

I would rate Splunk a seven out of ten.

Because I'm security focused, I prefer the security features such as Splunk Phantom and Splunk Enterprise Security.

We need to get a Splunk Cloud instance inside South Africa's borders. At this stage, we are pushing Splunk Cloud, but it is not yet within South Africa's borders. So we've got data sovereignty issues, especially with government organizations.

Technical support could be improved as well.

Splunk can be an expensive solution. I think that they need to change their pricing model. At present, it is based on the number of gigabytes that you ingest into the Splunk system. Their competitors are now starting with a pricing model where you pay per device talking back. If Splunk could have a similar alternative, it would then allow people to choose the data model they want such as set data or a set number of devices.

I have been using Splunk for three years.

The technical support here in South Africa hasn't been great, but I understand why as we make up less than 3% of Splunk's total revenue in the world.

The initial setup isn't overly complex, but it's not easy either.

The pricing model is based on the number of gigabytes that you ingest into the Splunk system. So it can be an expensive solution.

Plan your requirements properly from the beginning so that you can get the most value in a shorter space of time.

On a scale from one to ten, I would rate Splunk at six.

There are quite a lot of things that we find useful. Splunk agents are useful and good. Its UI is quite impressive.

Its pricing model and integration with third-party services can be improved. We had faced an issue with integration. 

The alerting feature is currently not available with Splunk, but it is definitely available with Datadog and PagerDuty. They should include this feature.

A few dashboards in Splunk look quite old and are not that modern. They aren't bad, but improving these dashboards will definitely make Splunk more attractive and usable.

I read in a few blog posts that there were a few security incidents related to Splunk agents. So, it can be made more secure.

I have been using this solution for almost two years. I am using its latest version.

It is a stable product.

Splunk is definitely scalable.

I have not interacted with them. Another team is taking care of raising tickets with their technical support.

It is quite simple.

Its pricing model can be improved.

A few years ago, I would have definitely recommended Splunk, but nowadays, better alternatives are available. We are currently exploring a few other alternatives, so I won't recommend Splunk as of now.

I would rate Splunk a seven out of ten.

Its integration is most valuable. Its UI is also pretty much easy.

Its setup is a little bit complex for a distributed environment. 

Their support can also be better. If we raise a case with Splunk support and by any chance we missed to respond for more than a week, they usually close the case. Sometimes, it can take us more than a week to reply. In that case What they can do is they can send a followup mail before closing.

I have been using this solution for a year now.

It is very stable haven't encounter any glitches or bugs till now.

It is very much scalable. I am acting as an admin, and we have more than a hundred users of this solution in our company. We use it on a regular basis. We currently don't have any plan to increase its usage.

I would rate them an eight out of ten. Their response speed is okay, but if, by any chance, we miss the response for more than a week, they usually close the case. Sometimes, it can take us more than a week to reply.

This is the only solution that we have been using.

Its setup is pretty much easy for standalone, but for a distributed environment, it is a little bit complex.

I would recommend this solution to others, but it should meet their needs and architecture.

I would rate Splunk a nine out of ten.

It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool.

It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.

If you have to do your own stuff, such as customized charts, it is a little bit more work, but once you're familiar with the Splunk query language, you can pretty much do whatever you want. In terms of features, it should probably have the features that other competitors provide.

I have been using this solution for about three to four months.

I'm not sure. I do not really throw a lot of data in it, but it has been authenticated very nicely. It manages indexes and all of these things very nicely. I have not been privy to any production systems where you have millions of lines of log coming in every second. It works very well for the data that I have. It should be able to handle a lot of data. That's the whole purpose of it, and that's why Splunk has become so popular. It is an enterprise monitoring tool, and a lot of customers have Splunk in their ecosystem.

They have pretty much good documentation and good training. Their documentation is a lot better than Qlik Sense.

Splunk is an enterprise monitoring tool. Qlik Sense can do a little bit of log monitoring, but it is mostly used for dashboard reporting, whereas Splunk is more around monitoring and figuring out threats and all such things. They are different, but both deal with the data and allow you to create operation reports. 

Power BI is another tool that a lot of our customers use, but Splunk is quite often requested. It is also a lot more popular than Qlik Sense. We have a fair number of Qlik Sense customers.  

We usually sell Blue Prism to business users who are more concerned with the reporting aspect, which is why they would like to have easy tools like Qlik Sense in their ecosystem, but on the infrastructure side, it would be Splunk for enterprise monitoring.

Simple environments are easier to install. Because there is a lot of data log monitoring, once you have a production system, there is some amount of work in setting it up, especially making it SSL Secure and exposing it on the internet. There are multiple components behind it, so you need to ensure that all these things are set up correctly. These kinds of things are not required on a cloud platform because you are just uploading data. You really don't have much access to the backend.

Splunk also has a cloud version, which I haven't looked at, but I have used Qlik Sense's cloud platforms. With on-premises, you are in control of pretty much how you set up all the data that you are sending out. A lot of our customers have the issue that if it is a cloud platform, they cannot really send out the data to any of these cloud platforms. So, there are data residence and other issues.

It is economical than other solutions.

I would definitely recommend Splunk. It is quite a decent tool, and it is there in a lot of enterprises.

I would rate Splunk an eight out of ten.

Security. We have built SIEM solutions three times from the ground up (not ES) using Splunk for some of the largest companies in the world.

Out clients went from unhappy using inflexible, poorly-supported products (in some cases barely functionally) to confident and excited when using Splunk. Not only are they able to do their security jobs and investigations, but they are also easily able to modify and evolve their implementations themselves to keep up with the shifting sands, which is the SecOps landscape.

• Core Splunk
• Saved searches
• Dashboards (SimpleXML) 

With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow. Then, you have your own SIEM.

• It needs integration with a configuration management solution. 
• It could use better password management for forwarders. 
• It needs a better way to export dynamic views without requiring a ton of code and user/pw.

Almost 10 years.

Unfortunately, lately every release has a new memory leak.  Be SURE to upgrade late and READ THE RELEASE NOTES, especially the "Known Issues" section.

We only ever have issues when deployed on VMs and the VM admins do not do what we tell them to do which is EXCLUSIVELY RESERVE OUR RESOURCES.

It used to be great (but perhaps that was because my employer at the time was a key prospect in a vertical where Splunk had no customers) but Splunk support is definitely a victim of Splunk's explosive growth.  The first tier support is as bad as it is most places and getting worse all the time.  If you KNOW your problem is not run of the mill, ask for escalation immediately.  Also the clock on the case does not start until somebody adds a note to the case so always call in and ask if they got your diag file (always attach a diag) and the person who answers will have to add a note to the case which will start the clock.

I have dabbled with LogRythm and ArcSight and they are both OK, but Time-To-Value is WAY shorter with Splunk, IMHO.

Use bare metal severs on Linux and you will be fine.  Use Windows and you will have much trouble.  Use VMs and your admins will cheat you and you will have much trouble.  Do not use NAS!!!!

In-house.  We at Splunxter are Splunk experts.  We can do anything with Splunk.  We always hit homeruns.

We usually get multi X-factor within a quarter.

Get free PS if you can (ask) or USE THE DOCS.  The documentation will get you to success.  If you are not getting more value out of Splunk than the license you are paying, then you are doing something wrong and should spend a tiny bit more to get a consultant like Splunxter.com to help you.

No,we went with the free trial and got so much value so quickly we bought in.

You can also get GREAT help at answers.splunk.com.