Florian Balagizi - PeerSpot reviewer
Service and Support Coordinator at SICPA
Real User
Top 20
Feb 26, 2026
Predictive monitoring has reduced incidents and enables real-time action on service performance
Pros and Cons
  • "Real-time indexing in Splunk ITSI (IT Service Intelligence) has helped me by requiring me to take actions as soon as possible before the customer even notices the issue."
  • "Splunk ITSI (IT Service Intelligence) can be improved because there are some events that get missed in indexing, especially on the stats and AC stats."

What is our primary use case?

The main use case for Splunk ITSI (IT Service Intelligence) is monitoring events. I also use it for reporting on the availability of services.

One example of how I use Splunk ITSI (IT Service Intelligence) in my day-to-day work is monitoring the ejection rate of remote sites. I have equipment engineers log the data, and then I index the logs into Splunk ITSI (IT Service Intelligence). I use those indexed events to perform calculations and evaluate performance every 15 minutes. Whenever there is a drop in performance, I quickly take action. This enables me to avoid big incidents and major issues.

What is most valuable?

The best feature that Splunk ITSI (IT Service Intelligence) offers is real-time indexing. It is very powerful and has helped me tremendously.

Real-time indexing in Splunk ITSI (IT Service Intelligence) has helped me by requiring me to take actions as soon as possible before the customer even notices the issue. Splunk ITSI (IT Service Intelligence) offers excellent calculation options.

Splunk ITSI (IT Service Intelligence) has impacted my organization positively because it helps me take action before an incident happens. I use predictive maintenance-based analysis.

Before switching to Splunk ITSI (IT Service Intelligence), I didn't have any type of IT solution.

What needs improvement?

Splunk ITSI (IT Service Intelligence) can be improved because there are some events that get missed in indexing, especially on the stats and AC stats. If I could have 100% of events indexed in Splunk ITSI (IT Service Intelligence), that would definitely make my reports more accurate and help me take informed actions.

For how long have I used the solution?

I have been using Splunk ITSI (IT Service Intelligence) for the past five years since I joined the company.

Buyer's Guide
Splunk ITSI (IT Service Intelligence)
April 2026
Learn what your peers think about Splunk ITSI (IT Service Intelligence). Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
894,738 professionals have used our research since 2012.

What do I think about the stability of the solution?

In my experience, Splunk ITSI (IT Service Intelligence) is very stable.

What do I think about the scalability of the solution?

Contribution-wise, Splunk ITSI (IT Service Intelligence) is great and very much scalable. It can be used in various departments for various specific cases.

How are customer service and support?

So far, the customer support for Splunk ITSI (IT Service Intelligence) is great. I haven't logged many tickets, but for the few that I have submitted, I have received good feedback.

Which solution did I use previously and why did I switch?

Before predictive maintenance in Splunk ITSI (IT Service Intelligence) was implemented, I was working on planned maintenance that was time-based. With predictive maintenance, I now have all the sensor data coming from the printer, and I can predict that the printer is going to fail in about 20 to 30 minutes. Then I send the technicians on the page before an incident, and this helps me reduce the downtime.

How was the initial setup?

I wasn't involved in the choosing process or evaluating other options before choosing Splunk ITSI (IT Service Intelligence).

What was our ROI?

I have definitely seen a return on investment with Splunk ITSI (IT Service Intelligence).

What other advice do I have?

My advice to others looking into using Splunk ITSI (IT Service Intelligence) is to be creative with it. The power is huge, so be creative.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Feb 26, 2026
Dwarika Nath Mohanty - PeerSpot reviewer
Works at a tech services company with 1,001-5,000 employees
Real User
Top 20
Mar 2, 2026
Monitoring has improved incident response with intelligent alerting and predictive analytics
Pros and Cons
  • "The best features of Splunk ITSI (IT Service Intelligence) are specifically for dashboarding, with the best being KPI monitoring."
  • "Scalability is a bit challenging, mainly if high loads are encountered. I faced several issues with high thread usage, so I would rate it around seven to eight, particularly considering that scalability is crucial yet can be premium in cost."

What is our primary use case?

I use Splunk ITSI (IT Service Intelligence) specifically for monitoring and alert management with a logistics vendor. It provides auto-ticketing functionality with ServiceNow integration that automatically creates tickets when issues occur. Additionally, I monitor e-commerce checkout pages through an integrated dashboard where I check all components. We have a Service Analyzer where we examine this section as well. I monitor bookings in Splunk ITSI (IT Service Intelligence) and check the latency of transactions across booking service, checkout service, and hotels. I use Splunk ITSI (IT Service Intelligence) through the dashboard with auto-ticketing and implementations that include ServiceNow with bidirectional integrations.

Regarding incident management, I have implemented it with other third-party systems integrated with Splunk ITSI (IT Service Intelligence). For instance, I am implementing Splunk ITSI (IT Service Intelligence) with Zabbix. When Zabbix connects, it sends data to Splunk ITSI (IT Service Intelligence), and I use episode-based correlation in incident management. When latency happens in Zabbix, it correlates with a notable event being triggered. I need to check those episodes by examining first event correlation and then episode creation with that particular incident to manage things effectively. If the incident is coming from the same host with CPU higher than eighty percent, it will combine that particular incident within that ticket. If it is from a different host, then the episode breaks. This is how I manage those incidents.

I use the intelligent alerting feature in Splunk ITSI (IT Service Intelligence). Intelligent alerting helps in reducing alert fatigue by using adaptive thresholds and a dynamic alerting system that I use for breaches. I use machine learning within Splunk ITSI (IT Service Intelligence) where event correlation is created. Throughout the day, there is much less traffic in the morning, and it peaks during US hours. Based on that, I create the adaptive threshold, and the intelligence helps me in creating that event correlation and breaking episodes according to the dynamic threshold. For anomaly detection, I check sudden traffic spikes and analyze deviations first to avoid false positives. For example, during a cyber attack, I send details to Splunk and map them in MITRE, where it checks how many times a login was attempted, matching it against the dynamic threshold and triggering alerts.

For health monitoring, my primary metrics involve CPU latency or errors. I set up a Splunk health analyzer where I check KPIs, focusing on different KPIs based on infrastructure needs, including CPU and latency errors. Key metrics include TP99 and TP95 alongside customized metrics like booking thresholds and transaction monitoring. Depending on the context, when I worked in logistics and monitored ticket creation issues, I focused on CPU, memory, thread activity, and database errors.

I find predictive analytics to be a favorite topic of mine as it aids the decision-making process significantly. I use agent-based predictive analysis, particularly in case scenarios. Before issues arise that affect real customers, I can predict potential problems. I utilize Real User Monitoring (RUM) and other scripts for this analysis, checking data points gathered by agents installed in various locations. In Splunk ITSI (IT Service Intelligence), I leverage anomaly detections and forecast models based on historical data to identify potential service outages.

What is most valuable?

The best features of Splunk ITSI (IT Service Intelligence) are specifically for dashboarding, with the best being KPI monitoring. In my previous organizations, such as BMO, I needed to check how the data looked, and I appreciated the dashboard. The Service Analyzer part is where I get all that information on a single site. I also prefer the health score. Specifically, with any issue in Splunk ITSI (IT Service Intelligence), I can create a health score by using correlation searches, and then all those metrics are included. The auto-ticketing part is excellent, and I have used it.

Regarding customizable dashboards, they absolutely help me monitor critical business services. In my previous company, during resells every Friday, I checked whether there were real bookings or if it was a bot attack. I employ various methods, including radical buzz terminology in the dashboard, and I use drill-down, post-process methods, and token-based approaches. I also utilize glass table for dashboards, enabling drag-and-drop functionality, allowing me to highlight errors, latencies, and bookings while changing colors and backgrounds according to my needs.

What needs improvement?

Regarding areas for improvement, I see potential in enhancing smart alerting features and improving real user monitoring for better observability within Splunk ITSI (IT Service Intelligence). Splunk ITSI (IT Service Intelligence) could benefit from better handling of observed events, and it would be useful to receive notifications about outages and the ability to connect with servers for test execution directly from the Service Analyzer.

For how long have I used the solution?

I have been using Splunk ITSI (IT Service Intelligence) since 2020.

What do I think about the stability of the solution?

I rate stability as an eight, recognizing there are still some issues to address.

What do I think about the scalability of the solution?

Scalability is a bit challenging, mainly if high loads are encountered. I faced several issues with high thread usage, so I would rate it around seven to eight, particularly considering that scalability is crucial yet can be premium in cost.

How are customer service and support?

I would rate the technical support as eight point five to nine, reflecting my extensive experience over the past fifteen years with Splunk ITSI (IT Service Intelligence).

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have explored many tools in the market including Datadog, Elastic, and Grafana. While working on a project for a significant company, I appreciated how Splunk ITSI (IT Service Intelligence) allows for automatic ticket creation and excellent integration with other platforms such as Zabbix, which significantly simplifies data management without manual intervention.

What's my experience with pricing, setup cost, and licensing?

Regarding pricing, since Splunk ITSI (IT Service Intelligence) is a flavor of Splunk, there are no fixed prices as it depends on data volume. It is indeed a premium app within Splunk. The pricing reflects usage levels, and compared to others in the market, Splunk ITSI (IT Service Intelligence) provides a reasonable solution.

What other advice do I have?

For those looking to implement Splunk ITSI (IT Service Intelligence), I recommend it specifically for service-centric monitoring and KPI indicators, although I would not recommend it for security purposes. I gave this product a review rating of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 2, 2026
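The review above describes two behaviours in prose: a threshold that follows the daily traffic curve (quiet mornings, US-hours peak) and episode grouping that keeps events from one host together but never merges events from different hosts. The Python below is an added example, not the reviewer's configuration and not ITSI code; ITSI's adaptive thresholding and episode policies are configured in the product, not written like this. It models both behaviours on constructed CPU samples so the effect of a per-hour baseline versus a fixed threshold, and the host-scoped grouping rule, can be seen end to end. The 15-minute episode window, the k=3 standard-deviation multiplier and the host names are assumptions.

```python
"""Adaptive-threshold alerting and episode grouping, modelled in plain Python.

Added example: not ITSI code and not the reviewer's setup. It models two
behaviours described in the review: (1) a hour-of-day baseline threshold and
(2) grouping breaching events into episodes, one open episode per host, closed
when the gap between events exceeds a window. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def hourly_baseline(history, k=3.0):
    """history: list of (datetime, value). Returns {hour_of_day: threshold}.

    threshold = mean + k * population stdev of the values seen in that hour.
    One shared threshold would either fire all through the busy hours or
    miss a real spike in the quiet ones; a per-hour baseline avoids both.
    """
    by_hour = defaultdict(list)
    for ts, value in history:
        by_hour[ts.hour].append(value)
    return {h: mean(v) + k * pstdev(v) for h, v in by_hour.items()}


def breaches(samples, thresholds):
    """Return (datetime, host, value) for samples above their hour's threshold.

    Hours with no baseline raise KeyError on purpose: silently skipping them
    would hide a monitoring gap (assumed policy for this example).
    """
    return [(ts, host, v) for ts, host, v in samples if v > thresholds[ts.hour]]


def fixed_threshold_breaches(samples, limit):
    """The naive alternative: a single static limit, for comparison."""
    return [(ts, host, v) for ts, host, v in samples if v > limit]


def group_episodes(events, window=timedelta(minutes=15)):
    """Group breaching events into episodes (rule modelled from the review).

    An event joins the open episode for the same host if it arrives within
    `window` of that episode's last event. An event from a different host
    never joins; a gap larger than `window` closes the host's episode and
    starts a new one. Returns dicts with host, start, end, count, peak.
    """
    episodes = []
    open_by_host = {}  # host -> the episode currently accepting events
    for ts, host, value in sorted(events):
        ep = open_by_host.get(host)
        if ep is None or ts - ep["end"] > window:
            ep = {"host": host, "start": ts, "end": ts, "count": 0, "peak": value}
            episodes.append(ep)
            open_by_host[host] = ep
        ep["end"] = ts
        ep["count"] += 1
        ep["peak"] = max(ep["peak"], value)
    return episodes


def build_history():
    """Seven quiet days of CPU%: ~20% at 06:00, ~70% at 15:00. Constructed."""
    base = datetime(2026, 1, 1)
    hist = []
    for day in range(7):
        for hour, level in ((6, 20), (15, 70)):
            for minute, jitter in ((0, -2), (20, 0), (40, 2)):
                hist.append((base + timedelta(days=day, hours=hour, minutes=minute), level + jitter))
    return hist


def build_samples():
    """Day eight: a morning spike on two hosts, then a normal and a high afternoon reading. Constructed."""
    d = datetime(2026, 1, 8)
    return [
        (d.replace(hour=6, minute=0), "web-1", 45),   # abnormal for 06:00
        (d.replace(hour=6, minute=5), "web-1", 50),   # same host, within window
        (d.replace(hour=6, minute=7), "web-2", 48),   # other host: separate episode
        (d.replace(hour=15, minute=0), "web-1", 72),  # normal for US peak hours
        (d.replace(hour=15, minute=30), "web-1", 85), # abnormal even for 15:00
    ]


def run_demo():
    thresholds = hourly_baseline(build_history())
    samples = build_samples()
    adaptive = breaches(samples, thresholds)
    return thresholds, adaptive, group_episodes(adaptive), fixed_threshold_breaches(samples, 60)


if __name__ == "__main__":
    thresholds, adaptive, episodes, fixed = run_demo()
    print("per-hour thresholds:", {h: round(t, 1) for h, t in thresholds.items()})
    print("adaptive breaches:", [(ts.strftime("%H:%M"), h, v) for ts, h, v in adaptive])
    print("fixed-60 breaches:", [(ts.strftime("%H:%M"), h, v) for ts, h, v in fixed])
    for ep in episodes:
        print(f"episode {ep['host']} {ep['start']:%H:%M}-{ep['end']:%H:%M} count={ep['count']} peak={ep['peak']}")
```

With the constructed data the per-hour baseline is about 25% at 06:00 and 75% at 15:00, so the 45% and 50% morning readings alert while the 72% afternoon reading does not; a fixed limit of 60 gets both of those decisions backwards. The four breaches collapse into three episodes: two web-1 events at 06:00, one web-2 event, and a new web-1 episode at 15:30 because the gap exceeded the window.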
Karthik Palepu - PeerSpot reviewer
IT Associate at Accenture
Real User
Top 20
Feb 28, 2026
Incident management has become smoother and now protects client data while speeding triage
Pros and Cons
  • "It has saved me a lot of money and a lot of time."
  • "There are areas in Splunk ITSI that have room for improvement, such as the episodes, the speed, or the accuracy."

What is our primary use case?

My use case for Splunk ITSI is incident management. We check the episodes and troubleshoot them. With the incident management feature, we can categorize the client who has provided some knowledge bases. According to that, we troubleshoot the problem and escalate the issue to the client or the next teams.

What is most valuable?

The best features of Splunk ITSI are that it is safe and secure to hide the client details, and we can check all previous incident or episode details. We can categorize them with priorities and add the knowledge base. These features are very frequent and sophisticated and good to use for the user, and it is simple and easy to understand.

Regarding customizable dashboards, we can find that the episodes were auto-triggered. We have all the information whether the count is increasing, if it is severe, critical, or priority-based. We can check and categorize all that, and it is simple and very effective in workflow.

What needs improvement?

There are areas in Splunk ITSI that have room for improvement, such as the episodes, the speed, or the accuracy. Sometimes they do not clear and sometimes they auto-populate, and sometimes, without any reason, episodes or incidents are triggered by Splunk ITSI, which confuses us. Besides speed and accuracy, there is no other area for improvement.

For how long have I used the solution?

I have been using Splunk ITSI for two years from 2024.

What do I think about the stability of the solution?

I would rate the stability of Splunk ITSI as 7 to 8, as I mentioned earlier with some complaints about accuracy and speed.

What do I think about the scalability of the solution?

For scalability, I will give 10 out of 10.

How are customer service and support?

I would rate the technical support that Splunk provides as an eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I do not have an idea about other vendors since it is my first project and first tool that I used, but I felt very comfortable with this.

How was the initial setup?

The deployment is easy. It takes time according to the task or activity, but not too much time; we are comfortable with the time frame.

What about the implementation team?

We do not do any maintenance, as the other team will handle those things; we just monitor.

What was our ROI?

It has saved me a lot of money and a lot of time. It is above 60%, not 10% or 20%.

What's my experience with pricing, setup cost, and licensing?

Regarding pricing, I think it is cost-efficient, helpful, and effective for both the clients and the delivery partners.

Which other solutions did I evaluate?

I do not use the intelligent alerting.

What other advice do I have?

I would advise others looking to implement this product that it feels safer and I will definitely recommend it. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Feb 28, 2026
Deekshit Kalakuntla - PeerSpot reviewer
Lead Data Center Operations Technician at a consultancy with 11-50 employees
Real User
Top 20
Mar 30, 2026
Intelligent alerting has reduced noise and provides proactive insights into critical incidents
Pros and Cons
  • "The predictive analysis feature is quite useful, as it helps identify potential issues before they impact services and allows for proactive action."
  • "One of the main downsides is the complexity of configuration and maintenance, especially when dealing with large-scale environments."

What is our primary use case?

I use it to investigate research on logs and data.

What is most valuable?

I use intelligent alerting, and it is very effective in reducing noise and prioritizing critical incidents based on impact.

The predictive analysis feature is quite useful, as it helps identify potential issues before they impact services and allows for proactive action.

The customizable dashboards are very helpful and provide great visibility. Though, configuring them can take some time to align with specific business needs.

What needs improvement?

One of the main downsides is the complexity of configuration and maintenance, especially when dealing with large-scale environments.

The pricing is on the higher side, especially for large deployments. It is justified by the depth of insights and customization it offers.

For how long have I used the solution?

I have almost two years of experience with Splunk ITSI (IT Service Intelligence).

What do I think about the stability of the solution?

Overall, it is quite stable, though occasionally lag can occur during heavy data processing or large dashboard loads.

What do I think about the scalability of the solution?

It is highly scalable and can handle large volumes of data efficiently, as long as the infrastructure is properly sized and optimized.

On a scale from one to ten, I would rate scalability around nine because it adapts well to growing data and user demands.

How are customer service and support?

I have contacted their technical support a few times, and they were quite responsive and helpful in resolving configuration issues.

I rate them around an eight out of ten for their responsiveness and technical expertise.

Which solution did I use previously and why did I switch?

Alternative tools include Dynatrace and AppDynamics, which offer similar monitoring and performance insights.

How was the initial setup?

The initial deployment can be challenging because it requires proper configuration and data mapping. However, once setup is done, it runs smoothly.

It takes around a few weeks to fully deploy and fine-tune the configuration for optimal performance.

Which other solutions did I evaluate?

Alternatives include Dynatrace and AppDynamics, which offer similar monitoring and performance insights.

I would choose AppDynamics and Splunk ITSI (IT Service Intelligence) because of its flexibility and strong correlation capabilities across complex IT environments.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 30, 2026
Systems Engineer at a tech consulting company with 1,001-5,000 employees
Real User
Top 20
Mar 25, 2026
Intelligent monitoring has improved workload prediction and optimized resource utilization
Pros and Cons
  • "It has saved a lot of time, made things more efficient, made budgeting easy, and made it enjoyable to learn and use as a tool."
  • "Splunk ITSI (IT Service Intelligence) can be improved through alerts and additional features."

What is our primary use case?

My main use is monitoring. We use Splunk ITSI (IT Service Intelligence) to predict workloads for a very big bank in Kenya. The client consumes their compute environment at either 80% or 60%, which helps us in monitoring.

How has it helped my organization?

It has saved the organization money by maximizing resource utilization so the company does not have to buy a lot of infrastructure if they do not need it. The infrastructure is there, and you can easily predict the workloads and distribute it evenly.

What is most valuable?

The best features Splunk ITSI (IT Service Intelligence) offers include prediction because you can get to know the resource utilization, and you can have an idea from a budgeting perspective of how many resources you will need at any given time, which helps the team in planning and budgeting.

It has saved a lot of time, made things more efficient, made budgeting easy, and made it enjoyable to learn and use as a tool.

What needs improvement?

Splunk ITSI (IT Service Intelligence) can be improved through alerts and additional features. I use it more on the Linux side, and for Windows users, the Windows version is not as good as the Linux version, so more work needs to be done on the Windows version.

For how long have I used the solution?

I have used Splunk ITSI (IT Service Intelligence) for two years.

What do I think about the stability of the solution?

In my experience, Splunk ITSI (IT Service Intelligence) is very stable.

What do I think about the scalability of the solution?

Splunk ITSI (IT Service Intelligence)'s scalability is great because it is something you can deploy in the public cloud.

How are customer service and support?

Customer support for Splunk ITSI (IT Service Intelligence) is great, especially when getting it from a partner.

Which solution did I use previously and why did I switch?

I have used IBM Instana previously, but Splunk ITSI (IT Service Intelligence) has more features and is more enterprise-focused than IBM Instana, which was more SMB-oriented.

How was the initial setup?

Installing it is easy, and using it is simpler than most other tools in the market. Splunk ITSI (IT Service Intelligence) is an easy tool to use, an easy platform to use, and it is simple to upscale and learn, so the team loves using it.

What about the implementation team?

We are a partner and reseller of this vendor, so we have a business relationship with them beyond just being a customer.

What's my experience with pricing, setup cost, and licensing?

From a pricing perspective, it is not that bad because we get it from a distributor and do not purchase it directly from Splunk. We get it from a distributor who gives the pricing to a partner and who then gives it to us. The pricing could be lowered because it is quite expensive.

Which other solutions did I evaluate?

Before choosing Splunk ITSI (IT Service Intelligence), I evaluated IBM Instana and one more solution from Forcepoint.

What other advice do I have?

Splunk ITSI (IT Service Intelligence) is a great tool. My advice to others looking into using Splunk ITSI (IT Service Intelligence) is that it is a great tool to use, and you should get resources who can handle the product. I would rate this product 9 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Mar 25, 2026
reviewer2518416 - PeerSpot reviewer
Sr. Splunk Admin / Developer Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Aug 4, 2024
We can use end-to-end visibility and analytics to allocate resources more precisely
Pros and Cons
  • "Splunk's intuitive interface and scalability make it accessible to non-technical users, and its capacity to monitor every millisecond of data across multiple applications is truly impressive."
  • "While Splunk has existing add-ons, they are unreliable and do not provide accurate results."

What is our primary use case?

I have experience utilizing Splunk ITSI in financial institutions and federal government settings. As a Splunk administrator at a bank, I focus on the platform's administration and development aspects. We are migrating from an on-premises environment to the cloud, leveraging Splunk ITSI to provide a unified view of the client's infrastructure. Through ITSI-generated reports, we are developing a strategic roadmap to guide our clients' IT journey.

How has it helped my organization?

End-to-end visibility simplifies our configurations by allowing us to index or search at the cluster level. We can utilize multiple indexers or split the workload as needed. For instance, long-running queries exceeding 15 minutes can be removed from the main list, improving efficiency for other users.

Splunk ITSI is a powerful tool for predictive data analysis. When we create and test KPIs within ITSI, it becomes significantly easier to set targets. For instance, if a system's memory capacity is 100 GB and usage consistently approaches or exceeds 80 to 90 percent, ITSI can generate alerts, visualize in a dashboard, and send notifications to the team. This proactive monitoring prevents potential issues. Similarly, ITSI can identify performance bottlenecks in search queries, allowing workload distribution to optimize system efficiency. The entire environment becomes transparent, simplifying tasks for developers and users alike. Regarding user criteria, ITSI offers a tree diagram visualization to easily understand data distribution across indexes, source types, business units, states, and communities with a single click.

Splunk ITSI enables us to allocate resources more precisely to meet demand. Its unified view provides full information in one location, allowing me to monitor index CPU and memory usage, injection rates, and individual user data. While gathering this information might take around ten minutes, the streamlined process significantly simplifies my work.

Splunk has significantly streamlined our incident management process. Its ability to analyze usage, memory consumption, and other environmental factors makes it superior to other tools, allowing us to delve deeper into complex issues. Regardless of length, we can effortlessly examine any log and pinpoint the exact cause of problems, such as UI errors or system failures. We can quickly identify code changes, root causes, and error origins by simply writing a query, providing invaluable insights that accelerate problem resolution and enhance overall system reliability.

It has been instrumental in reducing the overall volume of incidents by automatically triggering alerts when potential issues are detected before they escalate into full-blown incidents. This proactive approach simplifies data analysis and enables us to identify and rectify errors before they impact our systems. Consequently, we can more confidently implement changes or updates without fear of unforeseen complications, as ITSI helps us prevent errors from occurring in the first place.

Splunk ITSI has helped reduce our alert noise by ten percent and improved the mean time to detect down to ten minutes.

Our mean time to remediate is less than one hour when using Splunk ITSI.

We've implemented automation using Splunk, replacing multiple tools previously used for backend testing. We integrated Splunk with ServiceNow to automatically send alerts to the team whenever issues arise. This eliminates the need for manual ticket creation and assignment, streamlines the process, and ensures timely responses, saving us around ten hours weekly.

Splunk has helped us significantly reduce downtime, manpower costs, and the penalties for missing service level agreements. Previously, we relied on two to three people, primarily from the testing team, to manage these issues. By implementing Splunk, we've decreased staffing needs while improving workflow efficiency and reducing overall costs.

What is most valuable?

Splunk impressed me because it can monitor and modify live data flexibly, generating live data, reports, alerts, or dashboards as needed. Its single-pane-of-glass view provides a full overview of the entire environment, and its easy ingestion of diverse data sources, such as databases, AWS, or any cloud platform, is remarkable. Additionally, Splunk's intuitive interface and scalability make it accessible to non-technical users, and its capacity to monitor every millisecond of data across multiple applications is truly impressive.

What needs improvement?

Some developers struggle to write accurate queries, often inputting incorrect text or using asterisks in the source or index, which can significantly degrade search performance and overwhelm the queues. To prevent this, I suggest implementing a system that warns users about incorrect syntax or automatically corrects errors, particularly for complex queries like regular expressions. While Splunk has existing add-ons, they are unreliable and do not provide accurate results. Improving query autocorrection and regular expression handling would be beneficial.

For how long have I used the solution?

I have been using Splunk ITSI for eight years.

What do I think about the stability of the solution?

I have frequently observed Splunk ITSI experiencing lagging and crashing issues. As a result, several customers have transitioned from Splunk to ELK and other alternatives.

What do I think about the scalability of the solution?

I would rate the scalability of Splunk ITSI eight out of ten.

How are customer service and support?

The response time and quality of technical support vary between P1 and P2 levels. For instance, our dashboard, containing 120 panels, experiences significant lag. When reported, support prioritizes issues differently; dashboard loading, while crucial for customer interaction and satisfaction, is deemed less important to them. This discrepancy in perspective leads to delayed responses, impacting our ability to provide a seamless customer experience.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We utilized Kibana, ELK, Cribl, and Tableau for our analysis. ELK, in particular, excelled in certain areas compared to other tools. Our business team previously compared ELK and Splunk, finding ELK to be faster. I observed that Splunk typically had a higher user count, while ELK's user base was smaller. This difference and the reduced search and checking workload in ELK compared to Splunk influenced our decision. Some customers migrated applications to ELK due to its accurate log-checking capabilities despite encountering minor challenges.

How was the initial setup?

Initial Splunk ITSI deployment is straightforward, especially if you are familiar with Linux-based unzip commands. With all prerequisites, a single knowledgeable person can typically complete the process within 40 minutes.

What other advice do I have?

I would rate Splunk ITSI eight out of ten.

I suggest using Splunk because the live data is good. The market is constantly evolving, with new applications and alternatives emerging yearly. Splunk offers a full suite of tools and add-ons that can match or exceed the capabilities of these alternatives at a similar cost. Although Splunk may be more expensive, it provides a robust cloud-based solution and can significantly simplify data management and analysis tasks, ultimately improving efficiency.

End users do not need to perform maintenance; however, as administrators, we are responsible for monitoring the environment for updates and changes.

Users familiar with Splunk's flexibility and features will more easily experiment and envision how the solution can best fit their organization's needs.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Consultant at North Swindon Practice Group Surgery
Real User
Top 10
Aug 4, 2024
The KPI and correlation search aspects are powerful, and the service creation suits the project well
Pros and Cons
  • "ITSI's KPI and correlation search aspects are powerful, and the service creation suits the project well. It allows for good segregation of the monitoring solution, and up-to-date quick-time monitoring. We're notified quickly when something goes wrong."
  • "The UI could be updated. Some elements of the KPI section aren't where you'd expect. It looks like a website from 2010 or maybe older. You can't change some things, like if it doesn't word-wrap well. For example, if you have a long list of KPIs that exceed a character limit, you need to hover over them and wait for the HTML text to pop up to see which KPI it is."

What is our primary use case?

We use ITSI in the health industry. In the UK, the NHS currently uses ITSI as one of its monitoring sources of information. In ITSI, service components are based around each area of the NHS. For any solutions that have been digitally transformed and require monitoring related to our vaccination campaigns, the logs are ingested through Splunk and monitored through ITSI.

How has it helped my organization?

We realized ITSI's benefits immediately after it was deployed. When the COVID pandemic broke out, it kicked off a lot of crazy stuff within the UK. Having a powerful tool to aggregate data and allow real-time monitoring helped our campaign.

ITSI can help us right-size resources, but it depends on how you do things. We have a culture, and Splunk told us not to do this because they have different methods and stuff. In ITSM, you skim what you need at the source and then push that into Splunk. Having that as the centralized logging analytic is great for that, especially when so many things are tied to ingestion, storage, etc. However, for what we do, it leaves much to be desired. You're talking about an enterprise solution on the scale of the NHS with multiple people, contractors, and all these moving parts. Some services do it well where they only send in what you need. Some services just dump everything. You've got a load of logs. We can right-size appropriately, but it's just, yeah. For us, it's not really done now as well, I think.

ITSI has helped us streamline our incident management. We have a 24/7 service team working around the clock, responding to alerts that Splunk produces. It's linked to ServiceNow, our service management tool. When the team inputs all the information from Splunk into these tickets, they're raised in ServiceNow. Previously, we used software called Cherwell that looked horrendous. This helps bring the package together.

We've reduced our alerts, but it requires a conscious effort to configure them. That depends on how you use the platform. It goes back to getting the right metrics out of the logs that you're producing. The tool itself is powerful, but if you don't use it properly, things can be a bit noisy, and this is quite noisy, whereas that's down to our configuration sometimes.

Reducing alert noise also takes some tweaking. You've got KPIs and correlation searches that are great for real-time monitoring, but if you set them up immediately, you will get a lot of noise anyway. It depends on how you configure it. They have a couple of tools in the forwarders to say you're only ingesting alert logs or error logs, so you pick up on whatever those error logs would trigger.

It would help to give you accuracy in your ITSI alert noise. However, it might get a bit noisy if you've got more than that and they're not configured into the perfect use case you need. Overall, it's been a conscious effort to ensure we've got our stuff configured right.

It has reduced our mean detection time. For Microsoft/CrowdStrike stuff, we can have an SLA as short as three minutes. The feeds are coming in quickly, so our detection time is between three and 10 minutes. For major outages, an SLA of a few minutes is good, especially when it's not a cyber-level threat.

The resolution time is determined by how quickly we can pass the detection along to the IT team and triage the logs to determine the issue. We've had quite quick resolutions because everything's partitioned in a way where it is specifically service-bound. You can look through the data and specific areas. You can optimize these things. The search system in Splunk is powerful and helps speed up resolutions.

ITSI helps to automate routine tasks. That's what the saved searches are for. It's a complete package with Splunk Cloud and ITSI for deeper drill-downs, but not everyone can access the ITSI dashboard all day. Automation helps us get these alert structures, especially at night. When you've got a file that's meant to come in at 3 a.m., you don't need someone waiting around to look at that.

This is what those alerts and automation are for. You can put custom wrappers around stuff. It's a custom output. However, Splunk is trying to make something more standardized at the moment. It saves our IT services multiple hours a week because you don't have to do tasks or sit and look through dashboards to ensure everything is all right. These constant checks every five minutes add up over the week, so that equals tens of hours a week for a lot of different services.

What is most valuable?

ITSI's KPI and correlation search aspects are powerful, and the service creation suits the project well. It allows for good segregation of the monitoring solution and up-to-date quick-time monitoring. We're notified quickly when something goes wrong.

The end-to-end visibility is excellent. A lot of the information we get is from the cloud, and the data pipelines we introduce have a clear log trail, so it's easy to pinpoint where it goes wrong. 

What needs improvement?

The UI could be updated. Some elements of the KPI section aren't where you'd expect. It looks like a website from 2010 or maybe older. You can't change some things, like if it doesn't word-wrap well. For example, if you have a long list of KPIs that exceed a character limit, you need to hover over them and wait for the HTML text to pop up to see which KPI it is.

Packaging synthetic monitoring in ITSI would be good. I'd also like a complete package for doing health checks. It would also be nice if Splunk standardized the add-ons. Splunk relies on these add-ons that users build. It's like the App Store. People put time and effort into these custom things, and if they get big enough, Splunk will purchase them and take them over. 

For example, we have a custom Slack output. It'd be good if they put some effort into stuff like that because it's useful. Instead, we're putting custom wrappers around stuff, but why isn't this a thing produced by this massive platform that costs so much? They recently partnered with Cisco and don't have any plans to improve ITSI in that area. It feels like they could do more.

For how long have I used the solution?

I have used Splunk ITSI for two and a half years.

What do I think about the stability of the solution?

Splunk ITSI is generally stable. It's the system that has problems. When we have problems, we escalate them to a higher authority, who sorts everything out. We've only experienced two big glitches with the product and indexes not performing as they need to be. 

What do I think about the scalability of the solution?

ITSI is quite scalable. When we have problems, we can discuss them with our Splunk case manager at biweekly meetings. We might need to add some more indexing capability. With the team's support, it's easy to add new indexes and scale up.

How are customer service and support?

I rate Splunk support five out of 10. The support quality leaves much to be desired because ITSI support can be outsourced. If you're dealing with regulations that limit data access to people and entities within the country, outsourced support can cause problems. We've had a couple of calls outsourced to India, and they couldn't access the data because they weren't in the UK.  

When we've received local support from professional services, they've been helpful. Also, sometimes, we've asked a few questions and it didn't feel like we got a real answer or the answer was that we essentially had to solve the issue ourselves. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've used New Relic and Dynatrace. They have good visualizations and use similar processing languages. However, you can get locked into Splunk because other competitors aren't as powerful. Though Splunk is expensive, it's a powerful platform. 

What's my experience with pricing, setup cost, and licensing?

Splunk ITSI is an expensive solution. Splunk probably doesn't save us money because it's one of the most expensive monitoring solutions on the market. This isn't a tool to save money. You purchase this to improve the efficacy of your service department. This is especially true now that Cisco has acquired them. Cisco is notorious for its high prices.

Which other solutions did I evaluate?

There's another called LogicMonitor that has better metrics and observability, but we found that it lacks as much power as Splunk. We're heavily in favor of Splunk.

What other advice do I have?

I rate Splunk ITSI nine out of 10 and would recommend it, depending on the use case. If someone wants to switch, it comes down to a financial decision. You need to compare your current platform's capabilities to what Splunk can offer you. If it's a perfect match, then I would say go for it. 

Sometimes, there's a steep learning curve, but you get out of it what you put into it. The visualizations are great, and the ITSI search function enables you to narrow down log analytics well. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Srinivasulu Soolluru - PeerSpot reviewer
Splunk ITSI Developer at Tata Consultancy
Real User
Top 20
Aug 6, 2024
It speeds up incident response by automating alerts and ticket creation
Pros and Cons
  • "The search function is the most valuable. It includes regular expressions and wild card searches. We'll write searches using field and case-sensitive services and use all of these search types to write an alert condition. Splunk ITSI has another feature called Glass Table that offers a visual representation."
  • "When configuring a dashboard, we can write search criteria. Based on the search criteria, the dashboard shows all the alerts, including the alert time, creation time, and a summary description of the alert. When you add an extra column, such as the user that triggered the alert, the next time he refreshes the dashboard, he wants to know that the alert is acknowledged. We want to improve that comment feature."

What is our primary use case?

We get our customers' requirements and onboard their logs into the SIEM tool using agent-based integration or some DB Connect method. After the integration, we write the use cases. There are two types of data: fault monitoring and performance monitoring. In fault monitoring, the customer typically wants every event as an alert, so we'll do a correlation search for that alert. 

We'll add fields to the alerts, such as summaries and descriptions, and write the regular expression from the raw event to extract and display it on a table. After writing the correlation search, we will enable the policy that we'll use to trigger an incident in the ITSI tool. In our Splunk tool, there is a technical add-on called Remedy that we use to create a ticket for a correlation search and alert. 

After writing the NEAP policy, we'll display the number of tickets and all that information in a single dashboard. In the first panel, we'll display a summary of all the applications and the number of tickets divided according to the severity. The second panel displays the alert information, such as the ID, reported date, and the host. 

We have a team of four people. Two integrate the log sources into Splunk, while two write correlation searches, enable the new policies, and generate tickets in incident service with the ITSI tool. They also work on the dashboards, tables, and service analyzer.

How has it helped my organization?

With Splunk ITSI, we don't need to manually raise tickets for analysis. For example, it will not trigger a ticket if we receive an alert about a suspicious event when a set of conditions is met, but it's an invalid alert. Based on a NEAP policy, an incident will be created for each valid alert with the help of our ITSM tool. Each NEAP policy has two components: filtering criteria and action rules. The filtering criteria include sections. If the alert source equals the application log monitoring, it will group that particular event.

For each event, it groups by incidents based on the job ID, and we write conditions for the second-action rules. The incident ticket remains in progress if the event exceeds one and the status is not closed. It shouldn't create a second incident for the same job name.

Splunk ITSI helps customers to reduce their resources. For example, they don't need extra resources to raise manual incidents for each alert. This solution enables us to raise incidents for only valid alerts, and it displays them all in a single dashboard.

It doesn't affect the effectiveness of the application monitoring, but it decreases the resources and associated costs. It will improve the performance compared to raising incidents manually and reduce human error. 

ITSI reduced the time needed to create a ticket. Instead of raising a manual ticket, we can automatically create one after an alert is triggered based on our policy. We can see all the incidents and alerts on the dashboard. 

It has also reduced the volume of incident alerts. We sometimes raise a manual ticket for the same alert triggered yesterday or a few days before. If it is not closed, we raise another incident by human error. We can write a new condition so that an alert with the same name will produce no new tickets. It will update the ticket as "in progress" or change the severity from minor to major.

We can also reduce our alert noise using ITSI by writing a complex set of specific correlations. We'll write the exact conditions based on customer requirements. For example, we'll use Windows event ID 4625 for a failed login attempt. If a user wants, we can add the search criteria so only this event ID will be triggered. 

When integrating our customer logs sources, we directly integrate the real-time events into Splunk. There is no time difference from the customer side. It goes directly into Splunk ITSI. Previously, we used some integration method so that when an alert triggers in EMS, it will reach out to Splunk to create an incident within a minute.

We send the artifacts, logs, and analysis to an incident response team to resolve an incident. The response time depends on the team. They receive all the evidence about an alert. 

ITSI helps automate some reports and dashboard features. When we want to run some individual searches, it takes some time to run each search to generate a report and share it with the customer. We can add all these reports into a single dashboard, and we have a query for each report. We add all these queries into a dashboard and schedule the reports, so it generates a report daily showing all the graphs. We can download that report and share it with the customers.

When we automatically generate a ticket based on the alert, it reduces the detection time and makes the ticket-raising time nearly instantaneous. The time difference between the alert trigger and ticket creation time will be minimal as the machine is generating the ticket. The customer response time is five to 10 minutes. 

What is most valuable?

The search function is the most valuable. It includes regular expressions and wild card searches. We'll write searches using field and case-sensitive services and use all of these search types to write an alert condition. Splunk ITSI has another feature called Glass Table that offers a visual representation. 

We can manually change the dashboard by reducing its size or changing the background color. When we click on any cell, it will navigate to the next dashboard. You also have a KPI feature. Each KPI case has a separate formula, and we'll write a formula so that when a threshold is reached, it triggers a condition. All of this KPI information is displayed in one service analyzer.

ITSI's end-to-end visibility is excellent. With its help, we can monitor all the network-related log sources and infrastructure. Each log source is integrated into the tool and stored in a separate index to improve search performance. We are using this cluster environment with multiple indexes. It's better to have three to four indexes for a faster search.

The solution's preventive analytics help to prevent incidents before they occur. We write a correlation search that is reported. When an alert is triggered, we write a condition. Each incident will have a priority and a response time based on the SLA. For a priority 1 incident, we must respond within 30 minutes. It's an hour for priority 2 and two hours for priority 3. We have three to four hours for priority 4. 

A ticket will be created within this time, and the incident response team will be alerted. While raising the ticket, we analyze all the alert information and everything the incident response team needs to resolve it. The incident response team will act accordingly and close the incident within this time.

What needs improvement?

When configuring a dashboard, we can write search criteria. Based on the search criteria, the dashboard shows all the alerts, including the alert time, creation time, and a summary description of the alert. When you add an extra column, such as the user that triggered the alert, the next time he refreshes the dashboard, he wants to know that the alert is acknowledged. We want to improve that comment feature. 

In the Service Analyzer, we monitor the network infrastructure services and have a KPI for each service. When the value exceeds the threshold value, we can add the colors. For example, we can set it to green when the threshold value is within the limit. If it is red, then the value has passed the threshold. We want more colors in the service analyzer to display all these features.

For how long have I used the solution?

I have worked with ITSI for two years.

What do I think about the stability of the solution?

Splunk ITSI is stable. When Splunk releases its latest update package, we scan it for vulnerabilities and update it to the next version if there are none. 

What do I think about the scalability of the solution?

Splunk ITSI is highly scalable. 

How are customer service and support?

I rate Splunk support nine out of 10. We can get support from the Splunk community or raise a ticket to Splunk and get a reply faster.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before implementing Splunk, we manually noted all the alert information in a notepad. I downloaded the log file and traced the incident in tools like ServiceNow and BMC Remedy. Now we have a Remedy add-on feature integrated with Splunk ITSI, so it requires no manual intervention to raise a ticket in ITSI. 

How was the initial setup?

Deploying Splunk ITSI was straightforward. We downloaded the initial version and upgraded to the latest package from the back end. It's a simple process that involves integration, log onboarding, deploying agents, and setting up DB Connect. In the agent-based method, we'll have a separate configuration. We collect the log path for all the sources and hosts that need monitoring, which will be integrated into our Splunk tool. 

It requires minimal IT resources to deploy. Two IT resources are sufficient at the time of onboarding for 10 log sources weekly. It's easy to maintain. We are maintaining the license. If your data exceeds the license limit, you need to reduce it or pay for more. 

What's my experience with pricing, setup cost, and licensing?

We have a 100 GB license. This licensing option is a bit expensive, but it can manage any type of bulk data, including database logs, network device logs, and social media devices. 

What other advice do I have?

I rate Splunk ITSI nine out of 10. No manual intervention is needed. It generates the tickets automatically when an alert is reported. If we do this manually, it will take more time to review all the alerts. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
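The two mechanisms the review above describes, a threshold-based correlation search on Windows event ID 4625 and a NEAP policy that groups notable events and refuses to open a second ticket while one is still in progress, are shown below as an added Python model. It is not code from the reviewer, from Splunk, or from ITSI (which does this in SPL and aggregation policies); the log lines, field names, five-minute window, threshold of five and the host+user grouping key are all constructed assumptions. The same thresholding is the "conscious configuration" the previous review credits for cutting alert noise: one notable per bucket instead of one per raw event.

```python
"""Added example: correlation search plus NEAP-style grouping, in plain Python.

Modelled outside Splunk, with assumed field names and thresholds:
  1. correlation_search(): fire one notable per (5-minute bucket, host, user,
     src_ip) when failed logons (EventCode=4625) reach a threshold, rather than
     one alert per raw event.  Conceptual SPL equivalent (assumed field names):
         index=wineventlog EventCode=4625
         | bin _time span=5m
         | stats count by _time, host, user, src_ip
         | where count >= 5
  2. AggregationPolicy.apply(): group notables by a key; a repeat for a key with
     an open incident escalates that incident instead of opening a new ticket.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample data, not captured events: 6 failures for jsmith at 03:00,
# 1 failure and 1 success (4624) for asmith, then 5 more failures for jsmith at 03:40.
SAMPLE_LOGS = """\
2024-08-06T03:00:05Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:00:09Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:00:14Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:00:20Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:00:31Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:01:02Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:02:10Z EventCode=4625 host=dc01 user=asmith src_ip=10.0.0.9
2024-08-06T03:02:44Z EventCode=4624 host=dc01 user=asmith src_ip=10.0.0.9
2024-08-06T03:40:00Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:40:03Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:40:06Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:40:09Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
2024-08-06T03:40:12Z EventCode=4625 host=dc01 user=jsmith src_ip=10.0.0.7
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one 'timestamp key=value ...' line into a dict with an aware UTC _time."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["_time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def correlation_search(lines: str, event_code: str = "4625", threshold: int = 5,
                       span: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Bucket matching events by time span and identity; return one notable per
    bucket whose count reaches the threshold (everything below it is dropped)."""
    counts: dict[tuple, int] = defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventCode") != event_code:
            continue
        epoch = ev["_time"].timestamp()
        bucket = datetime.fromtimestamp(epoch - epoch % span.total_seconds(), tz=timezone.utc)
        counts[(bucket, ev["host"], ev["user"], ev["src_ip"])] += 1
    return [
        {"_time": b, "host": h, "user": u, "src_ip": s, "count": c,
         "title": f"{c} failed logons for {u} from {s} on {h}"}
        for (b, h, u, s), c in sorted(counts.items()) if c >= threshold
    ]


@dataclass
class Incident:
    key: tuple
    ticket_id: str
    status: str = "in progress"
    severity: str = "minor"
    count: int = 1


@dataclass
class AggregationPolicy:
    """NEAP-style action rule: while an incident for the same key is not closed,
    a new notable joins it (count up, severity minor -> major) and no ticket opens."""
    group_by: tuple = ("host", "user")
    incidents: dict = field(default_factory=dict)
    tickets: list = field(default_factory=list)

    def apply(self, notable: dict) -> str | None:
        key = tuple(notable[f] for f in self.group_by)
        inc = self.incidents.get(key)
        if inc is not None and inc.status != "closed":
            inc.count += 1
            inc.severity = "major"
            return None  # duplicate suppressed; existing ticket is updated instead
        inc = Incident(key=key, ticket_id=f"INC{len(self.tickets) + 1:04d}")
        self.incidents[key] = inc
        self.tickets.append(inc.ticket_id)
        return inc.ticket_id

    def close(self, key: tuple) -> None:
        self.incidents[key].status = "closed"


def run_demo():
    """Run both steps over the constructed logs; returns (notables, policy, opened)."""
    notables = correlation_search(SAMPLE_LOGS)
    policy = AggregationPolicy()
    opened = [policy.apply(n) for n in notables]
    return notables, policy, opened


if __name__ == "__main__":
    notables, policy, opened = run_demo()
    for n, t in zip(notables, opened):
        print(n["_time"].isoformat(), n["title"], "->", t or "joined open incident")
```

Thirteen raw events become two notables (asmith's single failure never fires), and the second notable for the same host and user updates the open incident rather than creating a second ticket; closing the incident lets the next notable open a fresh one.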
Buyer's Guide
Download our free Splunk ITSI (IT Service Intelligence) Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2026