Splunk ITSI (IT Service Intelligence) Reviews

We have been using Splunk ITSI to detect anomalies in the services and monitor the health and overall performance of IT services.

We have implemented it for a few of our clients where we do monitor the entire IT infrastructure. It could be any server that they are running. It could be a mail server. It could be a web server. It could be any network device that is communicating. We monitor the health of these services and how they are performing. We check for any anomalies or threats associated with them. We create some kind of KPIs or key performance indicators that give insights into the health and services.

We are a Splunk partner. Our company provides solutions not just related to Splunk ITSI but for all the things covered by Splunk. We also provide our consultancy for all of their premium products such as SOAR and Enterprise Security. 

Splunk ITSI has a service-oriented approach to monitor the entire IT infrastructure. From a business perspective, people definitely do not want any downtime. Any downtime leads to a bad reputation for a company. Splunk ITSI is a solution that we can use to monitor every single service running within an organization. With the help of KPIs, we define the service needs. A person implementing ITSI needs to be aware of all of the services running so that they do not miss out on anything. With the predictive analysis of Splunk ITSI, we can monitor everything. If there is any anomaly, an alert gets triggered. The other thing is the integration part. We can integrate it with any of the ticketing platforms such as ServiceNow. As soon as the alerts get triggered, a ticket gets created so that a response can be made to a particular incident.

It is very integrable. It can be integrated with any network component, such as a router, or any of the logs. With the help of Glass Table, it becomes very easy to inspect if any of the services are down. If a person is trying DDoS on any of the IT servers, such as a web server, we will see a lot of packets getting injected. There will definitely be an increase in the number of packets that a server is receiving. With the help of Splunk ITSI, we can block that particular IP, so the actions can be taken at the same time.

With the help of machine learning and predictive analysis, it checks for any anomaly. It monitors the normal behavior of a service, and if there is an anomaly, it can definitely create an alert for the user. This is how Splunk ITSI works.

Splunk ITSI can integrate with various management tools for predictive analysis. It takes the data and tries to predict and see if anything is suspicious. It makes its own decision at that time, and based on the actions that are listed, it takes action on a particular incident.

Using Splunk ITSI in an IT environment is very helpful. It reduces the downtime and the time taken for a resolution. It can take certain actions on its own. We can monitor every service there. Splunk ITSI can be helpful to prevent something from going down and the users having to face any downtime, failures, or issues with the servers. There is a proactive approach where things can be fixed before they turn into a breach.

Nowadays, it has become very easy for attackers to perform any kind of attack on the servers. Every organization wants its servers to be up and running. So, there is definitely a lot of demand to monitor the entire IT infrastructure. Splunk ITSI is good for that. It plays a key role in the current era where organizations face a lot of attacks. It is a ten out of ten when it comes to being useful to fix all such issues.

Splunk ITSI completely integrates with the incident management platforms. For specific alerts or notable events, Splunk ITSI can also take action with the help of playbooks and defined workflows. With integrated incident management, we can take more advanced actions and make decisions for the environment.

Splunk ITSI helps reduce incident volume. It is business-centric and service-oriented. It provides visibility and is great for predictive analytics and incident management. It also reduces downtime and gives a clear picture of services from a business perspective. I do not have the metrics, but it reduced the incidents to a large volume.

Splunk ITSI reduces the mean time to detect through machine learning and predictive analytics. It observes the normal behavior of a service. If there is any anomaly, it triggers an alert based on the KPIs that are defined. If there is any suspicious behavior, Splunk ITSI can identify that.

We can define certain actions through playbooks for an alert. It can be integrated with SOAR. It can take certain actions as soon as an alert gets triggered. In the case of a DDoS attack, if an IP is sending a lot of packets, we want to block that particular IP to our firewalls. We can define this action within our playbooks, and Splunk ITSI will be able to sort that out in a quick manner.

We can integrate it with a SOAR to automate the workflows and take certain actions. Playbooks are useful for that. I do not have the data about time savings, but it saves a lot of time. Without it, a human will have to open the ticket and go through the incident before taking action, whereas Splunk ITSI can take certain actions on its own, saving a lot of time.

Splunk ITSI has saved money from the overall business perspective. No business wants to see downtime or failure of their services. For example, if you can proactively fix an issue and prevent a payment gateway service from going down, it will save you money. Splunk ITSI is very helpful in monitoring services, and certain actions can be taken to prevent them from going down. Any service going down costs a lot of money to a business.

Splunk ITSI can be easily integrated with the incident management platform. You can automate workflows and certain actions can be taken.

I like the KPIs aspect. If we have a number of services running, we can monitor each individual service. This is one thing that I find very useful. There is a feature in Splunk ITSI called Glass Table where we can visualize each service. We can check all the services there, and we can take a look from the high level to the low level. We can look at individual service. Glass Table is one of the features I like the most.

If they can somehow integrate it with AI in the near future, it will definitely be a game changer. Other than that, I do not see any issues with it. Overall, it suits our environment. Its scalability is good. The visualization is also good. The only thing we need to take care of is how we define the services. If the KPIs for a service are wrong, it is going to generate false positives and more alert noise.

It has been approximately three and a half years since I have been using Splunk along with this premium feature or the ITSI app. 

We have not faced any issues so far. It is a very stable tool. It is very helpful in monitoring overall IT infrastructure.

Scalability is definitely one of the key features. Splunk ITSI is very scalable. 

We have not faced any issues so far.

I have not used any solution other than Splunk ITSI. We have partnered with Splunk, and we provide consultancy with Splunk.

Splunk ITSI can be implemented on-premises or on a cloud such as Azure, AWS, or GCP. It is easy to deploy.

I was a part of the team that implemented it completely. I was involved in the initial setup and monitoring of the services. We defined all the KPIs. We completely set it up. 

The process is straightforward, but it depends on if you have a multi-site or single-site setup. For a single site, it is easy, but in the case of a multi-site, when we are doing a cluster setup, it can be challenging. However, it can be done, and it is possible to implement it with the help of the right KPIs.

The duration depends on the size and the number of resources a company holds. It depends on the size of the network they have. Ideally, you would want to integrate all of the services so that you have complete visibility and you can visualize it from an attacker's perspective.

In terms of implementation strategy, we need to be sure about the services that need to be monitored so that we do not miss anything. KPIs are important to reduce the noise. 

It is not difficult to maintain, but it does require maintenance. If there is any increase in services, Splunk ITSI needs to be scaled up, and there will be some costs for the licensing part.

We need the help of the security team. If it is going to be integrated with the service desk, we need to involve a system administrator. It depends on the privileges a company has. It varies from company to company.

It depends on how big an organization is. If we have a lot of resources, the licensing needs to be upgraded. If we have a small environment, the licensing cost is definitely going to be less.

To someone who already has an IT alerting and incident management solution but is considering switching to Splunk ITSI, I would say that it is a great move. Splunk gives you in-depth information about the health and performance of a particular service running within an organization. It will be a great move if they can implement Splunk ITSI in the organization.

Alert noise depends on how well you have defined the KPIs for your services. If KPIs are wrongly defined, you are definitely going to get more alert noise or false positives. To reduce that, you need to be very sure what a particular service is about and what could be a perfect KPI for that.

You need to assess the services you need to monitor. You should not miss any of the services. A small service can also be vulnerable. Based on the services, you need to define particular KPIs.

I would rate Splunk ITSI a ten out of ten.

We use Splunk ITSI to empower users to visualize their data and transform it into actionable insights. For instance, if they desire to monitor CPU memory usage, they can leverage this tool to achieve that. Additionally, users can effectively search for alerts and trigger email notifications based on specific criteria. Moreover, Splunk ITSI supports the creation of entities that can represent physical or abstract concepts. This flexibility allows users to conduct any desired search on their data and subsequently create informative dashboards for visualization purposes.

We implement Splunk ITSI for our customers because it is the best in the market.

The most significant organizational benefit is leveraging data for various purposes. Based on the data collected, organizations can create visualizations, monitor product performance, and track metrics like CPU and RAM usage to identify potential issues and optimize operations.

Splunk ITSI helps to right-size the resources required to match demands. Splunk also offers on-prem and cloud options. 

The incident management team of Splunk is helpful when we have to escalate an issue.

Splunk ITSI assists our customers in decreasing the number of incidents. They can escalate cases and seek help for any issue, as Splunk can potentially identify the problem as related to an add-on, a different application, or something else entirely. This allows them to contact the appropriate team and work towards a resolution promptly.

It helps customers reduce the mean time to detection by using a real-time search rules engine feature. This enables users to process events in real time, leading to faster detection and response times.

Splunk ITSI assists customers in decreasing the mean time to resolution. A dedicated episode review page allows customers to create and manage groups of related events. Customers have complete control over their episodes and can acknowledge, resolve, build, or take other actions. A specialized dashboard with visualizations facilitates the resolution process, enabling customers to resolve episodes or actively automate this task. Both manual and automated options are available for episode resolution.

The analytics module includes a policy feature that allows users to automate actions, trigger events, add comments, and modify episode status. 

The most valuable features of Splunk ITSI are event analytics and service insight. Event analytics allows me to set up any query on raw data logs and ingest them into Splunk. This data can then be used to trigger events based on specific conditions. For example, I can create a ServiceNow incident, send an email, add comments, or perform custom actions when the system's CPU usage exceeds 90 percent. The Glass Table feature enables users to create dashboards, add services, and visualize data through various queries and tables. 

Splunk ITSI's UI needs to be more interactive and user-friendly.

The real-time search functionality is reliant on Splunk. Occasionally, ITSI customers encounter problems due to real-time search issues. As of the most recent release, a resolution for this issue has not been implemented. Additionally, search clusters are not currently supported in the cloud environment.

I have been using Splunk ITSI for two years.

If the data volume is excessive, we may encounter stability issues. Splunk can handle datasets as large as one or two million, but performance might be affected due to the time required for REST calls. Overall, however, Splunk is a reliable solution.

Splunk ITSI is scalable.

The technical support team is highly responsive and helpful. Customers can contact them directly for assistance with any issues they encounter. The team will diligently work to identify the root cause of the problem and, if necessary, consult with developers for further investigation. Developers will then promptly analyze the issue and provide a workaround or solution as soon as possible.

Positive

Customers are responsible for the infrastructure and deployment of Splunk ITSI on-premises. However, the Splunk TechOps team can assist customers throughout the cloud-based deployment process.

The deployment is straightforward. First, we must install Splunk and extract ITSI in the apps folder. One person can handle the deployment.

I rate Splunk ITSI nine out of ten.

Splunk ITSI is loaded with features and keeps adding more with each release.

The cloud version of Splunk ITSI requires no maintenance, unlike the on-premises version. While maintaining the on-premises version isn't complex, any issues arising from setup or parameter changes become my responsibility. In contrast, TechOps handles cloud maintenance, ensuring complete care.

I would recommend Splunk ITSI to others.

The cloud version of Splunk ITSI is more accessible to work with and to scale.

We utilize Splunk ITSI to enhance our IT operations within our infrastructure. Our goal is to monitor only the most critical KPIs. Additionally, we have access to a detailed overview of the KPI services and entities, allowing us to identify issues in real time. 

We deploy Splunk ITSI both on-premises and in the Splunk cloud. 

We implemented infrastructure monitoring using ITSI to track various aspects such as latencies and specific components like CPU and memory. I can now provide detailed information about the specific cause of CPU-related issues. The problem lies in determining the process through which we can obtain a high-level overview of our services. When we delve deeper, we have access to numerous details to identify the KPI responsible for disrupting the service application. I can now explore ways to monitor its performance and locate the service in question. With ITSI, we can receive alerts and easily navigate to the precise location to resolve the problem.

The end-to-end visibility of Splunk ITSI in our network environment depends on the individual utilizing it. While it may be present, it is crucial to possess a solid understanding of ITSI. In order to illustrate this aspect, we require a well-defined use case that demonstrates our intention to employ ITSI. Overall, I would describe the end-to-end view as highly effective. It facilitates seamless data acquisition and enables us to easily analyze the data afterward.

Splunk ITSI can be utilized for predictive analytics to prevent incidents before they happen. It is regarded as the superior option for observability. While observability is commendable, we also make efforts to view data from SignalFX and leverage ITSI's capabilities to analyze and access large volumes of data. ITSI serves as a tool for analytics, but we can also employ it for observability, albeit SignalFX remains our primary choice for that purpose.

Splunk ITSI has helped us streamline our incident management, particularly through its correlation searches and event policies. With these features, we can efficiently handle multiple tasks by grouping them together under correlations. We can easily search for and identify these tasks and then review them in-network, allowing us to determine the specific episode and identify any high alerts. This enables us to drill down and investigate further, depending on our proficiency with ITSI. Additionally, we have the ability to create a dashboard for editing reviews. This way, we can access our episodes, drill down into our dashboard, and examine the detailed information about the issues we are facing.

ITSI has helped reduce our alert noise by thirty percent. We don't need to extract a large amount of information from our correlation strategies. We can simply refine them and obtain the essential details, thus avoiding unnecessary noise in our environment. We just need to grasp the main idea.

Splunk ITSI has helped us reduce our mean time to detect by approximately fifteen percent. I have been collaborating with individuals who also utilize ITSI for the past five years, and we have observed its continuous improvement each year. The mean time to detect is contingent upon our level of dedication to ITSI in that aspect.

Splunk ITSI has helped us reduce our mean time to resolve by approximately fifteen percent. If we also have a good dashboard alongside it, we can drill down and go straight to the issue.

One of the excellent features is the service analyzer, which is truly impressive. Additionally, we have the infrastructure review, which allows us to assess our infrastructure comprehensively. That is fantastic! Furthermore, the latest ITSI connects the new tenant we have for tenant management. This feature enables us to retire an entity instead of merely deleting it, and if needed, we can easily reactivate it. There are numerous exciting new additions. Splunk ITSI itself is highly interactive, making the overall service experience truly remarkable.

Splunk ITSI could function even better, particularly when it comes to refreshing the service infrastructure. If we could have the option to go back not just sixty minutes, but also one or five minutes, it would enhance our capabilities.

The service analyzer component is excellent, particularly the default analyzer. However, I believe the refresh time should be faster. If it also takes five minutes to complete, as suggested by the KPI requirements, then the refresh time should be significantly reduced. If the data doesn't load within five minutes, our service and KPI will not function properly. Therefore, it is crucial to make it faster.

I would appreciate having more customizable dashboards to assist with in-depth analyses.

I have been using Splunk ITSI for two years.

Since I started using Splunk ITSI, it has remained stable.

Splunk ITSI is scalable.

The documentation for Splunk Doctors is excellent, particularly when it comes to addressing installation issues. However, when it comes to Splunk Processing Language, Splunk itself is unable to assist us. I would recommend relying on the documentation as a valuable resource.

Positive

The initial setup is complex. Even if we have installed ITSI, we still need to install the other apps that accompany ITSI. Perhaps we want to work on this matter, so it depends on whether I am deploying it in a large environment or just a single environment with minimal activity. Therefore, we need to include all of these in the architecture. The ITSI app is one component, but the other apps that derive from it must also be taken into consideration.

We have a tool that we use in our team to expedite the deployment process. However, we are unable to disclose the details as it is a proprietary system. On an average day, if we have access to ITSI, I can personally complete the task within a few hours due to my prior experience. However, for someone without technical expertise, it may take up to a day. Although one knowledgeable person can complete the deployment, it is easier with two people.

I have witnessed a significant return on investment in that aspect. However, it ultimately depends on the customer's use case. Everyone desires to acquire Splunk, but not everyone understands its functionality in that aspect. So, if we have a customer and a strong use case, and we know what they want, we will definitely be able to achieve it. But if we don't have a customer and lack knowledge about it, it will just remain as is.

Splunk ITSI is expensive; however, with the appropriate use case, it justifies the cost.

I rate Splunk ITSI an eight out of ten.

Anyone who is considering a point monitoring system instead of Splunk ITSI should know that with ITSI, we gain access to several other features. Even just with the service analyzer, we can observe our KPIs and identify their affected components. We can determine which settings are causing the issues and make informed decisions, such as trying alternative options. We can also evaluate if a particular KPI has significant importance, as it has a substantial impact on the overall order of operations. This provides us with a detailed perspective in terms of data and other relevant aspects. While it may not offer a purely granular view, having everything consolidated into a single interface is extremely convenient. Working with ITSI requires a considerable level of willingness and experience. However, as we are transitioning towards various new tools, including the ability to easily integrate plug-and-play devices, the only issue with ITSI might be the initial setup. Once we have it implemented, we will have the capability to accomplish all our desired tasks.

The way Splunk sells ITSI is not the way we use it. We can make much better use of ITSI. The most important aspect, in my opinion, of ITSI is the episode review. For instance, when we encounter an issue that is not immediately visible, how can we evaluate that aspect? Therefore, ITSI is beneficial. From my perspective, we need individuals to sit down and explain how it works, as it can be confusing initially. However, once we have a clear understanding, it works well.

In my organization, my team is the only one working with ITSI. We handle all deployments, and typically, we deploy on public cloud infrastructure such as Azure, AWS, and GCP. Nowadays, most deployments are cloud-based. Additionally, with the rapid growth of Splunk Cloud, installation is not a concern as it is taken care of. Our focus is on the implementation if we choose to go the Splunk Cloud route. However, we still handle the installation process ourselves, so we need to ensure our preparedness in that regard.

We have roughly 20 people in our organization that use Splunk ITSI.

In the beginning, we need to ensure that the data we receive is valid. Once we have confirmed its validity, we can rest assured that the system will generate alerts, eliminating the need to worry about maintenance.

I recommend Splunk ITSI for organizations that are interested in IT operations, monitoring, or analytics. By ensuring optimal utilization of Splunk ITSI, organizations can achieve a good return on investment that justifies the purchase.

We have some business-oriented monitoring. The technical components are aggregated to business services up to a certain level. We could do a lot more, but this is what we are doing currently.

Splunk ITSI has improved our mean time to resolution. We can essentially notice things before somebody calls. We have better customer satisfaction. It is hard to say how much time it has saved, but if we do not use it, it will take quite a while until we notice something is down or until we find out what exactly is the issue.

We monitor multiple cloud environments with it. It is no more difficult than anything else.

Splunk ITSI has end-to-end visibility into our cloud-native environment. We also have SignalFx. We are an early adopter of SignalFx in Switzerland. It is integrated, and we have been beta-testing the integration. It is quite easy and workable. It is quite nice.

It provides business resilience by empowering staff. That is the core feature. You can tailor the solution and give the exact information in a certain context. This correlation and this presentation help the business, the users, or the person responsible for the application or the stack. That is the interesting part.

Splunk Episodes are valuable because it correlates and aggregates all the information, and you do not have one million events to look at and triage, so it is quite convenient.

The solution is okay. I am not sure whether the current release has already moved to the new framework where instead of the glass tables, we can directly use the Dashboard Studio. It would be nice to have that integrated into the same framework.

We have been using Splunk ITSI for more than four years.

Its stability is excellent.

Its scalability is excellent.

They used different tools for different parts. For the service aggregation part, they used Netuitive. They still use Dynatrace for some of the things, but they have mostly moved to SignalFx. Dashboarding was one area for which they never had anything.

The guys with the container-based workload absolutely demanded SignalFx. That had the repercussions of finally moving to Splunk ITSI.

I was not involved in its deployment.

I am not sure about the ROI of Splunk ITSI, but we have definitely got an ROI from Splunk. We have been using Splunk since version 3 and doing lots of things. We have hundreds of use cases. If you ask anybody in the business, they would say that it is essential and critical.

Splunk has improved our business resilience in combination with Splunk Enterprise. It is widely adopted by our developers, and we also have a fairly large number of dashboards where core services, such as managed file transfer, are transparent for the users that own a system that is connected as a sending or receiving device so that they can self-service and check if everything is working. There is also alerting on that. So, there are multitudes of use cases. It is more of a framework; it is more of a platform. There is wide adoption of it. 100% of the users in the company have access to it. Not everybody uses it, but everybody has access to it.

It is interesting. I am not involved that much lately, but if I recall correctly, you license primarily on the volume of data that you are using in Splunk ITSI, but there is no way Splunk can ever check if that is true, so that is interesting. We are not doing it, but someone can pretend to just use 10%, and it would be super cheap. It is tricky, but it is more tricky for Splunk than for us.

There were quite a few solutions that we looked at. We were beta testing Splunk ITSI, but unfortunately, the adoption was not possible back then. They had a few market-leading products in the procurement. Due to SignalFx, we finally chose Splunk ITSI.

I would rate Splunk ITSI an eight out of ten.

We use ITSI for performance monitoring and incident management. How do you utilize it? I got it. And what problems were you trying to solve by implementing Splunk ITSI? That's good. 10 to 15 people use Splunk at my company.

ITSI helps us to monitor applications and identify performance problems or service degradation. It provides us with intelligence and enables us to act on it. We can reduce our incidents by about 10 percent. It has also reduced our time to resolve by 10 percent. 

I like ITSI's glass tables. They're easy to navigate by clicking through them. The interface isn't that much different from other products I've used. It provides all the information we need in one place. 

I have used Splunk ITSI for seven months.

I rate Splunk ITSI eight out of 10 for stability. There are some minor issues. 

I rate Splunk ITSI seven out of 10. Splunk is quite scalable, but we had some challenges in our environment.  

I rate Splunk support seven out of 10. We had issues with support that took a long time to resolve.

Neutral

We previously used a different solution. I don't recall which one. The license expired, so we switched to Splunk ITSI. 

We have deployed Splunk ITSI on the cloud. The multisite deployment was complex.

I rate Splunk ITSI eight out of 10. 

We have a couple of different use cases including incident management, correlation, and mapping out incidents.

Having a structure on how to resolve incidents is the most valuable aspect.

It is pretty important to us that it offers end-to-end visibility. That's how we do the ITSI incident setup. It needs to have an overview.

It has helped improve the business' resilience. Splunk's ability to predict, identify and solve problems in real-time is pretty good. I've been a Splunk customer for almost six years.

The time it takes to pinpoint an issue, from when it's triggered to resolution is where I've seen the most value out of Splunk.

We have seen time to value using ITSI. It took a few months to see this value. 

They should make it easier to use. Many people are new to it. It is hard and has a steep learning curve.

I have been using Splunk ITSI for one year.

The product is pretty stable.

We had a support person who was instrumental in getting it set up.

I would rate support an eight out of ten. It's nice to have the help but we'd also like to be independent and that's taking a bit of time to get onboarded. 

The initial setup is easy. We had someone come in. It took around a month or so and he's still with us helping to implement.

Overall, I rate the solution a seven out of ten. I'm getting up to speed with it. 

I work for the Royal Bank of Canada. I work in a group called Investor and Treasury Services IT. We take care of all the IT systems within the Investor and Treasury Services arm, which is a global unit. My role is to ensure that we have the visibility and capabilities to ensure our systems are resilient so we can resolve any problems that may arise very quickly, and move on. My role generally deals with everything from application performance management to maintenance automation. Overall, my single goal is to increase the resiliency of our applications and gain better insight into how our operations are working from an IT operations and application maintenance perspective. 

We liked the built-in calculation of health scores. We were able to adjust the different parameters, and really build out that health score — the RAG status (Red, Amber, Green), which is very powerful from an executive perspective. At the time, we were having a lot of issues from a stability perspective. It condensed everything, allowing our executives to easily ensure that everything was running smoothly: were there any incidents overnight? Those kinds of things. That way, when our CIO woke up and got the call from the head of IMTS, he knew whether or not there was going to be trouble.

Something that we did find with the product (they may have resolved since then), had to do with the ability to contextualize the data sources. For example, we might bring in data for 50 applications from one source, but for each one of those applications, we would have to set up a different data source connection. Because of this, I had to set up one connection each for application A and then B and then C, rather than being able to set up one connection and then segregate the data coming in for those dashboards. That was probably the biggest challenge that we faced. We also faced challenges relating to UI development — being able to get the UI the way we wanted it to look performance-wise. Some of the customization levels of the UI just weren't there.

We used this solution for roughly one year. We were in a POC state for about a year, but we decided not to move forward with the prospect as a whole. The organization didn't want to invest in the product.

The stability issues we experienced were not with the Splunk ITSI product itself. The biggest challenge that we ran into was getting good, consistent data. We're a very large organization; getting at some of the data can be very difficult, especially since a lot of the data isn't centralized in one area.

Overall, it's a very stable product. It ran really well during the time that it was up and running. We didn't have any production issues at all with it.

We were running just a single instance, but we were pulling in data for about 250 applications.

The technical support with Splunk is really good. We didn't have any issues. Now, part of that is, we are Royal Bank of Canada and because of that, we have a certain cache with the vendors and they tend to bend over backward to make sure that they take care of us.

I wouldn't say it's special for the Royal Bank of Canada, but I would say that like any other support, having the right relationship with the vendor makes all the difference in the world. With Royal Bank of Canada being the largest financial institution in Canada, the top 15 in the world, we're afforded certain privileges. A smaller IT operations shop is probably not going to get the same kind of visibility into the products as a company like RBC, mainly because when Splunk wants to advertise that they're doing something, they want to be able to say that they're doing it with RBC, not an unknown corporation down the street.

No. We weren't using a different solution at all before; Splunk IT Service Intelligence was an opportunity area that we were looking into.

We had already had Splunk in our environment more than anything else. We've been running Splunk from a log aggregation and search perspective for about six or seven years now. When we were looking at what that next step looked like, it was just a natural evolution to move into ITSI.

The initial setup was straightforward.

Deployment was relatively quick mainly because it was a POC. We didn't go through all the regular rigor that we would with a production application. So we were able to have it up and running in production in a matter of three to four weeks. That included provision of the service, which takes time within a large organization like ours. 

My biggest piece of advice would be to make sure you have access to the data that you need and know what that data is. The product itself is going to do what it's going to do; there are no issues with that. However, it's gaining access to all those things in the background, that's the problem. If you're a smaller organization or you're highly centralized, getting access to that data may be really simple. For an organization the size of RBC, with the amount of segregation across the organization and the amount of division within the organization, it's more challenging. For this reason, our infrastructure partners use a different tool. They don't use Splunk, they use ELK. They're very much down that road, so getting access to data when the team that you're trying to partner with has a different solution, can sometimes be more difficult.

On a scale from one to ten, I would give this solution a rating of eight.

We use ITSI mainly for IT Infrastructure Operations Monitoring. The service model health scores allow us to identify when KPIs are starting to impact our services and to proactively manage our environments. To date, we have leveraged this data within Splunk to enable alerting so that we can solve incidents in real-time, but we are growing into our usage of the ITSI model for predictive modeling of our environment. Our infrastructure includes commodity hardware, mid-range, mainframe, on-premise data center, and cloud offerings. (Please note that these views are my personal opinions and not those of my employer)

The modeling required to setup ITSI has been very helpful in providing us a better understanding and a logical view of our services. The modeling is flexible and can be as granular or high level as our needs dictate. This flexibility also means that you need to gather a detailed understanding of your services, processes, and applications in order to build a useful model. ITSI is allowing us to more quickly identify what services are impacted by underlying infrastructure concerns.  

The health scores and glass tables are extremely valuable and useful. These provide flexible visibility options to convey the meaning of the big data analysis being performed by Splunk behind the scenes. Glass tables allow you to create graphical displays that convey critical meaning with a simple clean look and feel. The deep dive also provides the ability to dig into metrics and KPIs, which are useful to isolate the time frame involved and that should be focused on. Once in the deep dive, you can quickly identify the first KPI or metric to impact the health score and focus your efforts on it. 

ITSI could benefit from a security model that would allow operations team members to get involved in model building, KPI implementation, and model maintenance while maintaining appropriate segregation of duties. To date, all of our ITSI development is being done by our Splunk Admins, while our KPIs and much of the modeling work are managed by our Splunk developers. Future development of templates and ready to use add-ons could facilitate faster time to value, as many IT infra and even Packaged Application data models are consistent across organizations and could be plugged in easily. 

I have been using Splunk ITSI for two years. 

This is a stable solution.

It is extremely scalable, and can have high data storage costs. 

Customer service has been very responsive to our needs. 

No, we did not replace another solution with ITSI. We used it to enhance existing solutions. 

The initial setup was fairly straightforward, but we had help from Splunk professional services. 

We had help from Splunk professional services. They were extremely knowledgeable. 

I was not involved in the evaluation for ITSI. 

This is a powerful solution requiring configuration to meet your needs.