
Splunk Overview

Splunk is the #1 ranked solution in Log Management Software, top Security Information and Event Management (SIEM) tools, and top IT Operations Analytics tools. IT Central Station users give Splunk an average rating of 8 out of 10. Splunk is most commonly compared to Dynatrace (Splunk vs Dynatrace). Splunk is popular among the large enterprise segment, accounting for 56% of users researching this solution on IT Central Station. The top industry researching this solution is professionals from computer software companies, accounting for 27% of all views.
What is Splunk?

Splunk software has been around since 2006 and the company has since grown to become an industry leader. Splunk's vision is to make machine data accessible, usable and valuable to everybody. The company offers a wide range of products to turn machine data into valuable information by monitoring and analyzing all activities. This is known as Operational Intelligence and is the unique value proposition of Splunk.

Splunk is well-known for its Log Management capabilities and also for its Security Information and Event Management (SIEM) solutions.

Splunk was previously known as Splunk Enterprise Security.

Splunk Buyer's Guide

Download the Splunk Buyer's Guide including reviews and more. Updated: November 2021

Splunk Customers

Splunk has more than 7,000 customers spread across over 90 countries. These customers include Telenor, UniCredit, ideeli, McKenney's, Tesco, and SurveyMonkey.

Archived Splunk Reviews (more than two years old)

DA
Engineer at an integrator with 11-50 employees
Real User
Has the ability to add the functionality you want but it is expensive

Pros and Cons

  • "The initial setup is really straightforward. It's one of the easiest installations."
  • "They should make data onboarding easier."

What is our primary use case?

Our primary use case is for monitoring and cybersecurity.

What needs improvement?

The clusters are hard. It has too many moving parts. 

They should make data onboarding easier.

For how long have I used the solution?

One to three years.

What do I think about the scalability of the solution?

Its ability to scale nicely is one of Splunk's strengths. You just horizontally add another machine and you get your scalability.

Which solution did I use previously and why did I switch?

Our clients switch from Nagios or other monitoring solutions because the other solutions were not as flexible as Splunk. With Splunk, you can do things very programmatically. With the help of a developer and the included SDK you can add the needed functionality.

How was the initial setup?

The initial setup is really straightforward. It's one of the easiest installations. 

This product doesn't have any kind of dependencies, it just worked from one package. Install it and boom, you have a working solution.

What's my experience with pricing, setup cost, and licensing?

Splunk is on the expensive side.

There are some premium add-ons like Splunk Enterprise Security or ITSI which make it more expensive.

What other advice do I have?

I would advise getting Splunk professional services from Splunk.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Rudi Wicaksono
Architecture and Security Team Leader at Offshore North West Java (ONWJ)
Real User
It helps us uncover bottlenecks in the network, but needs better local technical support

Pros and Cons

  • "It helps us uncover bottlenecks in the network."
  • "It can explain to management what kind of traffic is visiting the network. It can also explain other traffic coming in and out, along with protecting against malware."
  • "The product was difficult to back up the first time."
  • "Splunk needs local technical support."

What is our primary use case?

We were using Splunk for our networking to know exactly what kind of traffic was going from one network to another network because we had a lot of connections to other sites.

How has it helped my organization?

It can explain to management what kind of traffic is visiting the network. It can also explain other traffic coming in and out, along with protecting against malware.

What is most valuable?

All the features are valuable. It helps us uncover bottlenecks in the network.

What needs improvement?

Splunk should be able to integrate with other products using the free version.

The product was difficult to back up the first time.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The stability is fine.

We have two people maintaining it.

How are customer service and technical support?

Splunk needs local technical support.

Which solution did I use previously and why did I switch?

We did not use another solution previously.

How was the initial setup?

The deployment was great and took three to four days.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing of the product are quite high.

What other advice do I have?

Splunk is a great product, especially for my organization.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mui Tran
Project Manager at Idemitsu Oil & Gas
Real User
Centralized log monitoring is pivotal for us

Pros and Cons

  • "The most valuable feature of Splunk is the log monitoring."
  • "If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well."

What is our primary use case?

We need something to collect all our logs in a centralized solution. We have several servers but we don't have any log collection system.

How has it helped my organization?

Without Splunk or a similar product, if I want to check the log files every day, I have to log in to the individual hardware components in our system. I have to log in to the firewall, I have to log in to Windows. There are so many devices I would have to manually log into, one-by-one. It would take a very long time for me. 

Also, we don't have a dashboard so we don't know which issues are critical. When we use a centralized log monitoring system we can see things on the dashboard and it is easier for the IT manager or an IT engineer to take corrective action in the system.

What is most valuable?

The most valuable feature of Splunk is the log monitoring.

What needs improvement?

If possible, we would like to have not only a log monitoring system but a network monitoring feature in this solution as well.

What do I think about the stability of the solution?

It's very stable.

Which solution did I use previously and why did I switch?

Up until we trialed Splunk we did not have any solution. We used Splunk because we didn't have anything to monitor our system. I contacted our local vendor in Vietnam, and they suggested using the trial version of Splunk to see how it works in our environment. This is the main reason I trialed Splunk. We just used the trial version in our office and, since it expired, we haven't used it.

How was the initial setup?

For me, the initial setup was not too complex. For an IT person like me, it was okay.

Our local vendor knows Splunk very well. He had already implemented Splunk for another customer. I called him to our office to have him install Splunk. It took a couple of hours for him to finish.

What about the implementation team?

We used a consultant for the deployment, from KDDI Vietnam. Our experience with him was good.

What other advice do I have?

Because it was a trial version, I was the only one who used it in our company.

I kept some snapshots from our trial with the Splunk system and we are preparing a proposal to submit to our manager in Vietnam. If in the near future we have enough money to purchase the system, we will invest in this system for our company.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MS
Sr. Manager Information Security at Tapal Tea (Private) Limited
Real User
The search and query feature is very fast but due to the log size limit, we did not get the full benefit

What is our primary use case?

Log collection and search.

How has it helped my organization?

The search and query feature is very fast but due to the log size limit (in trial version), we did not get the full benefit.

What is most valuable?

Selecting the relevant events and records.

What needs improvement?

Due to the size limit, we could not see the full product.

For how long have I used the solution?

Trial/evaluations only.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MH
Cyber Analyst with 501-1,000 employees
Real User
It has the ability to correlate results

What is our primary use case?

Testing for insider threat behavior.

How has it helped my organization?

It gave management confidence in current operations.

What is most valuable?

The ability to correlate results.

What needs improvement?

A few more analysis aids might help. The next release could have more intuitive help examples.

For how long have I used the solution?

One to three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
LF
Técnico Judiciário at a government with 1,001-5,000 employees
Real User
Has the ability to log more logs than similar solutions and is more efficient than its competitors

What is our primary use case?

We use it to do SIEM. 

How has it helped my organization?

It can log more logs than other solutions. It's a good way to troubleshoot problems.

What is most valuable?

Splunk is a good solution to collect more events than other solutions. It's a good solution, for me, for this reason.

What needs improvement?

Cybersecurity and infrastructure monitoring have room for improvement. 

For how long have I used the solution?

Less than one year.

How was the initial setup?

On a scale from one to ten I would rate the initial setup a seven for its complexity. 

Which other solutions did I evaluate?

We also looked at AlienVault.

What other advice do I have?

I would rate it an eight out of ten. 

Splunk is more efficient than other solutions but it's also more expensive. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Emad Ul Haq
Network & Telco Lead at Mercury
Real User
Provides log collection and analysis

What is our primary use case?

  • Log collection and analysis
  • Reporting for the whole enterprise environment.

How has it helped my organization?

Improved visibility.

What is most valuable?

Log search and alerting/reporting.

What needs improvement?

Code understanding requirement is complicated for most users.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Seyfallah Tagrerout
IT & Cloud Architect at AiM Services
Reseller
We use it for reporting and monitoring of all solutions in the company

Pros and Cons

  • "We can present to our management in real time the security of the batch management for the PCs, security regarding the network equipment. We're currently working in the Azure Cloud project, so we can send any logs from the cloud to Splunk. We can monitor them and we can present to the managers and customers. It's a very good solution for reporting. We use Splunk for reporting and monitoring of any solution in the company."
  • "The security can be improved."

What is our primary use case?

Our primary use case is reporting from the Windows administration. We have SCCM that configures the manager to update every PC workstation and server in the company. We have a lot of PCs and servers in our environment and we use Splunk for the gathering of the PCs and Windows service. We also use it to collect information from the security tools, for example, to provide the management information about how the everyday connection is. 

How has it helped my organization?

We can present to our management in real time the security of the batch management for the PCs, security regarding the network equipment. We're currently working in the Azure Cloud project, so we can send any logs from the cloud to Splunk. We can monitor them and we can present to the managers and customers. It's a very good solution for reporting. We use Splunk for reporting and monitoring of any solution in the company.

What needs improvement?

The security can be improved. 

What do I think about the scalability of the solution?

It is scalable. We have five admins so far that we have in the solution. We have two as techs to develop the design on the world map of the solution, and we have the end users, so 80,000 users altogether. 

How was the initial setup?

The initial setup was complex. We have two data centers in France, two in Germany, and we have 18 countries in the world. It's a big company and we have a lot of services, servers, etc. So the setup is more complex.

What other advice do I have?

I would rate this solution a perfect ten out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
AP
Presales Manager at a tech services company with 11-50 employees
Reseller
Clients benefit from the live security monitoring of their parent IP infrastructure base but Splunk should adjust the pricing

Pros and Cons

  • "The initial setup is simple, not very complex. Initial deployment takes around 10 to 15 minutes to set up the entire base for Splunk including all three tiers."
  • "Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud."

What is our primary use case?

We use it for security incident event management and for IT service intermediates.

How has it helped my organization?

We sell it to clients so clients benefit from Splunk in terms of live security monitoring of their parent IP infrastructure base. Their IP security and network application base is where we have a 24/7 monitoring interface.

What is most valuable?

Splunk has many good apps and has a contribution from all security vendors. That's where Splunk wins.

What needs improvement?

Splunk's cost is very high. They need to review the pricing. They have to go back and totally readdress the market.

Splunk does not build apps. They only go back and validate the apps that somebody has already built. They should have remote consulting support. They have a wonderful solution. They have 24/7 security. Nobody needs to depend on any third party and will therefore just buy Splunk on the cloud. 

Its costs are too high and it should be more cost effective because it's going to be a cloud offering. 

What do I think about the stability of the solution?

Stability is perfect. It's a good product. The market right now is moving towards cloud. We will use cloud in our option strategy. One thing that Splunk does not have is a partner consulting base so Splunk depends heavily on its own consulting, which I think should not be there. They should promote more partners for consulting. In fact, their education program is also very costly for all partners. For example, if you want to get your guys certified it's really costly. Because they have a good solution, they're completely inflexible with pricing. I don't see a lot of enablement from Splunk. 

How was the initial setup?

The initial setup is simple, not very complex. Initial deployment takes around 10 to 15 minutes to set up the entire base for Splunk including all three tiers.

The client has to bear that cost plus the initial infrastructure, Splunk does not come in and install it. The client, retailer or the partner has to do it. Secondly, then comes the software installation part of Splunk wherein you go and install the Splunk components. Then you have the configuration part which includes the revenue use cases on the Splunk apps on the Splunk platform which is another big phase. You can build your project the way you want to. It's a life phase. Use cases are not something which cannot be quantified. Initial set up can be done through the Splunk apps and then, later on, you can modify the use cases as per what the client needs.

What's my experience with pricing, setup cost, and licensing?

Pricing is one factor that hurts everybody on the market; the client, the reseller, everybody that touches it. Only Splunk makes money. It is hard to have it for the long term if it's a stretch for your budget. Pricing becomes a problem and people are just focused on numbers rather than creating a vision for the entire product. That is the biggest factor I found with Splunk, that they just want to make money and they don't care about anything else. They lost national, country-level projects because of this attitude.

What other advice do I have?

I will rate it as a security product an eight out of 10. There's no product which is perfect unless you go back and you create a psychic of the solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
MC
Net Sec at a tech services company with 11-50 employees
Real User
The search function for Splunk is like a Google search, you just enter and it will quickly show you the results

Pros and Cons

  • "The search function for Splunk is like a Google search. You just enter and it will quickly show you the results."
  • "Splunk has different plugins but by default, the logs are not organized, it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality but I haven't tried any of them."

What is our primary use case?

Our primary use case of this solution is as a centralized log collection.

What is most valuable?

The search function for Splunk is like a Google search. You just enter and it will quickly show you the results.

What needs improvement?

Splunk has different plugins but by default, the logs are not organized, it shows that there are roll-ups that are out of the box. I saw many plugins that can help improve or extend Splunk's functionality but I haven't tried many of them.

It would be best if they can incorporate all security locks with minimal incidents. 

For how long have I used the solution?

One to three years.

What do I think about the scalability of the solution?

It's a little hard to scale on-prem. 

How was the initial setup?

The initial setup was easy. It took us one to two days. 

What's my experience with pricing, setup cost, and licensing?

It's a little bit expensive for a small to medium enterprise.

Which other solutions did I evaluate?

We also looked at AlienVault.

What other advice do I have?

I would rate this solution an eight out of ten. To make it a ten they should have more integration with outside vendors. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SD
Technical Project Manager at Altran
Real User
Enables us to pull up reports very easily, take action, and notify stakeholders

Pros and Cons

  • "It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders."
  • "It does not give us permission to implement on-premise so we implement them on the cloud."

What is our primary use case?

Our primary use case was really as a client organization, like the government and the IT industries, we are in the telecoms sector. We analyze security reports. We use Splunk to order them and put them in a system and we use the various kinds of integration with Oracle Cloud which is helpful.

How has it helped my organization?

Every tool has a drawback. Some aspects of this solution are secure but getting clean data from the cloud takes time. Looking towards the future, I'm looking for a tool that is the most secure in the cloud environment. 

What is most valuable?

It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders.

What needs improvement?

I would like to see them develop integration with the help of a rack REST API, which is an API that helps to secure communication with Oracle Cloud and pull down records from there.

This integration is currently missing in the current version of Splunk. I'm looking forward to seeing this feature implemented in the next version of Splunk so that organizations can benefit from this feature in the future.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Stability is very good. 

What do I think about the scalability of the solution?

Scalability is good. It's scalable enough. You can play around with this tool. Scalability is one of the main criteria we look for when considering solutions. 

How was the initial setup?

The setup depends on the organization. It is very simple here. You can easily install all of the businesses in the company network. Previously, it was suggested that this solution is not flexible enough. It does not give us permission to implement on-premise so we implement them on the cloud. 

Which other solutions did I evaluate?

We also looked at HP ArcSight and two other solutions. 

What other advice do I have?

I would rate this solution a nine out of ten. I rated it a nine because every tool will have its drawbacks but ultimately it's a very good tool in comparison to HP ArcSight. If we can add on a scalability feature it would significantly improve the solution. 

I would advise someone considering this solution to use it at least for a year to get a hands-on and technical understanding because it's a good product. Then decide whether or not to move forward with Splunk - but I would advise to stick with Splunk. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GS
Director of Information Security with 201-500 employees
Real User
Extremely scalable but they need to make purpose-built modules more robust

Pros and Cons

  • "It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution would be accompanying requirements for people just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to put everything including the Coke machine as the ability to collect data off of it, because of course the more they can put through the tool the more money they make."
  • "The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication."

What is our primary use case?

  • SIEM
  • Security information 
  • Event management

What needs improvement?

The tool itself is very difficult to configure. It's great for its number of inputs, for the different types of systems devices, and things that it could collect information from. To actually make good use of it, you need a fairly dedicated team of people that have some reasonably good programming or modeling skills to be able to do the things that you need to do with it. Whereas a lot of the other tools are better packaged for that, and so require a lot less training and a lot less dedication.

What they need to do more than anything else is, they need to take a serious look at purpose-built modules like the SIEM and put a lot more effort into making them more robust. If they did that I think they would have a better chance on the market. The base tool was great, and if the organization that they're looking to sell into requires a good, solid logging solution then they would have a very good sales statement to make because you could get the logging solution you need that could give you the SIEM at the same time.

What do I think about the scalability of the solution?

It's extremely scalable. It's a very robust solution and certainly has the capability of handling far bigger data requirements than a lot of the other tools. Generally what ends up happening with me is that my clients tend, for the most part, to be mid-tier organizations where the cost of that solution would be accompanying requirements for people just becomes way too prohibitive. Especially considering the model that they use for costing, which is based on the volume of data. Of course, they're going to put everything including the Coke machine as the ability to collect data off of it, because of course the more they can put through the tool the more money they make.

Which solution did I use previously and why did I switch?

  • AlienVault
  • LogRhythm
  • ArcSight
  • QRadar

I've used a whole bunch of different solutions. For a SIEM based solution, they are more purpose-built for that function. Where Splunk is purpose-built for a general logging and data capture solution so you'd be able to capture a lot of different information.

How was the initial setup?

Anything that's not out of the box requires coding. Even up until recently when they finally released their SIEM or their security add-on. Before then there was no security stuff at all. I would actually have to go in and code that within the system to be able to do the necessary searches to pull that information. Whereas a lot of the other tools already have those preconfigured, which means I don't have to go and recreate the wheel. Now, they finally figured that out to a certain degree, and started putting the new tool in a place that gives you some SIEM functionality.

What other advice do I have?

As a logging solution, I would say it's probably an eight or nine. If you're talking about the SIEM I'd say it's probably about a five. For logging, I think they would have to change the costing model. The costing model is way out of line. It's built for very large organizations.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
VMware Engineer at First Data Corporation
Real User
In-depth logs but downloading and uploading logs have become an issue

How has it helped my organization?

100%. VMware needs log information to troubleshoot; it's not easy finding problems.

Downloading and uploading logs have become an issue.

What is most valuable?

  • In-depth logs
  • Add-ons 
  • The ability to ingest data from other tools
  • The detailed log view
  • It's easy to read

What needs improvement?

  • The amount of time it takes to troubleshoot not-easily-available data
  • Also, hours on the phone with VMware techs.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
BW
Senior Network & Security Architect at an insurance company with 501-1,000 employees
Real User
Central locale for our cybersecurity

What is our primary use case?

Splunk is our central locale for cybersecurity and protection.

How has it helped my organization?

Once we onboarded all of the required needs, it created a lot of visibility for us.

What is most valuable?

It is quite extensible. It is a platform that we can build our use of each case instead of each case being limited or restricted to each capability. This is probably the best feature.

What needs improvement?

I would like to see future development in terms of ML (Machine Learning). 

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

It can be scaled quite easily in comparison to other products on the market.

How is customer service and technical support?

The tech support response time could be a bit better. Sometimes I need to wait more than 24 hours for a response to my tickets.

How was the initial setup?

I was not involved with the initial setup.

What's my experience with pricing, setup cost, and licensing?

The price could be improved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
KK
IT Analyst at an energy/utilities company with 1,001-5,000 employees
Real User
Reduced our time to log

Pros and Cons

  • "In the past we used a different application to collect logs. We used SurfWatch and VMware to do so. But, we found that Splunk has more capacity to do more in less time. They provide a faster speed to index all the events, and this is a huge asset."
  • "Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market."

What is our primary use case?

In the beginning, we just wanted to collect the logs from the different devices, like the nano storage, Linux, Windows, and VMware. We tried to get the uniform solution to collect and analyze all of the system logs.

How has it helped my organization?

Our current companies need this solution. We need it to highlight the old logging events. Based on the different device and systems, we have Splunk and we can clearly explain the everyday field logging of events in the different IT environments.

In the past, we used a different application to collect logs. We used SurfWatch and VMware to do so, but we found that Splunk has more capacity to do more in less time. They provide a faster speed to index all the events, which is a huge asset.

What is most valuable?

The user can apply for all kinds of device systems, no matter whether he/she is using Windows or Linux. It can easily collect the logs. In addition, the user can have an index which can help us to collect and analyze all kinds of logs and find the outstanding issues.

What needs improvement?

Splunk is not very user-friendly. It has a complex architecture in comparison to other solutions on the market.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

Scalability could be improved.

Which solution did I use previously and why did I switch?

We used SurfWatch and VMware in the past.

How was the initial setup?

I was not involved with the initial setup. 

What's my experience with pricing, setup cost, and licensing?

I am not personally involved with the pricing of the solution.

Which other solutions did I evaluate?

We also looked at Selopene SIEM. It is a premier logging site.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tony Fabrikant
CTO at IHS Markit
Real User
We were able to create a catalog of dashboards and have a holistic view at all levels, understanding our business better

Pros and Cons

  • "The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports."
  • "We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before now, surfaced up on dashboards."
  • "We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved."
  • "I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions."

What is our primary use case?

We use it for logging and troubleshooting.

How has it helped my organization?

Every team immediately created their own Splunk dashboard, and all the product owners were ecstatic about this. We were able to create a catalog of dashboards and have a holistic view at all levels. We could understand our business much better. Real-time errors, which were buried in emails before now, surfaced up on dashboards. Even our executives could understand this, and it changed the way teams thought about alerting and reporting. It allowed us to send out real-time notifications to integrate with Opsgenie, and it changed the way IT works.

What is most valuable?

The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports. The dashboards are very intuitive and similar to SQL. They are easy to set up and get running.

What needs improvement?

The query language is pretty slick and easy, but it is not consistent in parts. Some of it feels a little esoteric. Personally, some of my engineers are coming from SQL or other languages. Some things are a little bit surprising in Splunk and a little bit inconsistent in their querying, but once you get used to it and once you get used to the field names and function names, you can get the hang of it. However, if it was a bit more standardized, it might be quicker to get it up and running.

I would like additional features in different programming models with the support for writing queries in SQL or other languages, such as C#, Java, or some other type of query definitions. I would also like a better UI tool for enhancements of advanced visual query editors.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is pretty stable, though it has gone down from our usage. We do need to keep an eye on our query volumes. Right now, it is too easy for a user to write a query, run it, make it available in polling mode (real-time mode), and bring down the server. Some more safety alerting would help and be beneficial.

We do have to educate developers on how to not blow it up. It is a little too easy to write an expensive query and overly stress the system. This could be improved. Overall, once you have people who know what they are doing, it is very stable.

What do I think about the scalability of the solution?

Our environment is on-premise, and it is big. We have a couple hundred users. However, it was slow and unavailable at times before we trained all the engineers on how not to write a long, constantly polling query.

How is customer service and technical support?

Our internal tools team did work with the Splunk support team extensively. I was not directly involved, but from my point of view, they were able to fix and resolve issues within a day or less, so they have been okay.

How was the initial setup?

It is early days right now to evaluate the integration and configuration of Splunk in our AWS environment. We are just starting to integrate it with regular stuff. While I think it is okay so far, I really do not have enough information.

What was our ROI?

Most of our return on investment has been through faster error resolution. Our mean time to recovery has dropped for issues. We can often fix things before the customer notices them. Whereas, when logging was done custom by each team in non-standard ways, it would take days to resolve issues that are now sometimes resolved in minutes.

Which other solutions did I evaluate?

We knew we were going to go with Splunk. It was the leader and the one we liked. We didn't consider any others since Splunk met our needs.

We chose Splunk because of the ease of the UI, querying, and creating dashboards. It has a standardized query language, which a lot of the IT staff were already familiar with. It was the market leader from our perspective for our needs.

What other advice do I have?

Go with Splunk. A lot of people know how to use it because they have experience with it. It works well. While it has some pain points, it provides reports and data visibility.

It integrates great with Opsgenie, PagerDuty and Slack. We love the Slack integration, as it works great with the Slack alerts.

We use the on-premise version in our data centers and we use the AWS version. We are just starting to migrate to the AWS hosted version, and I have not seen a difference.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JD
Enterprise Architect at a tech services company with 10,001+ employees
Real User
You can run reports against multiple devices at the same time

Pros and Cons

  • "The technical support has been very good. They are very responsive and have been helpful."
  • "You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do."
  • "When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved."
  • "I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier."

What is our primary use case?

We use it for log aggregation. 

If you have a large number of devices, you need to aggregate log data to make more sense of it for parsing, troubleshooting, and metrics. This is all we use it for.

If I need to track logs for a certain application, I will push all of those logs to Splunk so I can run reports on those logs. It is more about what you are trying to do with it and what you need from it.

How has it helped my organization?

We use it primarily for troubleshooting. We had an issue with SaltStack recently and were able to look for the same log entry on a thousand servers simultaneously, making the process easy.

What is most valuable?

The ability to create dashboards.

You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.

What needs improvement?

When you get into large amounts of data, Splunk can get pretty slow. This is the same on-premise or AWS, it doesn't matter. The way that they handle large data sets could be improved.

I would like to see an updated dashboard. The dashboard is a little out-of-date. It could be made prettier.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It's been very stable for us. Most of our stress is not from Splunk, but from disk I/O, like input and output for the disk that you are writing logs to. We have had more issues with our own hardware than with Splunk. 

You have to make sure if you're writing an enormous amount of data that you have your I/O sorted out beforehand. 

What do I think about the scalability of the solution?

It scales fine. We haven't had any issues scaling it. Our current environment is about 30,000 devices. 

How was the initial setup?

The integration of this product in our AWS environment was very simple. We just forwarded our logs to it, and that was about it. 

It has agent-based log forwarding, so it is very simple, not complicated at all. This process is the same for on-premise and AWS.

What was our ROI?

If you have a large number of servers, even a few hundred servers, then you need to track specific data and log information from a lot of servers. You can either go to each server individually or set up jobs to ship those logs somewhere with rsync or Syslog. The other option is to use Splunk and push them all to Splunk, then from Splunk you can just create alerts and run reports against all that data in one place with a single query rather than having to do all that work repeatedly. It saves us a lot of time, just in man-hours, and being able to look at hundreds or thousands of servers simultaneously.

Which other solutions did I evaluate?

Splunk has no real competition. It is just Splunk, and that is it.

What other advice do I have?

Build your environment a lot bigger than you think you will need it, because you fill it up quickly. We log somewhere in the neighborhood of two to four terabytes a day per data center.

We use both AWS and SaaS versions. With the SaaS version, you don't have as much control, but it functions the same, so there is no real difference. Though, the AWS version is probably easier to scale, because it is AWS. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sam Osborn
Software Engineer at Tableau Software
Real User
It has reduced the time to resolution and time to investigate, but the search query is slow

Pros and Cons

  • "It has reduced the time to resolution, time to investigate, and time to troubleshoot for debugging issues."
  • "Out-of-the-box, it seems very powerful."
  • "My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it."

What is our primary use case?

We use it for searching logs in a production environment.

How has it helped my organization?

It has reduced the time to resolution, time to investigate, and time to troubleshoot for debugging issues. 

What is most valuable?

Being able to search across all the different production environments at the same time, then being able to do search queries to scope out specific environments, specific components, or specific logs from different languages, such as Java or C++. Thus, being able to have really fine-grained control on log searching is really good.

Out-of-the-box, it seems very powerful.

What needs improvement?

The search query seems slow, but I am not sure if that is just because it is searching millions upon millions of lines of text. Also, I just started using it, so I might have no idea what I am doing. I could probably speed up the queries by improving my search skills.

My company could benefit from doing more Splunk training with Splunk consultants teaching us how to use it. It is possible that we have already done this and I haven't participated, but this type of training would be helpful.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It is always up when I need to search. I am probably not using it that much. I will maybe search a couple times a day for something specific, so I am not using it too much. I know plenty of the people who are doing a lot more for debugging, and who use it a lot all day.

What do I think about the scalability of the solution?

It seems like it scales well. We have hundreds of production and development environments, and we are searching on all of them. Therefore, it seems like the scale is good. 

We have hundreds of production environments, and each production environment has ten to 20 host machines. Each production environment can manage tens of thousands of customers.

Maybe going to AWS and scaling it better would be more cost-effective for our company. However, I am not involved in those decisions.

How is customer service and technical support?

I have not used technical support.

Which other solutions did I evaluate?

We have other log searching tools, but we have standardized on Splunk. 

What other advice do I have?

It is a great product. We have a lot of different tools to do this type of debugging. Yet, it is one of the first ones that I will reach for, and I think that is a good sign.

It works well and is the industry standard for log searching. It probably has other features too. Therefore, if you use it, I would recommend the training, so you know what you are doing. 

I am using the on-premise version.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
SM
Engineering Manager at a manufacturing company with 10,001+ employees
Real User
Its AMIs make it easy to spin up a Splunk cluster or add a new node to it

Pros and Cons

  • "It is very simple to tweak or write a small piece of glue code to go ahead and create a new dashboard for a business unit to make near real-time decisions to focus more on other geographies when launching the product."
  • "On the cloud, we are pushing through less than half a petabyte of data. So far, it has been fairly stable because it runs on all the underlying AWS infrastructures."
  • "For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster."

What is our primary use case?

It is mostly centralized logging, a whole bunch of BI metrics, and an aggregation point, which we have adulterated for some PCI data.

It does meet our use case for the most part.

What is most valuable?

We like the dashboard creation and the ease with which we can harness the APIs to create custom BI dashboards on the fly. This adds the most value for us. The nature of some of our microservices that I run on the cloud is mixed workloads, wherein with the flow of data, it can change over time. In order to adjust for this, and cater to the needs of some of our internal customers, BI dashboards need to be created, tweaked, and modified. Also, doing this by hand is next to impossible. Therefore, we have strung all of this through a programmatic pipeline, which is something we like because it is easier for us to harness it utilizing the API.

What needs improvement?

For on-premise, it's more about optimization. With such a heavy byte scale of data that we are operating on, the search for disparate data sometimes takes about a minute. This is understandable considering the amount of data that we are pumping into it. The only optimization that I recommend is better sharding, when it comes to Splunk, so that data retrieval can be faster.

With the AWS hosted version, we have not hit this bottleneck yet, simply because we are not yet at the multiple terabyte scale. We have hit it with the on-premise enterprise version. This is a problem that we run into every so often. We don't run into this problem day in and day out. Only during the months of August through October do we contend with this issue. Also, there is a fair bit of lag. We have our ways to work around it. During those few months, we are pumping in a lot of data. It is between 8 to 10 terabytes of data easily, so it is at a massive scale. There are also limitations from the hardware perspective, which is why it is an optimization problem.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

On the cloud, we are pushing through less than half a petabyte of data. So far, it has been fairly stable because it runs on all the underlying AWS infrastructures. Therefore, we have had no issues at all. In terms of availability or outages that we've experienced, there haven't been any. We've been fairly happy with the overall landscape of how it works on AWS.

What do I think about the scalability of the solution?

On cloud, we absolutely like it. Splunk AMIs make it easy for us to spin up a Splunk cluster or add a new node to it. For our rapid development and scale of deployments in terms of microservices and the number of microservices that we run, we have had no problems here.

On-premise requires a lot of planning, which happens on a yearly basis. We have Splunk dedicated staff onsite for on-premise to help us through this. 

We have 450 people making use of Splunk in our organization, and there was a bit of knowledge transfer needed on how to write a Splunk query. So, there is a bit of a learning curve. Once you get over it, it is fairly simple to use. We also have ready-made Splunk queries to help people get started.

How is customer service and technical support?

We do deal with technical support on an ongoing basis. They can definitely do better from a technical point of view. Their only purpose working onsite is to make sure that our massive set of Splunk clusters are online, and the clusters are tuned well enough to work well.

We would expect the technical support people onsite to be subject-matter experts of Splunk. We have seen in a few areas where we have been left wanting more, wherein some of our engineers happen to know more than them in terms of some of the query optimizations, etc. This is where we think there is a fair amount of improvement that can be done. 

What about the implementation team?

We wrote the automation to bootstrap everything onto AWS, which was fairly easy. As long as we had all the hooks going into AWS, and we had the SDK. So, we did not have too much trouble getting the bootstrap up and running.

What was our ROI?

Some of the insights that we have obtained as a part of using Splunk have greatly helped us in increasing our revenue in terms of selling our products.

We have seen a decent ROI. For the month of October 2018, when we had a product launch, we were able to query and generate BI dashboards on the fly. This was huge, and not possible two and a half to three years back because it was more of a manual process. Now, with APIs being available, it is very simple to tweak or write a small piece of glue code to go ahead and create a new dashboard for a business unit to make near real-time decisions to focus more on other geographies when launching the product.

Which other solutions did I evaluate?

I wasn't there when the evaluation was done. When I came on board, this product was handed down to me, and we have not evaluated any other solutions or products since then.

What other advice do I have?

Make sure it fits your use case. Be clear about what you want to achieve, get out of the product, and how you want to integrate it. Once you tie the solution into your systems, it is not trivial or easy to walk away from. Therefore, due diligence needs to be made to understand what your requirements are before choosing a product. Some companies may not even want to host, and prefer to go the managed services route.

We have it integrated with every product that I can think of.

We use both the AWS and on-premise versions. The AWS hosted version typically caters to all the microservices that we run on AWS, so there is a clear segregation between on-premise and cloud. In terms of usability and experience, both of them have been similar. We have seen a few bottlenecks on the cloud, but that can probably be attributed more to the user side of the house in terms of the way we write our applications and the type of payloads that we sent this month. This is an optimization which is ongoing from our end. Other than that, we have been fairly happy with Splunk and what we get out of it.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
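The reviewer above describes generating BI dashboards programmatically through the Splunk API rather than by hand. As an added example (not the reviewer's own pipeline and not taken from Splunk's documentation), the block below renders Simple XML for a per-product, per-region launch dashboard and posts it to the REST endpoint for views. The index, sourcetype, field names, role of the bearer token, and the `data/ui/views` path under `servicesNS/<owner>/<app>` are assumptions for the illustration; `publish_dashboard` is only called when you supply a live server.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_dashboard_xml(label, panels, earliest="-24h@h", latest="now"):
    """Render Simple XML for a dashboard with one row per panel.

    panels: list of (title, spl_query, viz) with viz in {"chart", "table", "single"}.
    ElementTree escapes <, > and & inside the query text, so a query such as
    'status>=500' survives the round trip without hand-escaping.
    """
    root = ET.Element("dashboard")
    ET.SubElement(root, "label").text = label
    for title, query, viz in panels:
        panel = ET.SubElement(ET.SubElement(root, "row"), "panel")
        ET.SubElement(panel, "title").text = title
        viz_el = ET.SubElement(panel, viz)
        search = ET.SubElement(viz_el, "search")
        ET.SubElement(search, "query").text = query
        ET.SubElement(search, "earliest").text = earliest
        ET.SubElement(search, "latest").text = latest
        if viz == "chart":
            ET.SubElement(viz_el, "option", name="charting.chart").text = "line"
    return ET.tostring(root, encoding="unicode")


def launch_dashboard(product, region):
    """Glue code of the kind the review mentions: the same two panels, scoped to
    whatever product/region a business unit asks for. Index, sourcetypes and
    field names are assumed for the example."""
    scope = f'product="{product}" region="{region}"'
    panels = [
        (f"{product} orders per hour ({region})",
         f"index=app sourcetype=app:orders {scope} | timechart span=1h count",
         "chart"),
        (f"{product} checkout errors ({region})",
         f"index=app sourcetype=app:checkout {scope} status>=500 | stats count BY endpoint",
         "table"),
    ]
    return build_dashboard_xml(f"Launch: {product} / {region}", panels)


def publish_dashboard(base_url, token, owner, app, name, xml):
    """POST the view to the management port (assumed: bearer-token auth and the
    servicesNS/<owner>/<app>/data/ui/views endpoint). `name` must be a plain
    identifier (letters, digits, underscore); the label is what users see."""
    url = f"{base_url}/servicesNS/{owner}/{app}/data/ui/views?output_mode=json"
    body = urllib.parse.urlencode({"name": name, "eai:data": xml}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Build only; publishing needs a real host and token, e.g.:
    # publish_dashboard("https://splunk.example:8089", TOKEN, "nobody", "search",
    #                   "launch_widget_emea", launch_dashboard("widget", "emea"))
    print(launch_dashboard("widget", "emea"))
```

Because the generated `name` and label are derived from user-supplied values, keep the same discipline as for any other API write: validate `product` and `region` against an allow-list before they reach the query string, or a dashboard author can smuggle arbitrary SPL into a shared view.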
Kenn Brodhagen
DevOps Engineer at Amplify
Real User
It is easy for our developers to use if they want to search their logs. Something should be built into the product that if you're close to your license, then it shuts things down.

Pros and Cons

  • "Its usability is the best part. It is easy for our developers to use if they want to search their logs, etc."
  • "A problem that we recently had was that we licensed it based on how much data you upload to them every day. Something changed in one of our applications, and it started generating three to four times as many logs. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However, it would be better if they had something systematically built into the product that if you're getting close to your license, then to shut things down."

What is our primary use case?

We use it for application log monitoring.

It is a logging product. Our application generates log files, then we upload them to Splunk. We run their agent on our EC2 instances in AWS, then we view the logs through their product, and it is all stored on their infrastructure.

How has it helped my organization?

We have used the alerts for a lot of things. They gave us the ability to kind of make an alert simply. So, we did one for SQL injection. We also had some services which were problematic that would fail, but we figured out what log line that we could look for, so it was easy to make an alert for that.

What is most valuable?

Its usability is the best part. It is easy for our developers to use if they want to search their logs, etc.

What needs improvement?

A problem that we recently had was that we licensed it based on how much data you upload to them every day. Something changed in one of our applications, and it started generating three to four times as many logs. So now, we are trying to assemble something with parts of the Splunk API to warn ourselves, then turn it off and throttle it back more. However, it would be better if they had something systematically built into the product that if you're getting close to your license, then to shut things down. This sort of thing would help out a lot. It would help them out too, because then they wouldn't be hollering at us for going over our license.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Stability has been great. I don't think we have ever had an outage from it.

We don't do a lot of searching. If there is somewhere with problems, it will probably have to be with a lot of searches, and we don't have that. We don't have many developers searching every day. It is mostly when there is a problem, then we use it for diagnostics. So, we don't put a large search load on it. However, the reliability of it has been great. It hasn't been down for us at any point.

What do I think about the scalability of the solution?

It seems to have worked out great. We haven't had any problems yet.

How are customer service and technical support?

I haven't used the technical support.

Which solution did I use previously and why did I switch?

Before Splunk, we used Kibana and Elasticsearch. Sometimes, with them, logs wouldn't even be there. We have received an infinite time reduction there. We couldn't use what we had before, so Splunk being there and working does a lot.

How was the initial setup?

The integration and configuration with the AWS environment was easy. They had the documentation. All we had to do was get their agent running on our EC2 instance, and their documentation was good for that. It worked, which was great.

The product is also integrated with PagerDuty, Slack, and AWS. Those integrations are good and seamless.

What was our ROI?

It has made life easier for us through use, then by troubleshooting problems. It reduces the cost of the intangibles.

What's my experience with pricing, setup cost, and licensing?

The pricing seems good relative to the other vendors that we have had here. However, they need to find ways to be more flexible with the licensing and be able to deal with situations where we start generating more logs. Maybe having some controls in the Splunk interface to turn it off, so we don't have to change anything in our application.

We have an existing contract with Splunk, so it makes sense to stay with them for now. Our license is for 100 GB of logs a day.

Which other solutions did I evaluate?

There are a lot of vendors in the space at the conference this year. Therefore, we probably talked to six or seven different ones, and the market seems to be consolidating. The market's metrics and log monitoring all seem to be rolling up into a single provider. It looks like that is what will be happening in the next few years.

Right now, there are a ton of different smaller providers doing little pieces of this and that. All the big players, like Splunk, New Relic, and Datadog, seem to be rolling them all up into one offering. 

What other advice do I have?

Implement something and watch how much data you are sending to it, then have some way to shut it off without redeploying your app in case things get hairy.

We use the cloud version of the product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
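The reviewer above mentions building an alert for SQL injection out of log lines. As an added example (not the reviewer's alert and not Splunk's code), the block below shows the detection logic such an alert needs: decode each request's query string the way the backend would, match a few SQL-structure indicators rather than a bare quote (so `O'Brien` does not fire), and only page on a source that trips the indicators repeatedly. The access-log lines are constructed for the example, and the `SPL_ALERT` string at the end is the same logic expressed as a scheduled search, with an assumed index name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log events (combined log format, not real traffic).
# Query strings are left URL-encoded exactly as a web server writes them.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 - - [12/Mar/2019:10:01:02 +0000] "GET /search?q=splunk+dashboards HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2019:10:01:07 +0000] "GET /item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811
10.0.0.9 - - [12/Mar/2019:10:01:09 +0000] "GET /item?id=42%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 311
10.0.0.12 - - [12/Mar/2019:10:02:15 +0000] "GET /report?name=O%27Brien HTTP/1.1" 200 2044
10.0.0.9 - - [12/Mar/2019:10:02:40 +0000] "GET /item?id=1%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 200 9811
"""

ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Each indicator requires SQL structure around the metacharacter, which keeps an
# apostrophe in a surname from raising an alert.
SQLI_INDICATORS = [
    (re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I), "tautology"),
    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "union_select"),
    (re.compile(r"(--|#|/\*)\s*$"), "trailing_comment"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I), "time_based"),
    (re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I), "stacked_query"),
]


def decoded_params(target):
    """Yield (name, value) pairs from the query string. parse_qsl decodes once;
    the second unquote catches double-encoded payloads (%2527 -> %27 -> ')."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield name, unquote(value)


def classify_value(value):
    """Names of the indicators that fire on one decoded parameter value."""
    return [tag for pattern, tag in SQLI_INDICATORS if pattern.search(value)]


def scan_access_log(text):
    """Run the indicators over every parameter of every parseable request."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the alert
        for name, value in decoded_params(m.group("target")):
            tags = classify_value(value)
            if tags:
                hits.append({"src": m.group("src"), "status": int(m.group("status")),
                             "param": name, "value": value, "tags": tags})
    return hits


def sources_to_alert(hits, min_hits=2):
    """Page only on sources with repeated indicators; a single odd value is noise."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= min_hits}


# The same logic as a scheduled Splunk alert. Assumed: index "web"; the
# access_combined sourcetype extracts clientip and uri_query by default.
SPL_ALERT = r'''index=web sourcetype=access_combined
| eval q=urldecode(urldecode(uri_query))
| regex q="(?i)(\bunion\b\s+(all\s+)?select|'\s*or\s*'?\d*'?\s*=|\bwaitfor\s+delay\b|\b(sleep|benchmark|pg_sleep)\s*\()"
| stats count, values(uri_query) AS samples BY clientip
| where count >= 2'''


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for h in found:
        print(h["src"], h["param"], h["tags"], repr(h["value"]))
    print("alert:", sources_to_alert(found))
```

Tune `min_hits` and the time window together: two indicators from one address inside a five-minute scheduled search is a reasonable first threshold, and the `values(uri_query)` samples in the alert give the responder the payloads without a second search.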
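The same reviewer's main complaint is a sourcetype that tripled its log volume and blew through a daily ingest quota before anyone noticed. As an added example (not the reviewer's tooling and not part of Splunk), the block below does the warning half of what they describe from the license master's own `license_usage.log` (under `$SPLUNK_HOME/var/log/splunk/`, also searchable in `index=_internal`): it parses the per-interval `type=Usage` events, totals bytes per sourcetype against the pool size, and names the sourcetypes to throttle when the day is heading over a warning line. The log lines are constructed, with byte counts exaggerated so the arithmetic is visible; in practice you would `stats sum(b)` the day's events first.

```python
import re
from collections import defaultdict

# Constructed license_usage.log "Usage" events (not from a real deployment).
# Fields: s=source, st=sourcetype, h=host, idx=index, b=bytes charged this
# interval, poolsz=the pool's daily quota in bytes (here 100 GiB, matching the
# reviewer's 100 GB/day license).
LICENSE_USAGE_LOG = """\
03-12-2019 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/api.log" st="app:api" h="web-01" o="" idx="app" i="1B2C3D4E-0001-4000-8000-000000000001" pool="auto_generated_pool_enterprise" b=48318382080 poolsz=107374182400
03-12-2019 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app/api.log" st="app:api" h="web-02" o="" idx="app" i="1B2C3D4E-0001-4000-8000-000000000001" pool="auto_generated_pool_enterprise" b=32212254720 poolsz=107374182400
03-12-2019 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="aws_cloudtrail" st="aws:cloudtrail" h="hf-01" o="" idx="aws" i="1B2C3D4E-0001-4000-8000-000000000001" pool="auto_generated_pool_enterprise" b=6442450944 poolsz=107374182400
03-12-2019 09:00:00.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/secure" st="linux_secure" h="web-01" o="" idx="os" i="1B2C3D4E-0001-4000-8000-000000000001" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=107374182400
"""

USAGE_LINE = re.compile(
    r'type=Usage s="(?P<s>[^"]*)" st="(?P<st>[^"]*)" h="(?P<h>[^"]*)" o="[^"]*" '
    r'idx="(?P<idx>[^"]*)" i="[^"]*" pool="(?P<pool>[^"]*)" b=(?P<b>\d+) poolsz=(?P<poolsz>\d+)'
)


def parse_usage(text):
    """Keep only Usage events; RolloverSummary and other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = USAGE_LINE.search(line)
        if m:
            records.append({"sourcetype": m.group("st"), "index": m.group("idx"),
                            "host": m.group("h"), "bytes": int(m.group("b")),
                            "pool_bytes": int(m.group("poolsz"))})
    return records


def usage_report(records):
    """Total bytes, the pool quota, the fraction consumed, and bytes per sourcetype."""
    by_st = defaultdict(int)
    for r in records:
        by_st[r["sourcetype"]] += r["bytes"]
    total = sum(by_st.values())
    pool = max(r["pool_bytes"] for r in records)
    return {"total_bytes": total, "pool_bytes": pool,
            "fraction": total / pool, "by_sourcetype": dict(by_st)}


def throttle_candidates(report, warn_fraction=0.8):
    """(sourcetype, bytes) pairs, largest first, whose removal brings the day's
    usage back under the warning line; empty when there is nothing to do."""
    if report["fraction"] < warn_fraction:
        return []
    budget = warn_fraction * report["pool_bytes"]
    remaining = report["total_bytes"]
    chosen = []
    for st, b in sorted(report["by_sourcetype"].items(), key=lambda kv: kv[1], reverse=True):
        chosen.append((st, b))
        remaining -= b
        if remaining < budget:
            break
    return chosen


if __name__ == "__main__":
    rep = usage_report(parse_usage(LICENSE_USAGE_LOG))
    print(f"{rep['total_bytes'] / 2**30:.1f} GiB of {rep['pool_bytes'] / 2**30:.0f} GiB "
          f"({rep['fraction']:.0%})")
    for st, b in throttle_candidates(rep):
        print(f"throttle {st}: {b / 2**30:.1f} GiB today")
```

Running this every few minutes from a scheduled search or a cron job gives the early warning the reviewer wanted; the act of throttling is still a change on the forwarder or application side, so the useful output is the ranked list of what to cut, not a blanket switch.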
GM
Application Engineer at Expedia
Real User
The most valuable feature is its centralized log analytics

Pros and Cons

  • "We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health."
  • "The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer."

What is our primary use case?

The primary use case is for log analytics. Although, we have been using it as a hammer which hits all the nails. We have sort of overused it in some areas where it doesn't need to be used.

How has it helped my organization?

We have a one stop dashboard for health of some of our services where you can click in and it takes you to other dashboards that have custom near real-time metrics that show the application's health. From there, you can drill in to see the real deep dive example of what is happening in your environment. It has reduced our time to resolve incidents. 

What is most valuable?

The most valuable feature is its centralized log analytics.

What needs improvement?

The historical data extraction needs improvement. I would like the capability of taking data and having it trend longer. Splunk is good about viewing data within the last seven or 14 days, but if you want to see a year-over-year trend, you have to do a lot of work to get to that point. If there was a better way to extract the data point and put it into a long-term viewing ability for a year-over-year analysis, then compare that to your other business metrics. That is what I am looking for, as an example, for a call center you want to see the time it takes for your customer to be handled on their need comparatively to the system performance that is happening, then overlay that data. 

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We put a lot of trust in it. It has been pretty rock-solid outside of a couple of changes that we made. Upgrades sometimes don't always go smoothly, but otherwise the system performs, and operates. 

What do I think about the scalability of the solution?

When we were trying to implement an enterprise solution on-premise, we had scaling issues. It was very difficult to search the data retention beyond a few days. A lot of talent was given to the ability to go into AWS and scale with our need. We still had to do some administrative things to prevent consumers from trying to search all records for all time in very inefficient searches. This could sometimes bring our core system functionality to a halt, so we had to do some user administration in it.

How is customer service and technical support?

I don't engage with the support directly. Another member of my team does. Any time that we have needed support, he hasn't had an issue opening a ticket and receiving the help that he needs.

How was the initial setup?

The integration and configuration in the AWS environment was pretty good. They have a consumption method for pretty much every service. They might be able to do a little better at advertising different patterns for best practices for different services, but overall there's a method to get everything.

What was our ROI?

We have had a reduction in the time it takes to resolve issues and correlate what has failed. This has significantly helped.

Which other solutions did I evaluate?

We looked at the ELK Stack, Kibana, and Sumo Logic.

We chose Splunk because their cost is better, the maintenance factor is a little higher, and the core functionality is higher than what other products provide. The core functionality is out-of-the-box. E.g., with a Toyota Scion, you can customize the parts to make it whatever you want, but it's a lot of work to get there. Whereas if you buy a Cadillac, you pay the Cadillac's price, but it's a Cadillac. It will work right out-of-the-box.

What other advice do I have?

It works well when searching logs. If you looked to try to do things beyond this, the problem that we ran into is that we treated it as the hammer which hits all nails. That is not really feasible, and there are other tools out there that can do more specialized things.

User administration is key. Trying to prevent users from being able to search records all the time is a huge problem. You need a tight approval process on dashboards, making sure the dashboards are queried in the most efficient way possible.

The on-premise version that we had was not scalable at all. It was very difficult to use. We have EC2 instances in the cloud with Splunk installed, which is more scalable and easier to use. It now works much better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TJ
QA Lead at a financial services firm with 11-50 employees
Real User
It has helped with troubleshooting, making it easier

Pros and Cons

  • "It provides logs in one place, so they are easy to find. It collects the logs from multiple places, then you have just one place where you see the whole flow from the front-end to the back-end."
  • "The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, and then maintaining those long search queries is quite challenging."

What is our primary use case?

We use it mostly for log monitoring, and also for trying to raise alarms.

How has it helped my organization?

It has helped with troubleshooting, making it easier. Now, we have one place where we can find logs and errors. There is no need to go to the actual server to search for the log file.

What is most valuable?

It provides logs in one place, so they are easy to find. It collects the logs from multiple places, then you have just one place where you see the whole flow from the front-end to the back-end. This is the best thing.

What needs improvement?

The search could be improved. Now, it is a bit difficult to write search queries because they become quite long, and then maintaining those long search queries is quite challenging.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

I have not had any issues with it, and we have the whole banking infrastructure running on it.

What do I think about the scalability of the solution?

The scalability is okay as far as I have seen and used it. We have dozens of different environments using the same Splunk instruments, and it has been able to scale.

How is customer service and technical support?

I have not used technical support.

What other advice do I have?

Splunk's website is quite useful. You can find a lot of information on it. I would recommend using it and trying to figure out the product's features and what you can actually do with Splunk. You can do a lot of things with Splunk, but you need to know what to do first.

I have used both the AWS and on-premise versions, but in two different environments, so I am unable to compare the versions.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jerry Castille
Chief Architect at Pathmaker Group
Real User
It has a big user base, so the community is useful

Pros and Cons

  • "It has a big user base, so the community is useful."
  • "The integration with all our tool sets felt like we were reinventing the wheel, which was a pain point for us."

What is our primary use case?

We primarily use it for SIEM.

What is most valuable?

It has a big user base, so the community is useful.

What needs improvement?

The community surrounding the product is okay, but I would like more material supplied by Splunk around some more common integration stuff. I wish there was a bigger library, because we are building stuff. Where I often feel like other people have done things before, we are reinventing the wheel. While it is not a core piece of our organization and it is not a priority, it does inform our SIEM platform. It would be nice if there was a little more cookie cutter solutioning inside of it, and that they would take a little more time to shake it out.

The first year and a half was a little wacky with its usefulness, but now it is a solid piece of our infrastructure.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We don't have any issues with it now. We had some issues in the past, but we chalked those up to user error. We didn't know what we were doing at first.

What do I think about the scalability of the solution?

We haven't had any issues with it.

How is customer service and technical support?

I haven't heard any complaints about the technical support.

How was the initial setup?

The integration with all our tool sets felt like we were reinventing the wheel, which was a pain point for us.

What's my experience with pricing, setup cost, and licensing?

It would be nice if the pricing were cheaper. However, we did purchase it.

Which other solutions did I evaluate?

We evaluated Alert Logic and Splunk. We still use both products heavily.

We have different use cases for the products. At first, Splunk was free, so we started to take more advantage of it.

What other advice do I have?

Do your homework and make sure it fits your needs.

The product is pretty good. We are pretty satisfied with it. It does what it does.

We host the product on AWS, but we did not purchase it on the AWS Marketplace.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
GA
Security Architect at a comms service provider with 10,001+ employees
Real User
It is a place for all our logs and everything goes in one place.

Pros and Cons

  • "The stock analysts and security people use one single dashboard (one single location) to check our logs."
  • "It scales better in the cloud than on-premise."
  • "We would like more integrations with other cloud products, not just AWS, e.g., Azure."
  • "There are new services which are coming up. If Splunk can catch up with the speed of Amazon, and with the integration, instead of us waiting for another year or so, that would be good."

What is our primary use case?

We use it for log analysis and alerting, and our stock analysts use it.

I have used the product for more than five years. Then, in the cloud, I have used it for probably a year. It scales better in the cloud than on-premise.

How has it helped my organization?

It is a place for all our logs, and everything goes in one place. The stock analysts and security people use one single dashboard (one single location) to check our logs.

What is most valuable?

  • Easy indexing.
  • The solution is faster.

What needs improvement?

Every product needs improvement. If we can get a faster product, we will take it. There are new services which are coming up. If Splunk can catch up with the speed of Amazon, and with the integration, instead of us waiting for another year or so, that would be good.

We would like more integrations with other cloud products, not just AWS, e.g., Azure.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

The stability is good. We stress it at 98 percent.

What do I think about the scalability of the solution?

The AWS scalability is pretty good. We currently have it running on three servers.

How is customer service and technical support?

Other teams have told me that the technical support is pretty good.

How was the initial setup?

For the few integrations that we have already made, these have been easy to do.

What was our ROI?

We have seen ROI.

What's my experience with pricing, setup cost, and licensing?

Splunk is not free.

What other advice do I have?

I would recommend trying different stuff based on your company's needs and log types.

We like the product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PN
Director at a tech services company with 10,001+ employees
Real User
It has the flexibility to do multiple analyses

Pros and Cons

  • "It has helped us look at modern technology, as well as penetrate our legacy systems, to see where the bottlenecks are."
  • "The product is adept at log mining."
  • "If it could be made available as a service, this would be much better than as a product."

What is our primary use case?

  • Log mining
  • Log analysis

How has it helped my organization?

It has helped us look at modern technology, as well as penetrate our legacy systems, to see where the bottlenecks are.

What is most valuable?

  • The product is adept at log mining.
  • It has the flexibility to do multiple analyses.
  • It works across heterogeneous environments in different ways.

What needs improvement?

I have not tested the hybrid model yet. I don't know whether all its integrations and interfaces will work between the cloud and on-premise model. I also don't know if across multiple clouds all the products will perform properly.

If it could be made available as a service, this would be much better than as a product.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is stable under production environments.

What do I think about the scalability of the solution?

The scalability is decent. We have implemented it in our production environment, and it scales.

What was our ROI?

We have seen ROI and improvements as we have continued to use the product, but they are more reactive. We want to be proactive on an enterprise-wide scale.

Which other solutions did I evaluate?

We considered Oracle Enterprise Manager, but Splunk is way more powerful. Splunk is product-agnostic, as it can move across different platforms and products.

What other advice do I have?

Explore Splunk. The product has a lot of depth.

It works with multiple products, from scheduling systems to ERPs to legacy, and it works perfectly fine.

I use the on-premise version. I have not had the opportunity to explore the AWS on Splunk version yet.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Roman Burdakov
Engineering Manager at Cengage Learning
Real User
It is stable and scalable. It is also easy to configure.

Pros and Cons

  • "The client site login is pretty extensible and probably cost-effective."
  • "It is very stable. We have not had any problems."
  • "I would like some additional AI capabilities to provide additional information about things going wrong and things going well."

What is our primary use case?

We use it for logging, essentially for auditing and troubleshooting errors in production and finding out what happened.

I have used the product personally for five years and at my current company for a year and a half.

How has it helped my organization?

I haven't had any problems with it so far.

What is most valuable?

There are a lot of plugins to integrate this. The client site login is pretty extensible and probably cost-effective. Plus, it is easy to configure.

What needs improvement?

I would like some additional AI capabilities to provide additional information about things going wrong and things going well.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It is very stable. We have not had any problems.

We had to upgrade when it was on-premise, but then we went to the cloud version, which is very good.

What do I think about the scalability of the solution?

It is pretty scalable, even though we have a lot of logs. It runs well.

What's my experience with pricing, setup cost, and licensing?

I assume that the pricing is reasonable, because if it was too costly, there are other alternatives. However, with some of the other solutions, you have to spend time on them and manage them yourself. It might also take you three times to get it right. So, Splunk may be more costly upfront, but in the long run, it saves on time and man-hours.

Which other solutions did I evaluate?

I would consider ELK Kibana a competitor for this solution. If you have time, and you want to do it yourself, you can save a little money going with Kibana. However, Splunk is pretty good and I would recommend an enterprise to switch to Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
IS
Enterprise Architect and Business with 5,001-10,000 employees
Real User
It is easy to use, and easy to implement.

What is our primary use case?

It helps increase our productivity.

How has it helped my organization?

We are saving a lot of time by being in one place instead of several servers.

What is most valuable?

The most valuable features are understanding the visualization compass on the dashboard, as well as the reports on the dashboards.

What needs improvement?

I would like to have the ability to master the management of clustering.

For how long have I used the solution?

One to three years.

How was the initial setup?

It is easy to implement.

What other advice do I have?

It is easy to use, and easy to implement.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
TS
Project Manager at a comms service provider with 10,001+ employees
Real User
This solution has an ability to do a quick search and immediately stop an incident from happening.

Pros and Cons

  • "It has virtual visualization, and other products do not."
  • "We had an instance when Splunk failed and it took us a couple of days to recover."

What is our primary use case?

My primary use case for Splunk is for log file visualization and monitoring alert management.

How has it helped my organization?

The way this solution has improved our organization is by its ability to do a quick search and immediately stop an incident from happening.

What is most valuable?

The auto-notification abilities are a huge benefit for us.

What needs improvement?

After a crash, the product takes a while to recover.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Sometimes we have had instances when it will not run for a couple of days. There is room for improvement here.

What was our ROI?

There are lots of use cases and features that make Splunk a good choice for us.

What's my experience with pricing, setup cost, and licensing?

I have no opinion on the pricing of the product.

Which other solutions did I evaluate?

We considered Datadog and Zabbix. In comparison to those options, Splunk has virtual visualization. Furthermore, it can be hosted on our environment. Typically, we cannot deploy SaaS on our environment, but with Splunk, we can.

What other advice do I have?

When Splunk failed, it took time to recover. We had to recover it from a snapshot. It took a couple of days, and it was as if it had crashed. But the incident was resolved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
It gives us the liberty to do more in terms of use cases.

Pros and Cons

  • "It gives us the liberty to do more in terms of use cases."
  • "The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall."

What is our primary use case?

I work in the HIPAA industry. I work at a healthcare company in Puerto Rico. HIPAA requires us to go over security risks. Our use case right now is to be compliant.

In our hierarchy, we have 1000 servers and 16,000 endpoints. We also have 100 entry points and 3000 VPN connections. It's huge.

How has it helped my organization?

Manually, it used to take us a whole day to do strong monitoring. Now, it takes a maximum of two hours because of this product.

It creates a single pane of glass. Plus, it gives us the liberty to do more in terms of use cases, especially since HIPAA wants use cases. We must monitor them. Therefore, we can also add our own correlations for all our use cases.

What is most valuable?

The dashboard centralizes the daily routine. We used to do this by hand. Now, we go through daily checklists, using the dashboard and setting up the alarms. It helps us to cut down the time on this routine.

I am a cybersecurity director. I manage five different business lines. Every morning, we used to have to go to different tools to get our daily routines done. With Splunk, centralized as it is, we can see everything in one place. We use it not only for monitoring events, but in case we need to do a group call. We can see what's going on, viewing all of the offenses and security events which are happening in our infrastructure.

What needs improvement?

The Web Application Firewall will send you too much information because it's more dedicated to security than a normal firewall.

For how long have I used the solution?

One to three years.

How was the initial setup?

It was pretty straightforward. I even did a couple of logs myself.

What about the implementation team?

We implement through a vendor.

Which other solutions did I evaluate?

We were using QRadar as a POC. We were using it for real on our cloud, but it was also a POC for us because we were watching the product. But QRadar needs a lot of fine-tuning.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AZ
Principal Consultant with 51-200 employees
User
Positive features include replication capabilities, software development kits, and its architecture

What is our primary use case?

  • Cybersecurity defense
  • Web app monitoring
  • VMware monitoring

How has it helped my organization?

  • Troubleshooting
  • Cyber defense

What is most valuable?

  • Drill down
  • Apps
  • REST API
  • Software development kits
  • Architecture
  • Replication capabilities

What needs improvement?

  • Multi-tenancy support
  • Improved user interface
  • Non-proprietary search language
  • Different licensing model

For how long have I used the solution?

One to three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Yosef Tavin
Devops Lead at Equalum
Vendor
A full monitoring and alerting solution for operations and application analysis

Pros and Cons

  • "It is a one-stop shop as a full monitoring and alerting solution for operations and application analysis for most of our back-end systems."
  • "We used it to create a custom anomaly detection data model to monitor the activity of our back-end services on an hourly basis relative to the past three months of activity."
  • "It needs to improve the way to install third-party apps and enable installation without logging into splunk.com."

What is our primary use case?

We use Splunk for a few different use cases:

  1. We package it as part of one of our on-premise software offerings which includes our in-house customized dashboards.
  2. We use it for Application Monitoring of many of our back-end systems. Monitoring is done completely through Splunk by forwarding application and other logs to Splunk and many configured customized alerts and dashboards for the Ops, Dev, product, and management teams.
  3. We created a custom anomaly detection data model to monitor the activity of our back-end services on an hourly basis relative to the past three months of activity.

How has it helped my organization?

It has improved our organization in many ways:

  1. Having Splunk as part of one of our software products was our choice for giving our customers a great user experience.
  2. It is a one-stop shop as a full monitoring and alerting solution for operations and application analysis for most of our back-end systems.

What is most valuable?

  • The easy automatic field parsing of logs.
  • Data model acceleration.
  • The ability to easily have access to and install Splunk add-on plugins and custom apps. This greatly assists with using it to connect to various systems easily and use it as a centralized data sink.

What needs improvement?

It needs to improve the way to install third-party apps and enable installation without logging into splunk.com.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Not at all.

What do I think about the scalability of the solution?

Not really.

How is customer service and technical support?

Their support is pretty good, but not amazing. Although we have our own in-house Splunk expert who worked for Splunk themselves for a few years, we do not really need external support that much. We basically use them for licensing stuff.

The forums are pretty thorough, so technically we have not had much need for support.

How was the initial setup?

The initial setup is easy, although we currently use just a single server and not multi-server clustered instances.

For our Linux instance setup, an upgrade is very easy. It is all managed by about three simple Bash scripts.

What's my experience with pricing, setup cost, and licensing?

It is possible to use a developer's license, which allows up to 10 GB per day of volume traffic, which is usually enough for most use cases.

Which other solutions did I evaluate?

We evaluated ELK Stack and QlikView.

What other advice do I have?

We are a Splunk Partner, since after much deliberation, we decided to choose Splunk as a component of one of our on-premise software offerings.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Splunk Partner.
it_user782697
Security Operation Center Analyst at Sadad
Real User
User Behavior Analytics is key in detecting fraud and advanced persistent threats

Pros and Cons

  • "Splunk UBA is useful for fraud detection and for detection of APTs, advanced persistent threats."
  • "UBA, User Behavior Analytics, is a key feature."
  • "I think the machine learning should be emphasized. Now, it's really important to analyze Big Data, data mining. A SIEM solution, like Splunk, needs an improved data mining solution, artificial intelligence."

What is our primary use case?

Splunk is a SIEM, a Security Information and Event Management solution. It is used, for example, for monitoring security logs and security information in companies and organizations. It is also used for correlation, meaning making policies, for detecting/monitoring attacks, and the like; for monitoring security logs, security events, preventing hackers from attacking. It's really for business continuity.

How has it helped my organization?

For a long period of time we analyzed logs and traffic with something like tcpdump. Splunk UBA is useful for fraud detection and for detection of APTs, advanced persistent threats. It's really important for our business because I work at a PSP, a payment service provider, in e-payments.

What is most valuable?

UBA, User Behavior Analytics.

What needs improvement?

In the next release of Splunk, I think the machine learning should be emphasized. Now, it's really important to analyze Big Data, data mining. A SIEM solution, like Splunk, needs an improved data mining solution, artificial intelligence. Splunk would be the best if it improved these features.

What do I think about the stability of the solution?

It's stable and very safe.

What do I think about the scalability of the solution?

Splunk's scalability is good for an enterprise situation. It's scalable in all situations.

How are customer service and technical support?

For us, technical support has been good. Splunk has good documentation and it is really easy to work with Splunk and the Splunk community.

Which solution did I use previously and why did I switch?

I used ELK. It was good. It is an open-source solution, but there is some complexity in configuring it, working with it.

In choosing a vendor I use industry reviews to find feedback from the community that works with the solution.

How was the initial setup?

The initial setup was straightforward.

Which other solutions did I evaluate?

There are a lot of solutions: IBM QRadar, Splunk, LogRhythm. Splunk was good for us because of the support, the documentation, the scalability, the stability. It gives us everything that we need in our business, everything necessary for helping us do our job.

What other advice do I have?

There are three top SIEM solutions in the world: Splunk, LogRhythm, IBM QRadar. I think Splunk is the best.

I would rate Splunk at eight out of 10. The vendor needs to work on this solution to make it better and better. I would recommend this solution but it depends on the situation, the country, the support from the vendor.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Technical Lead at Wipro Technologies
Consultant
Capability to expand functionality through custom code for data inputs, commands, visualization, alerts, and machine learning

Pros and Cons

  • "We can ingest and correlate data from virtually any type of system."
  • "Capability to expand the functionality through custom code for data inputs, commands, visualization, alerts, and machine learning."
  • "Missing capability for audio/video and image processing."
  • "While scheduled reports can be embedded, a Splunk dashboard cannot be embedded directly without enabling cross-origin access."

What is our primary use case?

We use Splunk for infrastructure monitoring, application monitoring and in the security space for our organization as well as for our customers.

How has it helped my organization?

Since Splunk is a platform for data, we can ingest and correlate data from virtually any type of system.

It has a fast turnaround time for setting up monitoring/alerting and forecasting of trends as per our customers' requirements.

What is most valuable?

The following are the top three features that I find quite valuable:

  1. Capability to expand the functionality through custom code for data inputs, commands, visualization, alerts, and machine learning.
  2. Quick turnaround time for setting up monitoring and alerting with built-in capabilities, plenty of enterprise grade apps available on Splunkbase, and custom coding based on Splunk development skill level.
  3. Free Splunk license for PoCs on personal machines and the ability to scale the PoC to an enterprise level app.

What needs improvement?

  • Scheduled PDF generation does not work well for all visualizations, and it does not work for custom visualizations.
  • While scheduled reports can be embedded, a Splunk dashboard cannot be embedded directly without enabling cross-origin access.
  • Missing capability for audio/video and image processing.

For how long have I used the solution?

More than five years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user870792
Senior Security Engineer
User
Significantly helped with aggregation and correlation of critical logs

What is our primary use case?

  • IT Ops
  • Security
  • Compliance

Many IT groups and non-IT groups use the product to gain insights into their environments.

How has it helped my organization?

Splunk has significantly helped with aggregation and correlation of critical logs. Not having to grep on each individual server has made everyone more efficient.

What is most valuable?

Search and Dashboarding: Allows us to quickly search for an error and plot the results on a chart.

What needs improvement?

DMC should be a little more intuitive with better dashboarding. Seeing the cause of data flow can be tough to track down.

For how long have I used the solution?

Three to five years.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner with Splunk.
it_user867936
User at a financial services firm with 10,001+ employees
Vendor
Looks for incidents which could cause damage to a company's infrastructure

What is our primary use case?

With the use of Splunk, we were able to identify a brute force attack against a "switch" network device. An external attacker attempted to connect multiple times using multiple usernames. Splunk was able to detect these attempts and immediately blocked these attempts.

How has it helped my organization?

Splunk has facilitated the correlation of information security logs to look for incidents which could cause damage to the company's infrastructure, as well as financial losses from leaks.

What is most valuable?

Splunk's ability to receive all types of data and identify it correctly. It obtains a correlation of the logs and identifies incidents.

What needs improvement?

Splunk can improve regex/asset analysis as we do not want to crawl until it is done. I could not find a timestamp for when the log was processed and generated.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Engineer at Information Innovators Inc. (Triple-i)
Real User
Correlates logs throughout the enterprise for searching and use in investigations

Pros and Cons

  • "We primarily use it to correlate logs throughout the enterprise for both searching and use in investigations."
  • "It can be tough to get a hold of somebody in technical support depending on the complexity of the issue."
  • "The Enterprise Security app could be improved. We have had trouble with it working from the first day."

What is our primary use case?

We primarily use it to correlate logs throughout the enterprise for both searching and use in investigations.

How has it helped my organization?

We previously did not have a good centralized solution which could ingest just about any log type, which has been a plus.

What is most valuable?

The search application has been the most useful. We have also liked the reporting features and dashboard capabilities.

What needs improvement?

The Enterprise Security app could be improved. We have had trouble with it working from the first day.  

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Yes, there have been issues with the Enterprise Security application instance.  

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

It has been a weak point, but has improved over the years. It can be tough to get a hold of somebody depending on the complexity of the issue.  

Which solution did I use previously and why did I switch?

Years ago, we did use another solution, but I am not sure it exists any longer. We have been using Splunk for many years.  

How was the initial setup?

We had professional services set it up, as it was quite complex.  

What about the implementation team?

Vendor implementation, and I would rate them as a seven out of 10.  

What was our ROI?

Excellent overall. 

What's my experience with pricing, setup cost, and licensing?

It can be expensive, especially the licensing costs. However, there is added value in what it can do, not just log aggregation.  

Which other solutions did I evaluate?

We evaluated Trustwave and QRadar.

What other advice do I have?

It is a great product overall. I would like to see improvements on the Enterprise Security app/SIEM functionality.  

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Data Scientist Intern at Splunxter, Inc.
Real User
Can ingest any data and display it in a way that anyone can understand

What is our primary use case?

I work with Splunk, as a contractor, so I use it in many different areas. Most often it is used to get performance insights on applications or servers. Recently, I have used it in more of an endpoint security mindset. 

How has it helped my organization?

My whole organization is built around Splunk. We provide Splunk PS to many different companies. If Splunk did not have such a good presence, we could not exist.

What is most valuable?

The best features would have to be the ability to ingest any data and display it in a way that anyone can understand.

What needs improvement?

It needs more thoroughly tested releases. Every new big version (6, 7, etc.) has had so many bugs that it makes me wary of customers upgrading right away.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Lead Systems Architect at an energy/utilities company with 10,001+ employees
Real User
Visualizations helped the organisation have a better understanding of its KPIs

Pros and Cons

  • "Visualizations helped the organisation with a better understanding of its KPIs."
  • "Splunk setup is easy and straightforward. ​"
  • "Its huge, versatile AppBase helped me to configure and bring data from different sources to a unified platform."
  • "Custom visualizations are really hard. While the default visualizations are good, creating enhanced visualizations is complex."
  • "Configuring a few apps is complex, not straightforward."

What is our primary use case?

Splunk provided me a platform to analyze both infrastructure loads and application performance for quick troubleshooting, saving a load of time. Versatile apps at Splunkbase helped me to better configure and enhance visualization of the KPIs in my application.

How has it helped my organization?

  • Splunk has reduced application downtime by helping identify the point of failure.
  • It has helped in identifying information streaming bottlenecks. 
  • Its machine learning capabilities along with custom script implementation have helped the organization a lot.
  • Visualizations helped the organisation have a better understanding of its KPIs. 

What is most valuable?

Its huge, versatile AppBase helped me to configure and bring data from different sources to a unified platform. 

What needs improvement?

  • Custom visualizations are really hard. While the default visualizations are good, creating enhanced visualizations is complex.
  • Configuring a few apps is complex, not straightforward.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How was the initial setup?

Splunk setup is easy and straightforward. 

What's my experience with pricing, setup cost, and licensing?

Splunk is a bit pricier, but the benefits and ROI are huge.

Which other solutions did I evaluate?

We also evaluated ELK, Dynatrace, and New Relic, but Splunk provided a comprehensive solution to fit our all around needs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Java Technical Lead at an insurance company
Real User
The visibility is amazing with easy dashboard creation

What is our primary use case?

  • Log monitoring and alerts
  • Looking up information 
  • Dashboards for nice, fast information about various application servers.

How has it helped my organization?

  • It is easier to find problems and exceptions.
  • It is used by any factor in the firm.
  • Easy dashboard creation.
  • The visibility is amazing.  

What is most valuable?

  • Regex for fields creation is great.
  • High availability
  • Easy to use in any environment.

What needs improvement?

Make it easier to include roles and user controls, as it is horrible now.

For how long have I used the solution?

More than five years.

How is customer service and technical support?

Not even Splunk's support guy, who came to our firm, could help with defining proper role management.

What's my experience with pricing, setup cost, and licensing?

It is a pretty high cost solution, but if your organization has the funds, it can bring many benefits.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Rajesh Mandale
Splunker at freelancer
Real User
Quickly search for almost anything across many log sources in seconds

Pros and Cons

  • "We can do things in minutes instead of days."
  • "We solve issues that we previously could not since we now have the data."
  • "We can quickly search for almost anything across many log sources in seconds."
  • "The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code."
  • "AngularJS/ReactJS inclusion could be made easier in GUI."

What is our primary use case?

The primary use case is to analyse and monitor big data, creating various dashboards, alerts, etc.

How has it helped my organization?

  • We can do things in minutes instead of days.
  • We solve issues that we previously could not since we now have the data.
  • We can quickly search for almost anything across many log sources in seconds.
  • Teams have the dashboards or alerts that they need.

What is most valuable?

There are too many features to list, but here are a few:

  • Schema on the fly
  • Ease of onboarding data
  • Machine learning
  • Apps or Splunkbase.
  • Great list of apps to use and build upon once you learn more about how Splunk works.
  • Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.
  • Data Models Acceleration for super fast searches across tens of millions of events.
  • Common Information Model
  • Security Essentials App
  • Enterprise Security
  • Splunk SPL (Search Processing Language) is easy to learn and has IDE like capabilities.
  • Log storage or compression is great and retention is not an issue.
  • Dashboards are simple to create and have input options, like time range and text.
  • Drop-downs are simple to create.
  • The integration with cloud solutions is great and keeps getting better.

What needs improvement?

The GUI could be improved to include some of the capabilities that other BI solutions have. The layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this will become a non-issue.

Also, AngularJS/ReactJS inclusion could be made easier in GUI.

For how long have I used the solution?

One to three years.

What was our ROI?

Personnel costs are saved by not having to involve domain developers from multiple teams when tracing a problem that spans multiple platforms.

What other advice do I have?

We build many of our own apps by leveraging the logic in others.

Disclosure: My company has a business relationship with this vendor other than being a customer:
ITCS user
Senior Network Security Engineer at Starz Entertainment
Real User
In the event of an incident, it has a rapid response search environment

Pros and Cons

  • "It has a rapid response search environment in the event of an incident."
  • "The correlation searches (properly configured) populate the Incident Management dashboard and provide me a quick birds-eye view of my most important concerns."
  • "The use cases provided by Splunk are a good starting point, but could cover many additional topics to ensure that a smaller or less experienced shop might maximize the value of an ES deployment."

What is our primary use case?

Although my company uses Splunk extensively, my use case is primarily the Enterprise Security add-on.

How has it helped my organization?

Splunk has enabled us to utilize many different data sources and is easy-to-use. It has a rapid response search environment in the event of an incident.

What is most valuable?

The correlation searches (properly configured) populate the Incident Management dashboard and provide me a quick birds-eye view of my most important concerns.

What needs improvement?

ES is very powerful, but it requires a mature security posture at the company to take advantage of it currently. The use cases provided by Splunk are a good starting point, but could cover many additional topics to ensure that a smaller or less experienced shop might maximize the value of an ES deployment.

For how long have I used the solution?

Less than one year.

Which solution did I use previously and why did I switch?

We were using a different SIEM, which was old-fashioned and very structured.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Splunk Administrator at Arizona State University
Real User
Provides important insights to more efficiently make decisions and take action

Pros and Cons

  • "My favorite example of improving the organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports."
  • "Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data."
  • "While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged."
  • "Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run."

What is our primary use case?

We use Splunk primarily to provide our security and ops groups with important insights to more efficiently make decisions and take action.

How has it helped my organization?

My favorite example of improving the organization is saving $60k/mo in payroll fraud and $10k/mo in wasted API credits by using simple searches and clear reports.

What is most valuable?

Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.

What needs improvement?

Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run.

While Splunkbase (the app repository) has a lot of great content, some apps are terribly old and could stand to be updated or purged.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Senior Consultant at Securian Financial Group
Real User
Low barrier to start searching with the ability to normalize data on the fly

Pros and Cons

  • "Low barrier to start searching with the ability to normalize data on the fly."
  • "I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs."
  • "The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files."
  • "Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss."

What is our primary use case?

Security analysis to identify issues and for use in incident handling. Correlating logs across over 1000 servers with different operating systems and applications logs to provide security insights. 

How has it helped my organization?

Before, analysis required manual correlation of individual log files, and this was almost impossible to do. With Splunk, what was once almost impossible is now unbelievably fast.

What is most valuable?

Low barrier to start searching with the ability to normalize data on the fly.  

I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.

What needs improvement?

I would like to see Splunk improve its posture as a production operations tool. This means that searches, alerts, dashboards, and additional configurations that I use should have a production migration process. Therefore, I can know if my important detects have been tampered with and I can restore them if they have.

I would also like it to be easier to understand what I can influence from the UI versus the command line. Splunk is making great strides to all configuration being possible from the UI, but it can still be confusing for a non-system administrator to track down an issue only to find that it requires command line access to fully interpret.

Efficiency of Security Team

It has absolutely improved the efficiency of my security team.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No stability concerns.

What do I think about the scalability of the solution?

We did encounter scalability issues. As we scaled out in search heads, we found that some of our activity could only be found on the search heads that it was originally done on. For example, the history of search runs is stored locally, so I needed to log on to each search head to try and find it.

How are customer service and technical support?

Most of my interaction is with the user community, which is how Splunk wants it. When I need help, that community is very hit or miss.

Which solution did I use previously and why did I switch?

I previously used LogRhythm. I found this tool particularly difficult to use. It was more rigid in its normalization of data.

How was the initial setup?

The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files.

Which other solutions did I evaluate?

We evaluated our existing tool, LogRhythm.

What other advice do I have?

Growth in data ingested will be much larger than you anticipated. If you need to prove this first, consider using an ELK Stack Logstash type of solution before using Splunk.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Christopher Mooney
Incident Manager at CyberCore Technologies
Real User
Powerful, flexible query language can morph difficult to understand log formats into usable data

Pros and Cons

  • "The ability to manipulate data in Splunk is unparalleled. Splunk’s powerful, flexible query language can morph difficult to understand log formats into usable data."
  • "Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined."
  • "There is a definite learning curve to starting out."

What is our primary use case?

We started using Splunk to serve as a SIEM. In addition to correlating security information, we have begun to use it as a developer and customer advocate by analyzing user behaviors and system response times. 

How has it helped my organization?

Log files which were previously either not reviewed or reviewed incompletely are now being used in operations daily. Security and operational events are discovered and resolved with greater efficiency than ever before. The way Splunk allows for data to be correlated together has given our organization a more complete picture of our system security status and how users organically move through our applications. This information has allowed us to focus development efforts which will directly benefit our customers the most.

What is most valuable?

The ability to manipulate data in Splunk is unparalleled. Splunk’s powerful, flexible query language can morph difficult to understand log formats into usable data. 

Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined.

What needs improvement?

There is a definite learning curve to starting out. However, there is quite a bit of documentation out there to help you get started. 

For how long have I used the solution?

Less than one year.

How are customer service and technical support?

The community (Splunk Answers/Slack Channel/User Groups) can help get you started. 

Which solution did I use previously and why did I switch?

We previously used ArcSight, but found Splunk to be more cloud capable.  

What's my experience with pricing, setup cost, and licensing?

Truly evaluate the data you want to ingest and go slow. Pulling in data that can provide no use to your mission only wastes data against your license.  

Which other solutions did I evaluate?

Other options were evaluated, such as ELK, but Splunk was identified to be more feature rich out-of-the-box.

What other advice do I have?

Pick it up and jump into the community!  It can help get you started a lot faster.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Gangikunta Somanath
Principal Engineer at Publix Super Markets
Real User
A more secure, robust environment, which keeps out harmful software

Pros and Cons

  • "Visualizations are the best way to understand deviation techniques from the norm."
  • "We have a more secure, robust environment, which keeps the harmful software out of the zone required."
  • "More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results."

What is our primary use case?

Security and incident management, which is helpful when organizing the data from different systems and running analysis on all the data together.

How has it helped my organization?

We have a more secure, robust environment, which keeps the harmful software out of the zone required.

What is most valuable?

The most valuable features are:

  • Risk analysis
  • Machine Learning Toolkit
  • dbConnect
  • Cisco products
  • eStreamer
  • SIEM

Visualizations are the best way to understand deviation techniques from the norm.

What needs improvement?

More training on PetaData using artificial intelligence techniques to identify the events which are not normal and exceptions that would help the organization identify threats and malware on the go with results.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Business Intelligence Developer at Arizona State University
Real User
Search language is easy to understand and teach to new users

Pros and Cons

  • "Support is quick and competent."
  • "Search language is easy to understand and teach to new users."
  • "Certain sections of the developer documentation could use some updating and clarification."
  • "Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling."

What is our primary use case?

  • Monitoring IT and other processes for a large university.
  • Leveraging alerts and dashboards to detect and predict security breaches and other events.

How has it helped my organization?

Splunk has enabled us to detect, even predict, potential security issues before they become severe. It has enabled our operations and development teams to more efficiently monitor and troubleshoot their systems.

What is most valuable?

The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data. 

What needs improvement?

  • Certain sections of the developer documentation could use some updating and clarification.
  • Search head clustering is often temperamental in its current state and should be improved, replaced by something better, or be reverted to search head pooling. 
  • Some terminology is vague and confusing (examples: deployer versus deployment server or search head versus search peer).

For how long have I used the solution?

Three to five years.

How is customer service and technical support?

Support is quick and competent.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Senior Cloud Operations Analyst at a tech vendor with 1,001-5,000 employees
Vendor
Makes us much faster finding and addressing issues

Pros and Cons

  • "We are much faster finding and addressing issues with Splunk."
  • "I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications."

What is our primary use case?

Splunk is our monitoring and investigating Swiss Army knife for key applications and systems. If we run it, we Splunk it.

How has it helped my organization?

We are much faster finding and addressing issues with Splunk. We reduce the MTR and get more done.

What is most valuable?

So many of Splunk's features are invaluable to us:  

  • Machine and business data retention
  • Solid HA and distribution
  • Adaptability to custom data
  • Search, Search, Search.

What needs improvement?

I would like to get visibility into the data pipelines on heavy forwarders and indexers to see exactly their source and the cause of saturation when it occurs. This would help us learn even more about our high use applications.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How is customer service and technical support?

The support team is very competent.

How was the initial setup?

The initial setup is very straightforward.

What about the implementation team?

We implemented in-house.

What was our ROI?

Our ROI is high.

Which other solutions did I evaluate?

We evaluated LogRhythm.

What other advice do I have?

I love this product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Systems Analyst Staff - SW Eng Compute Analytics Lead at Qualcomm
Real User
Allows for transparency into IT metrics for insightful business analytics

Pros and Cons

  • "It allows for transparency into IT metrics for insightful business analytics."
  • "It has the ability to correlate data, analyze and review it."
  • "Free-floating panels in the dashboards are like a glass table."
  • "It needs more formatting control without having to be an admin."

What is our primary use case?

IT service analytics: 

  • Server machine data
  • Monitoring data
  • Alerting data
  • ITSI KPIs
  • Real-time reporting
  • Month-over-month reporting.

How has it helped my organization?

It allows for transparency into IT metrics for insightful business analytics.

What is most valuable?

It brings together all sorts of data. It has the ability to correlate data, analyze and review it. This makes weekly ops reviews and monthly executive management reporting much easier by saving hours of collecting data. Report automation has been a life saver.

What needs improvement?

  • Free-floating panels in the dashboards are like a glass table. 
  • It needs more formatting control without having to be an admin.

For how long have I used the solution?

Three to five years.

Which solution did I use previously and why did I switch?

Previously, only the service owner could see the data and he might have gone to several places to obtain it. Now, it is all in one place and easy to access. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mick
Sr. Production Support Analyst at Electric Reliability Council of Texas
User
Quickly searches logs, performance data, and other inputs to assist with troubleshooting

What is our primary use case?

Operational intelligence monitoring for several different systems. We collect logs from applications and performance data from hardware, as well as information pulled from databases.

How has it helped my organization?

The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting. The visualizations are easy and well received by business and management users. 

What is most valuable?

It is easy to integrate with other solutions, like Slack, JIRA, Remedy, etc.

For how long have I used the solution?

Three to five years.

How is customer service and technical support?

The user community is extremely beneficial, particularly with Splunk Answers and the Slack User Groups.

What's my experience with pricing, setup cost, and licensing?

The licensing model can be expensive, but the value it provides is significant.

What other advice do I have?

The recent acquisition of Phantom makes the future seem bright with more automated responses.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Clara Merriman
Business Intelligence Engineer at SONIFI Solutions, Inc.
Real User
Allows us to dig into raw events

Pros and Cons

  • "Splunk allows us to find insights that we were not able to with traditional BI tools using ETL​. It allows us to dig into raw events."
  • "Splunk is extremely flexible, which allows us to create custom visualizations along with other customizations."
  • "The product was designed for security and IT with business intelligence needs, such as PDF exporting, but this has not been the highest priority. While the functionality is there, it could be developed more."

What is our primary use case?

Primary use is business intelligence. 

How has it helped my organization?

Splunk allows us to find insights that we were not able to with traditional BI tools using ETL. It allows us to dig into raw events. 

What is most valuable?

Splunk is extremely flexible, which allows us to create custom visualizations along with other customizations. The flexibility of Splunk as well as the resources available for learning and support are the best in the business. 

What needs improvement?

The product was designed for security and IT with business intelligence needs, such as PDF exporting, but this has not been the highest priority. While the functionality is there, it could be developed more. 

For how long have I used the solution?

More than five years.

What do I think about the scalability of the solution?

We ingest roughly 30GB/day. We have a small environment, but it provides big insights. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Director of IT at Blue Lake Rancheria
Real User
Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed

Pros and Cons

  • "Splunk has significantly reduced the time in performing the task of aggregating logs, reviewing as well as time spent during investigations."
  • "Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed."
  • "The case management area of the ES could be improved. The ability to move cases through various stages and states. The ability to close a case would be key improvement."

What is our primary use case?

We primarily use Splunk for log aggregation and search across multiple systems, with Splunk Enterprise Security layered on top.

How has it helped my organization?

Splunk has significantly reduced the time in performing the task of aggregating logs, reviewing, as well as time spent during investigations. This has not only increased our speed of response, but our efficiency dealing with the issue(s) raised.

What is most valuable?

Aggregation searches, allowing for conditions to be automatically found in the data, have reduced the time and difficulty of identifying trends and conditions which need to be reviewed.

What needs improvement?

The case management area of the ES could be improved: the ability to move cases through various stages and states. The ability to close a case would be a key improvement.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Colin Jackson, CISSP, MMIS, GMON
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints
Real User
Helped us consolidate all our solutions into an easy tool to use for various employees

Pros and Cons

  • "It helped us consolidate all our solutions into an easy tool to use for various employees."
  • "More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it."

What is our primary use case?

We use Splunk for operations, application monitoring, and security. We are both cloud and on-premise based, so it has been very versatile for us. 

How has it helped my organization?

It helped us consolidate all our solutions into an easy tool to use for various employees.

What is most valuable?

  • Unstructured data
  • Linking things together
  • Building out stuff which is actionable.

Once you learn SPL and what data you need to obtain and merge together, it is really useful. 

What needs improvement?

More control with Splunk Cloud as it seems a bit limited. I used to manage an on-premise instance of Splunk Enterprise and really liked having more control over it. 

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

Which solution did I use previously and why did I switch?

While we did not have a previous solution, we took what little of Splunk that we have been using and have increased it greatly.

What was our ROI?

We are a nonprofit, so it is hard to quantify. 

What's my experience with pricing, setup cost, and licensing?

Be upfront about your needs and expectations. Splunk is one of the top SIEM solutions to work with. 

Which other solutions did I evaluate?

No.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user859770
consultant at a non-profit with 1,001-5,000 employees
User
Easily tracks problems and their status

Pros and Cons

  • "I like the ease with which dashboards can be created."
  • "Splunk has given us the capability to easily track problems and their status."
  • "The only thing which can be improved is that they are too subjective on whom their Splunk4Good initiative can be applied. They market it as you only need to be a nonprofit, but there is more to it."

What is our primary use case?

We use Splunk for both monitoring and SIEM. Our security operations group uses Splunk to track user accounts which may have been compromised as well as follow those accounts through the organization.

How has it helped my organization?

Splunk has given us the capability to easily track problems and their status. Our security operations team has been able to use it to track where people log in and what they do on those machines.

What is most valuable?

Personally, I like the capability of removing sensitive data before it goes into Splunk. I also like the ease with which dashboards can be created.

What needs improvement?

I like Splunk. The only thing which can be improved is that they are too subjective on whom their Splunk4Good initiative can be applied. They market it as you only need to be a nonprofit, but there is more to it.

For how long have I used the solution?

More than five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
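The reviewer above values "removing sensitive data before it goes into Splunk", and the Lead Splunk Architect review further down makes the same point about stripping sensitive fields before reporting. The Python below is an added example written for this page, not the reviewer's or Splunk's own code: it applies an ordered set of sed-style masking rules to raw events before they are forwarded, counts which rules fired, and checks that re-masking an already-masked line is a no-op, which is the cheapest regression test when rules change. The sample events are constructed, and the `props.conf` fragment in the comment is the assumed Splunk-native equivalent (sourcetype name is made up).

```python
import re

# Ordered masking rules, applied to every raw event before it is forwarded.
# Each rule is (name, compiled regex, replacement). The patterns are written
# so that applying them to already-masked text changes nothing.
MASK_RULES = [
    # 16-digit card number with optional space/dash separators; keep first and last four
    ("pan", re.compile(r"\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b"), r"\1-XXXX-XXXX-\2"),
    # US social security number
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "XXX-XX-XXXX"),
    # key=value credentials that leak into query strings or audit lines
    ("password", re.compile(r"(?i)\b(password|passwd|pwd)=[^&\s]+"), r"\1=[REDACTED]"),
    # bearer tokens copied verbatim into access logs
    ("bearer", re.compile(r"(?i)(Authorization:\s*Bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
]

# Assumed Splunk-native equivalent, applied at parse time on the indexer or
# heavy forwarder (sourcetype name is an assumption; \1 backreferences and the
# g flag are the documented SEDCMD syntax in props.conf):
#   [my_app_logs]
#   SEDCMD-mask_pan = s/\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b/\1-XXXX-XXXX-\2/g
#   SEDCMD-mask_pwd = s/(password|passwd|pwd)=[^&\s]+/\1=[REDACTED]/g

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2021-11-03 09:12:44 web01 checkout user=alice card=4111 1111 1111 1111 amount=42.00",
    "2021-11-03 09:13:02 api01 GET /v1/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def status=200",
    "2021-11-03 09:13:10 hr01 new_hire ssn=123-45-6789 name=bob",
    "2021-11-03 09:13:15 app01 login password=Hunter2! user=carol",
    "2021-11-03 09:13:20 app01 healthcheck ok",
]


def mask_event(raw):
    """Return (masked_text, names_of_rules_that_fired) for one event."""
    text, fired = raw, []
    for name, pattern, repl in MASK_RULES:
        text, n = pattern.subn(repl, text)
        if n:
            fired.append(name)
    return text, fired


def mask_stream(lines):
    """Mask a batch of events; return the masked lines and per-rule hit counts."""
    masked, hits = [], {name: 0 for name, _, _ in MASK_RULES}
    for line in lines:
        text, fired = mask_event(line)
        masked.append(text)
        for name in fired:
            hits[name] += 1
    return masked, hits


def is_stable(text):
    """True when masking is a no-op on already-masked text, i.e. nothing leaked through."""
    return mask_event(text)[0] == text


if __name__ == "__main__":
    out, hits = mask_stream(SAMPLE_EVENTS)
    for line in out:
        print(line)
    print("rule hits:", hits, "all stable:", all(is_stable(l) for l in out))
```

Run the masking on the forwarder or indexer that parses the sourcetype: once an event is written to an index it is on disk, and search-time filtering only hides it from some roles. Keep the rules ordered from most specific to least, and add a new sample line to the batch every time a rule is added so the stability check exercises it.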
ITCS user
Splunk Architect at The Johns Hopkins University Applied Physics Laboratory
Real User
Speeds up root cause analysis and can help identify issues

Pros and Cons

  • "Speeds up root cause analysis and can help identify issues that your organization never realized were occurring."
  • "It helps streamline troubleshooting and log analysis."
  • "On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security."
  • "It can be tough to determine if you are getting all of the value out of your investment at times."

What is our primary use case?

Central repository for log collection and analysis in a complex environment. We have used it for a variety of use cases involving SIEM and operational support.

How has it helped my organization?

Speeds up root cause analysis and can help identify issues that your organization never realized were occurring. It helps streamline troubleshooting and log analysis.

What is most valuable?

It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.

What needs improvement?

It can be tough to determine if you are getting all of the value out of your investment at times. However, our sales team seems to be flexible and will work on an organization-to-organization basis to negotiate license terms.

For how long have I used the solution?

One to three years.

How is customer service and technical support?

On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

Pricing can be a limiting factor. You have to continuously tune what you are bringing in and make sure what you bring in is of value. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
BS Systems Engineer at a tech services company with 501-1,000 employees
Real User
Makes use of all logs and takes proactive actions

What is our primary use case?

We used it to create a full security operations center (SOC) for our IT department by adding all network and security devices, the AD, and mail servers to it. Splunk then started to receive their logs, analyzed them, and provided useful reports.

How has it helped my organization?

It helps the IT staff to monitor the full structure. It also makes use of all logs and takes proactive actions.

What is most valuable?

Integration with many vendors: this simplifies the implementation and integration with different devices.

What needs improvement?

Enterprise security: Splunk must work on clarifying the solution to customers and explain how to gain more from it.

For how long have I used the solution?

One to three years.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a partner with Splunk.
MS Alam
System Administrator at Abdullah Al-Othaim Markets
Real User
Searches logs from all devices and gives valuable information to the organisation

Pros and Cons

  • "Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses."
  • "Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk."

What is our primary use case?

  • Searches the logs for all network devices and servers.
  • Monitors clients' hardware, networking, and security operations. 
  • It is good for the administrator to use it when maintaining the whole IT Infrastructure.

How has it helped my organization?

Alerts when a server is malfunctioning, monitors external attacks, and takes action to stop spreading viruses.

What is most valuable?

Searches logs from all devices and gives valuable information to the organisation, so it can drill down on all reports and security threats. 

What needs improvement?

Make it easy to use and the cost cheaper. This will help all organisations to implement Splunk.

Network Breach

No, we have not suffered a network breach.

Efficiency of Security Team

Yes, the solution has improved the efficiency of our security team.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

I have received a very good response from support that I have not seen in more than 10 years of my experience. 

Which solution did I use previously and why did I switch?

We are using OpManager to monitor server logs. 

What about the implementation team?

I implemented it myself.

What was our ROI?

It made our organization better through integration.

What's my experience with pricing, setup cost, and licensing?

Make it cheaper to help small organisations implement it easier. 

Which other solutions did I evaluate?

We evaluated QRadar.

What other advice do I have?

I have been using Splunk to increase my security experience. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Infrastructure Engineer at Zirous, Inc.
Real User
Monitors all machine logins and actions taken on those machines under each user

Pros and Cons

  • "The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time."
  • "We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster."
  • "I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would like to see more security-focused add-ons and apps developed by the vendor."

What is our primary use case?

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a server's logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments on a single screen.

How has it helped my organization?

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

What is most valuable?

The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

What needs improvement?

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking, I don't believe they are, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning and Predictive Analytics, and I would like to see more security-focused add-ons and apps developed by the vendor.

Network Breach

We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Efficiency of Security Team

Immensely, I cannot stress enough the positive impact this has had on our security team.

Events per Day

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did not encounter any issues with stability.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

How are customer service and technical support?

I have not personally dealt with customer service/technical support.

Which solution did I use previously and why did I switch?

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

How was the initial setup?

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

What about the implementation team?

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

What was our ROI?

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

What's my experience with pricing, setup cost, and licensing?

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial, which allows for the ingestion of 500MB of data per day, in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to skyrocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

Which other solutions did I evaluate?

We evaluated the ELK Stack, which we have recently implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "good enough". They felt they did not need all of the bells and whistles that came with Splunk.

What other advice do I have?

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
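The Zirous reviewer above describes an escalation ladder: count failed logins per user, compare the count with that user's normal rate, and then alert, notify an administrator or lock the account depending on how far over the line it is. The Python below is an added example written for this page, not the reviewer's or Splunk's code, that prototypes the same logic over sshd-style auth lines: a per-user threshold of mean plus three standard deviations of the user's hourly failure history (never below a fixed floor, so a quiet account does not alert on two typos), a one-hour window, and a tier chosen from the size of the excess. The log lines, the per-user history and the tier cut-offs are all constructed; the SPL in the comment assumes a `linux_secure` sourcetype with `user` and `src` already extracted.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# sshd-style auth line, e.g.
# 2021-11-03T09:00:01Z bastion01 sshd[2201]: Failed password for bob from 10.0.0.9 port 51111 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<action>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FLOOR = 5                    # never alert on fewer failures than this in one window
SIGMAS = 3.0                 # how far above a user's mean counts as anomalous
WINDOW = timedelta(hours=1)
SAMPLE_NOW = datetime(2021, 11, 3, 10, 0, 0, tzinfo=timezone.utc)

# Constructed history: failed logins per hour for each user over recent hours.
# Assumption: a scheduled search would fill this from a summary index or lookup;
# a user with no history gets the floor only.
BASELINE_HOURLY = {
    "alice": [0, 1, 0, 2, 1, 0, 1, 0],
    "bob": [0, 0, 1, 0, 0, 0, 1, 0],
    "svc_backup": [6, 8, 7, 9, 6, 7, 8, 7],   # a noisy service account
}
# Equivalent counting step in SPL (assumption: sourcetype linux_secure, fields
# user and src extracted by the add-on):
#   sourcetype=linux_secure "Failed password" earliest=-1h
#   | stats count values(src) as sources by user | where count > 5

def build_sample_events():
    """Constructed sample lines for one hour on a bastion host (not real logs)."""
    base = datetime(2021, 11, 3, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_s, action, user, src, invalid=False):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        who = ("invalid user " if invalid else "") + user
        lines.append(f"{ts} bastion01 sshd[2201]: {action} password for {who} "
                     f"from {src} port 51111 ssh2")

    add(1, "Failed", "alice", "10.0.0.5")          # two typos, then a real login
    add(30, "Failed", "alice", "10.0.0.5")
    add(60, "Accepted", "alice", "10.0.0.5")
    for i in range(12):                             # bob: far above his history
        add(120 + 20 * i, "Failed", "bob", "10.0.0.9")
    for i in range(7):                              # svc_backup: normal for it
        add(300 + 60 * i, "Failed", "svc_backup", "10.0.1.2")
    for i in range(22):                             # spray against a non-existent user
        add(400 + 5 * i, "Failed", "admin", "203.0.113.7", invalid=True)
    return lines

def parse_events(lines):
    """Extract time, action, user and src; skip lines the regex does not understand."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": ts, "user": m["user"], "src": m["src"],
                       "action": "failure" if m["action"] == "Failed" else "success"})
    return events

def baseline_threshold(user, history=BASELINE_HOURLY):
    """Per-user threshold: mean + SIGMAS * stddev of hourly failures, never below FLOOR."""
    counts = history.get(user)
    if not counts:
        return float(FLOOR)
    return max(float(FLOOR), statistics.fmean(counts) + SIGMAS * statistics.pstdev(counts))

def response_tier(count, threshold):
    """Escalate with the size of the excess: alert, notify an admin, or lock the account."""
    if count <= threshold:
        return "none"
    if count <= 2 * threshold:
        return "alert"
    if count <= 4 * threshold:
        return "notify"
    return "lock"

def detect(events, now, window=WINDOW, history=BASELINE_HOURLY):
    """Count failures per user inside the window and map each user to a response tier."""
    start = now - window
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "failure" and start <= ev["time"] <= now:
            failures[ev["user"]].append(ev["src"])
    findings = {}
    for user, srcs in failures.items():
        thr = baseline_threshold(user, history)
        findings[user] = {"count": len(srcs), "threshold": round(thr, 2),
                          "tier": response_tier(len(srcs), thr), "sources": sorted(set(srcs))}
    return findings

def run_sample():
    """Run the detector over the constructed events as of SAMPLE_NOW."""
    return detect(parse_events(build_sample_events()), SAMPLE_NOW)

if __name__ == "__main__":
    for user, f in sorted(run_sample().items()):
        print(f"{user:12s} failures={f['count']:3d} threshold={f['threshold']:6.2f} -> {f['tier']}")
```

The floor matters as much as the statistics: an account with a flat history of zero failures would otherwise alert on a single typo. In Splunk the same split is natural, with a scheduled search maintaining the per-user baseline in a lookup and the real-time correlation search joining against it; the "lock" tier is where an adaptive response action or a Phantom playbook would sit.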
it_user717477
Account Manager at a tech services company with 10,001+ employees
Real User
Proactively monitors threats and reduces threat footprint, though professional support is too expensive

Pros and Cons

  • "Deployment server for deploying changes in one go."
  • "Professional support is great, but too expensive."

How has it helped my organization?

It was used for security event management on a landscape hosted on AWS.

It helped the organisation to proactively monitor threats and reduce its threat footprint.

What is most valuable?

Deployment server for deploying changes in one go.

What do I think about the stability of the solution?

It is quite stable.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Professional support is great, but too expensive. Otherwise, the content published on the website is good.

Which solution did I use previously and why did I switch?

Not applicable.

What's my experience with pricing, setup cost, and licensing?

Do proper estimation on log ingestion per day as that will impact pricing and licensing.

Which other solutions did I evaluate?

It was the customer's choice.

What other advice do I have?

It provides a great range of plugins and one can really take great advantage of utilising inbuilt dashboards to derive the desired monitoring.

Our company consults for different customers and is in a good position to recommend the best solution to our clients.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Security Architect at a energy/utilities company with 1,001-5,000 employees
Vendor
Some of the valuable features are machine learning, the Common Information Model, and log storage.

Pros and Cons

  • "Ease of correlation: creating correlation searches is easy and you can combine multiple sources with little effort."
  • "The GUI can be improved to include some of the capabilities that other BI solutions have."

How has it helped my organization?

  • We can do things in minutes instead of days.
  • We solve issues which we could not before, since we have the data.
  • We can quickly search for almost anything across many log sources in seconds.
  • Teams have the dashboards or alerts that they need.

What is most valuable?

There are too many features to list, but here are a few:

  • Schema on the fly
  • Ease of on-boarding data
  • Machine learning
  • Apps on Splunkbase.
  • Great list of apps to use and also build upon once you learn more about how Splunk works.
  • We build many of our own apps by leveraging the logic in the others.
  • Ease of correlation: creating correlation searches is easy and you can combine multiple sources with little effort.
  • Data Models Acceleration for super fast searches across tens of millions of events
  • Common Information Model
  • Security Essentials App
  • Enterprise Security
  • Splunk SPL (Search Processing Language) is easy to learn and has IDE-like capabilities.
  • Log storage or compression is great and retention is not an issue
  • Dashboards are simple to create, and input options like time range, text, and drop-downs are simple to create.
  • Integration with cloud solutions is great and keeps getting better.
  • Can get info from REST APIs easily, and there are apps for services like ServiceNow, Azure, Office 365, etc.

What needs improvement?

The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.

What do I think about the stability of the solution?

There were no issues with stability.

What do I think about the scalability of the solution?

There were no issues with scalability.

How are customer service and technical support?

Technical support is excellent. They also have Splunk Answers, which is community driven and is great.

Which solution did I use previously and why did I switch?

We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.

How was the initial setup?

The initial setup was straightforward. We had the POC up in minutes. Within days, we got more value out of this solution than our existing solution.

What's my experience with pricing, setup cost, and licensing?

While licensing can be a concern, there are ways to reduce the licensing costs including filtering some events. We have replaced many solutions with Splunk, which have more than paid for the Splunk licensing.

Which other solutions did I evaluate?

We evaluated ArcSight, QRadar, and LogRhythm.

What other advice do I have?

Do a PoC and you will be amazed. Also, check out the Splunk .conf sessions to see what is possible. If you are into security, watch Mark Russinovich's RSA 2017 presentation about Sysmon. Check out free EDR-type capabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
SVP, Technical Operations at a tech vendor with 201-500 employees
Vendor
Splunk has great interoperability with other applications through their SplunkBase app store.

What is most valuable?

Splunk has great interoperability with other applications through their SplunkBase app store. The apps can quickly provide visibility and streamline complex data mining tasks.

What needs improvement?

Unlike other cloud based analytics platforms, at the time of this writing Splunk Cloud is a dedicated instance per customer rather than a shared tenancy platform. While this is beneficial from an overall performance standpoint, the product lacks the seamless integrations one has come to expect from a cloud solution. This translates to a much stronger reliance on Splunk's support organization out of necessity, as the customer cannot make most changes in a self-service manner.

For how long have I used the solution?

We have been a Splunk customer for five years.

What was my experience with deployment of the solution?

Our Splunk Cloud deployment was a migration from an on-premise implementation of Splunk. The migration took much longer than expected due to constraints within Splunk's cloud team, but there were no technical issues with the launch.

How are customer service and technical support?

Customer Service:

The customer support team at Splunk is very good.

Technical Support:

The technical support team at Splunk is highly responsive and knowledgeable.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Specialist Master, Cyber Risk at a tech vendor with 10,001+ employees
Vendor
My clients have visibility into systems and activities that they never had before.

Pros and Cons

  • "Splunk gives my clients the ability to bring multiple, disparate types of data together, then correlate and report on them."
  • "The GUI can be improved. Splunk has always suffered from having a kind of goofy UI; it needs some updating."

How has it helped my organization?

Some of my clients had rudimentary home-grown security solutions that Splunk ES has completely replaced.

In these cases, the improvement was dramatic; they had visibility into systems and activities that they never had before.

In the case of clients who already had a SIEM solution, the change was more incremental. However, in my opinion, the Splunk ES solution is superior because it is so flexible. It can consolidate data from almost anything.

What is most valuable?

Splunk Enterprise Security is most valuable, my clients use it as a SIEM solution. Splunk gives them the ability to bring multiple, disparate types of data together, then correlate and report on them.

What needs improvement?

The GUI can be improved. Splunk has always suffered from having a kind of goofy UI; it needs some updating.

What do I think about the stability of the solution?

There were no stability issues. It is one of the most stable systems that I have worked with.

What do I think about the scalability of the solution?

As of now, no scalability issues were experienced. Splunk is highly scalable, so don’t anticipate that. However, scaling can get very expensive with their pricing model.

How are customer service and technical support?

Technical support is excellent! It is of top notch level. The customer support folks really know their stuff, the turnaround is fast.

Which solution did I use previously and why did I switch?

Previously, we were using HPE ArcSight.

How was the initial setup?

That’s a hard one. The initial setup is easy but making it actually work is complex. However, the complexity is something that just comes with all top SIEM tools. Very few companies have exactly the same data and issues, so a great deal of data onboarding and normalization are always required.

Which other solutions did I evaluate?

We evaluated HPE ArcSight.

What other advice do I have?

Plan your implementation carefully. Be sure you have someone to implement it, someone who knows what he is doing. Splunk’s inherent flexibility is a great thing, but it also provides an opportunity to really mess things up.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are an alliance partner.
ITCS user
Owner with 1-10 employees
Real User
The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.

Pros and Cons

  • "To get visibility from your network devices, servers, and security devices is a great feature."
  • "Better directions on search head clusters."

How has it helped my organization?

The ability to see logs and correlate them using Splunk has greatly improved our organization's functionality with auditing and troubleshooting.

What is most valuable?

Splunk's capability to receive any types of logs and index them is a very good feature. To get visibility from your network devices, servers, and security devices is a great feature.

What needs improvement?

Better directions on search head clusters. A lot of the documentation that I saw was either old or out of date. I believe I ended up doing a lot of searching and ended up not completing the feature. I opted out of creating a search head cluster.

What do I think about the stability of the solution?

Not at all.

What do I think about the scalability of the solution?

None.

How are customer service and technical support?

Customer Service:

Excellent. I didn't call often; however, when I did, they pretty much solved my problem.

Technical Support:

Excellent. I didn't call often; however, when I did, they pretty much solved my problem.

Which solution did I use previously and why did I switch?

No solution was available at the time.

How was the initial setup?

No, the initial setup was fairly basic.

What about the implementation team?

In-house. We had professional services; however, we did the install prior to the consultant arriving. So, his workload was light considering we had already installed and configured the Splunk servers.

What was our ROI?

We purchased and paid for it as an annual subscription for three years and are working on purchasing the Perpetual edition.

What's my experience with pricing, setup cost, and licensing?

Pricing is pretty fair. However, I would suggest you trial for at least 90 days if you can get the salesperson to offer you the option to renew your 30-day trial a couple more times to evaluate. The 30-day trial is not enough.

Which other solutions did I evaluate?

The other SIEM solution providers we looked at were ArcSight, QRadar and SolarWinds LEM.

What other advice do I have?

Splunk is a good product. Pricing is a bit high; however, after it's installed you can understand why and get caught up in reading the logs that are available.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Lead Splunk Architect at a financial services firm with 10,001+ employees
Real User
Enables Centralization And Correlation Of Data That Was Unattainable With Other Solutions

Pros and Cons

  • "It allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar."
  • "Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources."

How has it helped my organization?

Splunk helped reduce development cost since it provides free applications on Splunkbase that can save a huge amount of time and effort. It also gave us the ability to dig into logs to find not just one needle but many needles in the haystack of data, and that helped solve multiple production issues and reduced system downtime.

A great improvement brought by Splunk is the ability to remove sensitive data before displaying it in reports. This allows Splunk administrators to filter data according to the user’s clearance level.

What is most valuable?

Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allows schema on the fly and therefore simplifies the whole data onboarding process. All that leads to flexibility when it comes to defining the metadata, since it is not necessary to have all the fields defined and extracted to be able to use Splunk.

Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.

Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.

What needs improvement?

Adding custom visualization in Splunk has been improved over the years but can still be made better by integrating more and more JavaScript visualization sources.

What do I think about the stability of the solution?

Released versions are quite stable. We encountered some visual bugs following major upgrades but that was due to custom CSS that we had edited into Splunk.

What do I think about the scalability of the solution?

Splunk is a data analytics platform and is designed to scale easily. Adding or removing machines from a Splunk index can be done without affecting any of the existing members of the infrastructure.

How are customer service and technical support?

In my opinion, Splunk has three levels of support. The first level is their forum (Splunk Answers). The forum is very rich and solves 90% of the issues that can be encountered. Then comes the real technical support team, which replies quite fast, depending on the SLA. Finally comes the professional services team, which provides a very advanced level of expertise and can solve any issue.

Which solution did I use previously and why did I switch?

Yes, ArcSight. We switched because of how slow the support can be with HPE sometimes and also because Splunk is simpler to use, is more data oriented, and is more adapted for business security use cases.

How was the initial setup?

We started Splunk on a stand-alone server. Installing that was very easy, a basic RPM install for Linux and an installer for Windows. When we moved to a distributed environment, it was a bit more complicated but the documentation on Splunk Docs was clear and easy to use so we had no problem there.

What's my experience with pricing, setup cost, and licensing?

Splunk's licensing model might seem expensive, but with all the gain in functionality you will have compared to traditional SIEM solutions, I think it's worth the price. Also, when you have small volumes of data to index daily (which might still account for a high EPS), you will be gaining the full advantage of using Splunk for a very low price.

Which other solutions did I evaluate?

Yes, Graylog and QRadar.

What other advice do I have?

You're in for a nice surprise: Splunk is fun, easy to use, and will give you the results you are looking for and more. It's a great tool for security and business analysis; you're looking at a big data platform that will allow a lot more than what the good old SIEMs could do.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
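The two capabilities this review leans on, search-time field extraction (schema on read) and stripping sensitive values before anyone sees them in a report, are both plain .conf settings. The following is an added example written for this page, not the reviewer's configuration and not Splunk-supplied code. The sourcetype `acme:payments`, the `payments` index, the role name, the field names and the sample event are all assumptions made for the illustration.

```ini
# props.conf (on the indexer or heavy forwarder that parses this sourcetype)
# Constructed sample event, as it arrives from the forwarder:
#   2017-05-03T10:15:42Z user=jdoe card=4111111111111111 amount=42.50 region=emea
[acme:payments]
# Index-time masking: SEDCMD rewrites _raw before the event is written to
# disk, so the full card number never reaches the index or any report.
# Only the last four digits survive:  card=XXXXXXXXXXXX1111
SEDCMD-mask_card = s/card=\d+(\d{4})/card=XXXXXXXXXXXX\1/
# Search-time extraction (schema on read): this is the kind of regex the
# field extractor produces. It is applied when a search runs, so it can be
# changed later without re-indexing. Note that it matches the masked value.
EXTRACT-payment_fields = user=(?<user>\S+)\s+card=(?<card>[X\d]+)\s+amount=(?<amount>[\d.]+)\s+region=(?<region>\S+)

# authorize.conf (on the search head)
[role_payments_analyst]
importRoles = user
# Hard boundary: this role can only search the payments index.
srchIndexesAllowed = payments
srchIndexesDefault = payments
# Soft boundary: this filter is ANDed into every search the role runs, so an
# analyst cleared for one region never sees another region's events.
srchFilter = region=emea
```

Both files go under `$SPLUNK_HOME/etc/apps/<app>/local/`. Two caveats a practitioner will want: SEDCMD runs at parse time, only on data indexed after the change, and is irreversible, which is exactly what you want for card numbers and exactly what you do not want for a value you may later need to investigate (for those, mask at search time with `rex mode=sed` in the dashboard instead, accepting that anyone who can run an ad-hoc search can still see the raw event). And a search filter is a role property, so a user who is also a member of a second role gets that role's filter combined with OR, widening what they can see; keep clearance-based roles separate rather than stacking them.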
ITCS user
Engineer, Infrastructure Applications at a healthcare company with 1,001-5,000 employees
Real User
Ingests machine data and helps to analyze and visualize it.

Pros and Cons

  • "The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data."
  • "It requires a significant amount of relatively complex architecture once you push past the single server instance."

How has it helped my organization?

Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was the use case for just our team, not to mention the hundreds of other application teams.

What is most valuable?

Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.

What needs improvement?

Deploying Splunk at scale is not easy. It requires a significant amount of relatively complex architecture once you push past the single server instance. Breaking out your search and indexing layer requires someone with Splunk experience. Want to add search layer replication for HA? Want to host in AWS and do cross-region index replication?

Splunk expertise is in high demand today and finding talented engineers to pull off your large-scale implementation is hard. Do your homework.

What do I think about the stability of the solution?

Out-of-the-box functions are nearly flawless, but when you push at the edges, then things start to get a little flexible in their eloquence. There is a robust community of support to help through most issues and the documentation is exceptional.

What do I think about the scalability of the solution?

There were no issues with scalability, but we invested some serious time and resources to design a scalable infrastructure up front.

How are customer service and technical support?

Customer Service:

Customer service is excellent both during the purchase and ownership lifecycle.

Technical Support:

Technical support is mediocre. Splunk is struggling to deliver a consistently exceptional support experience. Their senior engineers are very talented, but those folks are in short supply and many of the most experienced engineers are making hundreds of dollars an hour as consultants not answering your support issues.

Which solution did I use previously and why did I switch?

No enterprise solution was in place.

How was the initial setup?

The initial setup was done without any prior experience and was up and running, including ingesting data, within a few hours. Setup at scale and scalability took months of effort.

What about the implementation team?

We hired a contractor with significant experience with Splunk, Elastic.io, AWS, and custom development. They were expensive, but worth every penny.

What was our ROI?

TBD.

What's my experience with pricing, setup cost, and licensing?

You will eat up whatever you purchase quickly. The level of insights that Splunk empowers is addictive.

Which other solutions did I evaluate?

We evaluated Graylog, Elastic.io, etc.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Foundation Technology Specialist at an insurance company with 1,001-5,000 employees
Vendor
Provides the ability to diagnose problems in production and non-production.

Pros and Cons

  • "The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature."
  • "It is a challenge to manage the environment in such a way that one's log, even with the bandwidth license, isn't exceeded."

How has it helped my organization?

MTTR is drastically reduced, because the developers and other IT support staff have instant access to log events.

People costs are saved by not having to involve the domain developers from multiple teams, when tracing a problem that spans multiple platforms.

Security is improved by not having to give as many people access to log on to the servers.

What is most valuable?

The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature.

What needs improvement?

Official training, even CBT, is expensive, so not many people are able to get certified. This leads users to make use of only the most basic functionality.

It is a challenge to manage the environment in such a way that one's log, even with the bandwidth license, isn't exceeded. Splunk has moved towards not applying hard caps on data ingestion, and this will help us in the future.

However, I'd like an easier way to flag certain source log files as non-critical and have Splunk automatically disable those event sources when the license capacity exceeds an arbitrary value.

What do I think about the stability of the solution?

There were no stability issues.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

Customer Service:

I haven't had the need to log any critical issues. Most of my support tickets have revolved around configuration questions. I'm very happy with the way Splunk's support staff respond - they're pretty helpful. I think I've only had one situation where the response was acceptable, but not stellar.

Technical Support:

The technical support is good. I'm sometimes surprised when the support engineer doesn't immediately know the answer to my questions (as I feel they must be fairly common queries). But this can probably be excused because of the breadth of features Splunk Enterprise has.

Which solution did I use previously and why did I switch?

We were not using any other solution previously.

I evaluated ELK Stack but at the time, Splunk offered more flexibility, better support and was easier for us to implement.

How was the initial setup?

Initial setup was fairly straightforward, but we used an experienced implementation partner and ensured that our team was intimately involved in the installation/configuration process on a technical level.

What about the implementation team?

We used a combination of in-house (i.e., myself) and an experienced Splunk partner.

What's my experience with pricing, setup cost, and licensing?

The product has a lot of value, and I feel that we’re getting the value that we’re paying for.

Splunk Enterprise becomes extremely expensive after the 20GB/month license, but if you take care of what you log, i.e., by not logging excessive application events, then that license will get you a long way.

Which other solutions did I evaluate?

We looked at ELK Stack.

What other advice do I have?

Use an experienced Splunk architect to design your infrastructure configuration.

Ensure that your tech leads are intimately involved and understand exactly how the product fits together.

Manage your Splunk configuration in a repository (Git).

Educate the end users as quickly as possible to use the tool effectively.

Change practices and encourage staff to use Splunk instead of old ways of getting the data they need. Prevent, or limit, direct access to the servers or server log files if you can.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
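The license headroom problem described above can at least be watched rather than discovered after the fact. The following savedsearches.conf stanza is an added example for this page, not the reviewer's or Splunk's own configuration. It reads Splunk's own license_usage.log, ranks today's ingestion by sourcetype, and alerts once total usage passes 80% of the daily quota, listing the non-critical sourcetypes that could be throttled or disabled. The 20 GB daily quota, the sourcetypes treated as critical and the mail address are assumptions.

```ini
# savedsearches.conf: alert when today's indexing reaches 80% of the daily
# license quota, listing the non-critical sourcetypes that are consuming it.
[License headroom - non-critical sourcetypes]
enableSched = 1
# Every 15 minutes; license volume resets at midnight, hence earliest=@d.
cron_schedule = */15 * * * *
dispatch.earliest_time = @d
dispatch.latest_time = now
# type=Usage events in license_usage.log carry b (bytes) and st (sourcetype).
# quota_gb and the "critical" sourcetype pattern are assumptions for this example.
search = index=_internal source=*license_usage.log* type=Usage \
    | stats sum(b) AS bytes BY st \
    | eval gb = round(bytes / 1024 / 1024 / 1024, 3) \
    | eventstats sum(gb) AS total_gb \
    | eval quota_gb = 20 \
    | eval tier = if(match(st, "^(WinEventLog|syslog|aws:cloudtrail)"), "critical", "non-critical") \
    | where total_gb > quota_gb * 0.8 AND tier = "non-critical" \
    | sort -gb \
    | table st gb total_gb quota_gb
# Fire whenever the search returns at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = splunk-admins@example.com
action.email.subject = Splunk license at 80%: non-critical sourcetypes to throttle
action.email.include.results_link = 1
```

Run it from a search head whose `_internal` search reaches the license master, since that is where license_usage.log is written. Grouping by `st` is deliberate: when an environment has more distinct host/source pairs than `squash_threshold` in server.conf, Splunk blanks the `h` and `s` fields in these events, but sourcetype and index survive. The alert only reports; actually disabling an input on breach would need a custom alert action, which is not shown here.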
it_user664632
Senior IT Security Operations at a pharma/biotech company with 10,001+ employees
Vendor
Security relies on this for event correlation and alerts.

Pros and Cons

  • "The speed of the search engine"
  • "The administration of the cluster and app deployment to indexers or search heads can be done only using SSH access and the command line; there are no GUI tools for that."

How has it helped my organization?

The network department, for example, has improved its efficiency by 30%. Security relies on this for event correlation and alerts.

What is most valuable?

  • The speed of the search engine
  • All the types of data sources that you configure can be forwarded to Splunk.
  • The ease-of-use

What needs improvement?

Cluster management can only be done via the command line. I would like them to add some GUI options for that. Permissions are not very flexible, so it would be nice to have more granular options, such as two-factor authentication.

The administration of the cluster and app deployment to indexers or search heads can be done only using SSH access and the command line; there are no GUI tools for that.

Permissions, on the other hand, could be improved by adding, for example, a deny option for groups to see an index, etc. Also, the authentication method is just LDAP or Splunk, so some more security layers could be added, such as a second factor, etc.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It scales out horizontally.

How are customer service and technical support?

The quality of support depends on the support and license. On the average, I would give them a rating of 6/10.

Which solution did I use previously and why did I switch?

We previously used ArcSight. Splunk is at another level. It is easier, more stable, and faster.

How was the initial setup?

It is very easy to set up on a standalone server. Of course, if you want a cluster, it is more complicated. In order to manage it, you need skilled people.

What's my experience with pricing, setup cost, and licensing?

It is not cheap :-)

Which other solutions did I evaluate?

We were using ArcSight before.

What other advice do I have?

My advice is to go ahead with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
jorgenoguerah
IT Infrastructure Architect at a tech company with 201-500 employees
Consultant
Does event matching between several appliances and correlates data from different sources.

What is most valuable?

  • Event matching between several appliances
  • Correlating data from different sources
  • Report viewer

How has it helped my organization?

It helps us to detect viruses and security events from our network.

What needs improvement?

It needs documentation, and "how-to-do" information. It's complicated to build reports and views.

For how long have I used the solution?

I have used Splunk for about two years.

What do I think about the stability of the solution?

There were no stability issues. It was running on a VM over Hyper-V.

What do I think about the scalability of the solution?

There were no scalability issues. It was running on a VM over Hyper-V.

How are customer service and technical support?

I used support a little bit for some templates for formatting data from Cisco and Fortinet logs. They were very fast with their response. I didn't have any support contract, but only entry level support.

Which solution did I use previously and why did I switch?

This was our first try for log analysis.

How was the initial setup?

The setup was easy.

What's my experience with pricing, setup cost, and licensing?

There is nothing to say. At that time, it was for GBs of data received.

Which other solutions did I evaluate?

We did not look at alternatives. It was a consulting provider recommendation. It was a rapid implementation to accomplish legal requirements. After we used it for a while, we decided to keep it.

What other advice do I have?

Check for a plugin with already completed templates to format the data for the appliance whose logs and events you want to keep.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Information Architect at a financial services firm with 5,001-10,000 employees
Vendor
Provides visibility into business metrics and insights that deliver value.

Pros and Cons

  • "Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value."
  • "We usually have to follow up with technical support on our open cases."

How has it helped my organization?

It is deployed to investigate, detect, respond, and prevent security incidents and threats by providing valuable context and visual insights to make faster and smarter security decisions.

What is most valuable?

  • Splunk delivers a holistic view of an application (the big picture).
  • Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value.
  • Significant reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.
  • Splunk visualization capabilities help pinpoint problem areas, spikes, and anomalies easier and faster.
  • Ability to monitor and resolve integration problems before they impact the business user area.
  • Splunk is being used as part of the development life cycle, resulting in better quality and more efficient applications.
  • Provides additional insights into a 360 degree view of the customer.

What needs improvement?

We usually have to follow up with technical support on our open cases. Otherwise, Splunk listens to customers and is constantly incorporating their feedback in future releases.

What do I think about the stability of the solution?

There are no software stability issues. The issues so far have been internal.

What do I think about the scalability of the solution?

There are no scalability issues. If you are planning on using Splunk for security use cases, I would recommend you go with Linux for your OS.

How are customer service and technical support?

We have the enterprise level of support. This is one area Splunk could improve upon, since we usually have to follow up with them on our open cases.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

There were no issues with the initial setup. We utilized Splunk’s partner zones for the initial setup. In retrospect, we should have utilized Splunk Professional Services.

What's my experience with pricing, setup cost, and licensing?

Although Splunk is an expensive product, it is designed to be utilized across your organization in order to maximize your ROI and lower your TCO.

We contacted Gartner and other business associates to determine what others are paying for Splunk.

Which other solutions did I evaluate?

We started researching ELK (Elastic, Logstash, Kibana). But management was so impressed with Splunk that we ended this research.

What other advice do I have?

Ensure you have an executive sponsor to fully deploy Splunk across your organization to maximize your ROI and lower your TCO.

Make use of Splunk Professional Services.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user664635
Performance Consultant at a tech services company with 10,001+ employees
Consultant
Some of the valuable features include data representation options and the analytics and querying of the indices.

Pros and Cons

  • "The data representation options in the dashboards are excellent."
  • "The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc."

What is most valuable?

The analytics and querying the indices is super easy.

The data representation options in the dashboards are excellent.

Multiple datasource/filetypes are supported and each can be customized in a few clicks.

What needs improvement?

Security administration and user access control is pretty basic. This can be improved.

The user access control could be much more granular, so that the admins can control r/w/x access for specific features of the product like dashboards, etc.

If this is improved, with a mapping against LDAP roles, it would be excellent.

What do I think about the stability of the solution?

We had no stability issues.

What do I think about the scalability of the solution?

We had no scalability issues.

How are customer service and technical support?

Technical support and the online community are some of the best for any product.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was quite easy and there is lot of technical documentation for handholding you through the process.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing is quite expensive. But for the value the product provides, it seems at par in the market.

Which other solutions did I evaluate?

We looked at IBM SmartCloud Analytics and Log Analytics.

What other advice do I have?

Please watch out for the licensing agreement. There are a lot of IP specific clauses that Splunk has included in their license agreement. Per my understanding, any plugin available in the community cannot be used OOB, due to licensing restrictions. (This might be specific to our organization.)

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user664626
Business Analyst at a retailer with 10,001+ employees
Vendor
Provides real-time and scheduled searches with alternate functionalities.

What is most valuable?

  • Flexibility when creating dashboards
  • Automated cron searches
  • Real-time and scheduled searches with alternate functionalities
  • User-base integration with LDAP

How has it helped my organization?

It alerted on many situations before other monitoring systems identified that there was a critical issue.

What needs improvement?

VMware and security device integration looks a bit complex.

For how long have I used the solution?

I have used Splunk for almost three years.

What do I think about the stability of the solution?

As of now, we have had no issues with stability. It is running like a charm.

What do I think about the scalability of the solution?

From a nodes perspective, there have been no scalability issues.

How are customer service and technical support?

I can say that support is good.

Which solution did I use previously and why did I switch?

We never used other solutions.

How was the initial setup?

We used the Splunk Cluster setup. It was a bit complex to set up, but management-wise and stability-wise, it was awesome.

What's my experience with pricing, setup cost, and licensing?

License costs fall under the NDA, but Splunk license costs are public, I believe.

Which other solutions did I evaluate?

We evaluated Logstash and others, but Splunk plays a pivotal role.

What other advice do I have?

I would strongly recommend this product, as it would be very beneficial for service operations and management.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user594183
Security Engineer at a retailer with 10,001+ employees
Real User
They provide predefined use cases. Scalability is always a question for this product.

What is most valuable?

They provide excellent predefined use cases.

How has it helped my organization?

This helps us in the footprinting of all the incidents.

What needs improvement?

When we deep dive into the events for the triggers, we have very little information in some instances.

For how long have I used the solution?

I have used Splunk for two years.

What do I think about the stability of the solution?

We raised support cases.

What do I think about the scalability of the solution?

Scalability is always a question for this product.

How are customer service and technical support?

Response from technical support can be improved. There was always a delay and we had to chase them.

Which solution did I use previously and why did I switch?

We didn’t have a previous solution.

How was the initial setup?

I was not present during the initial setup.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are always high compared to other products in the market. Storage is very expensive as well.

What other advice do I have?

It is a good product, but expensive.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user396600
Vice Manager at a comms service provider with 10,001+ employees
Vendor
Collects data from many sources. Has search, analysis, and visualization capabilities.

What is most valuable?

  • Collects data from any source
  • Powerful search, analysis, and visualization
  • Easy to build system on any platform
  • API and easily integrated search
  • Action script

How has it helped my organization?

We have over 7000 devices in our network infrastructure for monitoring, maintenance, and performance assessment.

We achieve this by collecting data and applying the analysis.

For how long have I used the solution?

I have used this solution for one year.

What do I think about the scalability of the solution?

We did not encounter any issues with scalability. Everything is normal with no bugs.

How are customer service and technical support?

It’s easy to obtain support from Splunk for technical issues. We also have enough knowledge ourselves to apply fixes.

Which solution did I use previously and why did I switch?

We used to deploy Elastic Stack. The search language of Splunk is easier and friendlier than Elastic Stack. It has helped me to search quickly and easily. Based on the results, it’s easy to visualize and add results to a previously built, personal dashboard.

What's my experience with pricing, setup cost, and licensing?

Licensing is free. Pricing is based on usage.

Which other solutions did I evaluate?

We evaluated Elastic Stack and Sumo Logic.

What other advice do I have?

If you are an enterprise and you need the best service for critical business analysis, Splunk would be one of the best choices.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user363165
Products Manager at a tech services company with 5,001-10,000 employees
MSP
Valuable features include rapid search, data mining, and information propagation. The GUI should be improved.

What is most valuable?

Rapid search is a valuable feature. Performance and incident response were the top priorities for most MSSPs. Breaches of SLAs will have a negative impact on customer trust, which eventually leads to losing customer confidence in the services to which they're subscribed. Hence, proactive approaches will be the main differentiator between one MSSP and the others.

How has it helped my organization?

It has been helping a lot of my clients with fast data mining and information propagation.

What needs improvement?

The GUI should be improved, in other words, the overall appearance.

For how long have I used the solution?

I am not the end-user. However, my job was more relevant as a consultant.

What do I think about the stability of the solution?

Performance upgrades are needed when more processing power is required.

What do I think about the scalability of the solution?

We have not had scalability issues.

How are customer service and technical support?

Technical support is good.

Which solution did I use previously and why did I switch?

The client was using an open source solution. They decided to switch to an enterprise product.

How was the initial setup?

The setup can be straightforward, if use cases are well defined.

What's my experience with pricing, setup cost, and licensing?

Overall, the cost is reasonable and it is easy to upgrade.

Which other solutions did I evaluate?

Our client was considering the other solutions as well. However, due to their overall assessment, they still considered going with it.

What other advice do I have?

Start off with something at a comfortable level, expand gradually, and then move upwards, expanding steadily.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a distributor.
ITCS user
Sr. Program Manager at a consultancy with 51-200 employees
Consultant
It is able to configure and integrate various solutions into one tool and provide actionable results. You need a dedicated developer.

What is most valuable?

  • Can ingest data from various data sources.
  • Is very useful for organizations who are attempting to meet compliance requirements.
  • Is able to fully configure and integrate various solutions into one tool and provide actionable results.

How has it helped my organization?

My use of Splunk at my previous place of employment improved how we functioned.

For how long have I used the solution?

I have used Splunk for three years.

What do I think about the stability of the solution?

We didn’t have any stability issues.

What do I think about the scalability of the solution?

We didn’t have any scalability issues.

How are customer service and technical support?

During our use of Splunk, we had professional services assisting and not actual technical support. However, the professional services team was great.

Which solution did I use previously and why did I switch?

Our organization did not have an established SIEM tool.

How was the initial setup?

The initial setup is straightforward, depending on the level of implementation of the tool.

What's my experience with pricing, setup cost, and licensing?

Take into consideration the labor costs for a dedicated Splunk developer who can craft the required queries needed for each organization. Organizations usually have their own form of implementation of each tool.

Which other solutions did I evaluate?

We didn’t evaluate any alternatives.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Timur Baitenov
Technical Director at a tech services company with 11-50 employees
Real User
It allows us to store raw data and use it repeatedly for different domains.

How has it helped my organization?

We are using it for operational intelligence. We are using Splunk as a data lake for machine data. We gather all our machine data from the IT infrastructure and monitor its health.

What is most valuable?

Splunk's schema-on-read technology is one of the most valuable characteristics of this solution. It allows us to store raw data and use it repeatedly for different domains. You don't need to prepare the data upfront.

Splunk's Search Processing Language (SPL) is another beneficial feature. It is a very powerful tool that gives you the ability to do almost anything with your data.

What needs improvement?

Visualizations can improve. There are some performance and stability issues with the visualization layer.

What do I think about the stability of the solution?

There were stability issues, but only with the visualization layer.

What do I think about the scalability of the solution?

There were no scalability issues.

How are customer service and technical support?

The technical support is quite good.

Which solution did I use previously and why did I switch?

Previously, we worked with different vendors and solutions.

How was the initial setup?

The setup was very straightforward.

What's my experience with pricing, setup cost, and licensing?

The price is pretty high for our region.

Which other solutions did I evaluate?

We did a SIEM solutions review with this and other systems for one of our customers.

What other advice do I have?

This is the right choice if you are looking for a platform that can combine all machine-generated data and use it for various use cases from different domains.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Integration Architect at a manufacturing company with 1,001-5,000 employees
Vendor
Fast availability of operational data spread across several servers is nice, but the MES is a complex system.

What is most valuable?

What Splunk calls operational intelligence: fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.

How has it helped my organization?

MES is a complex and very critical distributed system here. Production WIP is directly connected to it and ICT is required to provide continuous availability and very stable performance (line production has a constant speed, software cannot slow down). Collecting operational data from hardware, middleware and application software can potentially improve ICT proactive and reactive tasks.

For how long have I used the solution?

I've never used it, just studied it.

Which solution did I use previously and why did I switch?

We also use a traditional monitor, and Microsoft SCOM.

What was our ROI?

Every stop or slowdown of the production line means loss of money, e.g. 30% reduction when compared to the current baseline.

What's my experience with pricing, setup cost, and licensing?

Every stop or slowdown of the production line means loss of money, e.g. 30% reduction compared to the current baseline.

Which other solutions did I evaluate?

IBM QRadar

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Innovative tool but it needs to be improved for day to day use.
SIEM posts have grown in number at Infosecnirvana, but the requests to write about more products keep coming in. One of the oft asked about product is Splunk Enterprise. We have posted on HP ArcSight, IBM QRadar and McAfee Nitro SIEM. However, readers have been asking us repeatedly to write on Splunk.

So here it is finally after being in the works for a long time.

Introduction:

In 2003, one of the most interesting products rolled out and vowed to simplify Log management once and for all (and it did!!!) - Splunk. Their motto was simple – Throw logs at me and I will provide a web based console to search through it intuitively. Interestingly they are one of the few companies that have not been acquired, in spite of being a very innovative product. So let’s see what makes Splunk tick.

Architecture:

As always, a product is as good as its architecture. It has to be solid both internally as well as externally (meaning solution deployment, integration, ease of use, compatibility etc.).

  • Internal Architecture: Under the hood Splunk has two main services – The Splunk Daemon that is written in C++ used for data collection, indexing, search etc. and the Splunk Web Services that is a web application written using a combination of Python, AJAX, XML, XSLT etc. which provides the super intuitive graphical UI. Splunk also provides API access using REST and it can integrate with any web framework needed. Splunk is one of the few products that still use C++ and Python instead of the clunky Java and its cousins. This provides the edge to Splunk when processing large data volumes thrown at it.
  • Data Architecture: Splunk is a unique search engine like “data architecture”. In fact, some of the early development was based on the same concept of the path breaking GFS (Google file system) which provided a lot of direction and research into flat file storage, indexing and free text search capabilities with unmatched speed when compared to a relational DB. Splunk went on to master the distributed file system architecture and built their own proprietary data store which powers Splunk Enterprise today.
  • Deployment Architecture: The deployment of Splunk is based on true Big Data Architecture – Slave and Master, where the Slaves are the Search Indexers and the Master is a search head. Of course you can have both the nodes in the same Physical server, but in a true distributed architecture, you need a master and a slave. Read more at Big Data – What you need to know? to understand better on what Big Data is and how to try your hand at it.
  • Typical Setup: Let's look at a typical architecture deployment of Splunk in distributed mode.

[Image: Splunk_img4, diagram of a typical distributed Splunk deployment]
As you can see, there are three distinct components of this architecture and they are as follows:

  1. Log collectors or Splunk Log Forwarders are installed closer to the source and forward all the logs to Splunk Indexers. This is similar to the Log Collectors in SIEM. They are not great, but are decent enough to get the job done.
  2. The Splunk indexers typically run only the Splunk Daemon service, that receives the data and indexes it based on a pre-defined Syntax (this is akin to parsers but a lot simpler and faster to process). This is then sent to the Splunk data store. Each data store has a set of indexes based on the amount of logs received. The data store can then be configured for retention, hot or cold or warm standby etc. etc. In big data terminology, these are the slave nodes.
  3. These indexers then use a process called as “Summarizer” or in big data terms – “Map reduce” to create a summary index of all the indexes available.
  4. Splunk Search head, which serves as the single console to search across all data stores has the “summary index” to know which Indexer (slave) node to query and what index to query. Now this is where the scalable search power of Splunk comes from. This is the master node in big data world.

What’s good about Splunk?

  • Search, Search & Search: Splunk is arguably the best search engine for logs out there. We have started looking at ELK, Hadoop and other big data search engines but for the moment, Splunk rules the roost. The Splunk Search Processing Language (SPL) is the reason behind this power. The search can be done historically (on indexed data) or in real time (data before indexing) and this is as good as Log search can get. None of the SIEM products can come close to the search power of Splunk. In other words, Splunk is to search Log Data and SIEM is to search Event Data.
  • Fully customizable as far as searching capabilities are concerned, Splunk lets us add scripts to search queries, provides field extraction capabilities for custom logs, provides API, SDK and Web framework support to achieve all that you would need for Log management, Investigations, Reporting and alerting.
  • Web Interface: Even though UI is a subjective benefit, Splunk has one of the most pleasing interfaces we have seen for log management tools. It really is super easy and intuitive to use. It has great visualization capabilities, dashboards, app widgets and what not. It really puts the cool factor in a rather dull log analysis experience.
  • No Parsing: Basically, Splunk is an “All you can eat” for logs. Splunk follows a “store now, parse later” approach which takes care of receiving any logs thrown at it without any parsing or support issues. If it is a known log type, the indexes are added and updated appropriately. If it is not a known type, still the logs are stored and indexed to be searchable for later. You can then use Field Extractions and build custom field parsings. This is one of the killer differentiators compared to traditional SIEM products as Splunk is a lot more forgiving and agnostic in log collection and storage and does not require specialized connectors or collectors to do the job. This makes it a great log management product.
  • Splunk Apps help in building on top of the Search head to provide parsing, visualizations, reporting, metrics, saved searching and alerting and even SIEM-like capabilities. This, in my opinion is the power of Splunk compared to the other products in the market. They have an App Store for Splunk Apps. Cool isn’t it? These apps not only are written by product vendors, but also by User community.
  • Scalability: Splunk is a true big data architecture. It can scale with addition of Indexers and search heads. Ratio of Search Heads to Indexers is at a good 1:6. This means that if you have 1 search head, you can have 6 search indexers. This is very attractive when compared to other SIEM solutions in the market when it comes to scaling at the log management layer.

What’s bad?

  • Not a SIEM: Splunk is not your traditional SIEM. Let me clarify further. SIEM has several things in it that assists in performing security event management, monitoring, operations and workflow. In short the keyword for SIEM is “Operational Security Management”. Now the question is – Can Splunk be an SIEM? The simple answer is YES, however the real answer lies in how much customisation and how much product expertise you have in store to make it a SIEM product.
  • Poor Correlation: Splunk does not do any correlation as it is not designed to do that. However, it can be used to correlate events using the Splunk search language. You can do manual correlation using piped searches, lookup tables, scripted searches etc. but again you need to be familiar with the language. You can also automate it by scheduled and real time search triggers. However, nothing is out of the box. Anton blogs about Splunk Correlation being far superior to ArcSight (which btw is the best correlation engine we have worked with) but honestly, we don’t have real life implementation experience to justify that.
  • SIEM App: Splunk has an enterprise SIEM app that aids in SIEM-like functions. But it is definitely not a replacement killer for SIEM product. It is very basic and does not do much out of the box.
  • No Aggregation: The logs being sent to Splunk are received as is and sent to the data store. It is not aggregated. While this is a good thing for log collection and search performance, it is not good for underlying storage sizing. SIEM solutions have this capability but Splunk does not. This in turn affects the scalability aspect.
  • Poor Compression: Many SIEM products have a compression ratio of 10:1. However for Splunk, we have consistently seen the ratio to be around 4:1. While this is good for smaller log volumes, it is very poor for larger volumes. The main reason for this is that the Indexes take a lot of storage compared to the raw logs. While they aid in greater search capabilities, they increase underlying storage and maintenance cost.
  • Scalability: Even though scalability is one of the benefits of using Splunk for Log management, there is a downside to it too. Add to it the lack of aggregation, compression etc. and you can see how it impacts Scale. For example, every indexer can handle only 100 – 150 GB/day on good server hardware. In spite of what people might say about Splunk sizing and performance tuning, from years of personal use and experience, we can safely say that for standard enterprise hardware, this limit is as good as it gets. So assume you are looking at 1 TB/day. You would need 8 indexer servers and 2 search head servers for Splunk. However, if you were to take ArcSight or QRadar, you could do the same on two appliances with compression enabled (10:1 ratio of compression). This from a management perspective leads to a larger footprint for Splunk than other SIEM products.
  • Price: Contrary to popular belief, Splunk can get very expensive very fast. For all the reasons mentioned above, Splunk can get very expensive compared to other SIEM vendors to do large data collection as well as SIEM functionality. In a word – Be Cautious!!!

Conclusion: In our opinion, Splunk is one of the most innovative log management tools out there. But as a SIEM, to use in day to day security management, monitoring, ticketing etc. it has a lot of catching up to do. The ideal scenario will be to use Splunk in the log management layer and use any market leading SIEM in the correlation, workflow and operational management layer. We have seen several successful implementations where Splunk serves as the log management tool and ArcSight or QRadar serves as the Correlation engine. Best of both worlds!!!

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Systems/Applications Specialist with 201-500 employees
Vendor
It could be easier to set up but it has an innovative way of collecting and presenting data

What is most valuable?

Its performance, scalability and most importantly the innovative way of collecting and presenting data.

Fast search! Imagine a scenario with an application environment where a couple of modules are based at a different servers. There is a system issue and a check needs to be completed in a timely manner. Traditionally engineers would have to login to the servers, navigate to different folders and load the log files to check for errors. Splunk can give this at a glance for all of the systems at once! Furthermore a “trap” of known errors could be saved and a real time alert setup to send an email in a meaningful way with relevant details (e.g. priority, affected systems) and instructions what needs to be done next.

How has it helped my organization?

Helpful for systems support, monitoring of the operations and deliveries, analysing trends and performance. Great for making sense of the application log’s events for business needs - e.g. requests per day, completed tasks per user, exceptions, KPI etc.

What needs improvement?

It could be easier to set up and to add new sources, which Splunk is improving with every new version.

For how long have I used the solution?

I have used it for two years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

It's running great given the information it processes.

What do I think about the scalability of the solution?

Really scalable solution. Could be split into soft/hard forwarders if needed and even completed in an HA setup.

How are customer service and technical support?

Customer Service:

Splunk have dedicated staff trying to change the world for the better.

Technical Support:

Splunk have introduced their own certification path which guarantees that the technical support will have the needed expertise.

Which solution did I use previously and why did I switch?

I am familiar that there are other solutions out there but I haven't used them. Started with Splunk.

How was the initial setup?

The initial setup requires some good analysis - what would be collected, from where, how to group the incoming data in virtual folders and indexes so it makes sense and eases/scopes the search later on. Apart from that the initial application setup is straightforward.

What about the implementation team?

Implemented in house with the support of the vendor with high level of expertise.

What was our ROI?

I'm not sure about the money but in saved time and a new kind of visibility for the system/business process this product has been revolutionary in the working environment. The demand for deeper integration and more details hasn't stopped since the initial implementation and we have moved on from just technical and business reports, KPI reports from other systems and we keep building new alerts, dashboards and reports as per new requirements.

What's my experience with pricing, setup cost, and licensing?

Not sure about the cost but I have heard it can get pretty costly for an Enterprise grade scale as the environment I work in. For home it is free up to 500Mb a day. Day-to-day cost for the product itself is costing just system resources, however the development work that needs to be completed for new requests and keeping the old one up-to-date can raise the budget according to the expertise needed.

What other advice do I have?

Go for it and be brave. Experiment, add, remove, modify. Keep what is not working until it is working how you want and then delete the rest. Make a library of useful search queries and a diagram of systems and related files included in the indexes. Do not allow access for everyone to run DB queries as per the other forms of DB access. Install 3rd party modules and play with them. Collect system events for the OS and relate them to application performance. Trap the errors you have identified, create alerts and follow a naming convention for email subjects (e.g. priority, type, system, description).

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Consultant
Great Log Management and Investigation tool, but Operational SIEM capability needs improvement

Valuable Features

Great Log management capabilities with flexible and comprehensive search capabilities. Scalable and Easy to use.

Room for Improvement

Operational Workflow, Use Case Framework, and ticketing systems to make it suitable for SOC environments

Use of Solution

3 years

Scalability Issues

Splunk is extremely scalable with the limit being the hardware in use.

Customer Service and Technical Support

If you get the right people engaged, support can be a bliss.

Initial Setup

Setup is simple and straight forward.

Other Advice

http://infosecnirvana.com/splunk-enterprise-need-know/

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user142623
CEO with 51-200 employees
Vendor
Popular
Pros and Cons of Splunk, Sumo Logic, LogStash and Others
Splunk, Sumo Logic, LogStash, GrayLog, Loggly, PaperTrails – did I miss someone? I’m pretty sure I did. Logs are like fossil fuels – we’ve been wanting to get rid of them for the past 20 years, but we’re not quite there yet. Well, if that’s the case I want a BMW!

To deal with the growth of log data a host of log management & analysis tools have been built over the last few years to help developers and operations make sense of the growing data. I thought it’d be interesting to look at our options and what are each tools’ selling point, from a developer’s standpoint.

Splunk

As the biggest tool in this space, I decided to put Splunk in a category of its own. That’s not to say it’s the best tool for what you need, but more to give credit to a product who essentially created a new category.

Pros

Splunk is probably the most feature rich solution in the space. It’s got hundreds of apps (I counted 537) to make sense of almost every format of log data, from security to business analytics to infrastructure monitoring. Splunk’s search and charting tools are feature rich to the point that there’s probably no set of data you can’t get to through its UI or APIs.

Cons

Splunk has two major cons. The first, that is more subjective, is that it’s an on-premise solution which means that setup costs in terms of money and complexity are high. To deploy in a high-scale environment you will need to install and configure a dedicated cluster. As a developer, it’s usually something you can’t or don’t want to do as your first choice.

Splunk’s second con is that it’s expensive. To support a real-world application you’re looking at tens of thousands of dollars, which most likely means you’ll need sign offs from high-ups in your organization, and the process is going to be slow. If you’ve got a new app and you want something fast that you can quickly spin up and ramp as things progress – keep reading.

Read the rest of this post here.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user138168
Senior Software Engineer at a retailer with 10,001+ employees
Vendor
Support can retrieve salient logging data from massive distributed systems in seconds but deployment is not easy.
I've been using Splunk for over 3 years now. The most valuable feature for me is alerting. Using Splunk, production support teams can retrieve salient logging data from massive distributed systems in seconds.

I'd say that some of the key/value pair parsing can be a little off and has room for improvement. The deployment is not easy and I've only encountered issues with stability and scalability when on under-provisioned equipment. The initial setup was complex - need to identify source types in advance, and a large deployment with multiple indexers can be tricky. We initially implemented in-house, and then through Splunk themselves to upgrade and improve.

Before implementing Splunk we used an in-house system, but Splunk offered far more to us. Also, their customer service is good and their technical support is excellent. Our ROI was big!

I'd advise others who are looking into implementing Splunk to get a true Splunk expert - either Splunk themselves or a vendor, to do the installation.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user129642
Systems Administrator at a energy/utilities company with 10,001+ employees
Vendor
Splunk vs LogLogic: Splunk stands out for its ability to consume almost any log type and its ease of searching

Valuable Features:

Splunk – ease of searching large amounts of data. 

Improvements to My Organization:

Splunk – real time alerts on critical indicators, compliance reports, troubleshooting and predictive abilities using trends. 

Use of Solution:

Splunk – 3 years 

Deployment Issues:

Splunk – Had one issue requiring a support call regarding the configuration of the automated configuration deployment package. Quickly resolved. 

Stability Issues:

Splunk – None. 

Scalability Issues:

Splunk – Not needed yet. 

Customer Service:

Splunk – Splunk has a very knowledgeable support staff and the Splunk support website is outstanding. The message boards are very active and using them will often prevent having to call support.

Initial Setup:

Splunk – Easy, but can get very complex depending on the type of logs to ingest. While Splunk, out of the box, handles most common types, the extraction of data from custom logs can be problematic, although Splunk does provide tools for accomplishing this.

Other Advice:

Both Splunk and LogLogic excel at their intended purpose. If you are looking for an appliance that you can stick in the rack, minimally configure and then forget about, you will like the LogLogic solution. If you need to regularly search different logs for different data you will like Splunk better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user126639
Sr. Security Engineer at a university with 1,001-5,000 employees
Vendor
In addition to search and analytic capabilities, Splunk has under-the-cover capabilities for timestamp data.

Splunk is a pretty powerful piece of software. There are the obvious search and analytic capabilities it has but there is some robustness under the covers as well. One of those under-the-cover capabilities is detecting and understanding timestamp data. It's the sort of thing that as users of the software we simply accept and generally speaking don't spend a whole lot of time thinking about.

From an admin perspective, as you start to put some effort into understanding your deployment and making sure things are working correctly, one of the items to look at is the DateParserVerbose logs. Why, you ask? I've recently had to deal with some timestamp issues. These internal logs generally document problems related to timestamp extraction and can tell you if, for example, there are logs being dropped for a variety of timestamp related reasons.

Dropped events are certainly worthy of some of your time! What about logs that aren't being dropped but for one reason or another Splunk is assigning a timestamp that isn't correct? 

Continue reading this post on my blog here.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
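The forwarder / indexer / search head layout and the "store now, parse later" field extraction described in the Infosecnirvana post above, together with the events-dropped-for-timestamp-reasons concern raised in this post, as an added Python sketch that is not code from either reviewer or from Splunk. The class names (Indexer, Forwarder, SearchHead), the extract_sshd extraction and the sshd-style sample lines are constructed for illustration.

```python
"""Toy model of a distributed, schema-on-read log search.

Forwarders ship raw lines unparsed; each indexer stores the raw event
with only a timestamp and an index name; a search head fans a query out,
every indexer extracts fields at read time (the "map"), and the search
head reduces the partial counts. Example code for this page, not Splunk's.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample lines, as if forwarded from three application servers.
# The last line has no parseable timestamp on purpose.
SAMPLE_LINES = [
    "2021-11-02 09:14:01 app01 sshd: Failed password for alice from 10.0.0.5 port 51022",
    "2021-11-02 09:14:03 app01 sshd: Failed password for alice from 10.0.0.5 port 51024",
    "2021-11-02 09:14:09 app02 sshd: Accepted password for bob from 10.0.0.9 port 40311",
    "2021-11-02 09:14:12 app03 sshd: Failed password for root from 10.0.0.77 port 39001",
    "2021-11-02 09:14:15 app02 sshd: Failed password for alice from 10.0.0.5 port 51030",
    "no timestamp here sshd: Failed password for eve from 10.0.0.8 port 50000",
]

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


class Indexer:
    """Slave node: stores raw events, assigning only a timestamp at index time."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.events: List[Dict[str, object]] = []
        self.timestamp_failures = 0  # the kind of count a DateParserVerbose log would surface

    def ingest(self, index: str, raw: str) -> bool:
        m = TIMESTAMP_RE.match(raw)
        if m is None:
            self.timestamp_failures += 1
            return False  # modelled here as a dropped event
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        self.events.append({"_time": ts, "index": index, "_raw": raw})
        return True

    def map_count(self, index: str, extract: Callable[[str], Optional[Dict[str, str]]],
                  where: Callable[[Dict[str, str]], bool], group_by: str) -> Counter:
        """Map phase: fields are extracted from _raw only now, at search time."""
        counts: Counter = Counter()
        for ev in self.events:
            if ev["index"] != index:
                continue
            fields = extract(str(ev["_raw"]))
            if fields is None or not where(fields):
                continue
            counts[fields[group_by]] += 1
        return counts


class Forwarder:
    """Edge collector: round-robins raw lines to indexers without parsing them."""

    def __init__(self, indexers: List[Indexer]) -> None:
        self.indexers = indexers
        self._next = 0

    def send(self, index: str, raw: str) -> bool:
        target = self.indexers[self._next % len(self.indexers)]
        self._next += 1
        return target.ingest(index, raw)


class SearchHead:
    """Master node: fans the query out and reduces per-indexer partial counts."""

    def __init__(self, indexers: List[Indexer]) -> None:
        self.indexers = indexers

    def count_by(self, index: str, extract, where, group_by: str) -> Dict[str, int]:
        total: Counter = Counter()
        for idx in self.indexers:
            total.update(idx.map_count(index, extract, where, group_by))
        return dict(total)


# A field extraction defined after the data was stored: a regex with named groups.
SSHD_RE = re.compile(r"sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) "
                     r"from (?P<src_ip>\S+) port (?P<port>\d+)")


def extract_sshd(raw: str) -> Optional[Dict[str, str]]:
    m = SSHD_RE.search(raw)
    return m.groupdict() if m else None


def build_cluster(lines: List[str] = SAMPLE_LINES):
    """Three indexers behind one forwarder, all lines written to index 'os'."""
    indexers = [Indexer("idx1"), Indexer("idx2"), Indexer("idx3")]
    fwd = Forwarder(indexers)
    for line in lines:
        fwd.send("os", line)
    return SearchHead(indexers), indexers


def failed_logins_by_user(search_head: SearchHead) -> Dict[str, int]:
    """Search-time correlation: failed sshd logins per user across all indexers."""
    return search_head.count_by("os", extract_sshd, lambda f: f["result"] == "Failed", "user")


if __name__ == "__main__":
    sh, idxs = build_cluster()
    print(failed_logins_by_user(sh))  # {'alice': 3, 'root': 1}
    print(sum(i.timestamp_failures for i in idxs), "event(s) dropped for timestamp reasons")
```

The dropped line for eve never reaches a search result, which is the point of the post above: an indexer-side timestamp failure silently removes data from every later investigation unless the failure counters are watched.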
ITCS user
Senior Manager of Network with 1,001-5,000 employees
Vendor
Splunk is great for Syslog capabilities. For normal device management, you can't go wrong with SolarWinds.

I'd go with Splunk for logging. For Syslog capabilities, Splunk wins outright from my experience. It's quick, very customizable, and there are many different modules some specific for vendors and devices. (Cisco Security Suite for one). 

If you are really into SolarWinds and want to use them for Syslog then I would go with Kiwi. SolarWinds NPM has a syslog collector but under heavy load (a few hundred devices) it will get bogged down real quick in my experience.

If you are looking for normal device management then NPM, NCM, NTA are the way to go. You can't go wrong with SolarWinds.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user121728
Head of Service Integrity with 1,001-5,000 employees
Vendor
It can probably do anything if you tweak it enough but it's not cheap.
Splunk is really good at log parsing events over time. It is quick to drill in and analyze and it is quick to build a presentation layer and automate reporting. I love it for problem analysis and event management however it is not a capacity management tool. 

It can be a CM tool but not a good tool for projections etc. There are many tools that claim to be CM tools but they are usually expensive and miss the basic day to day challenges of capacity management. E.g.: excluding backups from day peaks, removing outliers, forward trending, accepting data from any source. Start by getting your key data extracted from reliable sources and other tools.

The charting and presentation layer is impressive and quick. It can probably do anything if you tweak it enough. I would call it a very handy tool but probably not the tool. It is not that cheap either. I have used it personally to analyze big data as well as creating knowledge from some ordinary logging. I then created some pretty cool dashboards but they were more operational dashboards.

I don't think we could afford it as a capacity tool but we can use the data it simplified.

Disclosure: I am a real user, and this review is based on my own experience and opinions.