
Reviews from AWS customers

22 AWS reviews

External reviews

459 reviews

External reviews are not included in the AWS star rating for the product.


    Dhruv Vyas

Log monitoring has transformed operations and now supports real-time threat detection

  • April 24, 2026
  • Review from a verified AWS customer

What is our primary use case?

I use Splunk Enterprise Platform and Splunk Cloud for our Splunk solutions. I work with Splunk Enterprise Platform for the Enterprise, not with Enterprise Security.

I use Splunk Enterprise Platform for monitoring systems, analyzing logs, and building dashboards that support our operations, visibility, and business insights. I perform log analysis, create dashboards, and set up alerts using SPL. We query large volumes of logs, identify patterns, and troubleshoot issues.

I definitely use Splunk Enterprise Platform's machine learning toolkit. It helps us with predictive analytics in our organization. I have set alerts for daily ingestion using the Machine Learning toolkit in Splunk Enterprise Platform directly. I use SPL commands such as fit, apply, and score for regression and classification analysis, including yes or no category alerts. I mainly use it for anomaly detection in our company.

It is very efficient for us in assessing the effectiveness of Splunk Enterprise Platform in detecting anomalies and preventing system outages. I also set alerts for daily ingestion. Overall, it is a great tool for security analysis and log monitoring, and it is one of the best tools we have been using.

I have a custom add-on for forwarder management. Instead of having different instances, I made a different app for forwarder management. Anything that happens to that forwarder, I can see using that particular app and add-on SPL. That is how it helps us. I have many different custom add-ons for Splunk Enterprise Platform, and I have directly published them in Splunkbase. Even if our new employees need to see and debug what is the problem in our forwarder, that is how Splunk Enterprise Platform custom add-ons work for us.

I definitely leverage Splunk Enterprise Platform for advanced threat detection. It integrates with our existing security tools by aggregating logs from multiple sources such as servers, applications, and network devices. It makes it easier to correlate events and identify suspicious patterns that would not be visible in isolated systems. I use real-time alerts for suspicious activities. I have also set alerts in our organization for users; if multiple failed login attempts occur, then we get an alert. I monitor security events in real-time through dashboards.

What is most valuable?

The number one valuable feature is its powerful search capabilities in Splunk Enterprise Platform. Using SPL, we can fire a query and get so much results from that. The number two is its dashboard; we have built dashboards and alerts for different use cases. We use dashboards for visualization, which is also one of the best features. It is integrated with other tools; we have our custom add-ons there. It integrates with other tools as well. Additionally, it handles large volumes of machine data well, as we ingest daily TBs of data in Splunk Enterprise Platform.

In terms of improving data interpretation, it shows only the most relevant information for a specific user or role. Instead of going through large volumes of raw logs, we can directly see key metrics and alerts that matter to us. In our use case, we have set a system health and error rate, which we can directly see on our personalized dashboard. It makes our data more actionable, improves our efficiency, and allows both our technical and non-technical users to interpret insights without deep querying knowledge.

What needs improvement?

The number one area for improvement is cost; it is not cost-efficient for small organizations. Better cost management should be the first priority. Performance optimization is also important. Large queries or poorly optimized searches can sometimes slow down our results. Better recommendations or automation for query tuning would help us. It would be better if this is added in the near future versions.

For how long have I used the solution?

I have been using Splunk Enterprise Platform for a year.

What do I think about the stability of the solution?

It is super stable, which is why we use it. It is one of the best tools.

What do I think about the scalability of the solution?

It is super scalable for us; I would rate it eight out of ten regarding scalability.

How are customer service and support?

It is superb because whenever we raise a support case, they answer us instantly. Customer service is also good.

How was the initial setup?

It was straightforward for the initial setup.

What about the implementation team?

We have Splunk dedicated employees here who have trained in Splunk Enterprise Platform. It was installed directly by our own employees.

What was our ROI?

We definitely have approximately thirty to forty percent ROI from Splunk Enterprise Platform.

Which other solutions did I evaluate?

We have directly integrated to Splunk Enterprise Platform because we have become Splunk partners.

What other advice do I have?

This is my first time, so I do not know much about this platform. We have our custom application, and we can directly use that to enhance end-user experience. My piece of advice will be if you are looking for a SIEM tool to monitor and have personalized dashboards, then Splunk Enterprise Platform is definitely for you. If your team has the budget and your company has budget, then you should definitely move to Splunk Enterprise Platform. I would rate this product a nine out of ten overall.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    Yastee Ajaykumar S.

Easy to Use and Secure—A Great Fit for Our Team

  • April 23, 2026
  • Review provided by G2

What do you like best about the product?
Good to use and secure; we use the same software.
What do you dislike about the product?
Licensing is the issue for Splunk Enterprise.
What problems is the product solving and how is that benefiting you?
Splunk helps me to implement ES for the enterprise logs.


    Vikas Pandita

Centralized analytics have transformed NOC and SOC operations and deliver faster threat response

  • April 16, 2026
  • Review provided by PeerSpot

What is our primary use case?

My usual use cases for Splunk Enterprise Platform involve all NOC and SOC activities, where SOC-related alerts will be aggregated with NOC-related alerts, allowing for correlation between them, including use cases such as abnormal travel and anomaly detection, all of which are detected by Splunk Enterprise Platform.

For instance, if there is a DDoS attack indicated by an anomaly in the traffic when WAF is integrated, an alert is generated in Splunk Enterprise Platform, which our L1 and L2 teams will then visualize and remediate based on the alert.

I do not use Splunk Enterprise Platform's Machine Learning Toolkit directly, but my team utilizes it.

How has it helped my organization?

Splunk Enterprise Platform's Machine Learning Toolkit has helped us with predictive analytics in our organization significantly, as it automates the anomaly detection that previously required our L1 and L2 teams to spend three to four hours on.

It immediately triggers alerts upon detecting patterns such as WAF spikes or suspicious login behavior, allowing our L1 to avoid manual analysis and triaging. The predictive analysis reduces false positives, enabling our analysts to close tickets swiftly—previously taking two to three days, and now they close them before breaching the SLA due to effective pattern discovery and outlier detection.

Splunk Enterprise Platform's Machine Learning Toolkit is efficient in detecting abnormal login attempts and brute force attacks, effectively aiding our proactive defense planning through advanced analytics and anomaly detection.

What is most valuable?

Splunk Enterprise Platform's most valuable features include its integration with AI, as Cisco, which has taken Splunk Enterprise Platform recently, is building up AI functionalities, enhancing remediation capabilities and the orchestration part in the market. Additionally, Splunk Enterprise Platform shows the correct logs at the correct time, and inventory management is very good.

I assess the effectiveness of Splunk Enterprise Platform in detecting anomalies and preventing system outages as very strong; for over two to three decades, it has provided centralized log visibility, real-time monitoring, and analytics correlation, which is robust for threat detection and incident investigation.

Splunk Enterprise Platform's machine learning capability of the toolkit predicts trends and reduces many false positives, making Splunk Enterprise Platform an essential tool for both SOC and network operations, where it effectively detects anomalies that other SIEM tools cannot.

Splunk Enterprise Platform's personalized dashboards are superb, as I have been experimenting with them extensively, and new features have enhanced their quality, making them particularly effective for presentations to leadership, including direct engagement with the CISO.

What needs improvement?

In terms of improvement for Splunk Enterprise Platform, as more companies embrace AI, adding more AI automations is crucial and could parallel what competitors such as Xplain are doing. Managing duplicate alerts efficiently can optimize costs, as the current license-based data ingestion can quickly escalate if duplicate data is fed.

Better filtering of unnecessary log sources could greatly interest clients by demonstrating cost efficiency. From an architectural standpoint, data onboarding, normalization, performance, and scalability improvements would be beneficial, particularly in optimizing search speed and query execution to handle larger searches efficiently.

For how long have I used the solution?

I have been working with Splunk Enterprise Platform for the last 10 years as a Splunk certified power user and advanced user, and along with Splunk Enterprise Platform, I am using Palo Alto's Cortex XSOAR and Azure Sentinel continuously for over 10 and 12 or more years.

What do I think about the stability of the solution?

I evaluate the stability and reliability of Splunk Enterprise Platform as very high; we utilize it for both SOC and NOC operations, and our L1 and L2 teams get real-time alerts and query the SPL effectively without delays that other SIEM solutions may impose.

What do I think about the scalability of the solution?

Splunk Enterprise Platform is scalable; we have already adapted it from SOC to NOC operations while maintaining good indexing practices that prevent overload and ensure clear searches, maximizing performance in large SPL queries.

How are customer service and support?

My L1 team regularly communicates with Splunk Enterprise Platform's technical support, which is very helpful.

I would rate the technical support from Splunk Enterprise Platform around eight on a scale from one to ten, where one would be the worst and ten would be the best.

Which solution did I use previously and why did I switch?

Before using Splunk Enterprise Platform, I utilized Azure Sentinel in my previous company at Deloitte, prior to leaving.

How was the initial setup?

Although I did not participate in the initial setup, I provided mentoring for the team under me who managed the implementation because I have spent 14 years in the industry, which included hands-on implementations earlier in my career.

Splunk Enterprise Platform's implementation is very straightforward; I do not feel there is a significant difference from the implementation point of view, as everything is clearly documented by Splunk Enterprise Platform.

What about the implementation team?

We are a customer of Splunk Enterprise Platform, currently at Aramex, and we bought a vendor from Capgemini who has actually implemented Splunk Enterprise Platform for us, so we are not directly linked with Splunk Enterprise Platform but rely on our vendor to use Splunk Enterprise Platform for us.

What was our ROI?

Splunk Enterprise Platform's dashboards significantly improve data interpretation, providing immediate real-time visibility on top trending alerts and live data without needing to run queries repeatedly. They aggregate metrics and highlight trends such as threat overviews and MITRE ATT&CK mapping, which reduces the workload for our L1 and L2 teams.

Pre-built alerts for anomalies in login attempts, failed attempts, or geolocation mapping are very visible in Splunk Enterprise Platform's dashboard, which plays a critical role in providing real-time visibility into security events and network activities.

Splunk Enterprise Platform's application management feature enhances end-user experiences by providing organized dashboards that monitor application usage and configurations, facilitating faster detection and query execution. It logs metrics into applications that reveal usage patterns, anomaly detections, and attack occurrences, while also ensuring proper governance and versioning of applications.

What's my experience with pricing, setup cost, and licensing?

I consider Splunk Enterprise Platform an expensive tool because budget constraints from license-based data ingestion costs are significant. Costs can escalate rapidly when duplicate data is processed, which Splunk Enterprise Platform can identify to help clients save directly on unnecessary spending.

What other advice do I have?

I leverage Splunk Enterprise Platform for advanced threat detection, which is critical for our SOC operations. Threat intelligence and detection are vital, especially since Cisco's acquisition of Splunk Enterprise Platform has integrated Talos into it, enhancing our ability to monitor for IP reputation and potential attacks, while also keeping an eye on advisories regarding application vulnerabilities. I would rate this product overall at a nine out of ten.


    Ambati Teja

Security monitoring has become proactive and real-time investigation detects threats faster

  • April 14, 2026
  • Review provided by PeerSpot

What is our primary use case?

I am not currently using Splunk Enterprise Platform, but in my previous company, PwC, I used Splunk for almost six months, and before that company, I had a total exposure of almost three years to Splunk Enterprise Platform. My main use case for Splunk Enterprise Platform was detection and investigation.

Ingesting massive amounts of machine-generated data and running real-time searches to identify patterns, anomalies, or threats related to specific security issues was how I used Splunk Enterprise Platform for detection and investigation. The most significant aspect, if I must prioritize, is the data ingestion capability. Splunk Enterprise Platform usually collects authentication logs from various sources such as Windows event logs and SSH, which relates to Linux logs, and some web application-based logs as well. Apart from that, I use it for detection logic. The main search I use is Search Processing Language, based upon the queries I provide related to the machines I monitor.

Mostly for brute-force detection, I use it for monitoring multiple failed login attempts from a single source or multiple IP sources followed by a successful login, which often indicates a compromised account. I also use it for lateral movement and privilege escalations. For privilege escalations, it involves detecting when a normal user is added to a high-privilege group, such as Domain Admins. Additionally, I have capabilities related to IT operations, which involve web traffic analysis, mostly identifying slow-loading web pages or sudden spikes, errors such as 404 or 403 Forbidden, or even 500 errors.

What is most valuable?

The best features in Splunk Enterprise Platform are the Search Processing Language, which includes pipe syntax, and real-time alerting and dashboards. The dashboard is an interactive tool, and I use it for visualizations such as heat maps, graphs, and glass tables. The dashboards I use depend upon the widgets that are most helpful to track and monitor. I can also set some thresholds to trigger real-time values based upon the log information available in Splunk Enterprise Platform, which can be useful for the remediation of scripts.

When a specific condition is met, such as any brute-force attack happening, it is easy to investigate the alert, particularly in Splunk Enterprise Platform. Integration is a notable aspect of the features in Splunk Enterprise Platform.

Before using Splunk Enterprise Platform, I used LogRhythm, but after initiating Splunk Enterprise Platform, I noticed several positive impacts in my organization.

What needs improvement?

For Splunk Enterprise Platform improvement, I think it would be beneficial to focus on particular areas such as system performance, cost management, and detection accuracy. Based upon system performance, I generally look into errors, status errors, or forbidden errors. I could also build some pre-indexed summaries so that Splunk Enterprise Platform can search much faster than raw logs.

For how long have I used the solution?

In my current field, I have worked for around six years, and at my current company, I have been working for the last three years.

What do I think about the stability of the solution?

There is no proper downtime for Splunk Enterprise Platform; whatever downtime occurs, the IT team handles it. There is no significant downtime to report.

What do I think about the scalability of the solution?

It is easy to differentiate the type of logs based on Splunk Enterprise Platform. If it is a phishing email, I can easily identify what kind of phishing alert it is. If it is a brute-force attack or something such as password spraying, it is easy to identify in Splunk Enterprise Platform.

How are customer service and support?

I usually reach out to customer support for Splunk Enterprise Platform whenever I need specific data. I contact the technical support team immediately, and on a priority basis, I receive a resolution. If not, I raise a ticket so that I can get a proper solution for the issues I am facing.

How was the initial setup?

My experience with pricing, setup cost, and licensing has been notable.

What was our ROI?

I have seen a return on investment from using Splunk Enterprise Platform, illustrated by tracking how the daily data volume has been indexed, the estimated cost, the monthly actual report, and the annual report. Biquarterly and mid-year reports can be easily tracked in Splunk Enterprise Platform.

Which other solutions did I evaluate?

I do have other options such as Datadog, and Microsoft Sentinel (Azure Sentinel). In my current company, I am using Datadog currently as a SIEM tool.

What other advice do I have?

Splunk Enterprise Platform is deployed on-premises in my organization. I rate this product an overall 8 out of 10.
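Two of the reviews above describe the same detection logic in words: many failed logins from one source followed by a successful login (Dhruv Vyas's failed-login alert and Ambati Teja's brute-force use case), and failures spread across many accounts from one source (the password spraying case). The block below is an added example written for this page, not code from Splunk or any reviewer; it runs that logic in Python over a constructed sample of normalised authentication events, with the time-window handling a real alert needs so that a stale failure from an hour earlier does not inflate the count.

```python
"""Detection logic for the two authentication patterns the reviews describe:
many failed logins from one source followed by a success (a brute force that
worked) and failures spread across many accounts from one source (password
spraying). The event rows below are constructed sample data, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised authentication events, in the shape a SIEM
# exposes after field extraction: (timestamp, source IP, user, outcome).
SAMPLE_EVENTS = [
    ("2026-04-01T09:40:00", "203.0.113.7", "alice", "failure"),  # stale, outside window
    ("2026-04-01T10:00:01", "203.0.113.7", "alice", "failure"),
    ("2026-04-01T10:00:05", "203.0.113.7", "alice", "failure"),
    ("2026-04-01T10:00:09", "203.0.113.7", "alice", "failure"),
    ("2026-04-01T10:00:14", "203.0.113.7", "alice", "failure"),
    ("2026-04-01T10:00:20", "203.0.113.7", "alice", "failure"),
    ("2026-04-01T10:00:27", "203.0.113.7", "alice", "success"),  # 5 failures then success
    ("2026-04-01T10:05:00", "198.51.100.4", "bob", "failure"),
    ("2026-04-01T10:05:30", "198.51.100.4", "bob", "failure"),
    ("2026-04-01T10:06:00", "198.51.100.4", "bob", "success"),   # benign: two typos
    ("2026-04-01T11:00:00", "192.0.2.9", "carol", "failure"),
    ("2026-04-01T11:00:02", "192.0.2.9", "dave", "failure"),
    ("2026-04-01T11:00:04", "192.0.2.9", "erin", "failure"),
    ("2026-04-01T11:00:06", "192.0.2.9", "frank", "failure"),
    ("2026-04-01T11:00:08", "192.0.2.9", "grace", "failure"),    # 5 distinct users
]


def parse_events(rows):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "outcome": outcome}
        for ts, src, user, outcome in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= threshold failures from the same
    source within `window`. Failures against any account from that source count,
    since an attacker often rotates usernames before one succeeds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            earliest = e["ts"] - window
            failures = [f for f in evs[:i] if f["outcome"] == "failure" and f["ts"] >= earliest]
            if len(failures) >= threshold:
                findings.append({"src": src, "user": e["user"], "failures": len(failures),
                                 "first_failure": failures[0]["ts"], "success_at": e["ts"]})
    return findings


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Flag a source whose failures within `window` hit >= min_users distinct
    accounts; one finding per source is enough to raise an alert."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            fails_by_src[e["src"]].append(e)
    findings = []
    for src, fails in fails_by_src.items():
        for i, e in enumerate(fails):
            earliest = e["ts"] - window
            users = {f["user"] for f in fails[: i + 1] if f["ts"] >= earliest}
            if len(users) >= min_users:
                findings.append({"src": src, "distinct_users": len(users), "at": e["ts"]})
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in detect_brute_force_success(evs):
        print("brute force then success:", hit)
    for hit in detect_password_spray(evs):
        print("password spray:", hit)
```

The thresholds and the ten-minute window are assumptions chosen for the sample; in production they are tuned per log source so that ordinary mistyped passwords (the second source above) stay below the alert line.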


    Robert B.

Splunk Enterprise Makes Endpoint Data Collection and Troubleshooting Easy at Scale

  • April 14, 2026
  • Review provided by G2

What do you like best about the product?
Splunk Enterprise stands out because it makes it easy to collect data from endpoints at scale. It can pull in logs, events, and machine data from many different systems, then centralize that information so it is searchable and useful. That makes troubleshooting, monitoring, and security investigations much faster, because the data is already in one place instead of scattered across servers and devices.
What do you dislike about the product?
Splunk Enterprise can be expensive, and at times it feels like you don’t have enough control over your own data. Running into licensing limits is also frustrating, especially when data volume grows unexpectedly and starts impacting visibility or how the platform can be used. Another concern is that vulnerabilities in Windows collectors can add extra security risk and increase ongoing maintenance overhead. Taken together, these issues can make the platform feel restrictive, costly, and more difficult to manage than it should be.
What problems is the product solving and how is that benefiting you?
Splunk Enterprise is helping us solve endpoint and infrastructure data tracking across multiple systems. Before using it, it was harder to pull together logs and machine data from different endpoints in one place, which made troubleshooting, monitoring, and investigating issues slower and more manual. Now we can collect and search that data centrally, which gives us better visibility into system activity and helps us identify problems faster. This has improved incident response, made tracking issues across environments easier, and reduced the time spent manually gathering data from different sources.


    Broadcast Media

Splunk Enterprise Delivers Powerful Real-Time Search and Actionable Insights

  • April 08, 2026
  • Review provided by G2

What do you like best about the product?
Splunk Enterprise excels at real-time data indexing and search, allowing you to quickly correlate disparate logs into actionable insights using its powerful Search Processing Language (SPL).
Its versatile visualization tools and massive Splunkbase app ecosystem make it a top choice for centralized security monitoring and high-scale IT operations.
What do you dislike about the product?
Splunk Enterprise is often criticized for its complex and expensive licensing based on data volume, which can become unpredictable as your infrastructure grows.
Users also find its Search Processing Language (SPL) has a steep learning curve, and the platform can be resource-intensive to maintain and scale.
What problems is the product solving and how is that benefiting you?
Splunk Enterprise solves data fragmentation and visibility gaps by centralizing massive volumes of machine data into a single, searchable platform.
It benefits you by providing real-time security insights and operational monitoring, drastically reducing the time needed to detect and resolve critical system issues.


    Higher Education

Easy Correlation Insights, But Support Has Slipped Since Cisco

  • April 07, 2026
  • Review provided by G2

What do you like best about the product?
Quick ease of use, and very useful for finding correlations.
What do you dislike about the product?
Dealing with Splunk tech support now that Cisco owns them.
What problems is the product solving and how is that benefiting you?
Finding evidence in our logs in a quicker amount of time.


    Nishith J.

SPL search and dashboards are really useful

  • March 26, 2026
  • Review provided by G2

What do you like best about the product?
What I like most about Splunk Enterprise is its powerful search capabilities using SPL, which make it easy to analyze large volumes of log data quickly. It’s very useful for monitoring systems, identifying issues, and building dashboards for real-time insights. The flexibility in creating custom queries and visualizations is a big advantage.
What do you dislike about the product?
One of the main drawbacks is the cost, especially as data ingestion increases.
What problems is the product solving and how is that benefiting you?
Splunk Enterprise helps solve the problem of dealing with large volumes of log data coming from different systems. Without it, troubleshooting and monitoring can be time-consuming because the data is scattered. With Splunk, it becomes easier to centralize logs, search through them quickly, and identify issues in real time. This helps reduce debugging time and improves overall system monitoring.


    Jigar Hirani

Custom dashboards and alerts have transformed how our team monitors diverse security logs

  • March 25, 2026
  • Review from a verified AWS customer

What is our primary use case?

In terms of using Splunk Enterprise Platform, we use it for our SOC environment where we have an ES setup separately. We collect logs from various sources like AWS, EDR logs, firewall logs, WinEvent logs, Linux logs, application logs, and specific service logs.

We gather that and based on that, we are providing users dashboards, searches, and alerts.

What is most valuable?

In terms of my favorite features of Splunk Enterprise Platform, it has vast customizability. It is very customizable. I can customize it according to my use case. Or if I have any restrictions in my environment or client environment, I can customize it according to my requirements. It is not something where I need to go with the straightforward way.

For a specific feature of Splunk Enterprise Platform, I appreciate the custom commands and custom endpoints by using which I can build my Splunk apps.

What needs improvement?

When concerning the cost of Splunk Enterprise Platform, the license cost can be a factor. The pricing is based on limited factors. There are two types of pricing where we have licensing based on the data or logs which we are indexing by size.

It can also be based on if we are purchasing the cloud platform, then it can be based on multiple factors such as how much data we are searching daily or a limit on that. Usually for 10 GB of license and two years of retention, it costs around $20,000 to $30,000.

Based on my thoughts about Splunk Enterprise Platform, I would rate it a seven or eight because the only thing I'm keeping in mind is the licensing cost. Otherwise, the overall product is good, its features, its customizability, and scalability are all excellent. The only factor is the licensing.

If they were providing a license to small customers, if they target small customers, it would be really great.

If they provide a small license to small customers, or if they bring some new licensing for small customers for the specific use case on top of Splunk Enterprise Platform, that would be beneficial.

For how long have I used the solution?

My experience with Splunk Enterprise Platform is approximately two and a half years.

What do I think about the stability of the solution?

In terms of Splunk Enterprise Platform stability, I would rate it nine out of ten.

What do I think about the scalability of the solution?

When considering scalability, Splunk Enterprise Platform is very scalable. I would rate it nine out of ten.

How are customer service and support?

I have contacted support for Splunk Enterprise Platform multiple times. For our architecture specifically, we have contacted Splunk support. The add-on which is being provided by Splunk support was generating an error in our environment. For that, we contacted support and they were able to provide us with the solution which is currently working fine.

Which solution did I use previously and why did I switch?

Regarding alternatives to Splunk Enterprise Platform, I have tried to use other tools, but they are very specific to some use cases only. I have preferred to use Splunk because it works with all my use cases and all the log or source types. I tried Dynatrace and Datadog, which provide observability, but that was not as useful to me.

How was the initial setup?

In terms of ease of use with Splunk Enterprise Platform, it is very easy and straightforward. All the steps are mentioned in their documentation. All the guides which are required or the prerequisites that must be there before installing or setup, are in their documentation. The community is also very good. We have enough description about the installation steps, which is what makes it easiest.

What about the implementation team?

Using Splunk Enterprise Platform requires maintenance. In terms of maintenance, it will be specific. If we are making any changes, then we must schedule maintenance because it will restart its services and we must accept the downtime. If we are upgrading our environment or any specific apps that are present in our environment, then we must have maintenance for it.

What other advice do I have?

I would rate this review an eight overall.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)


    Marco O.

Splunk’s for SOC Operations

  • March 24, 2026
  • Review provided by G2

What do you like best about the product?
What I like most about Splunk is how well it integrates with many well-known products, along with its very clear, easy-to-use dashboards. On top of that, the search system is incredibly versatile and works especially well for SOC operations.
What do you dislike about the product?
The main downside of Splunk is that it’s still quite expensive compared to other vendors. As a service provider, I also find it difficult to position with clients, because the costs can climb quickly and the overall price becomes high.
What problems is the product solving and how is that benefiting you?
Splunk helps us address security issues for our clients. Its fast query capabilities and event correlation add an important layer to our security operations, making it easier to investigate and connect related activity when incidents come up.