Splunk: The log expert
November 20, 2019

Kuntal Das | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise

Splunk Enterprise is a brilliant tool that we use at the University of Colorado, Denver to analyze logs obtained from various sources. Our team is responsible for maintaining the security of our campus and the University of Colorado Anschutz Medical Campus.

The log sources are typically firewall logs, email logs, logs from the intrusion detection system (IDS), logs of different services running on Google Cloud, etc. It offers a very easy interface and a query language. We can build our own alarm rules and UI within it for visualization. The rules run at a time defined by the user and send metrics by email. It helped in automating blacklisting, as now we can get the most troublesome IP addresses and block them in a minute. It also helped us in tracing a list of the most vulnerable on the campus. The most powerful feature is the correlation of log sources. Correlation of log sources is a very taxing process for any software; Splunk handles it gracefully. By correlating firewall, wireless and IDS traffic we once spotted a machine that had a trojan in it and was trying to spread itself laterally through open SMB ports.

  • It is very useful for creating custom rules to analyze system logs and display relevant information. The query language is very easy to learn.
  • We can create a custom UI to visualize the output of our data. The interface is very flexible. It also allows the sharing of rules among users.
  • There is an open online community to help others. Stack Overflow also has a Splunk community. These resources make it more convenient to learn.

  • They could introduce a query builder for non-technical users.
  • The query error messages could be more specific.

  • Ease of collecting IPs for blacklisting.
  • Generation of metrics against compromised accounts based on location and time of the year. It helped in launching a phishing education campaign before hitting the most vulnerable month of the year.
  • It helped in neutralizing vulnerable WordPress sites across the campus, leading to a decrease in account compromise.
Splunk is a very useful, lightweight and simple tool to analyze logs. As a computer science student who loves coding, I find it much more convenient to use. I can build custom queries for myself or a subset of the users. The language is much simpler than SQL and is much faster as well for large amounts of data. It is highly scalable, and with a customizable dashboard it becomes even more useful than LogRhythm, which is not that flexible.
The Splunk support team is very helpful and active when it comes to asking questions or raising issues. It is very rare that we had to contact them, as the software is flawless. However, when a problem happened due to the version update, they reached out to us instantly and recommended steps to fix it.

Do you think Splunk Enterprise delivers good value for the price?

Yes

Are you happy with Splunk Enterprise's feature set?

Yes

Did Splunk Enterprise live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise go as expected?

Yes

Would you buy Splunk Enterprise again?

Yes

Pros: Splunk is very well suited if you have multiple log sources of related data. All of them can be correlated and tasks can be automated based on the requirement. Other than alerts, Splunk can also run a specific script of your choice, based on some defined conditions.
Cons: If you have a few logs but a large number of log sources, Splunk can be very expensive.

Splunk Enterprise Feature Ratings

Centralized event and log data collection: 10
Correlation: 10
Event and log normalization/management: 9
Deployment flexibility: 10
Integration with Identity and Access Management Tools: 9
Custom dashboards and workspaces: 10
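The two detection workflows the reviewer describes, correlating firewall, wireless and IDS events to spot a host fanning out over SMB, and ranking the most troublesome source IPs for blocklisting, can be illustrated outside Splunk. The following is an added example written for this page, not code from the reviewer, the University of Colorado or Splunk; it uses Python instead of SPL so the logic is visible and runnable offline. The log formats, field names, hostnames, usernames, the IDS signature text and the thresholds (a 5-minute window, 5 distinct SMB targets) are all constructed assumptions, not the review's real data.

```python
"""Added example (not from the review or from Splunk): correlate constructed
firewall, wireless and IDS log lines the way the reviewer describes, and rank
denied source IPs as blocklist candidates."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (RFC 5737 test addresses for the outside world,
# 10.20.0.0/16 for campus hosts). The syslog-like key=value format is assumed.
FIREWALL_LOGS = """\
2019-11-20T09:58:30 fw01 action=deny src=203.0.113.9 dst=10.20.1.10 dport=22 proto=tcp
2019-11-20T09:58:31 fw01 action=deny src=203.0.113.9 dst=10.20.1.10 dport=22 proto=tcp
2019-11-20T09:58:32 fw01 action=deny src=203.0.113.9 dst=10.20.1.10 dport=22 proto=tcp
2019-11-20T09:59:10 fw01 action=deny src=198.51.100.4 dst=10.20.1.10 dport=3389 proto=tcp
2019-11-20T09:59:40 fw01 action=allow src=10.20.5.22 dst=10.20.7.3 dport=445 proto=tcp
2019-11-20T10:00:01 fw01 action=allow src=10.20.5.17 dst=10.20.7.3 dport=445 proto=tcp
2019-11-20T10:00:02 fw01 action=allow src=10.20.5.17 dst=10.20.7.4 dport=445 proto=tcp
2019-11-20T10:00:03 fw01 action=allow src=10.20.5.17 dst=10.20.7.5 dport=445 proto=tcp
2019-11-20T10:00:04 fw01 action=allow src=10.20.5.17 dst=10.20.7.6 dport=445 proto=tcp
2019-11-20T10:00:05 fw01 action=deny src=10.20.5.17 dst=10.20.7.7 dport=445 proto=tcp
2019-11-20T10:00:06 fw01 action=deny src=10.20.5.17 dst=10.20.7.8 dport=445 proto=tcp
"""
# Constructed IDS alerts; the signature names are placeholders, not real rules.
IDS_LOGS = """\
2019-11-20T09:30:00 ids01 alert sig="constructed: suspicious SMB negotiate" src=10.20.5.22 dst=10.20.7.3
2019-11-20T10:00:04 ids01 alert sig="constructed: SMB scan from single host" src=10.20.5.17 dst=10.20.7.6
"""
# Constructed wireless controller associations: they tie an IP to a user and AP.
WIRELESS_LOGS = """\
2019-11-20T09:20:00 wlc01 assoc user=asmith ip=10.20.5.22 ap=eng-1f-01
2019-11-20T09:55:00 wlc01 assoc user=jdoe ip=10.20.5.17 ap=lib-2f-03
"""

FW_RE = re.compile(r'^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) '
                   r'dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)')
IDS_RE = re.compile(r'^(?P<ts>\S+) \S+ alert sig="(?P<sig>[^"]+)" src=(?P<src>[\d.]+)')
WL_RE = re.compile(r'^(?P<ts>\S+) \S+ assoc user=(?P<user>\S+) ip=(?P<ip>[\d.]+) ap=(?P<ap>\S+)')


def parse(text, regex):
    """Turn matching lines into dicts with a real datetime; skip lines the pattern misses."""
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate_smb_spread(fw_text=FIREWALL_LOGS, ids_text=IDS_LOGS, wl_text=WIRELESS_LOGS,
                         window=timedelta(minutes=5), min_targets=5):
    """For each IDS alert, count distinct SMB (tcp/445) destinations the same source
    touched within +/- window; a wide fan-out plus an alert is the lateral-movement
    pattern the reviewer describes. Attach the wireless user/AP so the host can be found."""
    fw, ids, wl = parse(fw_text, FW_RE), parse(ids_text, IDS_RE), parse(wl_text, WL_RE)
    findings = []
    for alert in ids:
        lo, hi = alert["ts"] - window, alert["ts"] + window
        # Both allowed and denied attempts count: a worm probes regardless of outcome.
        targets = {e["dst"] for e in fw
                   if e["src"] == alert["src"] and e["dport"] == "445" and lo <= e["ts"] <= hi}
        if len(targets) < min_targets:
            continue  # a single file-server session is not lateral spread
        assoc = max((w for w in wl if w["ip"] == alert["src"] and w["ts"] <= alert["ts"]),
                    key=lambda w: w["ts"], default=None)
        findings.append({"src": alert["src"], "smb_targets": len(targets),
                         "signature": alert["sig"],
                         "user": assoc["user"] if assoc else None,
                         "ap": assoc["ap"] if assoc else None})
    return findings


def top_denied_sources(fw_text=FIREWALL_LOGS, n=3):
    """Rank sources by denied connections: the 'most troublesome IPs' list the
    reviewer feeds into blocklisting. Internal hosts can appear too; triage before blocking."""
    counts = Counter(e["src"] for e in parse(fw_text, FW_RE) if e["action"] == "deny")
    return counts.most_common(n)


if __name__ == "__main__":
    for f in correlate_smb_spread():
        print("SMB spread suspect:", f)
    print("Top denied sources:", top_denied_sources())
```

The correlation keys on the source IP and a time window around the IDS alert, which is the join Splunk performs across the three sourcetypes; the wireless lookup is what turns an IP into a person and a physical location, the step that lets a campus team actually pull the machine off the network.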