Thoughts from a Splunk Administrator - Who had zero Splunk experience before starting!
February 09, 2022

Stefanie Gunter | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

We utilize Enterprise Security at my organization to provide an Enterprise Security Overview briefing on a weekly basis. Enterprise Security has proven useful for understanding the security "health" of our organization. We don't currently utilize the investigative features of Enterprise Security, mostly due to a lack of resources (I'm the sole Splunk Admin).
  • Detecting events of interest that could be security risks
  • Once set up, Enterprise Security is almost a full SIEM
  • Providing a birds-eye view of the Security posture of an organization
  • Integrating with IDS/IPS, Vulnerability Scanners, and other databases to enrich your data.
  • The initial setup could be more user-friendly. After a year of working with the organization, I still do not have ES fine-tuned. While we could pay to have Professional Services come out and spin up everything, it's not fair to have purchased a product like Enterprise Security and receive little to no instruction on setting it up. What does fine-tuning your notable events look like? What data should be mapped to the data models? What do I do when an ES index is not populating? If my Identity notables are not populating, where do I look? What does a healthy asset & identity manager look like?
  • I've placed tickets into Splunk Support for issues like these and to be fair, a premium product like Splunk does not offer premium support.
  • Faster MTTD mostly
Enterprise Security is not the only risk-based alerting software we have at our company. However, we feel like the best defense is defense-in-depth. Enterprise Security really excels in utilizing Machine Learning and correlational searches to understand what our network is like - and then respond accordingly. We still do receive many false positives and as I learn with Enterprise Security we will learn to fine-tune those events.
I feel like Enterprise Security is only as good as the quality of data you ingest. It takes a lot of prep work in order to have a fully working/trustworthy SIEM product. The flexibility is great and as I've mentioned before, Enterprise Security is well suited to any organization - big or small. As long as that organization can provide the proper resources and data that Enterprise Security needs... Everything will be great!
Enterprise Security was already purchased before I started my position as a Splunk Administrator. It was never fully set up until I started with the company.

Splunk Enterprise Security could be used for a broad array of organizations. We have entered the data age where data is gold. Splunk Enterprise Security allows you to work in tandem with Splunk to notify on Interesting/Notable events. If a company has the resources to dedicate a full team (more than one person) I believe any organization will appreciate what Splunk Enterprise Security has to offer. Enterprise Security is more of an investment to protect your data.